Elasticsearch 8 Security Tutorial - Store credentials using keystore

In previous tutorials we configured security for making all elasticsearch communications secure using ssl. In previous tutorial we had configured elasticsearch.yml which stores sensitive information like keystore password in clear text. Such configurations require extra security measures, as standard filesystem permissions alone may not be enough. To address this, Elasticsearch offers a keystore feature along with the elasticsearch-keystore tool. It serves as a secure repository for sensitive configuration settings like passwords, API keys, and certificates. Operating like a vault, the keystore securely stores sensitive information in an encrypted format, protecting it from unauthorized access. This capability reduces the risk of accidental exposure or malicious exploitation of critical credentials. Elasticsearch uses the Java Cryptography Extension to encrypt the keystore, ensuring the highest level of data security. By utilizing the keystore, administrators can easily manage and update sensitive settings without having to modify configuration files directly. This approach reduces the likelihood of unintentional exposure, such as mistakenly committing secrets to version control systems or logs. One of the key advantages of Elasticsearch keystore is its ability to segregate sensitive information from the rest of the system. It compartmentalizes credentials in a dedicated location, minimizing the chances of leakage through inadvertent configuration errors or mismanagement.

Spring Boot 3 Security
Elasticsearch 8 Security Tutorial - Set password
Elasticsearch 8 Security Tutorial - Configuring SSL, TLS, and HTTPS 
Elasticsearch 8 Security Tutorial - Store credentials using keystore

Implementation

In previous tutorial, we created the elasticsearch.yml as follows-

# configure https
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.type: PKCS12
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.keystore.password: javainuse
xpack.security.http.ssl.client_authentication: required 

# configure tls
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.keystore.password: javainuse
xpack.security.transport.ssl.client_authentication: required

Not all properties mentioned above can be moved to elasticsearch keystore. Only the properties mentioned in the Security settings in Elasticsearch. In the security settings page, the property xpack.security.http.ssl.keystore.password is not mentioned as secure. There is another similar property xpack.security.http.ssl.keystore.secure_password which is mentioned as secure and so can be moved to keystore. The elasticsearch.yml will be as follows -

# configure https
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.type: PKCS12
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.keystore.secure_password: javainuse
xpack.security.http.ssl.client_authentication: required 

# configure tls
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.keystore.secure_password: javainuse
xpack.security.transport.ssl.client_authentication: required

Open the command prompt as an admin. Go to the elasticsearch bin folder and type the following command

elasticsearch.bat

We get the exception as follows which suggests us to move the secure properties to the keystore -

Let us add the secure property - xpack.security.http.ssl.keystore.secure_password to elasticsearch keystore

elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

Similarly add the secure property - xpack.security.transport.ssl.keystore.secure_password to elasticsearch keystore

elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

We can list the available properties stored in the keystore

elasticsearch-keystore list

Also now the elasticsearch.yml will not have the password properties. So they will be as follows-

# configure https
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.type: PKCS12
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.client_authentication: optional 

# configure tls
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.client_authentication: optional

If we now start elasticsearch instance as follows it start good.

elasticsearch.bat