elasticsearch-syskeygen
Generate Elasticsearch system integration keys
TLDR
Generate the system_key file in the default $ES_HOME/config directory
SYNOPSIS
elasticsearch-syskeygen [--key-size SIZE]
PARAMETERS
--key-size SIZE
Specifies the key length in bytes (default: 32; minimum: 16; maximum: 512).
DESCRIPTION
The elasticsearch-syskeygen command is a utility tool bundled with Elasticsearch distributions, primarily used to generate a cryptographically secure symmetric key for internal security features. This key is essential when X-Pack Security is enabled, which is the default in Elasticsearch 8.x and later versions.
It produces a random, base64-encoded key of configurable length (default 32 bytes) that protects sensitive operations such as password hashing for the built-in 'elastic' superuser and secure communication in clusters. The generated key must be copied identically to the xpack.security.system_key setting in the elasticsearch.yml configuration file on all nodes in the cluster to ensure seamless operation.
Usage is straightforward: run the command to output the key to stdout, then securely store and deploy it. Elasticsearch will fail to start or exhibit security issues if the key mismatches across nodes. Rotation is recommended periodically for enhanced security, requiring a cluster restart. This tool enhances cluster integrity without needing external key management systems, simplifying deployment for production environments.
Key benefits include resistance to brute-force attacks due to its length and randomness, sourced from secure cryptographic primitives.
CAVEATS
Key must be identical across all cluster nodes; mismatches cause startup failures or security errors. Store securely outside version control. Rotate periodically via cluster-wide update and restart.
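The caveat above can be checked before the restart. The following is an added example, not part of Elasticsearch or of the original page: it assumes the per-node copies of the key file have been staged as local files, and the function names key_digest, key_perms_ok and check_system_keys are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: pre-restart check for staged per-node copies of the key file.
# Paths are passed as arguments; nothing here calls Elasticsearch itself.

# Print the SHA-256 of a file so copies can be compared without echoing the key.
key_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 if the path is a non-empty regular file with no group/other access.
key_perms_ok() {
    [ -f "$1" ] && [ -s "$1" ] || return 1
    # Characters 5-10 of the mode string are the group and other permission bits.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# check_system_keys FILE...  -> 0 only if every copy is private and identical.
check_system_keys() {
    local ref="" f d rc=0
    [ "$#" -ge 1 ] || { echo "usage: check_system_keys FILE..." >&2; return 2; }
    for f in "$@"; do
        if ! key_perms_ok "$f"; then
            echo "FAIL $f: missing, empty, or accessible by group/other" >&2
            rc=1
            continue
        fi
        d=$(key_digest "$f")
        if [ -z "$ref" ]; then
            ref=$d                      # first valid copy is the reference
        elif [ "$d" != "$ref" ]; then
            echo "FAIL $f: digest differs from the reference copy" >&2
            rc=1
        fi
    done
    return "$rc"
}
```

Call it as check_system_keys node1/system_key node2/system_key node3/system_key; a non-zero exit status means at least one copy is mismatched or too widely readable.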
USAGE EXAMPLE
elasticsearch-syskeygen --key-size 32 > /path/to/system_key.txt
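Add to elasticsearch.yml, pasting the contents of /path/to/system_key.txt as the value (YAML does not perform shell command substitution, so $(cat ...) would be read as a literal string):
xpack.security.system_key: "<contents of /path/to/system_key.txt>"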
Restart all nodes.
SECURITY NOTES
The key enables internal symmetric encryption; it is not for user data. Use elasticsearch-reset-password for user management. A compromised key undermines these protections, so monitor access logs.
HISTORY
Introduced in Elasticsearch 8.0 (2022) alongside default security enablement, replacing manual key generation. Evolved from earlier X-Pack tools for streamlined cluster bootstrapping.


