diff --git a/docs/en/commands/index.asciidoc b/docs/en/commands/index.asciidoc index 69f279f90ff..69811a9fc8d 100644 --- a/docs/en/commands/index.asciidoc +++ b/docs/en/commands/index.asciidoc @@ -9,10 +9,12 @@ * <> * <> +* <> * <> -- include::certgen.asciidoc[] include::setup-passwords.asciidoc[] +include::syskeygen.asciidoc[] include::users-command.asciidoc[] diff --git a/docs/en/commands/syskeygen.asciidoc b/docs/en/commands/syskeygen.asciidoc new file mode 100644 index 00000000000..be8708ecd37 --- /dev/null +++ b/docs/en/commands/syskeygen.asciidoc 
@@ -0,0 +1,60 @@ +[role="xpack"] +[[syskeygen]] +== syskeygen + +The `syskeygen` command creates a system key file in +`CONFIG_DIR/x-pack/system_key`. You can then copy the generated system key to +the rest of the nodes in the cluster. + +//TBD: Why? What's its purpose? + +IMPORTANT: The system key is a symmetric key, so the same key must be on every +node in the cluster. You must also ensure that the file permissions are set +such that the key can be read by the user that {es} runs as. + +[float] +=== Synopsis + +[source,shell] +-------------------------------------------------- +bin/x-pack/syskeygen +[-E ] [-h, --help] +([-s, --silent] | [-v, --verbose]) +-------------------------------------------------- + +[float] +=== Description + +Encryption of sensitive data requires a key. For example, if you enable the +<>, +//TBD: Can we clarify what type of sensitive data is encrypted when this is enabled? +you must also create a system key file and place it in the secure setting store. +After you run the `syskeygen` command, run the +`elasticsearch-keystore add-file xpack.watcher.encryption_key ` +command. Finally, remove the `system_key` file from the filesystem. Repeat these +steps on every node in the cluster. + +//TBD: Are there other scenarios where you could use this system file? + +[float] +=== Parameters + +`-E `:: Configures a setting. + +`-h, --help`:: Returns all of the command parameters. + +`-s, --silent`:: Shows minimal output. + +`-v, --verbose`:: Shows verbose output. + +//// +[float] +=== Examples + +//TBD: What's an example of a -E value that we might use in this command? + +[source, sh] +-------------------------------------------------- +bin/x-pack/syskeygen +-------------------------------------------------- +//// diff --git a/docs/en/settings/notification-settings.asciidoc b/docs/en/settings/notification-settings.asciidoc index 9432cf96b63..65d536e7e7c 100644 --- a/docs/en/settings/notification-settings.asciidoc 
+++ b/docs/en/settings/notification-settings.asciidoc @@ -5,10 +5,16 @@ {watcher} Settings ++++ -You configure `xpack.notification` settings in `elasticsearch.yml` to -send set up {watcher} and send notifications via <>, -<>, <>, and <>. +You configure {watcher} settings to set up {watcher} and send notifications via +<>, +<>, +<>, and +<>. + +All of these settings can be added to the `elasticsearch.yml` configuration file, +with the exception of the secure settings, which you add to the {es} keystore. +For more information about creating and updating the {es} keystore, see +<>. [float] [[general-notification-settings]] @@ -16,6 +22,20 @@ Slack>>, and <>. `xpack.watcher.enabled`:: Set to `false` to disable {watcher} on the node. +`xpack.watcher.encrypt_sensitive_data` (<>):: +Set to `true` to encrypt sensitive data. If this setting is enabled, you +must also specify the `xpack.watcher.encryption_key` setting. +//TBD: Can we be more specific about what type of watcher data it's encrypting? + +`xpack.watcher.encryption_key` (<>):: +Specifies the path to a file that contains a key for encrypting sensitive data. +If `xpack.watcher.encrypt_sensitive_data` is set to `true`, this setting is +required. For example, to generate the key file, run the <> tool. +Then import the key into the secure setting store with the +`elasticsearch-keystore add-file xpack.watcher.encryption_key ` +command. Finally, remove the system_key file from the filesystem. Repeat this on +every node in the cluster. + `xpack.watcher.history.cleaner_service.enabled`:: Set to `false` (default) to disable the cleaner service, which removes previous versions of {watcher} indices (for example, .watcher-history*) when it
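Review bot: in the new syskeygen.asciidoc, the IMPORTANT block only says the key file must be readable by the user {es} runs as; because the system key is a symmetric secret used to encrypt sensitive {watcher} data, it should also say the file must not be readable by any other user, and the sentence "You can then copy the generated system key to the rest of the nodes" should state that the copy has to go over a secure channel. The three `//TBD` comments (purpose of the key, what data is encrypted, other uses) and the `////`-commented Examples section need to be resolved before merge, and the `-E` parameter entry "Configures a setting" should say what a setting is here (an {es} configuration setting) and the form the argument takes rather than leaving the reader to guess.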
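Review bot: in the first notification-settings.asciidoc hunk, "You configure {watcher} settings to set up {watcher} and send notifications" repeats the subject; suggest "You use {watcher} settings to configure {watcher} and to send notifications via ...". The added paragraph about `elasticsearch.yml` versus the keystore is a good addition and reads clearly as written.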
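Review bot: in the second notification-settings.asciidoc hunk, the `xpack.watcher.encryption_key` entry is internally inconsistent: it says the setting "Specifies the path to a file that contains a key", but the same entry then tells the reader to load the key into the secure settings store with `elasticsearch-keystore add-file xpack.watcher.encryption_key` and remove the file from the filesystem, so what the keystore holds is the key contents, not a path. Reword to say the setting holds the key itself, loaded from the generated `system_key` file with `add-file`. Also, `system_key` is unformatted here while syskeygen.asciidoc uses backticks, and the generate/import/remove procedure is duplicated almost verbatim from that page; a single cross-reference to the syskeygen page would keep the two copies from drifting. The `//TBD` about what watcher data is encrypted should be resolved before merge as well.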