Elasticsearch Implementing Elasticsearch Encryption at Rest

By Opster Team

Updated: Jul 20, 2023

| 2 min read


Elasticsearch encryption at rest is a crucial security feature that protects sensitive data from unauthorized access. It ensures that data stored on disk is unreadable without the correct encryption keys. This article will delve into the details of implementing Elasticsearch encryption at rest, including the necessary configurations and best practices.

Understanding the Importance of Encryption at Rest

Encryption at rest is a critical aspect of data security. It protects your data from being accessed or stolen by unauthorized individuals when it’s stored, or “at rest”. This is particularly important for Elasticsearch clusters, which often hold sensitive data. Without encryption at rest, if an attacker gains physical access to the storage where data is held, they could potentially read and misuse it.

Configuring Elasticsearch for Encryption at Rest

Elasticsearch uses the Transparent Data Encryption (TDE) method for encryption at rest. This method encrypts data before it’s written to disk and decrypts it when read. To enable encryption at rest in Elasticsearch, you need to configure it in the Elasticsearch.yml file.

Here are the step-by-step instructions:

1. Open the Elasticsearch.yml file in a text editor. This file is usually located in the /etc/elasticsearch directory.

2. Add the following lines to the file:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

3. Save and close the file.

4. Restart Elasticsearch for the changes to take effect.

The above configuration enables SSL for transport between nodes in the cluster and specifies the path to the keystore and truststore files. These files contain the encryption keys used for encryption and decryption.

Generating Certificates for Encryption

To implement encryption at rest, you need to generate certificates that will be used for encryption. Elasticsearch provides a tool called elasticsearch-certutil for this purpose. Here’s how to use it:

1. Navigate to the Elasticsearch home directory.

2. Run the following command to generate a certificate:

./bin/elasticsearch-certutil cert --out certs/elastic-certificates.p12 --pass ""

This command generates a .p12 certificate file and stores it in the certs directory. The –pass “” option specifies that the certificate should not be password protected.

Best Practices for Elasticsearch Encryption at Rest

While implementing encryption at rest, it’s important to follow best practices to ensure optimal security. Here are some recommendations:

  • Regularly rotate encryption keys: Regularly changing encryption keys reduces the risk of an attacker decrypting your data.
  • Use strong encryption algorithms: Elasticsearch supports several encryption algorithms. Always choose the strongest one available.
  • Protect your encryption keys: Store your encryption keys securely and limit access to them. If an attacker gains access to your keys, they can decrypt your data.
  • Enable encryption at rest for all data: Make sure to encrypt all data, not just sensitive data. This provides an additional layer of security and makes it harder for an attacker to determine which data is valuable.


In conclusion, encryption at rest is a vital security measure for protecting data in Elasticsearch. By following the steps and best practices outlined in this article, you can effectively implement this feature and enhance the security of your Elasticsearch clusters.

How helpful was this guide?

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?