[[security-minimal-setup]]
=== Set up minimal security for {es}
++++
<titleabbrev>Set up minimal security</titleabbrev>
++++

IMPORTANT: You only need to complete the following steps if you're running an
existing, unsecured cluster and want to enable the {es} {security-features}.

In {es} 8.0 and later, security is
<<configuring-stack-security,enabled automatically>> when you start {es} for the
first time.

If you're running an existing {es} cluster where security is disabled, you can
manually enable the {es} {security-features} and then create passwords for
built-in users. You can add more users later, but using the built-in users
simplifies the process of enabling security for your cluster.

include::../security-manual-configuration.asciidoc[tag=minimal-security-note]

==== Enable {es} security features

Enabling the {es} security features provides basic authentication so
that you can run a local cluster with username and password authentication.

. On *every* node in your cluster, stop both {kib} and {es} if they are running.

. On *every* node in your cluster, add the `xpack.security.enabled` setting to
the `$ES_PATH_CONF/elasticsearch.yml` file and set the value to `true`:
+
[source,yaml]
----
xpack.security.enabled: true
----
+
NOTE: The `$ES_PATH_CONF` variable is the path for the {es}
configuration files. If you installed {es} using archive distributions
(`zip` or `tar.gz`), the variable defaults to `$ES_HOME/config`. If you used
package distributions (Debian or RPM), the variable defaults to `/etc/elasticsearch`.

. If your cluster has a single node, add the `discovery.type` setting in the
`$ES_PATH_CONF/elasticsearch.yml` file and set the value to `single-node`. This
setting ensures that your node does not inadvertently connect to other clusters
that might be running on your network.
+
[source,yaml]
----
discovery.type: single-node
----

[[security-create-builtin-users]]
==== Set passwords for built-in users

To communicate with your cluster, you must configure a password for
the `elastic` and `kibana_system` built-in users. Unless you enable anonymous
access (not recommended), all requests that don’t include credentials are
rejected.

NOTE: You only need to set passwords for the `elastic` and `kibana_system` users
when enabling minimal or basic security.

. On *every* node in your cluster, start {es}. For example, if you installed
{es} with a `.tar.gz` package, run the following command from the `ES_HOME`
directory:
+
[source,shell]
----
./bin/elasticsearch
----

. On any node in your cluster, open another terminal window and set the password
for the `elastic` built-in user by running the
<<reset-password,`elasticsearch-reset-password`>> utility.
This command resets the password to an auto-generated value.
+
[source,shell]
----
./bin/elasticsearch-reset-password -u elastic
----
+
If you want to set the password to a specific value, run the command with the 
interactive (`-i`) parameter.
+
[source,shell]
----
./bin/elasticsearch-reset-password -i -u elastic
----

. Set the password for the `kibana_system` built-in user.
+
[source,shell]
----
./bin/elasticsearch-reset-password -u kibana_system
----

. Save the new passwords. In the next step, you'll add the the password for the
`kibana_system` user to {kib}.

*Next*: <<add-built-in-users,Configure {kib} to connect to {es} with a password>>

[[add-built-in-users]]
==== Configure {kib} to connect to {es} with a password

When the {es} security features are enabled, users must log in to {kib} with a
valid username and password.

You'll configure {kib} to use the built-in `kibana_system` user and the password that
you created earlier. {kib} performs some background tasks that require use of the
`kibana_system` user.

This account is not meant for individual users and does not have permission to log in
to {kib} from a browser. Instead, you'll log in to {kib} as the `elastic` superuser.

. Add the `elasticsearch.username` setting to the `KBN_PATH_CONF/kibana.yml`
file and set the value to the `kibana_system` user:
+
[source,yaml]
----
elasticsearch.username: "kibana_system"
----
+
NOTE: The `KBN_PATH_CONF` variable is the path for the {kib}
configuration files. If you installed {kib} using archive distributions
(`zip` or `tar.gz`), the variable defaults to `KIB_HOME/config`. If you used
package distributions (Debian or RPM), the variable defaults to `/etc/kibana`.

. From the directory where you installed {kib}, run the following commands
to create the {kib} keystore and add the secure settings:

   a. Create the {kib} keystore:
+
[source,shell]
----
./bin/kibana-keystore create
----

   b. Add the password for the `kibana_system` user to the {kib} keystore:
+
[source,shell]
----
./bin/kibana-keystore add elasticsearch.password
----
+
When prompted, enter the password for the `kibana_system` user.

. Restart {kib}. For example, if you installed {kib} with a `.tar.gz` package, run the following command from the {kib} directory:
+
[source,shell]
----
./bin/kibana
----

. Log in to {kib} as the `elastic` user. Use this superuser account to
{kibana-ref}/tutorial-secure-access-to-kibana.html[manage spaces, create new users, and assign roles]. If you're running {kib} locally, go to `http://localhost:5601` to view the login page.

[[minimal-security-whatsnext]]
==== What's next?

Congratulations! You enabled password protection for your local cluster to
prevent unauthorized access. You can log in to {kib} securely as the `elastic`
user and create additional users and roles. If you're running a <<single-node-discovery,single-node cluster>>, then you can stop here.

If your cluster has multiple nodes, then you must configure Transport Layer
Security (TLS) between nodes. <<dev-vs-prod-mode,Production mode>> clusters
will not start if you do not enable TLS.

<<security-basic-setup,Set up basic security for the {stack}>> to
secure all internal communication between nodes in your cluster.