[[encrypting-data]]
== Encrypting Sensitive Data in {watcher}

Watches might have access to sensitive data such as HTTP basic authentication
information or details about your SMTP email service. You can encrypt this
data by generating a key and adding some secure settings on each node in your
cluster.

To encrypt sensitive data in {watcher}:

. Use the {ref}/syskeygen.html[syskeygen] command to create a system key file.

. Copy the `system_key` file to all of the nodes in your cluster.
+
--
IMPORTANT: The system key is a symmetric key, so the same key must be used on
every node in the cluster.

--

. Set the
{ref}/notification-settings.html[`xpack.watcher.encrypt_sensitive_data` setting]
in the {ref}/secure-settings.html[{es} keystore] on each node in the cluster.
+
--

For example, run the following commands to create and update the keystore:

[source,sh]
----------------------------------------------------------------
bin/elasticsearch-keystore create
bin/elasticsearch-keystore add xpack.watcher.encrypt_sensitive_data true
----------------------------------------------------------------
--

. Set the
{ref}/notification-settings.html[`xpack.watcher.encryption_key` setting] in the
{ref}/secure-settings.html[{es} keystore] on each node in the cluster.
+
--
For example, run the following command to import the `system_key` file on
each node:

[source,sh]
----------------------------------------------------------------
bin/elasticsearch-keystore add-file xpack.watcher.encryption_key <filepath>/system_key
----------------------------------------------------------------
--

. Delete the `system_key` file on each node in the cluster.

NOTE: Existing watches are not affected by these changes. Only watches that you
create after following these steps have encryption enabled.
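
The following shell helpers are an added example, not part of the original documentation: they check that each node's copy of `system_key` is identical and not readable by group or others (run these before deleting the file in the last step), and that the keystore lists both {watcher} settings afterwards. The function names are hypothetical, and `sha256sum` or `shasum` is assumed to be installed.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not Elasticsearch tooling.

# Print the SHA-256 of a key file so copies can be compared across nodes
# by digest, without moving the key itself around again.
key_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed only if the file has no group or other permission bits set
# (characters 5-10 of the `ls -l` mode string are all dashes).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Read "node digest" lines on stdin; succeed only if at least one line
# was given and every digest equals the first one (same symmetric key).
digests_match() {
    awk 'NF < 2   { bad = 1 }
         NR == 1  { first = $2 }
         $2 != first { bad = 1 }
         END { exit (NR == 0 || bad) }'
}

# Read the output of `bin/elasticsearch-keystore list` on stdin; succeed
# only if both settings named in the steps above are present.
keystore_has_watcher_settings() {
    listing=$(cat)
    for name in xpack.watcher.encrypt_sensitive_data \
                xpack.watcher.encryption_key; do
        printf '%s\n' "$listing" | grep -qxF "$name" || return 1
    done
}

# Typical use on a node:
#   key_is_private <filepath>/system_key && key_digest <filepath>/system_key
#   bin/elasticsearch-keystore list | keystore_has_watcher_settings
```

Collect the `node digest` pairs from every node and pipe them to `digests_match`; a non-zero exit means at least one node holds a different key.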