Setting WatcherField ENCRYPTION KEY SETTING getKey must be set in keystore – How to solve this Elasticsearch exception

Opster Team

August-23, Version: 7.3-8.9

Briefly, this error occurs when the encryption key for the Watcher feature in Elasticsearch is not set in the keystore. The keystore is a secure place to store sensitive settings such as passwords and encryption keys. To resolve this issue, you need to add the encryption key to the Elasticsearch keystore. You can do this by using the ‘elasticsearch-keystore add’ command followed by the key name. After adding the key, you need to restart Elasticsearch for the changes to take effect.

This guide will help you check for common problems that cause the log "setting [" + WatcherField.ENCRYPTION_KEY_SETTING.getKey() + "] must be set in keystore" to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin.

Log Context

Log "setting [" + WatcherField.ENCRYPTION_KEY_SETTING.getKey() + "] must be set in keystore" class name is We extracted the following from Elasticsearch source code for those seeking an in-depth context:

        throw new IllegalArgumentException("invalid key length [" + keyLength + "]. value must be a multiple of 8");
    }

    // The encryption key is read from the keystore as a stream
    try (InputStream in = WatcherField.ENCRYPTION_KEY_SETTING.get(settings)) {
        if (in == null) {
            // No key in the keystore: this is the exception this guide covers
            throw new ElasticsearchException("setting [" + WatcherField.ENCRYPTION_KEY_SETTING.getKey() + "] must be set in keystore");
        }
        SecretKey systemKey = readSystemKey(in);
        try {
            encryptionKey = encryptionKey(systemKey, keyLength, keyAlgorithm);
        } catch (NoSuchAlgorithmException nsae) {
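A pre-flight check for the condition in the excerpt above, added here as an example and not taken from the Elasticsearch source or from this guide's authors. It assumes the setting names from Elastic's Watcher documentation (`xpack.watcher.encryption_key`, required when `xpack.watcher.encrypt_sensitive_data` is `true`), a flat-form `elasticsearch.yml`, and that the key is loaded with `add-file` because the code reads it as a stream; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Elasticsearch code base): pre-flight check for
# the Watcher encryption key. Assumes the flat "a.b.c: value" YAML form.
KEY_SETTING='xpack.watcher.encryption_key'
FLAG_SETTING='xpack.watcher.encrypt_sensitive_data'
FLAG_RE='^[[:space:]]*xpack\.watcher\.encrypt_sensitive_data[[:space:]]*:[[:space:]]*true[[:space:]]*(#.*)?$'

# encryption_enabled YML_FILE: succeeds if the flag is set to true
# (commented-out lines do not count).
encryption_enabled() {
    grep -Eq "$FLAG_RE" "$1"
}

# key_in_keystore LIST_FILE: succeeds if the key name appears in the saved
# output of `bin/elasticsearch-keystore list` (one setting name per line).
key_in_keystore() {
    grep -Fxq "$KEY_SETTING" "$1"
}

# watcher_key_check YML_FILE LIST_FILE
# Returns 0 if the node can start, 1 if it would hit "must be set in keystore".
watcher_key_check() {
    if ! encryption_enabled "$1"; then
        echo "OK: $FLAG_SETTING is not true, no key required"
        return 0
    fi
    if key_in_keystore "$2"; then
        echo "OK: $KEY_SETTING is present in the keystore"
        return 0
    fi
    {
        echo "FAIL: $FLAG_SETTING is true but $KEY_SETTING is not in the keystore"
        echo "Fix on every node, then restart it:"
        echo "  bin/elasticsearch-syskeygen    # create system_key once, copy to each node"
        echo "  bin/elasticsearch-keystore add-file $KEY_SETTING <path>/system_key"
    } >&2
    return 1
}

# Live check, only when ES_HOME points at an installation.
# A password-protected keystore will prompt when listed.
if [ -n "${ES_HOME:-}" ]; then
    list=$(mktemp)
    "$ES_HOME/bin/elasticsearch-keystore" list > "$list"
    rc=0
    watcher_key_check "${ES_PATH_CONF:-$ES_HOME/config}/elasticsearch.yml" "$list" || rc=$?
    rm -f "$list"
    exit "$rc"
fi
```

Run it with `ES_HOME` exported on each node before a restart; the keystore listing shows setting names only, never the key material.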

