[[secure-settings]]
=== Secure settings

Some settings are sensitive, and relying on filesystem permissions to protect
their values is not sufficient. For this use case, Elasticsearch provides a
keystore and the `elasticsearch-keystore` tool to manage the settings in the keystore.

NOTE: All commands here should be run as the user which will run Elasticsearch.

NOTE: Only some settings are designed to be read from the keystore. See
documentation for each setting to see if it is supported as part of the keystore.

NOTE: All the modifications to the keystore take affect only after restarting
Elasticsearch.

NOTE: The elasticsearch keystore currently only provides obfuscation. In the future,
password protection will be added.

These settings, just like the regular ones in the `elasticsearch.yml` config file,
need to be specified on each node in the cluster. Currently, all secure settings
are node-specific settings that must have the same value on every node.

[float]
[[creating-keystore]]
=== Creating the keystore

To create the `elasticsearch.keystore`, use the `create` command:

[source,sh]
----------------------------------------------------------------
bin/elasticsearch-keystore create
----------------------------------------------------------------

The file `elasticsearch.keystore` will be created alongside `elasticsearch.yml`.

[float]
[[list-settings]]
=== Listing settings in the keystore

A list of the settings in the keystore is available with the `list` command:

[source,sh]
----------------------------------------------------------------
bin/elasticsearch-keystore list
----------------------------------------------------------------

[float]
[[add-string-to-keystore]]
=== Adding string settings

Sensitive string settings, like authentication credentials for cloud
plugins, can be added using the `add` command:

[source,sh]
----------------------------------------------------------------
bin/elasticsearch-keystore add the.setting.name.to.set
----------------------------------------------------------------

The tool will prompt for the value of the setting. To pass the value
through stdin, use the `--stdin` flag:

[source,sh]
----------------------------------------------------------------
cat /file/containing/setting/value | bin/elasticsearch-keystore add --stdin the.setting.name.to.set
----------------------------------------------------------------

[float]
[[remove-settings]]
=== Removing settings

To remove a setting from the keystore, use the `remove` command:

[source,sh]
----------------------------------------------------------------
bin/elasticsearch-keystore remove the.setting.name.to.remove
----------------------------------------------------------------