OpenSearch/x-pack/docs/en/watcher/encrypting-data.asciidoc

[role="xpack"]
[[encrypting-data]]
== Encrypting sensitive data in {watcher}

Watches might have access to sensitive data such as HTTP basic authentication
information or details about your SMTP email service. You can encrypt this
data by generating a key and adding some secure settings on each node in your
cluster.

Every `password` field that is used in your watch within an HTTP basic
authentication block - for example within a webhook, an HTTP input or when using
the reporting email attachment - will not be stored as plain text anymore. Also
be aware, that there is no way to configure your own fields in a watch to be
encrypted.

To encrypt sensitive data in {watcher}:

. Use the <<syskeygen,elasticsearch-syskeygen>> command to create a system key file.

. Copy the `system_key` file to all of the nodes in your cluster.
+
--
IMPORTANT: The system key is a symmetric key, so the same key must be used on
every node in the cluster.

--

. Set the <<notification-settings,`xpack.watcher.encrypt_sensitive_data` setting>>:
+
--

[source,sh]
----------------------------------------------------------------
xpack.watcher.encrypt_sensitive_data: true
----------------------------------------------------------------
--

. Set the
<<notification-settings,`xpack.watcher.encryption_key` setting>> in the
<<secure-settings,{es} keystore>> on each node in the cluster.
+
--
For example, run the following command to import the `system_key` file on
each node:

[source,sh]
----------------------------------------------------------------
bin/elasticsearch-keystore add-file xpack.watcher.encryption_key <filepath>/system_key
----------------------------------------------------------------
--

. Delete the `system_key` file on each node in the cluster.

NOTE: Existing watches are not affected by these changes. Only watches that you
create after following these steps have encryption enabled.
[DOCS] Add missing xpack role attributes (#46468) 2019-09-10 13:32:51 -04:00			`[role="xpack"]`
[DOCS] Added sysgenkey command and watcher encryption settings (elastic/x-pack-elasticsearch#3043) * [DOCS] Added sysgenkey command and watcher settings * [DOCS] Added data encryption task for Watcher * [DOCS] Addressed feedback about watcher encryption Original commit: elastic/x-pack-elasticsearch@edb1fccbfbaff6bd3e32f0de1195f42e9bcea653 2017-11-20 11:44:43 -05:00			`[[encrypting-data]]`
[DOCS] Moves Watcher content into Elasticsearch book (#47147) (#47255) Co-Authored-By: James Rodewig <james.rodewig@elastic.co> 2019-09-30 13:18:50 -04:00			`== Encrypting sensitive data in {watcher}`
[DOCS] Added sysgenkey command and watcher encryption settings (elastic/x-pack-elasticsearch#3043) * [DOCS] Added sysgenkey command and watcher settings * [DOCS] Added data encryption task for Watcher * [DOCS] Addressed feedback about watcher encryption Original commit: elastic/x-pack-elasticsearch@edb1fccbfbaff6bd3e32f0de1195f42e9bcea653 2017-11-20 11:44:43 -05:00
			`Watches might have access to sensitive data such as HTTP basic authentication`
			`information or details about your SMTP email service. You can encrypt this`
			`data by generating a key and adding some secure settings on each node in your`
			`cluster.`

Docs: Fixed a grammatical mistake: 'a HTTP ...' -> 'an HTTP ...' (#33744) Fixed a grammatical mistake: 'a HTTP ...' -> 'an HTTP ...' Closes #33728 2018-09-17 15:35:55 -04:00			Every `password` field that is used in your watch within an HTTP basic
			`authentication block - for example within a webhook, an HTTP input or when using`
Docs: Clarify sensitive fields watcher encryption (#31551) Clarify the scope of encrypting sensitive settings in watcher, which fields are encrypted and if users can have their own encrypted fields. 2018-06-26 10:24:28 -04:00			`the reporting email attachment - will not be stored as plain text anymore. Also`
			`be aware, that there is no way to configure your own fields in a watch to be`
			`encrypted.`

[DOCS] Added sysgenkey command and watcher encryption settings (elastic/x-pack-elasticsearch#3043) * [DOCS] Added sysgenkey command and watcher settings * [DOCS] Added data encryption task for Watcher * [DOCS] Addressed feedback about watcher encryption Original commit: elastic/x-pack-elasticsearch@edb1fccbfbaff6bd3e32f0de1195f42e9bcea653 2017-11-20 11:44:43 -05:00			`To encrypt sensitive data in {watcher}:`

[DOCS] Moves Watcher content into Elasticsearch book (#47147) (#47255) Co-Authored-By: James Rodewig <james.rodewig@elastic.co> 2019-09-30 13:18:50 -04:00			`. Use the <<syskeygen,elasticsearch-syskeygen>> command to create a system key file.`
[DOCS] Added sysgenkey command and watcher encryption settings (elastic/x-pack-elasticsearch#3043) * [DOCS] Added sysgenkey command and watcher settings * [DOCS] Added data encryption task for Watcher * [DOCS] Addressed feedback about watcher encryption Original commit: elastic/x-pack-elasticsearch@edb1fccbfbaff6bd3e32f0de1195f42e9bcea653 2017-11-20 11:44:43 -05:00
			. Copy the `system_key` file to all of the nodes in your cluster.
			`+`
			`--`
			`IMPORTANT: The system key is a symmetric key, so the same key must be used on`
			`every node in the cluster.`

			`--`

[DOCS] Moves Watcher content into Elasticsearch book (#47147) (#47255) Co-Authored-By: James Rodewig <james.rodewig@elastic.co> 2019-09-30 13:18:50 -04:00			. Set the <<notification-settings,`xpack.watcher.encrypt_sensitive_data` setting>>:
[DOCS] Added sysgenkey command and watcher encryption settings (elastic/x-pack-elasticsearch#3043) * [DOCS] Added sysgenkey command and watcher settings * [DOCS] Added data encryption task for Watcher * [DOCS] Addressed feedback about watcher encryption Original commit: elastic/x-pack-elasticsearch@edb1fccbfbaff6bd3e32f0de1195f42e9bcea653 2017-11-20 11:44:43 -05:00			`+`
			`--`

			`[source,sh]`
			`----------------------------------------------------------------`
Docs: Fix encrypt watcher sensitive data documentation (elastic/x-pack-elasticsearch#4198) The documentation mentions that the xpack.watcher.encrypt_sensitive_data setting needs to be set in the keystore. This is wrong however, it needs to be set in the standard elasticsearch yaml file. relates elastic/x-pack-elasticsearch#4195 Original commit: elastic/x-pack-elasticsearch@613d63da85790dc92618a5e75589993c2027d261 2018-03-22 13:57:31 -04:00			`xpack.watcher.encrypt_sensitive_data: true`
[DOCS] Added sysgenkey command and watcher encryption settings (elastic/x-pack-elasticsearch#3043) * [DOCS] Added sysgenkey command and watcher settings * [DOCS] Added data encryption task for Watcher * [DOCS] Addressed feedback about watcher encryption Original commit: elastic/x-pack-elasticsearch@edb1fccbfbaff6bd3e32f0de1195f42e9bcea653 2017-11-20 11:44:43 -05:00			`----------------------------------------------------------------`
			`--`

			`. Set the`
[DOCS] Moves Watcher content into Elasticsearch book (#47147) (#47255) Co-Authored-By: James Rodewig <james.rodewig@elastic.co> 2019-09-30 13:18:50 -04:00			<<notification-settings,`xpack.watcher.encryption_key` setting>> in the
			`<<secure-settings,{es} keystore>> on each node in the cluster.`
[DOCS] Added sysgenkey command and watcher encryption settings (elastic/x-pack-elasticsearch#3043) * [DOCS] Added sysgenkey command and watcher settings * [DOCS] Added data encryption task for Watcher * [DOCS] Addressed feedback about watcher encryption Original commit: elastic/x-pack-elasticsearch@edb1fccbfbaff6bd3e32f0de1195f42e9bcea653 2017-11-20 11:44:43 -05:00			`+`
			`--`
			For example, run the following command to import the `system_key` file on
			`each node:`

			`[source,sh]`
			`----------------------------------------------------------------`
			`bin/elasticsearch-keystore add-file xpack.watcher.encryption_key <filepath>/system_key`
			`----------------------------------------------------------------`
			`--`

			. Delete the `system_key` file on each node in the cluster.

			`NOTE: Existing watches are not affected by these changes. Only watches that you`
			`create after following these steps have encryption enabled.`