We are using VMs in Azure to host Elasticsearch in a FedRAMP High (FIPS enabled) environment. The VMs have their own disk space.
We are currently using the “zip” distribution type for Windows.
We install a Windows Service for each node by running the “.\bin\elasticsearch-service install node-name” command.
When Windows starts each of those Services it starts Java with “-Dcli.name=windows-service-daemon” and runs the CliToolLauncher.main() method.
That creates a WindowsServiceDaemon object and calls .execute() on it to start the service daemon.
The WindowsServiceDaemon.execute() method has this hard-coded in it:
var loadedSecrets = KeyStoreWrapper.bootstrap(env.configFile(), () -> new SecureString(new char[0]))
That parameter, () -> new SecureString(new char[0]), is the “passwordProvider”, which is hard-coded to pass in an empty string as the password for the elasticsearch.keystore file.
We need the daemon to do something like this, where it loads the password for elasticsearch.keystore from the process’s environment variables:
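var envVars = processInfo.envVars();
// Fall back to an empty password when the variable is unset, matching the current hard-coded behavior
var keystorePassword = envVars.getOrDefault("ES_KEYSTORE_PASSWORD", "");
// SecureString wraps a char[], so convert the String from the environment
var loadedSecrets = KeyStoreWrapper.bootstrap(env.configFile(), () -> new SecureString(keystorePassword.toCharArray()));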
We can use Azure to set that environment variable from the Azure Key Vault so it’s present when the Service starts up.
I plan to submit a PR with this change. Any suggestions on things to watch out for? Is the name ES_KEYSTORE_PASSWORD ok?