Managing Secrets with OpenSearch Keystore

By Opster Team

Updated: Nov 8, 2023


Introduction

OpenSearch Keystore is a secure method for storing sensitive data, such as passwords and API keys, used by OpenSearch clusters. It provides an additional layer of security by encrypting this sensitive data and preventing unauthorized access. This article covers how to use and manage the OpenSearch Keystore.

Creating and Adding to the OpenSearch Keystore

The OpenSearch Keystore is automatically created when you install OpenSearch. However, you can also manually create it using the `opensearch-keystore create` command. This command will create a new keystore in the OpenSearch configuration directory.

To add a setting to the keystore, you can use the `opensearch-keystore add` command followed by the setting name. For example, to add the S3 repository credentials `s3.client.default.access_key` and `s3.client.default.secret_key`, you would use the following commands:

sudo ./bin/opensearch-keystore add s3.client.default.access_key
sudo ./bin/opensearch-keystore add s3.client.default.secret_key

You will then be prompted to enter the value for each setting. The value is stored securely in the keystore and is not displayed in plain text.

Listing and Removing Keystore Entries

You can list all the settings currently stored in the keystore using the `opensearch-keystore list` command. This command will display a list of all the setting names stored in the keystore.

To remove a setting from the keystore, you can use the `opensearch-keystore remove` command followed by the setting name. For example, to remove the `s3.client.default.access_key` and `s3.client.default.secret_key` settings, you would use the following commands:

sudo ./bin/opensearch-keystore remove s3.client.default.access_key
sudo ./bin/opensearch-keystore remove s3.client.default.secret_key

Password-Protecting the OpenSearch Keystore

For additional security, you can password-protect the OpenSearch Keystore. To do this, you can use the `opensearch-keystore passwd` command. You will then be prompted to enter a new password for the keystore.

Once the keystore is password-protected, you will need to provide the password every time you want to add, remove, or list keystore entries. If you forget the password, you will not be able to access the keystore entries.
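The add and list commands above are interactive, which is awkward in provisioning scripts and leaves no record of whether a node actually has the secrets it needs. The script below is an added example, not code from this article or from OpenSearch itself: it loads a secret from a root-only file via `--stdin` (so the value never appears in argv or shell history) and checks that the two S3 settings used in this article are present before a node is started. It assumes Linux (`stat -c`) and an `OPENSEARCH_HOME` of `/usr/share/opensearch`.

```bash
#!/usr/bin/env bash
# Added example, not code from the Opster article or from OpenSearch itself.
# Assumptions: Linux, OPENSEARCH_HOME (default /usr/share/opensearch), and that
# each secret sits in a mode-0600 file rather than being typed interactively.
set -eu

OPENSEARCH_HOME="${OPENSEARCH_HOME:-/usr/share/opensearch}"
KEYSTORE_BIN="$OPENSEARCH_HOME/bin/opensearch-keystore"

# missing_settings LIST_OUTPUT NAME...
# LIST_OUTPUT is the text printed by `opensearch-keystore list` (one name per
# line). Prints every NAME not in that list; returns 1 if any is missing.
missing_settings() {
  local listed="$1"; shift
  local rc=0 name
  for name in "$@"; do
    if ! printf '%s\n' "$listed" | grep -qxF -- "$name"; then
      printf '%s\n' "$name"
      rc=1
    fi
  done
  return "$rc"
}

# load_secret NAME FILE: add NAME to the keystore with the value read from FILE
# via --stdin, so the secret never appears in argv or in shell history. FILE
# must be mode 0600; -f overwrites an existing entry without prompting.
load_secret() {
  local name="$1" file="$2" perms
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  perms=$(stat -c '%a' "$file")
  [ "$perms" = "600" ] || { echo "$file must be mode 0600 (is $perms)" >&2; return 1; }
  "$KEYSTORE_BIN" add --stdin -f "$name" < "$file"
}

# Usage: `./keystore-check.sh check` verifies that the two S3 repository
# secrets from the article are present before the node is (re)started.
if [ "${1:-}" = "check" ]; then
  if missing=$(missing_settings "$("$KEYSTORE_BIN" list)" \
        s3.client.default.access_key s3.client.default.secret_key); then
    echo "all required secure settings are present"
  else
    printf 'missing from keystore:\n%s\n' "$missing" >&2
    exit 1
  fi
fi
```

On a password-protected keystore, `opensearch-keystore list` and `add` will prompt for the keystore password, so run the script from a terminal or supply the password the way your service manager does.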

Using Keystore Settings in OpenSearch Configuration

Once a setting is stored in the keystore, you can use it in your OpenSearch configuration. To do this, you simply use the setting name as a placeholder in the configuration file. For example, if you have a setting named `s3.client.default.access_key` in the keystore, you can use it in the OpenSearch configuration file like this:

s3.client.default.access_key: ${s3.client.default.access_key}
s3.client.default.secret_key: ${s3.client.default.secret_key}

When OpenSearch reads the configuration file, it will automatically replace the placeholder with the actual value stored in the keystore.

For more information, you can check the official OpenSearch snapshot-restore documentation.

Conclusion

The OpenSearch Keystore is a powerful tool for managing sensitive data used by your OpenSearch clusters. It provides a secure way to store that data and prevents unauthorized access. By understanding how to use and manage the OpenSearch Keystore, you can enhance the security of your OpenSearch clusters.