elasticsearch-keystoreedit
The elasticsearch-keystore
command manages secure settings
in the Elasticsearch keystore.
Synopsisedit
bin/elasticsearch-keystore ([add <settings>] [-f] [--stdin] | [add-file (<setting> <path>)+] | [create] [-p] | [list] | [passwd] | [remove <setting>] | [upgrade]) [-h, --help] ([-s, --silent] | [-v, --verbose])
Descriptionedit
This command should be run as the user that will run Elasticsearch.
Currently, all secure settings are node-specific settings that must have the same value on every node. Therefore you must run this command on every node.
When the keystore is password-protected, you must supply the password each time Elasticsearch starts.
Modifications to the keystore do not take effect until you restart Elasticsearch.
Only some settings are designed to be read from the keystore. However, there is no validation to block unsupported settings from the keystore and they can cause Elasticsearch to fail to start. To see whether a setting is supported in the keystore, see the setting reference.
Parametersedit
-
add <settings>
-
Adds settings to the keystore. Multiple setting names can be
specified as arguments to the
add
command. By default, you are prompted for the values of the settings. If the keystore is password protected, you are also prompted to enter the password. If a setting already exists in the keystore, you must confirm that you want to overwrite the current value. If the keystore does not exist, you must confirm that you want to create a keystore. To avoid these two confirmation prompts, use the-f
parameter. -
add-file (<setting> <path>)+
- Adds files to the keystore.
-
create
- Creates the keystore.
-
-f, --force
-
When used with the
add
parameter, the command no longer prompts you before overwriting existing entries in the keystore. Also, if you haven’t created a keystore yet, it creates a keystore that is obfuscated but not password protected. -
-h, --help
- Returns all of the command parameters.
-
list
- Lists the settings in the keystore. If the keystore is password protected, you are prompted to enter the password.
-
-p
-
When used with the
create
parameter, the command prompts you to enter a keystore password. If you don’t specify the-p
flag or if you enter an empty password, the keystore is obfuscated but not password protected. -
passwd
- Changes or sets the keystore password. If the keystore is password protected, you are prompted to enter the current password and the new one. You can optionally use an empty string to remove the password. If the keystore is not password protected, you can use this command to set a password.
-
remove <settings>
-
Removes settings from the keystore. Multiple setting
names can be specified as arguments to the
remove
command. -
-s, --silent
- Shows minimal output.
-
-x, --stdin
-
When used with the
add
parameter, you can pass the settings values through standard input (stdin). Separate multiple values with carriage returns or newlines. See Add settings to the keystore. -
upgrade
- Upgrades the internal format of the keystore.
-
-v, --verbose
- Shows verbose output.
Examplesedit
Create the keystoreedit
To create the elasticsearch.keystore
, use the create
command:
bin/elasticsearch-keystore create -p
You are prompted to enter the keystore password. A password-protected
elasticsearch.keystore
file is created alongside the elasticsearch.yml
file.
Change the password of the keystoreedit
To change the password of the elasticsearch.keystore
, use the passwd
command:
bin/elasticsearch-keystore passwd
If the Elasticsearch keystore is password protected, you are prompted to enter the current password and then enter the new one. If it is not password protected, you are prompted to set a password.
List settings in the keystoreedit
To list the settings in the keystore, use the list
command.
bin/elasticsearch-keystore list
If the Elasticsearch keystore is password protected, you are prompted to enter the password.
Add settings to the keystoreedit
Sensitive string settings, like authentication credentials for Cloud plugins,
can be added with the add
command:
bin/elasticsearch-keystore add the.setting.name.to.set
You are prompted to enter the value of the setting. If the Elasticsearch keystore is password protected, you are also prompted to enter the password.
You can also add multiple settings with the add
command:
bin/elasticsearch-keystore add \ the.setting.name.to.set \ the.other.setting.name.to.set
You are prompted to enter the values of the settings. If the Elasticsearch keystore is password protected, you are also prompted to enter the password.
To pass the settings values through standard input (stdin), use the --stdin
flag:
cat /file/containing/setting/value | bin/elasticsearch-keystore add --stdin the.setting.name.to.set
Values for multiple settings must be separated by carriage returns or newlines.
Add files to the keystoreedit
You can add sensitive files, like authentication key files for Cloud plugins,
using the add-file
command. Settings and file paths are specified in pairs
consisting of setting path
.
bin/elasticsearch-keystore add-file the.setting.name.to.set /path/example-file.json
You can add multiple files with the add-file
command:
bin/elasticsearch-keystore add-file \ the.setting.name.to.set /path/example-file.json \ the.other.setting.name.to.set /path/other-example-file.json
If the Elasticsearch keystore is password protected, you are prompted to enter the password.
Remove settings from the keystoreedit
To remove a setting from the keystore, use the remove
command:
bin/elasticsearch-keystore remove the.setting.name.to.remove
You can also remove multiple settings with the remove
command:
bin/elasticsearch-keystore remove \ the.setting.name.to.remove \ the.other.setting.name.to.remove
If the Elasticsearch keystore is password protected, you are prompted to enter the password.
Upgrade the keystoreedit
Occasionally, the internal format of the keystore changes. When Elasticsearch is
installed from a package manager, an upgrade of the on-disk keystore to the new
format is done during package upgrade. In other cases, Elasticsearch performs the upgrade
during node startup. This requires that Elasticsearch has write permissions to the
directory that contains the keystore. Alternatively, you can manually perform
such an upgrade by using the upgrade
command:
bin/elasticsearch-keystore upgrade