OpenSearch/docs/reference/setup/secure-settings.asciidoc

69 lines
2.3 KiB
Plaintext
Raw Normal View History

[[secure-settings]]
== Secure Settings
Some settings are sensitive, and relying on filesystem permissions to protect
their values is not sufficient. For this use case, elasticsearch provides a
keystore, which may be password protected, and the `elasticsearch-keystore`
tool to manage the settings in the keystore.
NOTE: All commands here should be run as the user which will run elasticsearch.
NOTE: Only some settings are designed to be read from the keystore. See
documentation for each setting to see if it is supported as part of the keystore.
[float]
[[creating-keystore]]
=== Creating the keystore
To create the `elasticsearch.keystore`, use the `create` command:
[source,sh]
----------------------------------------------------------------
bin/elasticsearch-keystore create
----------------------------------------------------------------
The file `elasticsearch.keystore` will be created alongside `elasticsearch.yml`.
[float]
[[list-settings]]
=== Listing settings in the keystore
A list of the settings in the keystore is available with the `list` command:
[source,sh]
----------------------------------------------------------------
bin/elasticsearch-keystore list
----------------------------------------------------------------
[float]
[[add-string-to-keystore]]
=== Adding string settings
Sensitive string settings, like authentication credentials for cloud
plugins, can be added using the `add` command:
[source,sh]
----------------------------------------------------------------
bin/elasticsearch-keystore add the.setting.name.to.set
----------------------------------------------------------------
The tool will prompt for the value of the setting. To pass the value
through stdin, use the `--stdin` flag:
[source,sh]
----------------------------------------------------------------
cat /file/containing/setting/value | bin/elasticsearch-keystore add --stdin the.setting.name.to.set
----------------------------------------------------------------
[float]
[[remove-settings]]
=== Removing settings
To remove a setting from the keystore, use the `remove` command:
[source,sh]
----------------------------------------------------------------
bin/elasticsearch-keystore remove the.setting.name.to.remove
----------------------------------------------------------------