
Where does Elasticsearch take the elasticsearch-keystore password from?

I've been reading the little documentation Elastic provides, but it is just about how to operate it. And I don't really understand the fundamentals of it.

  1. You initialise the keystore with a password: bin/elasticsearch-keystore passwd
  2. You add a key-value to it: bin/elasticsearch-keystore add mySecret (prompts for secret)
  3. You refer to the key inside elasticsearch.yml, i.e. ${mySecret}
  4. Start Elasticsearch, and the value is magically extracted and replaced from the keystore.

My doubt is: how does Elasticsearch get the password to decrypt the keystore and use the values in the configuration file? Or is the keystore password stored somewhere?

If yes, where? In this case I don't see the benefit of using keystore at all?

sscarduzio asked Oct 16 '25 23:10


1 Answer

Currently I am using Elasticsearch v7.10. Its systemd service runs /usr/share/elasticsearch/bin/systemd-entrypoint as its ExecStart. By looking at it, you can see that it tries to read the keystore password from a file specified by the environment variable ES_KEYSTORE_PASSPHRASE_FILE.

You can create a file containing your passphrase, add an Environment directive in your service file, and assign ES_KEYSTORE_PASSPHRASE_FILE to the path of your file.

touch /var/elasticpassword
echo MY_STRONG_PASSWORD > /var/elasticpassword
vim /usr/lib/systemd/system/elasticsearch.service

In the [Service] section, add the following line:

Environment=ES_KEYSTORE_PASSPHRASE_FILE=/var/elasticpassword

Reload systemctl and restart the service:

systemctl daemon-reload
service elasticsearch restart
Ssaf answered Oct 20 '25 02:10
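An added check, not part of the answer above and not Elasticsearch's own tooling: the function audits a unit or drop-in file for the ES_KEYSTORE_PASSPHRASE_FILE setup the answer describes, flagging a malformed Environment= line and a passphrase file that other users can read. The function name is an assumption, and it only handles the variable when it is the first assignment on its Environment= line.

```shell
#!/bin/sh
# Added example: audit the keystore passphrase wiring in a systemd unit
# or drop-in file. audit_keystore_env is a hypothetical helper name.
# Usage: audit_keystore_env UNIT_OR_DROPIN_FILE
# Prints findings; returns 0 when clean, 1 when anything is wrong.
audit_keystore_env() {
    unit=$1
    var=ES_KEYSTORE_PASSPHRASE_FILE
    rc=0

    # systemd expects Environment=NAME=value; a bare path sets no variable.
    if grep -Eq '^[[:space:]]*Environment=[^=]+$' "$unit"; then
        echo "FAIL: Environment= line without NAME=value in $unit"
        rc=1
    fi

    # Later assignments override earlier ones, so keep the last match.
    path=$(sed -n "s/^[[:space:]]*Environment=\"\{0,1\}$var=\([^\"[:space:]]*\).*/\1/p" \
        "$unit" | tail -n 1)
    if [ -z "$path" ]; then
        echo "FAIL: $var is not set in $unit"
        return 1
    fi
    if [ ! -f "$path" ]; then
        echo "FAIL: $path is missing or not a regular file"
        return 1
    fi
    if [ ! -s "$path" ]; then
        echo "FAIL: $path is empty"
        rc=1
    fi

    # Characters 8-10 of the ls mode string are the "other" permission bits.
    # A file created with touch/echo under umask 022 shows "r--" here.
    other=$(ls -ld "$path" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "FAIL: $path is accessible to other users ($other)"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $var=$path"
    fi
    return "$rc"
}
```

Source the file and call the function with the path of the unit or drop-in you edited, for example /usr/lib/systemd/system/elasticsearch.service.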


