diff --git a/docs/reference/setup.asciidoc b/docs/reference/setup.asciidoc
index 2608f461dba5..e616b444dc25 100644
--- a/docs/reference/setup.asciidoc
+++ b/docs/reference/setup.asciidoc
@@ -46,6 +46,8 @@ include::setup/configuration.asciidoc[]
 
 include::setup/important-settings.asciidoc[]
 
+include::setup/secure-settings.asciidoc[]
+
 include::setup/bootstrap-checks.asciidoc[]
 
 include::setup/sysconfig.asciidoc[]
diff --git a/docs/reference/setup/secure-settings.asciidoc b/docs/reference/setup/secure-settings.asciidoc
new file mode 100644
index 000000000000..d66360abf6cc
--- /dev/null
+++ b/docs/reference/setup/secure-settings.asciidoc
@@ -0,0 +1,65 @@
+[[secure-settings]]
+== Secure Settings
+
+Some settings are sensitive, and relying on filesystem permissions to protect
+their values is not sufficient. For this use case, elasticsearch provides a
+keystore, which may be password protected, and the `elasticsearch-keystore`
+tool to manage the settings in the keystore.
+
+NOTE: All commands here should be run as the user which will run elasticsearch.
+
+[float]
+[[creating-keystore]]
+=== Creating the keystore
+
+To create the `elasticsearch.keystore`, use the `create` command:
+
+[source,sh]
+----------------------------------------------------------------
+bin/elasticsearch-keystore create
+----------------------------------------------------------------
+
+The file `elasticsearch.keystore` will be created alongside `elasticsearch.yml`.
+
+[float]
+[[list-settings]]
+=== Listing settings in the keystore
+
+A list of the settings in the keystore is available with the `list` command:
+
+[source,sh]
+----------------------------------------------------------------
+bin/elasticsearch-keystore list 
+----------------------------------------------------------------
+
+[float]
+[[add-string-to-keystore]]
+=== Adding string settings
+
+Sensitive string settings, like authentication credentials for cloud
+plugins, can be adding using the `add` command:
+
+[source,sh]
+----------------------------------------------------------------
+bin/elasticsearch-keystore add the.setting.name.to.set
+----------------------------------------------------------------
+
+The tool will prompt for the value of the setting. To pass the value
+through stdin, use the `--stdin` flag:
+
+[source,sh]
+----------------------------------------------------------------
+cat /file/containing/setting/value | bin/elasticsearch-keystore add --stdin the.setting.name.to.set
+----------------------------------------------------------------
+
+[float]
+[[remove-settings]]
+=== Removing settings
+
+To remove a setting from the keystore, use the `remove` command:
+
+[source,sh]
+----------------------------------------------------------------
+bin/elasticsearch-keystore remove the.setting.name.to.remove
+----------------------------------------------------------------
+