LinuxCommandLibrary

elasticsearch-keystore

Manage Elasticsearch keystore secure settings

TLDR

Create a new keystore (not password-protected; protected by file permissions only)
$ elasticsearch-keystore create

Create a new password-protected keystore
$ elasticsearch-keystore create -p

Add a setting interactively (the value is prompted for, so it never appears on the command line)
$ elasticsearch-keystore add [setting_name]

Add a setting from stdin (for scripts; add -f/--force to overwrite an existing value without a prompt)
$ echo "[setting_value]" | elasticsearch-keystore add --stdin [setting_name]

Remove a setting from the keystore
$ elasticsearch-keystore remove [setting_name]

Set or change the keystore password
$ elasticsearch-keystore passwd

List the names of all settings stored in the keystore (values are never printed)
$ elasticsearch-keystore list

Upgrade the keystore format (after an Elasticsearch upgrade)
$ elasticsearch-keystore upgrade

SYNOPSIS

elasticsearch-keystore action [options] [key]

PARAMETERS

create
    Create a new empty keystore; prompts before overwriting an existing one. With -p/--password the keystore is encrypted under a password you are prompted for

list
    List the names of all settings in the keystore (values are never shown)

add setting...
    Prompt for and add a string value for each named setting; prompts before overwriting an existing entry unless -f/--force is given

add-file setting path
    Add the contents of a file as the setting's value (e.g. a cloud service-account JSON file)

remove setting...
    Remove the named settings from the keystore

passwd
    Set, change or remove the keystore password (prompts for the current password if one is set)

has-passwd
    Exit with status 0 if the keystore is password-protected, non-zero otherwise; useful in scripts

upgrade
    Rewrite the keystore in the current on-disk format; Elasticsearch also does this automatically at startup

show setting
    Print the value of one setting (available in recent releases; use only on a trusted terminal)

-x, --stdin
    Read the value from stdin instead of prompting (for 'add')

-f, --force
    Overwrite an existing setting without prompting (for 'add' and 'add-file')

-v, --verbose
    Enable verbose logging

-h, --help
    Show help message

-E key=value
    Set an Elasticsearch setting for this invocation, e.g. -E path.conf=... in older releases; current releases read ES_PATH_CONF from the environment

DESCRIPTION

The elasticsearch-keystore command manages the Elasticsearch keystore, the file in which a node stores secure settings such as passwords, API keys and cloud credentials that must not be written into elasticsearch.yml. Only settings that Elasticsearch explicitly defines as secure can be stored there; adding a setting the node does not recognise as secure makes the node fail at startup. The main operations are creating the keystore, adding string-valued settings (interactively or from stdin, so the secret never appears on the command line) or file-valued settings, listing setting names (values are never displayed), removing entries, setting or changing the keystore password and upgrading the on-disk format.

The keystore is per node: it is not replicated by the cluster, so the same settings must be added on every node. The file, elasticsearch.keystore, lives in the config directory ($ES_PATH_CONF, /etc/elasticsearch for package installs) and must be readable by the user Elasticsearch runs as, so run the tool as that user or fix ownership afterwards. Without a password the keystore is only obfuscated, not meaningfully encrypted, and restrictive file permissions are its real protection; with a password (create -p or passwd) the contents are encrypted and Elasticsearch must be given the password when it starts. Most secure settings are read only at startup, so changes take effect after a node restart; the settings Elasticsearch documents as reloadable can be picked up without a restart via POST _nodes/reload_secure_settings. The tool is used for X-Pack security (TLS keystore passwords, bootstrap.password), snapshot repository credentials (S3, GCS, Azure) and other integrations, and its stdin mode makes it suitable for configuration management.
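As an added example (not from this page, Elastic or LinuxCommandLibrary), the following POSIX shell script automates the create / add / list workflow described above for configuration management. It assumes the keystore is not password-protected, that ES_PATH_CONF is the node's config directory, and that ES_KEYSTORE_BIN names the tool (a variable introduced here so the script can be pointed at a stub for testing); the secrets file it writes is constructed sample data with hypothetical values, though the setting names are real Elasticsearch secure settings.

```shell
#!/bin/sh
# Added example, not from LinuxCommandLibrary or Elastic: provision a node's
# keystore non-interactively from a name=value file, feeding each value to
# `elasticsearch-keystore add --stdin` so it never appears in argv (visible
# to `ps` and audit logs) or in shell history.
# Assumptions: ES_KEYSTORE_BIN points at the real tool (hypothetical variable,
# override it for tests), ES_PATH_CONF is the node's config dir, and the
# keystore is not password-protected (file permissions are its protection).
set -e
ES_KEYSTORE_BIN="${ES_KEYSTORE_BIN:-elasticsearch-keystore}"
ES_PATH_CONF="${ES_PATH_CONF:-/etc/elasticsearch}"

# Write a constructed sample secrets file (hypothetical values; in practice
# the file would be rendered from a vault and removed afterwards).
sample_secrets_file() {
    cat > "$1" <<'EOF'
# name=value, one secure setting per line; '#' lines are ignored
bootstrap.password=ChangeMe-Now
xpack.security.http.ssl.keystore.secure_password=p@ss=with=equals
s3.client.default.access_key=AKIAEXAMPLE
s3.client.default.secret_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
EOF
    chmod 600 "$1"
}

# Create the keystore only when absent: `create` on an existing keystore
# prompts before overwriting, which would hang a non-interactive run.
ensure_keystore() {
    if [ ! -f "$ES_PATH_CONF/elasticsearch.keystore" ]; then
        "$ES_KEYSTORE_BIN" create
    fi
}

# add_secret NAME VALUE: the value goes over stdin; --force overwrites an
# existing entry so re-running the script is idempotent.
add_secret() {
    printf '%s\n' "$2" | "$ES_KEYSTORE_BIN" add --stdin --force "$1"
}

# provision_from_file FILE: split each line at the first '=' only, so values
# that themselves contain '=' survive intact.
provision_from_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        add_secret "${line%%=*}" "${line#*=}"
    done < "$1"
}

# verify_from_file FILE: every name in FILE must be reported by `list`
# (which prints names only, never values). Returns 1 on the first miss.
verify_from_file() {
    listed=$("$ES_KEYSTORE_BIN" list)
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        name=${line%%=*}
        if ! printf '%s\n' "$listed" | grep -qxF -- "$name"; then
            echo "keystore is missing $name" >&2
            return 1
        fi
    done < "$1"
}

# Usage on a node, as the user Elasticsearch runs as:
#   . ./provision-keystore.sh
#   ensure_keystore; provision_from_file secrets.env; verify_from_file secrets.env
```

Values travel over stdin rather than argv, so they are not visible in ps or audit logs, and --force makes re-runs idempotent. The final verification uses list, which prints names only, so nothing secret reaches the log of the provisioning run. The keystore is per node, so the script has to run on every node, and most secure settings are only read at startup, so a restart (or, for reloadable settings, POST _nodes/reload_secure_settings) still follows.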

CAVEATS

Run as the user Elasticsearch runs as, or chown the keystore to that user afterwards; a keystore without a password is obfuscated, not encrypted, so keep its file permissions restrictive; only settings Elasticsearch defines as secure may be added, anything else stops the node from starting; the keystore is per node and must be populated on every node; there is no edit, re-run add with -f/--force to overwrite; most secure settings need a node restart, only reloadable ones are picked up by POST _nodes/reload_secure_settings; a password-protected keystore requires the password to be supplied when the node starts; never pass a secret as a command-line argument to a wrapper script, since argv is visible in the process list and shell history, which is why add reads values interactively or from stdin.

FILES

$ES_PATH_CONF/elasticsearch.keystore: the keystore itself (obfuscated, or encrypted when password-protected); $ES_PATH_CONF/elasticsearch.yml: ordinary settings; a secure setting is looked up in the keystore under its documented name and needs no entry in elasticsearch.yml.

EXAMPLES

elasticsearch-keystore create
elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
printf '%s\n' "$S3_SECRET" | elasticsearch-keystore add --stdin --force s3.client.default.secret_key

HISTORY

Introduced in Elasticsearch 5.3 (2017) to move secrets out of elasticsearch.yml; later 6.x and 7.x releases added add-file, password protection (create -p, passwd, has-passwd) and the _nodes/reload_secure_settings API for reloadable secure settings, and the show command arrived in recent releases.

SEE ALSO

elasticsearch(1), keytool(1)
