Secure Settingsedit

Some settings are sensitive, and relying on filesystem permissions to protect their values is not sufficient. For this use case, elasticsearch provides a keystore, which may be password protected, and the elasticsearch-keystore tool to manage the settings in the keystore.


All commands here should be run as the user which will run elasticsearch.


Only some settings are designed to be read from the keystore. See documentation for each setting to see if it is supported as part of the keystore.

Creating the keystoreedit

To create the elasticsearch.keystore, use the create command:

bin/elasticsearch-keystore create

The file elasticsearch.keystore will be created alongside elasticsearch.yml.

Listing settings in the keystoreedit

A list of the settings in the keystore is available with the list command:

bin/elasticsearch-keystore list

Adding string settingsedit

Sensitive string settings, like authentication credentials for cloud plugins, can be added using the add command:

bin/elasticsearch-keystore add

The tool will prompt for the value of the setting. To pass the value through stdin, use the --stdin flag:

cat /file/containing/setting/value | bin/elasticsearch-keystore add --stdin

Removing settingsedit

To remove a setting from the keystore, use the remove command:

bin/elasticsearch-keystore remove