[role="exclude"]
==== Start {es} with security enabled

When installing {es}, security features are enabled and configured by default.
When you install {es}, the following security configuration
occurs automatically:

* Authentication and authorization are enabled, and a password is generated for
the `elastic` built-in superuser.
* Certificates and keys for TLS are generated for the transport and HTTP layer,
and TLS is enabled and configured with these keys and certificates.

The password and certificate and keys are output to your terminal.

We recommend storing the `elastic` password as an environment variable in your shell. Example:

[source,sh]
----
export ELASTIC_PASSWORD="your_password"
----

===== Reconfigure a node to join an existing cluster

When you install {es}, the installation process configures a
single-node cluster by default. If you want a node to join an existing cluster
instead, generate an enrollment token on an existing node _before_ you start
the new node for the first time.

. On any node in your existing cluster, generate a node enrollment token:
+
[source, sh]
----
/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node
----

. Copy the enrollment token, which is output to your terminal.

. On your new {es} node, pass the enrollment token as a parameter to the
`elasticsearch-reconfigure-node` tool:
+
[source, sh]
----
/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <enrollment-token>
----
+
{es} is now configured to join the existing cluster.

. <<{distro}-running-systemd, Start your new node using `systemd`>>.