mirror of
https://github.com/elastic/elasticsearch.git
synced 2025-04-25 07:37:19 -04:00
**Problem:**
For historical reasons, source files for the Elasticsearch Guide's security, watcher, and Logstash API docs are housed in the `x-pack/docs` directory. This can confuse new contributors who expect Elasticsearch Guide docs to be located in `docs/reference`.

**Solution:**
- Move the security, watcher, and Logstash API doc source files to the `docs/reference` directory
- Update doc snippet tests to use security

Rel: https://github.com/elastic/platform-docs-team/issues/208
55 lines
1.9 KiB
Text
[role="xpack"]
[[encrypting-data]]
== Encrypting sensitive data in {watcher}

Watches might have access to sensitive data such as HTTP basic authentication
information or details about your SMTP email service. You can encrypt this
data by generating a key and adding some secure settings on each node in your
cluster.

Once encryption is enabled, every `password` field that is used in an HTTP basic
authentication block of a watch (for example in a webhook, an HTTP input, or the
reporting email attachment) is no longer stored as plain text. You cannot
configure additional fields of your own in a watch to be encrypted.

To encrypt sensitive data in {watcher}:

. Use the <<syskeygen,elasticsearch-syskeygen>> command to create a system key file.

. Copy the `system_key` file to all of the nodes in your cluster.
+
--
IMPORTANT: The system key is a symmetric key, so the same key must be used on
every node in the cluster.

--

. Set the <<notification-settings,`xpack.watcher.encrypt_sensitive_data` setting>>:
+
--

[source,yaml]
----------------------------------------------------------------
xpack.watcher.encrypt_sensitive_data: true
----------------------------------------------------------------
--

. Set the
<<notification-settings,`xpack.watcher.encryption_key` setting>> in the
<<secure-settings,{es} keystore>> on each node in the cluster.
+
--
For example, run the following command to import the `system_key` file on
each node:

[source,sh]
----------------------------------------------------------------
bin/elasticsearch-keystore add-file xpack.watcher.encryption_key <filepath>/system_key
----------------------------------------------------------------
--

. Delete the `system_key` file on each node in the cluster.

NOTE: Existing watches are not affected by these changes. Only watches that you
create after following these steps have encryption enabled.
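
A per-node check of the steps above, added here as an example and not part of the Elasticsearch documentation or code base. The function names are hypothetical. It assumes an archive install layout (`$ES_HOME/bin`, `$ES_HOME/config/elasticsearch.yml`) and the setting written in flat `a.b.c: value` form.

```shell
#!/bin/sh
# Added example (not Elastic's code): per-node audit of the procedure above.
# Assumptions: archive layout, i.e. $ES_HOME/bin and
# $ES_HOME/config/elasticsearch.yml, and the setting written in flat
# "a.b.c: value" form rather than nested YAML.

# SHA-256 of the key file. Compare across nodes BEFORE deleting system_key:
# the key is symmetric, so every node must show the same fingerprint.
key_fingerprint() { sha256sum "$1" | cut -d' ' -f1; }

# Names of the secure settings in this node's keystore
# (the tool prompts for a password if the keystore is password-protected).
keystore_list() { "$1/bin/elasticsearch-keystore" list; }

# Usage: audit_watcher_encryption ES_HOME KEY_FILE
# Prints one line per finding and returns the number of findings (0 = OK).
audit_watcher_encryption() {
    es_home=$1; key_file=$2; findings=0
    yml="$es_home/config/elasticsearch.yml"
    setting='^[[:space:]]*xpack\.watcher\.encrypt_sensitive_data:[[:space:]]*true[[:space:]]*$'

    # Step 3: setting present and true; a commented-out line does not match.
    if ! grep -Eq "$setting" "$yml" 2>/dev/null; then
        echo "FAIL: xpack.watcher.encrypt_sensitive_data is not true in $yml"
        findings=$((findings + 1))
    fi
    # Step 4: the key was imported into the keystore under the expected name.
    if ! keystore_list "$es_home" 2>/dev/null | grep -Fxq 'xpack.watcher.encryption_key'; then
        echo "FAIL: xpack.watcher.encryption_key is not in the keystore"
        findings=$((findings + 1))
    fi
    # Step 5: no plaintext copy of the key is left on disk.
    if [ -e "$key_file" ]; then
        echo "FAIL: $key_file still exists; delete it after the import"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Stand-alone use: sh audit.sh /path/to/elasticsearch /path/to/system_key
if [ "$#" -eq 2 ]; then audit_watcher_encryption "$1" "$2"; fi
```

Run `key_fingerprint` on each node's copy of `system_key` before the import and compare the values; after the file is deleted the audit function covers the remaining steps.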