Dec 9th, 2021: [en] Getting started with security enabled by default in three easy steps

Elasticsearch 8.0 will come with security features enabled by default. This is a huge step forward toward ensuring that deployments are not unintentionally exposed to the world.

We have seen this too many times in the past. People create a local PoC in their test environment and don't focus on securing it at that early stage. "Hey, it's just on our local network and we are using a sample dataset!" they say. Then the project gains a lot of interest, and people start investing in it. After so much work, it is finally promoted to a production deployment! Everyone is excited by the great result, and security is not top of mind.

We want to help our users focus on their goals while still guaranteeing that their data is safe. That's why authentication, authorization, and network encryption are automatically enabled from the very first time you start Elasticsearch.

And we want the user experience to be easy for everyone.

Let's see now how to start a single-node cluster with Elasticsearch and Kibana properly secured. You can already try this by using the publicly available 8.0 Beta1 Preview Release.

Before we start

For this deployment, we will use a Debian machine with 8GB of memory. You can tune your environment based on your specific needs.

You also need Elasticsearch and Kibana tarballs, available at the following locations:

Step #1: Start Elasticsearch

Nothing new here! Unpack the tarball, move into the Elasticsearch folder, and run the usual binary to get started:

bin/elasticsearch

After some boot lines, you will see something similar to this message:

The generated password for the elastic built-in superuser is:
SfblQVLFS*gvxT+*Ikwc

The enrollment token for Kibana instances, valid for the next 30 minutes:
eyJ2ZXIiOiI4LjAuMCIsImFkciI6WyIxMC4xMjguMC45Mzo5MjAwIl0sImZnciI6IjVkYWEwNGJmOTE2OGFkODk0MjhjZDExYzQwZTY5MjQyNDAzZjNhYzEyOGY5ZjFmMTI0MzZmMzg0M2RiOWFmNDQiLCJrZXkiOiItMlc1ZjMwQk5TNE1FRk9HOTctTjp1c09hOThPSlI1NmxNTjg2aFBka1hnIn0=

The hex-encoded SHA-256 fingerprint of the generated HTTPS CA DER-encoded certificate:
5daa04bf9168ad89428cd11c40e69242403f3ac128f9f1f12436f3843db9af44


You can complete the following actions at any time:
Reset the password of the elastic built-in superuser with 'bin/elasticsearch-reset-password -u elastic'.

Generate an enrollment token for Kibana instances with 'bin/elasticsearch-create-enrollment-token -s kibana'.

Generate an enrollment token for Elasticsearch nodes with 'bin/elasticsearch-create-enrollment-token -s node'.

Copy this information for future reference; you will need it later. The enrollment token expires after 30 minutes, but you can generate a new one at any time with the bin/elasticsearch-create-enrollment-token command shown above.

You can verify that everything is working by running the following command from the Elasticsearch folder in another terminal, entering the password shown above when prompted (in this example, SfblQVLFS*gvxT+*Ikwc):

curl --cacert config/tls_auto_config_*/http_ca.crt -u elastic https://localhost:9200/

If you get your cluster details back, you're all good! Note that --cacert is what lets curl validate the auto-generated certificate; do not fall back to -k / --insecure, which skips that check entirely.
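The fingerprint and the enrollment token printed at startup are what let a client trust the auto-generated CA without any pre-shared secret: the token decodes to base64-encoded JSON carrying the cluster address (adr), the CA fingerprint (fgr) and a credential (key). The POSIX shell script below is an added example, not code from the original post or from Elastic. It decodes the token shown above, extracts those fields, computes the SHA-256 of a PEM certificate's DER encoding with openssl, and refuses the certificate when it does not match the token. The script name verify_ca.sh and the helper functions are assumptions; only the token, the fingerprint and the http_ca.crt path come from this page.

```shell
#!/bin/sh
# Added example (not from the original post): check the CA that Elasticsearch
# generated against the fingerprint printed at startup and embedded in the
# Kibana enrollment token, before trusting it with curl --cacert.
set -eu

# Enrollment token exactly as printed in Step #1 above (base64-encoded JSON).
TOKEN='eyJ2ZXIiOiI4LjAuMCIsImFkciI6WyIxMC4xMjguMC45Mzo5MjAwIl0sImZnciI6IjVkYWEwNGJmOTE2OGFkODk0MjhjZDExYzQwZTY5MjQyNDAzZjNhYzEyOGY5ZjFmMTI0MzZmMzg0M2RiOWFmNDQiLCJrZXkiOiItMlc1ZjMwQk5TNE1FRk9HOTctTjp1c09hOThPSlI1NmxNTjg2aFBka1hnIn0='

# Decode the token and print its JSON payload (a single line).
token_json() {
  printf '%s' "$1" | base64 -d
}

# The "fgr" field: hex SHA-256 of the DER-encoded HTTPS CA certificate.
token_fingerprint() {
  token_json "$1" | sed -n 's/.*"fgr":"\([0-9a-f]*\)".*/\1/p'
}

# The "adr" field: the host:port list the token points Kibana at, one per line.
token_addresses() {
  token_json "$1" | sed -n 's/.*"adr":\[\([^]]*\)\].*/\1/p' | tr -d '"' | tr ',' '\n'
}

# Hex SHA-256 of a PEM certificate's DER encoding, lowercase and without
# colons, i.e. the same format Elasticsearch prints at startup.
cert_fingerprint() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when the CA file matches the token's fingerprint, 1 otherwise.
verify_ca() {
  expected=$(token_fingerprint "$1")
  actual=$(cert_fingerprint "$2")
  if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
    echo "OK: $2 matches token fingerprint $expected"
    return 0
  fi
  echo "MISMATCH: token says '$expected', file $2 has '$actual'" >&2
  return 1
}

# Usage: sh verify_ca.sh config/tls_auto_config_*/http_ca.crt
# (the auto-generated CA path used on this page for the 8.0 Beta1 tarball)
if [ $# -ge 1 ]; then
  echo "Token addresses:"
  token_addresses "$TOKEN"
  verify_ca "$TOKEN" "$1"
fi
```

Run it against the http_ca.crt that Elasticsearch wrote, and only pass that file to curl --cacert (or hand the token to Kibana) once it reports OK. A mismatch means the token and the certificate come from different cluster starts, or that the file you are about to trust is not the one Elasticsearch generated.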

Step #2: Start Kibana

Now that Elasticsearch is up and running, it's time to connect Kibana, which now ships with a brand new auto-configuration flow.

All you need to do is to unpack the Kibana tarball, move into its folder, and start the binary as usual:

bin/kibana

You will see something like this message:

Kibana has not been configured.

Go to http://localhost:5601/?code=666585 to get started.

Step #3: Connect Kibana to the cluster

Now it's time to instruct Kibana how to securely interact with Elasticsearch. It needs to set up a secure connection over TLS, and to provide credentials that grant access to the required resources.

This is really easy. Open the link printed in the terminal to reach the configuration screen:

Copy and paste the Kibana enrollment token that you got when you started Elasticsearch, and click on Configure Elastic. Kibana uses the token to establish the TLS connection to Elasticsearch and to obtain its own credentials, so there is nothing else to configure by hand.

Once the setup is complete, you will see the Kibana login screen and you can start using your brand new secure deployment. Congratulations!

Conclusion

This is just one of the new secure ways to spin up the Stack in 8.0. Similar flows are available for other package types, like RPMs or Docker images. You can find further details in our Getting started with the Elastic Stack guide, including how to easily enroll new nodes into the cluster, how to set up Kibana HTTPS, and much more.

Stay safe (by default)!
