Briefly, this error occurs when Elasticsearch fails to generate a Key Encryption Key (KEK) to wrap the Data Encryption Key (DEK). This could be due to incorrect configuration or issues with the encryption algorithm. To resolve this, ensure that your encryption settings are correctly configured. Check the encryption algorithm being used and ensure it’s supported. Also, verify that the necessary permissions are in place for the process to generate and use the keys. If the problem persists, consider regenerating your DEK and KEK.
This guide will help you check for common problems that cause the log ” Failure to generate KEK to wrap the DEK [” + dekId + “] ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: repositories, plugin.
Overview
An Elasticsearch snapshot provides a backup mechanism that takes the current state and data in the cluster and saves it to a repository (read snapshot for more information). The backup process requires a repository to be created first. The repository needs to be registered using the _snapshot endpoint, and multiple repositories can be created per cluster. The following repository types are supported:
Repository types
| Repository type | Configuration type |
|---|---|
| Shared file system | Type: “fs” |
| S3 | Type : “s3” |
| HDFS | Type :“hdfs” |
| Azure | Type: “azure” |
| Google Cloud Storage | Type : “gcs” |
Examples
To register an “fs” repository:
PUT _snapshot/my_repo_01
{
"type": "fs",
"settings": {
"location": "/mnt/my_repo_dir"
}
}Notes and good things to know
- S3, HDFS, Azure and Google Cloud require a relevant plugin to be installed before it can be used for a snapshot.
- The setting, path.repo: /mnt/my_repo_dir needs to be added to elasticsearch.yml on all the nodes if you are planning to use the repo type of file system. Otherwise, it will fail.
- When using remote repositories, the network bandwidth and repository storage throughput should be high enough to complete the snapshot operations normally, otherwise you will end up with partial snapshots.
Log Context
Log “Failure to generate KEK to wrap the DEK [” + dekId + “]” class name is EncryptedRepository.java. We extracted the following from Elasticsearch source code for those seeking an in-depth context :
final SecretKey kek = AESKeyUtils.generatePasswordBasedKey(repositoryPassword; dekId);
final String kekId = AESKeyUtils.computeId(kek);
logger.debug("Repository [{}] computed KEK [{}] for DEK [{}]"; metadata.name(); kekId; dekId);
return new Tuple<>(kekId; kek);
} catch (GeneralSecurityException e) {
throw new RepositoryException(metadata.name(); "Failure to generate KEK to wrap the DEK [" + dekId + "]"; e);
}
} /**
* Called before the shard snapshot and finalize operations; on the data and master nodes. This validates that the repository
[ratemypost]
