[[encrypting-data]] == Encrypting Sensitive Data in {watcher} Watches might have access to sensitive data such as HTTP basic authentication information or details about your SMTP email service. You can encrypt this data by generating a key and adding some secure settings on each node in your cluster. Every `password` field that is used in your watch within an HTTP basic authentication block - for example within a webhook, an HTTP input or when using the reporting email attachment - will not be stored as plain text anymore. Also be aware, that there is no way to configure your own fields in a watch to be encrypted. To encrypt sensitive data in {watcher}: . Use the {ref}/syskeygen.html[elasticsearch-syskeygen] command to create a system key file. . Copy the `system_key` file to all of the nodes in your cluster. + -- IMPORTANT: The system key is a symmetric key, so the same key must be used on every node in the cluster. -- . Set the {ref}/notification-settings.html[`xpack.watcher.encrypt_sensitive_data` setting]: + -- [source,sh] ---------------------------------------------------------------- xpack.watcher.encrypt_sensitive_data: true ---------------------------------------------------------------- -- . Set the {ref}/notification-settings.html[`xpack.watcher.encryption_key` setting] in the {ref}/secure-settings.html[{es} keystore] on each node in the cluster. + -- For example, run the following command to import the `system_key` file on each node: [source,sh] ---------------------------------------------------------------- bin/elasticsearch-keystore add-file xpack.watcher.encryption_key /system_key ---------------------------------------------------------------- -- . Delete the `system_key` file on each node in the cluster. NOTE: Existing watches are not affected by these changes. Only watches that you create after following these steps have encryption enabled.