Use Elastic Keystore for Searchguard configs

Hi,

Since I have already set up Search Guard for my Elastic cluster, I would like to set it up in production and I was wondering:

Can I use the Elasticsearch keystore, where I saved my passphrases for private keys, for Search Guard too? If not, where can I store the passphrases for private key files in Search Guard?

Thanks

Can I use the Elasticsearch keystore, where I saved my passphrases for private keys, for Search Guard too?

Search Guard doesn’t access the Elasticsearch keystore while reading its TLS option values from elasticsearch.yml.

But you can have your own keystore. Use keytool to create a keystore and truststore. Then configure the keystore and truststore in elasticsearch.yml.

If not, where can I store the passphrases for private key files in Search Guard?

You can store the passwords in any keychain app, for example, macOS keychain, Avast passwords, Keeper, etc.

But you can have your own keystore. Use keytool to create a keystore and truststore. Then configure the keystore and truststore in elasticsearch.yml.

Ok, but where do I put the password for the keystore? In the config? I was expecting that I can add the passphrases to the keystore too, like I can do using elasticsearch-keystore (Configure TLS | Elasticsearch Guide [8.11] | Elastic).

For example I can:

bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

and add the passphrase for the private key into the keystore. Using this, I do not need to provide it in clear text in my config files. So I was hoping to reuse it for Search Guard (since all the passwords are already there in my existing Elastic cluster) or to use something similar provided by Search Guard.

Right now I have the passphrases for the cluster certificates inside elasticsearch.yml, which I do not like.

Ok, now I see what you mean. You need to set the password in the config file for now.

This problem is a good candidate for the feature queue. But I can’t give you the estimated time of arrival for this feature right now.
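Since the passphrases have to live in elasticsearch.yml for now, a practical defensive step is to know exactly which settings in that file hold a literal secret. The following audit is an added example, not part of this thread or of Search Guard: it lists every password setting whose value is a clear-text literal, skipping comments, empty values and ${ENV_VAR} references (which Elasticsearch expands from the environment at startup), and runs over a constructed sample elasticsearch.yml embedded below.

```shell
#!/bin/sh
# Added example: audit an elasticsearch.yml for TLS/keystore passphrases
# stored as clear-text literals. Not code from the thread or from Search Guard.

# Print "LINE: KEY" for every *password* setting whose value is a literal.
# $1 = path to the elasticsearch.yml to inspect.
find_cleartext_passwords() {
  awk '
    /^[[:space:]]*#/ { next }                       # skip comment lines
    /^[[:space:]]*[A-Za-z0-9_.]*password[A-Za-z0-9_.]*:/ {
      key = $1; sub(/:$/, "", key)                  # setting name without colon
      val = $0; sub(/^[^:]*:[[:space:]]*/, "", val) # text after "key:"
      sub(/[[:space:]]+#.*$/, "", val)              # drop trailing comment
      gsub(/^["'\'']|["'\'']$/, "", val)            # drop surrounding quotes
      if (val == "") next                           # no value stored at all
      if (val ~ /^[$][{][A-Za-z_][A-Za-z0-9_]*[}]$/) next  # ${ENV} reference
      print NR ": " key
    }' "$1"
}

# Constructed sample elasticsearch.yml (not a real deployment).
demo_yml() {
  cat <<'EOF'
# constructed sample, values are placeholders
cluster.name: demo
searchguard.ssl.transport.pemkey_password: changeit
searchguard.ssl.http.pemkey_password: "changeit"
searchguard.ssl.transport.truststore_password: ${SG_TRUSTSTORE_PASS}
searchguard.ssl.transport.keystore_password:
# xpack.security.http.ssl.keystore.secure_password belongs in the ES keystore
EOF
}

# Write the sample to a temp file, audit it and print the findings.
audit_demo() {
  tmp=$(mktemp)
  demo_yml > "$tmp"
  find_cleartext_passwords "$tmp"
  rm -f "$tmp"
}

audit_demo
```

Only the two pemkey settings with literal values are reported; the truststore password that points at an environment variable and the empty keystore password are not.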

Thanks!

Maybe it is worth thinking about whether Search Guard could use the already existing Elasticsearch keystore. It would be much easier for people who are implementing Search Guard in an existing or production Elasticsearch cluster.

Thank you for the feedback.

Please also have a look here; this chapter explicitly deals with passwords in config files and outlines some solutions: Configuration variables | Security for Elasticsearch | Search Guard