elasticsearch-keystore
Manage Elasticsearch keystore secure settings
TLDR
Create a new keystore (not password-protected): elasticsearch-keystore create
Create a new password-protected keystore: elasticsearch-keystore create -p
Add a setting interactively (the value is prompted for with echo disabled): elasticsearch-keystore add setting_name
Add a setting from standard input: elasticsearch-keystore add --stdin setting_name
Remove a setting from the keystore: elasticsearch-keystore remove setting_name
Change the keystore password: elasticsearch-keystore passwd
List all settings stored in the keystore (names only, never values): elasticsearch-keystore list
Upgrade the keystore format (after an Elasticsearch upgrade): elasticsearch-keystore upgrade
SYNOPSIS
elasticsearch-keystore <command> [options] [arguments]
PARAMETERS
create
Creates an empty keystore file, elasticsearch.keystore, in the configuration directory. With -p the tool prompts for a keystore password; without it the keystore is created unprotected.
add <setting_name>
Adds a sensitive setting to the keystore. Without options the value is prompted for interactively with echo disabled. With -x (--stdin) the value is read from standard input instead, so it never appears in the process argument list or in shell history; with -f (--force) an existing setting is overwritten without the confirmation prompt. Example: printf '%s' "$ACCESS_KEY" | elasticsearch-keystore add --stdin s3.client.default.access_key
list
Lists all setting names currently stored in the keystore, without revealing their values.
remove <setting_name>
Removes a specified setting from the keystore.
show <setting_name>
Displays the value of a specified setting (available in newer releases only). If the keystore is password-protected, the password is prompted for first. Any setting in the keystore can be shown this way, regardless of how it was added, so shell access to the keystore file and to this command must be treated as access to the secrets themselves.
passwd
Sets or changes the keystore password. Applying a password to an unprotected keystore enables password protection; from then on the node needs the password at start-up, either from an interactive prompt or from the file named by the ES_KEYSTORE_PASSPHRASE_FILE environment variable.
upgrade
Upgrades the keystore file to the latest compatible format, if an older format is detected.
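The TLDR entries and the add/create/list parameters above form one provisioning procedure. The script below is an added example, not code from the page or from the Elasticsearch project: it creates the keystore if missing, loads two S3 credentials through --stdin so the values never appear in argv, ps output or shell history, and then checks the file's ownership and mode. The default binary and config paths are those of the DEB/RPM packages; the ES_KEYSTORE_BIN, ES_USER and ES_GROUP variables, the helper names and the secrets-directory layout are assumptions of this script.

```shell
#!/bin/sh
# Added example (not the page's or the Elasticsearch project's own code):
# idempotent provisioning of secure settings. Default paths match the
# DEB/RPM packages; ES_KEYSTORE_BIN, ES_USER, ES_GROUP and the secrets
# directory layout are assumptions of this script.
set -eu

ES_KEYSTORE_BIN="${ES_KEYSTORE_BIN:-/usr/share/elasticsearch/bin/elasticsearch-keystore}"
ES_PATH_CONF="${ES_PATH_CONF:-/etc/elasticsearch}"
ES_USER="${ES_USER:-elasticsearch}"
ES_GROUP="${ES_GROUP:-elasticsearch}"
export ES_PATH_CONF   # elasticsearch-keystore finds elasticsearch.keystore through it

# Create the keystore only when it is missing, so re-running is harmless.
ensure_keystore() {
  if [ ! -f "$ES_PATH_CONF/elasticsearch.keystore" ]; then
    "$ES_KEYSTORE_BIN" create
  fi
}

# Add or overwrite one secure setting. The value arrives on stdin (--stdin),
# so only the setting name is visible in argv, `ps` output and shell history;
# --force suppresses the "already exists, overwrite?" prompt.
add_secret() {
  "$ES_KEYSTORE_BIN" add --stdin --force "$1"
}

# Same, with the value taken from a file (e.g. one dropped by a secrets
# manager). The file itself must already be private.
add_secret_from_file() {
  add_secret "$1" < "$2"
}

# Fail (return 1) unless FILE grants nothing to "others" and is owned by the
# service user or the service group. Parses the POSIX `ls -l` layout, so it
# works on GNU and BSD userlands alike.
check_private_file() {
  file=$1 want_user=$2 want_group=$3
  set -- $(ls -ld "$file")
  mode=$1 owner=$3 group=$4
  case "$mode" in
    ???????---*) ;;    # characters 8-10 are the "others" bits
    *) echo "$file: mode $mode grants access to others" >&2; return 1 ;;
  esac
  if [ "$owner" != "$want_user" ] && [ "$group" != "$want_group" ]; then
    echo "$file: owned by $owner:$group, expected $want_user or $want_group" >&2
    return 1
  fi
}

# End to end: create the keystore, load two S3 credentials, lock the file
# down and print the stored setting names (never the values).
provision() {
  secrets_dir=$1
  keystore="$ES_PATH_CONF/elasticsearch.keystore"
  ensure_keystore
  add_secret_from_file s3.client.default.access_key "$secrets_dir/s3_access_key"
  add_secret_from_file s3.client.default.secret_key "$secrets_dir/s3_secret_key"
  chmod o-rwx "$keystore"
  check_private_file "$keystore" "$ES_USER" "$ES_GROUP"
  "$ES_KEYSTORE_BIN" list
}

# Usage: sudo sh provision-keystore.sh provision /run/secrets
if [ "${1:-}" = provision ]; then
  provision "$2"
fi
```

Run it as root (or as the user that owns the config directory) after the secrets have been written to the secrets directory with mode 0600. The permission check deliberately accepts the package layout (root:elasticsearch, group-readable) as well as a single-owner 0600 file; what it rejects is any bit granted to "others".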
DESCRIPTION
The elasticsearch-keystore command-line utility manages the secure settings of an Elasticsearch node, such as passwords and cloud credentials, which would otherwise have to be written in plain text into elasticsearch.yml. The keystore is a single file, elasticsearch.keystore, whose contents are encrypted under a password chosen by the administrator; a keystore created without a password is merely obfuscated, and anyone who can read the file can recover its contents. The utility adds, removes, lists and otherwise manages these settings. Elasticsearch reads the keystore when the node starts; settings that Elasticsearch documents as reloadable can also be picked up by a running node through the _nodes/reload_secure_settings API, while every other change takes effect only after a node restart.
CAVEATS
Security Best Practices:
Protect the keystore with a password, especially in production. Without one, anyone with read access to the file can recover every secure setting. With one, the node must be given the password when it starts (interactively, or through the file named by ES_KEYSTORE_PASSPHRASE_FILE), and that password file needs the same filesystem protection as the keystore itself.
Node Restart:
After add, remove, passwd or upgrade, a running node still holds the old values. Settings that Elasticsearch marks as reloadable can be applied without downtime with POST _nodes/reload_secure_settings (supplying the keystore password in the request body when the keystore has one); all other changes take effect only after the node(s) are restarted.
Backup:
Always back up your elasticsearch.keystore file before making significant changes or upgrading Elasticsearch.
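For the "Node Restart" caveat, the script below shows the no-restart path: it reads the keystore password from a one-line file, builds the JSON body and POSTs it to _nodes/reload_secure_settings with the body on curl's stdin, so the keystore password never appears in argv. It is an added example, not code from the page or from the Elasticsearch project; ES_URL, ES_CA, ES_API_USER, the password file path and the helper names are assumptions of this script.

```shell
#!/bin/sh
# Added example (not the page's or the Elasticsearch project's own code):
# push keystore changes to a running node for settings Elasticsearch marks
# as reloadable, via POST _nodes/reload_secure_settings, instead of a
# restart. ES_URL, ES_CA, ES_API_USER and the password file path are
# assumptions of this script.
set -eu

ES_URL="${ES_URL:-https://localhost:9200}"
ES_CA="${ES_CA:-/etc/elasticsearch/certs/http_ca.crt}"
ES_API_USER="${ES_API_USER:-elastic}"
# A one-line file holding the keystore password; an empty or missing file
# means the keystore is not password-protected.
KEYSTORE_PASS_FILE="${KEYSTORE_PASS_FILE:-/etc/elasticsearch/keystore.pass}"

# First line of the password file without its trailing newline; empty when
# the file is absent or empty. The value never passes through an argument.
read_keystore_password() {
  [ -s "$1" ] || return 0
  IFS= read -r line < "$1" || true   # read returns 1 on a missing final newline
  printf '%s' "$line"
}

# Escape backslash and double quote so the password can sit inside a JSON
# string (the password is a single line, so newlines need no handling here).
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Request body: the password field only when the keystore has one, else "{}".
reload_request_body() {
  if [ -n "$1" ]; then
    printf '{"secure_settings_password":"%s"}' "$(json_escape "$1")"
  else
    printf '{}'
  fi
}

# POST the reload. The body reaches curl on stdin (--data-binary @-), so the
# keystore password is not visible in `ps`; curl prompts for the API user's
# password, or use --netrc instead of -u for unattended runs.
reload_secure_settings() {
  password=$(read_keystore_password "$KEYSTORE_PASS_FILE")
  reload_request_body "$password" |
    curl -sS --fail --cacert "$ES_CA" -u "$ES_API_USER" \
         -H 'Content-Type: application/json' \
         -X POST "$ES_URL/_nodes/reload_secure_settings" --data-binary @-
  echo
}

# Usage: sh reload-secure-settings.sh reload
if [ "${1:-}" = reload ]; then
  reload_secure_settings
fi
```

The response lists, per node, whether the reload succeeded; a node whose keystore contains a setting Elasticsearch does not recognise as a secure setting reports a failure here rather than silently ignoring it.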
KEYSTORE LOCATION
By default, the elasticsearch.keystore file lives in the Elasticsearch configuration directory: $ES_HOME/config for archive installs, /etc/elasticsearch for the DEB and RPM packages. The directory can be overridden with the ES_PATH_CONF environment variable, which elasticsearch-keystore honours in the same way as the elasticsearch binary, so the tool and the node must see the same value.
SECURE SETTINGS VS. REGULAR SETTINGS
The keystore is not a general-purpose settings store. It holds only the settings that Elasticsearch declares as secure settings (for example s3.client.default.access_key or xpack.security.transport.ssl.keystore.secure_password); every other setting belongs in elasticsearch.yml. elasticsearch-keystore does not reject unsupported names when they are added, but the node fails validation and refuses to start (and the reload API refuses to reload) while they are present. The -x/--stdin option of add only changes how the value is entered; it makes no difference to how the setting is stored or to whether show can display it.
HISTORY
The Elasticsearch keystore and the elasticsearch-keystore utility were introduced during the Elasticsearch 5.x series. Their purpose was to provide a secure place for sensitive configuration values, moving away from plain-text storage in elasticsearch.yml; password protection of the keystore and the secure-settings reload API were added in later releases.
SEE ALSO
elasticsearch (bin/elasticsearch), Elasticsearch Documentation (Keystore)