Configure encryption keysedit

Enterprise Search is designed to keep content source synchronization credentials, API tokens and other sensitive information secure at all times. Data protection at rest is implemented by using a set of encryption keys shared between all nodes of an Enterprise Search deployment. To ensure safe storage of your sensitive information, encryption keys must be provided when starting and deploying the service.

When running on Elastic Cloud or Elastic Cloud on Kubernetes (ECK), the platform takes care of your encryption secrets and you are not required to set them yourselves.

Encryption keys configurationedit

To configure encryption keys, locate the config/enterprise-search.yml configuration file in the Enterprise Search directory, and set a secret_management.encryption_keys value:

secret_management.encryption_keys: [{encryption_key1}, {encryption_key2}, {...}]

secret_management.encryption_keys requires an array of values with at least one encryption key. Each key value needs to be a unique string and we recommend using a random value that is impossible to guess (256-bits or longer). See the dedicated section below on how you can generate a secure encryption key.

Since encryption keys are used to persist data in an Elasticsearch cluster shared by all nodes of an Enterprise Search deployment, you need to ensure all nodes within an Enterprise search deployment share the same set of encryption keys. Failure to configure the same keys across all nodes will lead to data inconsistencies and potential data loss.

When restoring an Enterprise Search deployment from a backup, you need to make sure your configuration file contains the right set of encryption keys to allow you to gain access to the restored dataset (on Elastic Cloud it happens automatically).

Protecting your encryption keysedit

The keys configured in the configuration file should be treated as sensitive information and protected from unauthorized access by third parties and from data loss. We recommend using permissions that do not allow reads by anybody but the owner (0640 or -rw-r----), storing the configuration file on an encrypted disk volume and encrypting the file during filesystem backups.

In Docker and Kubernetes environments, we recommend using Docker secrets or Kubernetes encrypted secrets to protect your encryption keys and provide them to the deployment via container environment variables.

Should an encryption key be misplaced or lost, the encrypted access tokens and source synchronization credentials will no longer be accessible, and content synchronization will be halted for all sources until they are re-authenticated.

We recommend you save your keys in a password manager or some other secure storage to ensure you would not lose access to encrypted data in Enterprise Search.

Using multiple keys and key rotationedit

Following the well-established security practices and various compliance requirements around the world, we recommend periodically rotating your encryption keys.

To support graceful key rotation, Enterprise Search lets you set multiple encryption keys. When a new value is added to the encryption_keys array, Enterprise Search will attempt to decrypt secrets from the first entry, moving across the array until success. Secrets are re-encrypted with the last key in the array when rewritten, which effectively allows you to rotate encryption secrets without downtime.

Generating encryption keysedit

There are several techniques for generating secure random 256-bit encryption keys.

On systems with openssl installed, run:

openssl rand -hex 32

Or on Linux environments without openssl, including empty docker containers for CentOS, Ubuntu, Debian, Alpine and even in a busybox environment, run this command:

od  -vN 32 -An -tx1 /dev/urandom | tr -d " \n" ; echo

If you do not specify a secret_management.encryption_keys value in the config/enterprise-search.yml file and run Enterprise Search, Enterprise Search will fail to start. But before failing, Enterprise Search will generate and display an example encryption key that you can copy and paste into the configuration file.