Setting WatcherField ENCRYPTION KEY SETTING getKey must be set in keystore – How to solve this Elasticsearch exception

Opster Team

August-23, Version: 7.3-8.9

Before you dig into reading this guide, have you tried asking OpsGPT what this log means? You’ll receive a customized analysis of your log.

Try OpsGPT now for step-by-step guidance and tailored insights into your Elasticsearch operation.

Briefly, this error occurs when the encryption key for the Watcher feature in Elasticsearch is not set in the keystore. The keystore is a secure place to store sensitive settings such as passwords and encryption keys. To resolve this issue, you need to add the encryption key to the Elasticsearch keystore. You can do this by using the ‘elasticsearch-keystore add’ command followed by the key name. After adding the key, you need to restart Elasticsearch for the changes to take effect.

For a complete solution to your to your search operation, try for free AutoOps for Elasticsearch & OpenSearch . With AutoOps and Opster’s proactive support, you don’t have to worry about your search operation – we take charge of it. Get improved performance & stability with less hardware.

This guide will help you check for common problems that cause the log ” setting [” + WatcherField.ENCRYPTION_KEY_SETTING.getKey() + “] must be set in keystore ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin.

Log Context

Log “setting [” + WatcherField.ENCRYPTION_KEY_SETTING.getKey() + “] must be set in keystore” class name is We extracted the following from Elasticsearch source code for those seeking an in-depth context :

 throw new IllegalArgumentException("invalid key length [" + keyLength + "]. value must be a multiple of 8");
 }  try (InputStream in = WatcherField.ENCRYPTION_KEY_SETTING.get(settings)) {
 if (in == null) {
 throw new ElasticsearchException("setting [" + WatcherField.ENCRYPTION_KEY_SETTING.getKey() + "] must be set in keystore");
 SecretKey systemKey = readSystemKey(in);
 try {
 encryptionKey = encryptionKey(systemKey; keyLength; keyAlgorithm);
 } catch (NoSuchAlgorithmException nsae) {


How helpful was this guide?

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Get expert answers on Elasticsearch/OpenSearch