Hashing passwords in the Elasticsearch config?

security

#1

I've just installed Shield (1.3.3) on my two-node Elasticsearch (1.7.2) cluster and was wondering if it was possible to mask/hash the Java KeyStore password in the elasticsearch.yml config file? Thanks in advance.


(Steve Kearns) #2

The most secure option is to use prompting support that was added to Elasticsearch:

https://www.elastic.co/guide/en/elasticsearch/reference/1.6/setup-configuration.html#styles

You can use ${prompt.secret} or ${prompt.text} in your elasticsearch.yml and ES will prompt you to enter these values at startup. This also allows you to wrap the ES startup and provide these values programmatically and securely at ES startup.


#3

Great! Thanks for the reply. I'll give it a shot and see how it goes.


(Steve Kearns) #4

Great. Let me know how it goes.

Note that if you're not interested in security, and you only want mild obfuscation, you could use quoted Unicode escaping in the ES config file. For example:

shield.ssl.keystore.password: "\u0070\u0061\u0073\u0073\u0077\u006f\u0072\u0064"

Again, this isn't a secure approach like the one I mentioned above, but I wanted to mention it just in case it was useful.
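
Added example, not part of the original thread or of Elasticsearch/Shield: a small config audit that classifies each secret-bearing setting as prompted, Unicode-escaped or plaintext, and decodes the escaped form to show it offers no protection. The key-name heuristic, the flat `key: value` parsing and the `example.*` settings are assumptions made for illustration.

```python
import re

# Assumption: any setting whose key contains one of these words holds a secret.
SENSITIVE = re.compile(r"(password|secret|passphrase)", re.I)
PROMPT = re.compile(r"^\$\{prompt\.(secret|text)\}$")
UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")


def decode_escapes(value):
    """Undo YAML double-quoted \\uXXXX escapes, as any YAML parser would."""
    return UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), value)


def audit(config_text):
    """Return (key, finding, recovered_value) for each sensitive flat setting."""
    findings = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, raw = line.partition(":")
        key, raw = key.strip(), raw.strip()
        if not SENSITIVE.search(key):
            continue
        quoted = len(raw) >= 2 and raw[0] == raw[-1] == '"'
        value = raw[1:-1] if quoted else raw
        if PROMPT.match(value):
            findings.append((key, "prompted", None))  # nothing stored on disk
        elif quoted and UNICODE_ESC.search(value):
            findings.append((key, "obfuscated", decode_escapes(value)))
        else:
            findings.append((key, "plaintext", value))
    return findings


# Constructed sample config; only shield.ssl.keystore.password is from the thread.
SAMPLE = r'''
cluster.name: demo
shield.ssl.keystore.password: "\u0070\u0061\u0073\u0073\u0077\u006f\u0072\u0064"
example.truststore.password: changeit
example.key.password: ${prompt.secret}
'''

if __name__ == "__main__":
    for key, finding, recovered in audit(SAMPLE):
        print(f"{key}: {finding}" + (f" -> {recovered!r}" if recovered else ""))
```

Only the prompted setting leaves no recoverable secret in the file; the other two findings should be treated the same way in a review.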

