Encrypting Sensitive Data in Watcher - How?

This document talks about encrypting sensitive data in watcher. It only covers the configuration of the cluster but says nothing about how to actually encrypt the data or identify which data is sensitive.


We need to use the HTTP Input to call a secured endpoint and we want to make sure the username and password are encrypted so that they cannot easily be seen by those viewing the watch data. In the future we'd like to encrypt other sensitive data for the same reasons.

I've searched the web and the documentation and I've not yet found how to do this.

So basically the question is, how does this work? I suspect there is more to it than just configuring watcher. I also suspect that this can be done in other areas of Elasticsearch besides watcher.

Hey Aaron,

Sorry for the late reply. Let me try to answer your question until you're happy with the answer. The way it works is that a secret is stored in the Elasticsearch keystore. When storing a watch, we parse it field by field; if we encounter a field that we consider sensitive, and this setting is enabled, we encrypt the field contents and only then store it. The encryption is symmetric, so we can decrypt it again using the same secret when the watch is executed.

The class doing the de- & encryption is called CryptoService.

The password from a basic authentication is indeed encrypted (for the http input, the webhook). The same applies for the reporting email attachment. You cannot pick the fields that should be encrypted though.

Happy to answer any further questions!
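
A check an administrator could run after enabling the setting, added here as an example and not part of the original thread or Elastic's code: it walks a stored watch document (as read from the watch store, not the Get Watch API) and reports whether each basic-auth password is encrypted. It assumes encrypted values carry the `::es_encrypted::` prefix and that API responses show `::es_redacted::` in place of the secret; the sample watch, hosts and credentials are constructed.

```python
import json

# Assumption: prefix on values encrypted by Watcher's CryptoService.
ENCRYPTED_PREFIX = "::es_encrypted::"
# Assumption: placeholder the Get Watch API returns instead of a password.
REDACTED = "::es_redacted::"

def classify(value):
    """Label one stored password value."""
    if not isinstance(value, str):
        return "unknown"
    if value.startswith(ENCRYPTED_PREFIX):
        return "encrypted"
    if value == REDACTED:
        return "redacted"  # API output: says nothing about storage at rest
    return "plaintext"

def audit_basic_auth(node, path="$"):
    """Return [(json_path, status)] for every auth.basic.password found."""
    findings = []
    if isinstance(node, dict):
        for key, child in node.items():
            child_path = f"{path}.{key}"
            if (key == "basic" and path.endswith(".auth")
                    and isinstance(child, dict) and "password" in child):
                findings.append((child_path + ".password",
                                 classify(child["password"])))
            findings.extend(audit_basic_auth(child, child_path))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            findings.extend(audit_basic_auth(child, f"{path}[{i}]"))
    return findings

# Constructed watch source: one encrypted password, one left in plaintext.
SAMPLE_WATCH = json.loads("""
{"trigger": {"schedule": {"interval": "5m"}},
 "input": {"http": {"request": {
   "host": "api.example.internal", "port": 443, "path": "/status",
   "auth": {"basic": {"username": "svc_watcher",
                      "password": "::es_encrypted::Q09OU1RSVUNURUQ="}}}}},
 "actions": {"notify": {"webhook": {
   "host": "hooks.example.internal", "port": 443, "path": "/alert",
   "auth": {"basic": {"username": "svc_hook",
                      "password": "constructed-plaintext"}}}}}}
""")

if __name__ == "__main__":
    for json_path, status in audit_basic_auth(SAMPLE_WATCH):
        print(f"{status:10} {json_path}")
```

Any `plaintext` result on a cluster where the setting is enabled means that watch was stored without encryption and its credential should be treated as exposed to anyone who can read the watch data.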


@spinscale thank you for your response.

I ended up having to reach out to support for this. A few things I found out from that were: 1) there is no documentation that indicates which fields are considered sensitive, 2) the documentation isn't clear that you can/cannot choose your own sensitive fields for both input and output, and 3) there is a bug in versions prior to 6.3 that prevents all this from working properly and that we need to upgrade to use this feature.


This is correct. I also opened https://github.com/elastic/elasticsearch/pull/31551 to clarify your points in the documentation.

Thanks a ton for your feedback, much appreciated!

