Implementing Elasticsearch Encryption at Rest

By Opster Team

Updated: Jul 20, 2023


Elasticsearch encryption at rest is a crucial security feature that protects sensitive data from unauthorized access. It ensures that data stored on disk is unreadable without the correct encryption keys. This article will delve into the details of implementing Elasticsearch encryption at rest, including the necessary configurations and best practices.

Understanding the Importance of Encryption at Rest

Encryption at rest is a critical aspect of data security. It protects your data from being accessed or stolen by unauthorized individuals when it’s stored, or “at rest”. This is particularly important for Elasticsearch clusters, which often hold sensitive data. Without encryption at rest, if an attacker gains physical access to the storage where data is held, they could potentially read and misuse it.

Configuring Elasticsearch for Encryption at Rest

Elasticsearch uses the Transparent Data Encryption (TDE) method for encryption at rest. This method encrypts data before it’s written to disk and decrypts it when read. To enable encryption at rest in Elasticsearch, you need to configure it in the elasticsearch.yml file.

Here are the step-by-step instructions:

1. Open the elasticsearch.yml file in a text editor. This file is usually located in the /etc/elasticsearch directory.

2. Add the following lines to the file:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

3. Save and close the file.

4. Restart Elasticsearch for the changes to take effect.

The above configuration enables TLS for transport between nodes in the cluster and specifies the path to the keystore and truststore files. The keystore holds the node’s private key and certificate, and the truststore holds the certificates used to verify other nodes; here both settings point to the same PKCS#12 file.
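The five settings above turn on TLS for node-to-node transport, which encrypts data in transit and authenticates nodes; they do not by themselves encrypt the index files on disk, for which Elastic documents operating-system or volume level disk encryption (dm-crypt and similar) as the mechanism. Either way, the settings are easy to get wrong by hand (a duplicated key, a stale verification_mode: none left behind), so here is an added example, not code from the article or from Elastic, that sets each key idempotently in a flat elasticsearch.yml and then verifies the result. The function names and the flat "key: value" layout are assumptions; run it against a copy, never against the live file without a backup.

```shell
#!/bin/sh
# Added example (not from the original article): idempotently set the
# transport-TLS settings in elasticsearch.yml and verify they are present.
# Assumption: a flat "key: value" layout, as in the article's snippet.

# ensure_setting FILE KEY VALUE
# Rewrite an existing "KEY: ..." line or append one, so re-running is safe.
ensure_setting() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${key}:" "$file"; then
        tmp="${file}.tmp.$$"   # portable in-place edit (no GNU sed -i)
        awk -v k="$key" -v v="$value" '
            index($0, k ":") == 1 { print k ": " v; next }
            { print }
        ' "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s: %s\n' "$key" "$value" >> "$file"
    fi
}

# get_setting FILE KEY -> prints the value with surrounding blanks and
# trailing "# comment" removed (empty output when the key is absent)
get_setting() {
    awk -v k="$2" '
        index($0, k ":") == 1 {
            v = substr($0, length(k) + 2)
            sub(/^[ \t]+/, "", v); sub(/[ \t]*#.*$/, "", v)
            print v; exit
        }' "$1"
}

# verify_transport_tls FILE -> 0 when security and transport TLS are on,
# verification_mode is certificate or full (never none), and both the
# keystore and truststore paths are set; prints one FAIL line per problem
verify_transport_tls() {
    file=$1; rc=0
    for pair in "xpack.security.enabled=true" \
                "xpack.security.transport.ssl.enabled=true"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(get_setting "$file" "$key")
        [ "$got" = "$want" ] || { echo "FAIL $key: got '${got:-<unset>}', want '$want'"; rc=1; }
    done
    mode=$(get_setting "$file" xpack.security.transport.ssl.verification_mode)
    case "$mode" in
        certificate|full) ;;
        *) echo "FAIL verification_mode: '${mode:-<unset>}' (expected certificate or full)"; rc=1 ;;
    esac
    for key in xpack.security.transport.ssl.keystore.path \
               xpack.security.transport.ssl.truststore.path; do
        [ -n "$(get_setting "$file" "$key")" ] || { echo "FAIL $key is unset"; rc=1; }
    done
    return $rc
}

# Demo on a constructed copy: starts from a file with an insecure
# verification_mode and applies the article's five settings.
demo_run() {
    d=$(mktemp -d); cfg="$d/elasticsearch.yml"
    printf 'cluster.name: demo\nxpack.security.transport.ssl.verification_mode: none\n' > "$cfg"
    verify_transport_tls "$cfg" || echo "(before) transport TLS not configured"
    ensure_setting "$cfg" xpack.security.enabled true
    ensure_setting "$cfg" xpack.security.transport.ssl.enabled true
    ensure_setting "$cfg" xpack.security.transport.ssl.verification_mode certificate
    ensure_setting "$cfg" xpack.security.transport.ssl.keystore.path certs/elastic-certificates.p12
    ensure_setting "$cfg" xpack.security.transport.ssl.truststore.path certs/elastic-certificates.p12
    verify_transport_tls "$cfg" && echo "(after) transport TLS settings OK"
    rm -rf "$d"
}
demo_run
```

verify_transport_tls deliberately rejects verification_mode: none, since that value keeps the wire encrypted but stops nodes from checking each other's certificates; certificate (the article's choice) or full are the values that give you authentication as well.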

Generating Certificates for Encryption

To implement encryption at rest, you need to generate certificates that will be used for encryption. Elasticsearch provides a tool called elasticsearch-certutil for this purpose. Here’s how to use it:

1. Navigate to the Elasticsearch home directory.

2. Run the following command to generate a certificate:

./bin/elasticsearch-certutil cert --out certs/elastic-certificates.p12 --pass ""

This command generates a .p12 certificate file and stores it in the certs directory. The --pass "" option specifies that the PKCS#12 file should not be password protected.

Best Practices for Elasticsearch Encryption at Rest

While implementing encryption at rest, it’s important to follow best practices to ensure optimal security. Here are some recommendations:

  • Regularly rotate encryption keys: Regularly changing encryption keys reduces the risk of an attacker decrypting your data.
  • Use strong encryption algorithms: Elasticsearch supports several encryption algorithms. Always choose the strongest one available.
  • Protect your encryption keys: Store your encryption keys securely and limit access to them. If an attacker gains access to your keys, they can decrypt your data.
  • Enable encryption at rest for all data: Make sure to encrypt all data, not just sensitive data. This provides an additional layer of security and makes it harder for an attacker to determine which data is valuable.
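Two of the recommendations above, protecting the key material and limiting access to it, can be checked mechanically. The PKCS#12 file produced by elasticsearch-certutil contains the node's private key, and the article's --pass "" leaves it unencrypted, so file ownership and permissions are the only thing standing between that key and any other local account; and if a keystore password is set, it belongs in the Elasticsearch keystore (bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password) rather than in clear text in elasticsearch.yml. The following is an added example, not code from the article or from Elastic, with assumed function names; OWNER is whatever user your Elasticsearch service runs as, and the demo uses a constructed empty stand-in file rather than a real keystore.

```shell
#!/bin/sh
# Added example (not from the original article): checks that the PKCS#12
# key material referenced from elasticsearch.yml is protected.
# Assumptions: POSIX sh with find/ls/awk; OWNER is the Elasticsearch user.

# keystore_perms_ok FILE OWNER -> 0 when FILE exists, is owned by OWNER and
# carries no group or other read bit; prints a FAIL line otherwise
keystore_perms_ok() {
    f=$1; owner=$2
    [ -f "$f" ] || { echo "FAIL $f: missing"; return 1; }
    actual=$(ls -ld "$f" | awk '{ print $3 }')
    [ "$actual" = "$owner" ] || { echo "FAIL $f: owned by $actual, expected $owner"; return 1; }
    # POSIX find: -perm -040 = group-readable, -perm -004 = world-readable
    if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "FAIL $f: readable by group or others"; return 1
    fi
    return 0
}

# harden_keystore FILE OWNER -> owner read/write only, then re-check.
# (Fixing ownership needs root: chown OWNER FILE; not attempted here.)
harden_keystore() {
    chmod 600 "$1" && keystore_perms_ok "$1" "$2"
}

# plaintext_password_settings YML -> 0 when no SSL keystore/truststore
# password is stored in clear text in YML; otherwise lists the lines and
# returns 1 (use the *.secure_password settings in the Elasticsearch
# keystore instead)
plaintext_password_settings() {
    hits=$(grep -n -E '^xpack\.security\.[a-z.]*ssl\.(keystore|truststore)\.password:' "$1" || true)
    [ -z "$hits" ] && return 0
    echo "FAIL plaintext SSL password setting(s) in $1:"
    echo "$hits"
    return 1
}

# Demo on constructed files: a world-readable stand-in keystore and a
# config carrying a clear-text password.
demo_run() {
    d=$(mktemp -d); me=$(id -un)
    p="$d/elastic-certificates.p12"
    : > "$p"; chmod 644 "$p"            # constructed stand-in, holds no key
    keystore_perms_ok "$p" "$me" || harden_keystore "$p" "$me" && echo "keystore now owner-only"
    printf 'xpack.security.transport.ssl.keystore.password: changeme\n' > "$d/elasticsearch.yml"
    plaintext_password_settings "$d/elasticsearch.yml" || echo "move it to the Elasticsearch keystore"
    rm -rf "$d"
}
demo_run
```

Run the checks from a cron job or a configuration-management post-step so that a later deployment that loosens the mode (for example a package upgrade that recreates the certs directory) is noticed rather than silently left in place.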


In conclusion, encryption at rest is a vital security measure for protecting data in Elasticsearch. By following the steps and best practices outlined in this article, you can effectively implement this feature and enhance the security of your Elasticsearch clusters.
