Elasticsearch Elasticsearch Keystore Path: Managing Secure Settings

By Opster Team

Updated: Jul 6, 2023

| 2 min read


In Elasticsearch, secure settings are used to store sensitive information such as passwords, API keys, and SSL certificates. These settings are stored in an encrypted format within the Elasticsearch keystore, which is a dedicated file that resides on each node in the cluster. This article will discuss the Elasticsearch keystore path, how to manage secure settings, and best practices for maintaining security. If you want to learn about how to secure an Elasticsearch cluster: TLS, SSL & CERTUTIL Certificates, check out this guide.

Locating the Elasticsearch Keystore

The Elasticsearch keystore is located in the Elasticsearch configuration directory, which is typically found at `$ES_HOME/config` or `/etc/elasticsearch` on Linux systems and `%ES_HOME%\config` on Windows systems. The keystore file is named `elasticsearch.keystore`.

Creating and Managing the Elasticsearch Keystore

To create a new Elasticsearch keystore, use the `elasticsearch-keystore` command-line tool, which is available in the `bin` directory of your Elasticsearch installation. The following command creates a new keystore:

./bin/elasticsearch-keystore create

If you want to protect your keystore with a password, you can do so with the following command and you will get prompted to input your password. Note that if you do not protect your keystore with a password and enter an empty password, the keystore will simply be obfuscated.

./bin/elasticsearch-keystore create -p

To list the contents of the keystore, use the `list` command:

./bin/elasticsearch-keystore list

Adding Secure Settings

To add a secure setting to the keystore, use the `add` command followed by the setting name. For example, to add a secure setting for a repository password, run:

./bin/elasticsearch-keystore add s3.client.default.access_key

You will be prompted to enter the value for the setting. The value will be encrypted and stored in the keystore.

Removing Secure Settings

To remove a secure setting from the keystore, use the `remove` command followed by the setting name. For example, to remove the previously added repository password, run:

./bin/elasticsearch-keystore remove s3.client.default.access_key

Updating Secure Settings

To update a secure setting, simply remove the existing setting and add the new value using the `remove` and `add` commands, as shown in the previous sections.

Reloading Secure Settings

In some cases, you may need to reload secure settings after making changes to the keystore. Make sure that the changes have been applied consistently on all your nodes before reloading the secure settings. To do this, use the Elasticsearch `_nodes/reload_secure_settings` API. For example, to reload secure settings on all nodes in the cluster, run:

POST _nodes/reload_secure_settings

If your secure settings is password protected, you also need to send the password in the command:

POST _nodes/reload_secure_settings
  "secure_settings_password": "keystore-password"

Best Practices for Managing Secure Settings

  1. Limit access to the Elasticsearch keystore: Ensure that only authorized users have access to the keystore file and the `elasticsearch-keystore` command-line tool. Set appropriate file permissions and restrict access to the Elasticsearch configuration directory.
  1. Use strong encryption: When adding sensitive information to the keystore, use strong encryption algorithms to protect the data. Elasticsearch uses the FIPS 140-2 approved AES algorithm with a 128-bit key length for encrypting keystore contents.
  1. Regularly audit keystore contents: Periodically review the contents of the Elasticsearch keystore to ensure that only necessary secure settings are stored. Remove any unused or outdated settings to minimize the risk of unauthorized access.
  1. Backup the keystore: Regularly backup the Elasticsearch keystore to ensure that secure settings can be restored in case of data loss or corruption. Store backups in a secure location with restricted access.
  1. Monitor and log keystore activity: Enable auditing and logging for Elasticsearch keystore operations to track changes and detect unauthorized access attempts. Review logs regularly and investigate any suspicious activity.


The Elasticsearch keystore provides a secure mechanism for storing sensitive settings within your Elasticsearch cluster. By understanding the keystore path, managing secure settings, and following best practices, you can maintain a high level of security for your Elasticsearch deployment.

How helpful was this guide?

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?