Hiding the keystore password

Hi,

How can I hide the keystore and truststore password so that it is not shown in plain text in the elasticsearch.yml file?

######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.keystore_filepath: ./certs/keystore.jks
searchguard.ssl.transport.truststore_filepath: ./certs/truststore.jks
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.keystore_password: passw0rd1!
searchguard.ssl.transport.truststore_password: passw0rd1!

Put them into an env variable, for example:

https://www.elastic.co/guide/en/elasticsearch/reference/current/settings.html

···

On 09.10.2017 at 14:41, ihjaz Mohamed <ihjazmohamed@gmail.com> wrote:

Hi,

How can I hide the keystore and truststore password so that it is not shown in plain text in the elasticsearch.yml file?

######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.keystore_filepath: ./certs/keystore.jks
searchguard.ssl.transport.truststore_filepath: ./certs/truststore.jks
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.keystore_password: passw0rd1!
searchguard.ssl.transport.truststore_password: passw0rd1!

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/1024840b-7c21-4f80-8714-3c940a206543%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

I'm starting the elasticsearch as a service using systemctl and I need to specify the environment variable in the systemd folder. So I end up specifying the environment variable as below in the systemd folder, which again can be seen in plain text. Is there a way to set the value, start the service and then unset the value?

[Service]
Environment="PASSPHRASE=passw0rd1!"

···

On Monday, October 9, 2017 at 6:12:52 PM UTC+5:30, Search Guard wrote:

Put them into an env variable, for example:

https://www.elastic.co/guide/en/elasticsearch/reference/current/settings.html

That's a general Linux question and not SG-specific/related.

Besides env vars and system properties, there is currently no other way to specify properties.
As a mid-term solution we plan to add support for HashiCorp Vault, but that's not short-term.

···

On 09.10.2017 at 15:14, ihjaz Mohamed <ihjazmohamed@gmail.com> wrote:

I'm starting the elasticsearch as a service using systemctl and I need to specify the environment variable in the systemd folder. So I end up specifying the environment variable as below in the systemd folder, which again can be seen in plain text. Is there a way to set the value, start the service and then unset the value?

[Service]
Environment="PASSPHRASE=passw0rd1!"

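One way to apply the environment-variable approach from this thread under systemd, as an added example that is not from the thread or from Search Guard: keep the passwords in a root-only file referenced by `EnvironmentFile=` instead of an inline `Environment=` line, and reference them from elasticsearch.yml with `${...}` substitution. The variable names, the file names `searchguard.env` and `searchguard-secrets.conf`, and the unit name `elasticsearch.service` are assumptions.

```shell
#!/bin/sh
# Added example. Hypothetical names: SG_KEYSTORE_PASS, SG_TRUSTSTORE_PASS,
# searchguard.env, searchguard-secrets.conf. Assumes unit elasticsearch.service.

# write_sg_secret_files ROOT
# Reads two lines from stdin (keystore password, then truststore password) so
# the secrets never appear in argv or shell history, then writes under ROOT:
#   etc/elasticsearch/searchguard.env  (mode 0600, the only file with secrets)
#   etc/systemd/system/elasticsearch.service.d/searchguard-secrets.conf
# ROOT is "" on a real host (run as root) or a scratch directory for a dry run.
write_sg_secret_files() {
    root=$1
    env_file="$root/etc/elasticsearch/searchguard.env"
    dropin_dir="$root/etc/systemd/system/elasticsearch.service.d"

    IFS= read -r ks_pass || :
    IFS= read -r ts_pass || :
    [ -n "$ks_pass" ] && [ -n "$ts_pass" ] || return 1

    mkdir -p "$(dirname "$env_file")" "$dropin_dir" || return 1

    # Recreate the secrets file under a restrictive umask so it is never
    # group- or world-readable, not even between creation and chmod.
    (
        umask 077
        rm -f "$env_file"
        printf 'SG_KEYSTORE_PASS=%s\nSG_TRUSTSTORE_PASS=%s\n' \
            "$ks_pass" "$ts_pass" > "$env_file"
    ) || return 1
    chmod 600 "$env_file"

    # The drop-in holds only a path. systemd reads EnvironmentFile= itself
    # before starting the service, so root-only permissions are sufficient.
    printf '[Service]\nEnvironmentFile=/etc/elasticsearch/searchguard.env\n' \
        > "$dropin_dir/searchguard-secrets.conf"
}

# sg_yml_settings: the elasticsearch.yml lines that replace the literal
# passwords; Elasticsearch substitutes ${VAR} from its environment at startup.
sg_yml_settings() {
    printf '%s\n' \
        'searchguard.ssl.transport.keystore_password: ${SG_KEYSTORE_PASS}' \
        'searchguard.ssl.transport.truststore_password: ${SG_TRUSTSTORE_PASS}'
}
```

On a real host, run `systemctl daemon-reload` and restart the service after writing the files. The values remain readable by root and by the service user through the process environment while Elasticsearch runs, so this keeps the secret out of elasticsearch.yml and the unit file rather than hiding it from root.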