diff --git a/shield/src/main/java/org/elasticsearch/shield/audit/index/IndexAuditTrail.java b/shield/src/main/java/org/elasticsearch/shield/audit/index/IndexAuditTrail.java
index 38a41334243..89b7c9477ea 100644
--- a/shield/src/main/java/org/elasticsearch/shield/audit/index/IndexAuditTrail.java
+++ b/shield/src/main/java/org/elasticsearch/shield/audit/index/IndexAuditTrail.java
@@ -607,7 +607,7 @@ public class IndexAuditTrail extends AbstractComponent implements AuditTrail {
             final TransportClient transportClient = TransportClient.builder()
                     .settings(Settings.builder()
                             .put("name", DEFAULT_CLIENT_NAME + "-" + settings.get("name"))
-                            .put("path.home", environment.homeFile())
+                            .put("path.home", environment.binFile().getParent())
                             .putArray("plugin.types", ShieldPlugin.class.getName())
                             .put(clientSettings))
                     .build();
diff --git a/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserPasswdStore.java b/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserPasswdStore.java
index a44aca9c1b9..212d64789e5 100644
--- a/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserPasswdStore.java
+++ b/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserPasswdStore.java
@@ -94,7 +94,7 @@ public class FileUserPasswdStore {
         if (location == null) {
             return ShieldPlugin.resolveConfigFile(env, "users");
         }
-        return env.homeFile().resolve(location);
+        return env.binFile().getParent().resolve(location);
     }
 
     /**
diff --git a/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserRolesStore.java b/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserRolesStore.java
index 3bec4ed335e..455f4fb3e9d 100644
--- a/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserRolesStore.java
+++ b/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserRolesStore.java
@@ -88,7 +88,7 @@ public class FileUserRolesStore {
         if (location == null) {
             return ShieldPlugin.resolveConfigFile(env, "users_roles");
         }
-        return env.homeFile().resolve(location);
+        return env.binFile().getParent().resolve(location);
     }
 
     /**
diff --git a/shield/src/main/java/org/elasticsearch/shield/authc/pki/PkiRealm.java b/shield/src/main/java/org/elasticsearch/shield/authc/pki/PkiRealm.java
index 2b0633f84d6..df146a5dc54 100644
--- a/shield/src/main/java/org/elasticsearch/shield/authc/pki/PkiRealm.java
+++ b/shield/src/main/java/org/elasticsearch/shield/authc/pki/PkiRealm.java
@@ -148,7 +148,7 @@ public class PkiRealm extends Realm<X509AuthenticationToken> {
 
         String trustStoreAlgorithm = settings.get("truststore.algorithm", System.getProperty("ssl.TrustManagerFactory.algorithm", TrustManagerFactory.getDefaultAlgorithm()));
         TrustManager[] trustManagers;
-        try (InputStream in = Files.newInputStream(env.homeFile().resolve(truststorePath))) {
+        try (InputStream in = Files.newInputStream(env.binFile().getParent().resolve(truststorePath))) {
             // Load TrustStore
             KeyStore ks = KeyStore.getInstance("jks");
             ks.load(in, password.toCharArray());
diff --git a/shield/src/main/java/org/elasticsearch/shield/authc/support/DnRoleMapper.java b/shield/src/main/java/org/elasticsearch/shield/authc/support/DnRoleMapper.java
index a1bc524e4be..2ae57e97ceb 100644
--- a/shield/src/main/java/org/elasticsearch/shield/authc/support/DnRoleMapper.java
+++ b/shield/src/main/java/org/elasticsearch/shield/authc/support/DnRoleMapper.java
@@ -78,7 +78,7 @@ public class DnRoleMapper {
         if (location == null) {
             return ShieldPlugin.resolveConfigFile(env, DEFAULT_FILE_NAME);
         }
-        return env.homeFile().resolve(location);
+        return env.binFile().getParent().resolve(location);
     }
 
     /**
diff --git a/shield/src/main/java/org/elasticsearch/shield/authz/store/FileRolesStore.java b/shield/src/main/java/org/elasticsearch/shield/authz/store/FileRolesStore.java
index c8df6ffde4d..bb6708cd5b4 100644
--- a/shield/src/main/java/org/elasticsearch/shield/authz/store/FileRolesStore.java
+++ b/shield/src/main/java/org/elasticsearch/shield/authz/store/FileRolesStore.java
@@ -96,7 +96,7 @@ public class FileRolesStore extends AbstractLifecycleComponent<RolesStore> imple
             return ShieldPlugin.resolveConfigFile(env, "roles.yml");
         }
 
-        return env.homeFile().resolve(location);
+        return env.binFile().getParent().resolve(location);
     }
 
     public static ImmutableSet<String> parseFileForRoleNames(Path path, ESLogger logger) {
diff --git a/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java b/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java
index 9b114b8afb2..f05e154db46 100644
--- a/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java
+++ b/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java
@@ -123,7 +123,7 @@ public class InternalCryptoService extends AbstractLifecycleComponent<InternalCr
         if (location == null) {
             return ShieldPlugin.resolveConfigFile(env, FILE_NAME);
         }
-        return env.homeFile().resolve(location);
+        return env.binFile().getParent().resolve(location);
     }
 
     static SecretKey readSystemKey(Path file) {
diff --git a/shield/src/main/java/org/elasticsearch/shield/crypto/tool/SystemKeyTool.java b/shield/src/main/java/org/elasticsearch/shield/crypto/tool/SystemKeyTool.java
index 2d8da2f82d2..4e12a806df6 100644
--- a/shield/src/main/java/org/elasticsearch/shield/crypto/tool/SystemKeyTool.java
+++ b/shield/src/main/java/org/elasticsearch/shield/crypto/tool/SystemKeyTool.java
@@ -69,7 +69,7 @@ public class SystemKeyTool extends CliTool {
             if (args.length > 1) {
                 return exitCmd(ExitStatus.USAGE, terminal, "Too many arguments");
             }
-            Path path = args.length != 0 ? env.homeFile().resolve(args[0]) : null;
+            Path path = args.length != 0 ? env.binFile().getParent().resolve(args[0]) : null;
             return new Generate(terminal, path);
         }
 
diff --git a/shield/src/main/java/org/elasticsearch/shield/ssl/AbstractSSLService.java b/shield/src/main/java/org/elasticsearch/shield/ssl/AbstractSSLService.java
index ccb45571823..1e04560fc8d 100644
--- a/shield/src/main/java/org/elasticsearch/shield/ssl/AbstractSSLService.java
+++ b/shield/src/main/java/org/elasticsearch/shield/ssl/AbstractSSLService.java
@@ -238,7 +238,7 @@ public abstract class AbstractSSLService extends AbstractComponent {
         }
 
         private KeyStore readKeystore(String path, String password) throws Exception {
-            try (InputStream in = Files.newInputStream(env.homeFile().resolve(path))) {
+            try (InputStream in = Files.newInputStream(env.binFile().getParent().resolve(path))) {
                 // Load TrustStore
                 KeyStore ks = KeyStore.getInstance("jks");
                 assert password != null;
diff --git a/shield/src/test/java/org/elasticsearch/shield/authc/support/DnRoleMapperTests.java b/shield/src/test/java/org/elasticsearch/shield/authc/support/DnRoleMapperTests.java
index 57f38327996..76e4caaf8a6 100644
--- a/shield/src/test/java/org/elasticsearch/shield/authc/support/DnRoleMapperTests.java
+++ b/shield/src/test/java/org/elasticsearch/shield/authc/support/DnRoleMapperTests.java
@@ -85,7 +85,7 @@ public class DnRoleMapperTests extends ElasticsearchTestCase {
     @Test
     public void testMapper_AutoReload() throws Exception {
         Path roleMappingFile = getDataPath("role_mapping.yml");
-        Path file = env.homeFile().resolve("test_role_mapping.yml");
+        Path file = env.binFile().getParent().resolve("test_role_mapping.yml");
         Files.copy(roleMappingFile, file, StandardCopyOption.REPLACE_EXISTING);
 
         final CountDownLatch latch = new CountDownLatch(1);
@@ -125,7 +125,7 @@ public class DnRoleMapperTests extends ElasticsearchTestCase {
     @Test
     public void testMapper_AutoReload_WithParseFailures() throws Exception {
         Path roleMappingFile = getDataPath("role_mapping.yml");
-        Path file = env.homeFile().resolve("test_role_mapping.yml");
+        Path file = env.binFile().getParent().resolve("test_role_mapping.yml");
         Files.copy(roleMappingFile, file, StandardCopyOption.REPLACE_EXISTING);
 
         final CountDownLatch latch = new CountDownLatch(1);
diff --git a/shield/src/test/java/org/elasticsearch/shield/crypto/tool/SystemKeyToolTests.java b/shield/src/test/java/org/elasticsearch/shield/crypto/tool/SystemKeyToolTests.java
index 44760b0ec60..8342242f900 100644
--- a/shield/src/test/java/org/elasticsearch/shield/crypto/tool/SystemKeyToolTests.java
+++ b/shield/src/test/java/org/elasticsearch/shield/crypto/tool/SystemKeyToolTests.java
@@ -38,7 +38,8 @@ public class SystemKeyToolTests extends CliToolTestCase {
     public void init() throws Exception {
         terminal = mock(Terminal.class);
         env = mock(Environment.class);
-        when(env.homeFile()).thenReturn(createTempDir());
+        Path tmpDir = createTempDir();
+        when(env.binFile()).thenReturn(tmpDir.resolve("bin"));
     }
 
     @Test
diff --git a/watcher/src/main/java/org/elasticsearch/watcher/support/http/HttpClient.java b/watcher/src/main/java/org/elasticsearch/watcher/support/http/HttpClient.java
index 6b220f20517..c03bd31f5da 100644
--- a/watcher/src/main/java/org/elasticsearch/watcher/support/http/HttpClient.java
+++ b/watcher/src/main/java/org/elasticsearch/watcher/support/http/HttpClient.java
@@ -226,7 +226,7 @@ public class HttpClient extends AbstractLifecycleComponent<HttpClient> {
         if (keyStore == null) {
             return null;
         }
-        Path path = env.homeFile().resolve(keyStore);
+        Path path = env.binFile().getParent().resolve(keyStore);
         if (Files.notExists(path)) {
             return null;
         }
@@ -249,7 +249,7 @@ public class HttpClient extends AbstractLifecycleComponent<HttpClient> {
             // Load TrustStore
             KeyStore ks = null;
             if (trustStore != null) {
-                Path trustStorePath = env.homeFile().resolve(trustStore);
+                Path trustStorePath = env.binFile().getParent().resolve(trustStore);
                 if (Files.exists(trustStorePath)) {
                     ks = readKeystore(trustStorePath, trustStorePassword);
                 }