Usage of Elasticsearch Keystore for Search Guard Supported?

Hi folks,

do you already support usage of elasticsearch keystore for storing secrets required for configuration in the elasticsearch.yml such as passphrases for certificates?

Can I configure here the path to elasticsearch keystore file?

searchguard.ssl.transport.keystore_filepath

Thanks

Hi @Kosmonafft
Unfortunately Elasticsearch will not allow any values to be entered into elasticsearch-keystore that are not natively part of security. Therefore entering any settings to do with searchguard or any other external plugin will stop elasticsearch from starting.

Thanks for feedback.

Do you have a suggestion how I am able then to not have my private key passphrases in cleartext in elasticsearch.yaml:

searchguard.ssl.transport.pemkey_password: clear_text_password

There are two cases: passwords in Search Guard configuration files and passwords in Elasticsearch configuration files. In both cases, we recommend using environment variables.

In the case of SG configuration files, you can either use env variables on the nodes, or you can use env variables when uploading configuration changes with sgadmin:

Elasticsearch supports environment variables in the yaml configuration files as well:
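The reply above relies on Elasticsearch substituting `${VAR}` references in elasticsearch.yml. As an added example (not part of the original thread and not Search Guard code), this Python check flags secret-like settings that still hold a literal value or that reference an unset variable. The sample config values, the variable name `SG_PEMKEY_PASSWORD` and the function name `audit` are assumptions.

```python
import re

# Constructed sample config: the pemkey_password key is the one quoted in the
# thread; the values and the variable name SG_PEMKEY_PASSWORD are made up.
SAMPLE_YML = """\
cluster.name: demo
searchguard.ssl.transport.pemkey_filepath: node1.key
searchguard.ssl.transport.pemkey_password: clear_text_password
searchguard.ssl.http.pemkey_password: ${SG_PEMKEY_PASSWORD}
"""

# Setting names that look like they carry a secret.
SECRET_KEY = re.compile(r"(password|passphrase|secret)$", re.IGNORECASE)
# A value that consists only of one ${VAR} reference.
PLACEHOLDER = re.compile(r"^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$")

def audit(yml_text, env):
    """Return (key, problem) findings for secret-like flat settings."""
    findings = []
    for raw in yml_text.splitlines():
        line = raw.split(" #", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        value = value.strip("\"'")
        if not SECRET_KEY.search(key) or not value:
            continue
        match = PLACEHOLDER.match(value)
        if match is None:
            findings.append((key, "literal value in file"))
        elif match.group(1) not in env:
            findings.append((key, "unset variable " + match.group(1)))
    return findings

if __name__ == "__main__":
    import os
    for key, problem in audit(SAMPLE_YML, os.environ):
        print(f"{key}: {problem}")
```

It only handles flat `key: value` lines, which is how the settings in this thread are written; nested YAML would need a real parser.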

Ok thanks for the info.

I guess having secrets in env variables is the same as having them in clear text in config file (unless you store your config files somewhere for example in git and you want to hide the secrets there of course).
