Allow the keystore to be password protected #32691

Open
joshbressers opened this issue Aug 7, 2018 · 4 comments

@joshbressers

commented Aug 7, 2018

Now that we have a keystore we need to add the ability to encrypt it with a secret. Ideally when a node starts up a secret must be passed in somehow.

Some questions we need to answer

  • What does this mean for reloading the keystore
  • How do we want to pass in the secret securely
  • What other secret storage technologies should we support (like vault)
  • What happens to node startup if the secret fails to unlock the keystore
@elasticmachine


commented Aug 7, 2018

@elasticmachine


commented Aug 7, 2018

@jasontedor jasontedor added team-discuss and removed discuss labels Aug 8, 2018

@albertzaharovits

Contributor

commented Aug 8, 2018

I can answer the easy one:

What does this mean for reloading the keystore

As it stands the reload-secure-store API has a request body param that is used to convey the password, or the vault token, for that matter, to some node which will then broadcast it to the full cluster, during reloading. The password/token is never stored, and it is not obfuscated at any step.

@jasontedor

Member

commented Aug 13, 2018

A few thoughts from a discussion in the @elastic/es-core-infra team meeting:

What does this mean for reloading the keystore

We should require HTTPS to be able to specify a password in the reload settings API. How exactly we do this is open to discussion, but we think that we should remove the ability to specify a password on the current reload settings API, and add a new API that allows specifying a password, and this API will require HTTPS. The idea here is that we want to avoid plaintext transmission of passwords.

How do we want to pass in the secret securely

With systemd there are built-in facilities for this that we can leverage, but that doesn't solve this for us on Sys V init, and the archive packages (e.g., on Windows). We can read from standard input or on an IPC socket (now that Windows is adding support for AF_UNIX), or via a named pipe. We lean towards avoiding environment variables.

What other secret storage technologies should we support (like vault)

We see this question as completely orthogonal to adding password support to the keystore.

What happens to node startup if the secret fails to unlock the keystore

We should fail the node.
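
The startup behaviour described in the comment above (secret supplied over standard input rather than an environment variable, and the node refusing to start when that secret does not unlock the keystore), as an added example that is not part of this issue and not Elasticsearch's own keystore code. The on-disk layout here (`salt || HMAC verifier`), the iteration count, the exit code and the function names are all constructed for illustration; the real keystore format differs.

```python
import hashlib
import hmac
import os
import sys
from typing import Optional

# Constructed toy keystore layout (NOT Elasticsearch's real on-disk format):
#   blob = salt (16 bytes) || verifier (32 bytes)
#   key      = PBKDF2-HMAC-SHA256(passphrase, salt, ITERATIONS)
#   verifier = HMAC-SHA256(key, VERIFIER_TAG)
# The verifier lets the node check a passphrase without decrypting anything.
ITERATIONS = 100_000
SALT_LEN = 16
VERIFIER_LEN = 32
VERIFIER_TAG = b"keystore-verifier"
EX_CONFIG = 78  # BSD sysexits code for "configuration error"; chosen here as the fail-fast status


def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    """Stretch the passphrase into a 32-byte key bound to this keystore's salt."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, ITERATIONS, dklen=32)


def create_keystore(passphrase: bytes, salt: Optional[bytes] = None) -> bytes:
    """Build a passphrase-protected keystore blob (random salt unless one is given)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    key = derive_key(passphrase, salt)
    verifier = hmac.new(key, VERIFIER_TAG, hashlib.sha256).digest()
    return salt + verifier


def unlock_keystore(blob: bytes, passphrase: bytes) -> Optional[bytes]:
    """Return the derived key if the passphrase opens the keystore, otherwise None."""
    if len(blob) != SALT_LEN + VERIFIER_LEN:
        return None  # malformed keystore is treated the same as a wrong passphrase
    salt, verifier = blob[:SALT_LEN], blob[SALT_LEN:]
    key = derive_key(passphrase, salt)
    expected = hmac.new(key, VERIFIER_TAG, hashlib.sha256).digest()
    # Constant-time comparison so a wrong passphrase cannot be distinguished by timing.
    return key if hmac.compare_digest(expected, verifier) else None


def read_passphrase(stream) -> bytes:
    """Read one line from a byte stream (stdin or a pipe) and strip the newline.

    Reading from a stream rather than the environment keeps the secret out of
    /proc/<pid>/environ and out of child processes that inherit the environment.
    """
    line = stream.readline()
    if isinstance(line, str):
        line = line.encode()
    return line.rstrip(b"\r\n")


def start_node(blob: bytes, passphrase: bytes) -> int:
    """Toy node bootstrap: return 0 when the keystore unlocks, EX_CONFIG when it does not."""
    key = unlock_keystore(blob, passphrase)
    if key is None:
        print("keystore: passphrase did not unlock the keystore; refusing to start",
              file=sys.stderr)
        return EX_CONFIG
    # A real node would continue bootstrap here, decrypting secure settings with `key`.
    return 0


if __name__ == "__main__":
    # Demo: create a keystore with a constructed passphrase, then try to unlock it
    # with whatever is piped on stdin, e.g.  echo 'correct horse' | python node.py
    demo_blob = create_keystore(b"correct horse")
    sys.exit(start_node(demo_blob, read_passphrase(sys.stdin.buffer)))
```

The design choice worth noting is that `start_node` treats "passphrase does not verify" and "keystore malformed" identically and exits before any other bootstrap work runs, which is the fail-the-node behaviour the team settled on; the HMAC verifier is only a cheap correctness check and does not by itself protect the stored secrets.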

@jasontedor jasontedor removed the help wanted label Oct 25, 2018

jkakavas added a commit to jkakavas/elasticsearch that referenced this issue Jan 15, 2019

Add passphrase support to elasticsearch-keystore
- Subcommands of elasticsearch-keystore can handle (open and create)
passphrase protected keystores
- When reading a keystore, a user is prompted for a passphrase
only if the keystore is passphrase protected.

Relates to: elastic#32691

@colings86 colings86 added the v7.2.0 label Apr 12, 2019

@colings86 colings86 added 7x v7.3.0 and removed v7.2.0 7x labels May 21, 2019
