How can I hide the ssl_key_passphrase?

Ihjaz · October 9, 2017, 10:22am

Hi All,

I have the following configuration

input {
  beats {
    host => "127.0.0.1"
    port => 5044
    ssl => true
    ssl_certificate_authorities => ["/etc/logstash/certs/trust.pem"]
    ssl_certificate => "/etc/logstash/certs/cert.pem"
    ssl_key => "/etc/logstash/certs/p8key.pem"
    ssl_verify_mode => "force_peer"
    ssl_key_passphrase => "passphrase"
  }
}

I'm not supposed to show the passphrase in plain text here. How can I hide this?

magnusbaeck · October 10, 2017, 6:39pm

You can't. The beats input doesn't support encrypted key passphrases.

Badger · October 10, 2017, 7:10pm

You might be able to move the problem using an environment variable. Then you have the problem of how to get the passphrase into an environment variable without having it in plain text anywhere.

Topic		Replies	Views
Encrypting the certificate key for SSL Logstash	4	4369	October 19, 2017
Why is the ssl_key_passphrase missing in the plugins-outputs-elasticsearch? Logstash elastic-stack-security	7	317	November 27, 2023
Beats input plugin cannot read password protected ssl key Logstash	3	784	July 19, 2019
Password of the Encrypted Key for HTTP Output Logstash	2	35	August 13, 2024
Logstash 7.8 beats input with SSL throws error Logstash	4	897	September 3, 2020

How can I hide the ssl_key_passphrase?

Related topics