IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› ›

elasticsearch-keystore

edit

elasticsearch-keystore

edit

The elasticsearch-keystore command manages secure settings in the Elasticsearch keystore.

Synopsis

edit

bin/elasticsearch-keystore
([add <setting>] [--stdin] |
[add-file <setting> <path>] | [create] |
[list] | [remove <setting>] | [upgrade])
[-h, --help] ([-s, --silent] | [-v, --verbose])

Description

edit

This command should be run as the user that will run Elasticsearch.

Currently, all secure settings are node-specific settings that must have the same value on every node. Therefore you must run this command on every node.

Modifications to the keystore do not take effect until you restart Elasticsearch.

Only some settings are designed to be read from the keystore. However, there is no validation to block unsupported settings from the keystore and they can cause Elasticsearch to fail to start. To see whether a setting is supported in the keystore, see the setting reference.

Parameters

edit

add <setting>: Adds settings to the keystore. By default, you are prompted for the value of the setting.
add-file <setting> <path>: Adds a file to the keystore.
create: Creates the keystore.
-h, --help: Returns all of the command parameters.
list: Lists the settings in the keystore.
remove <setting>: Removes a setting from the keystore.
-s, --silent: Shows minimal output.
--stdin: When used with the add parameter, you can pass the setting value through standard input (stdin). See Add settings to the keystore.
upgrade: Upgrades the internal format of the keystore.
-v, --verbose: Shows verbose output.

Examples

edit

Create the keystore

edit

To create the elasticsearch.keystore, use the create command:

bin/elasticsearch-keystore create

A elasticsearch.keystore file is created alongside the elasticsearch.yml file.

List settings in the keystore

edit

To list the settings in the keystore, use the list command.

bin/elasticsearch-keystore list

Add settings to the keystore

edit

Sensitive string settings, like authentication credentials for Cloud plugins, can be added with the add command:

bin/elasticsearch-keystore add the.setting.name.to.set

You are prompted to enter the value of the setting. To pass the value through standard input (stdin), use the --stdin flag:

cat /file/containing/setting/value | bin/elasticsearch-keystore add --stdin the.setting.name.to.set

Add files to the keystore

edit

You can add sensitive files, like authentication key files for Cloud plugins, using the add-file command. Be sure to include your file path as an argument after the setting name.

bin/elasticsearch-keystore add-file the.setting.name.to.set /path/example-file.json

Remove settings from the keystore

edit

To remove a setting from the keystore, use the remove command:

bin/elasticsearch-keystore remove the.setting.name.to.remove

Upgrade the keystore

edit

Occasionally, the internal format of the keystore changes. When Elasticsearch is installed from a package manager, an upgrade of the on-disk keystore to the new format is done during package upgrade. In other cases, Elasticsearch performs the upgrade during node startup. This requires that Elasticsearch has write permissions to the directory that contains the keystore. Alternatively, you can manually perform such an upgrade by using the upgrade command:

bin/elasticsearch-keystore upgrade

« Parameters elasticsearch-migrate »