Search Guard is an Open Source Elasticsearch plugin that offers encryption, authentication, and authorisation.
Switch branches/tags
ves-6.3-compliance-2-api ves-6.3-22.3-api ves-6.2.4-compliance-rc1 ves-6.2.4-compliance-rc1-api ves-6.2.4-compliance-enterprise-1 ves-6.2.4-compliance-api-1 ves-6.2.4-compliance-1 ves-6.2.4-31.2 ves-6.2.4-31.1 ves-6.2.4-22.1 ves-6.2.3-compliance-enterprise-1 ves-6.2.3-compliance-1 ves-6.2.3-31.2 ves-6.2.3-31.1 ves-6.2.3-31.0 ves-6.2.3-22.3 ves-6.2.3-22.1 ves-6.2.3-22.0 ves-6.2.2-compliance-enterprise-1 ves-6.2.2-compliance-beta1 ves-6.2.2-compliance-beta-1 ves-6.2.2-compliance-beta-1-api ves-6.2.2-compliance-1 ves-6.2.2-31.2 ves-6.2.2-31.1 ves-6.2.2-31.0 ves-6.2.2-30.0 ves-6.2.2-22.1 ves-6.2.2-22.0 ves-6.2.2-21.0 ves-6.2.1-compliance-enterprise-1 ves-6.2.1-compliance-api-1 ves-6.2.1-compliance-1 ves-6.2.1-31.2 ves-6.2.1-31.1 ves-6.2.1-31.0 ves-6.2.1-22.1 ves-6.2.1-22.0 ves-6.2.1-21.0 ves-6.2-compliance-2-api ves-6.2-30.0 ves-6.2-22.3-api ves-6.1.4-22.2 ves-6.1.4-22.1 ves-6.1.4-22.0 ves-6.1.3-22.2 ves-6.1.3-22.1 ves-6.1.3-22.0 ves-6.1.3-21.0 ves-6.1.2-22.2 ves-6.1.2-22.1 ves-6.1.2-22.0 ves-6.1.2-21.0 ves-6.1.2-20.1 ves-6.1.1-22.2 ves-6.1.1-22.1 ves-6.1.1-22.0 ves-6.1.1-21.0 ves-6.1.1-20.1 ves-6.1.0-22.3 ves-6.1.0-22.2 ves-6.1.0-22.1 ves-6.1.0-22.0 ves-6.1.0-21.0 ves-6.1.0-20.1 ves-6.1.0-20.0 ves-6.1.0- ves-6.1-22.3-api ves-6.1-20.0-api ves-6.0.0-17.beta1 ves-6.0.0-17.beta1api ves-5.6.9-19 ves-5.6.8-19 ves-5.6.7-19 ves-5.6.6-18 ves-5.6.5-18 ves-5.6.5-17 ves-5.6.4-18 ves-5.6.4-17 ves-5.6.4-16 ves-5.6.3-18 ves-5.6.3-17 ves-5.6.3-16 ves-5.6.2-18 ves-5.6.2-17 ves-5.6.2-16 ves-5.6.0-18 ves-5.6.0-17 ves-5.6.0-16 ves-5.5.3-16 ves-5.5.2-16 ves-5.5.2-15 ves-5.5.1-16 ves-5.5.1-15 ves-5.5.1-14 ves-5.5.0-16 ves-5.5.0-15 ves-5.5.0-14 ves-5.4.3-16 ves-5.4.3-15
Nothing to show
Clone or download

Search Guard - Security for Elasticsearch


Search Guard(®) is an Elasticsearch plugin that offers encryption, authentication, and authorization. It supports authentication via Active Directory, LDAP, Kerberos, JSON web tokens and many more, and includes fine grained role-based access control to clusters, indices, documents and fields. Enjoy true multi tenancy in Kibana, and stay compliant with GDPR, HIPAA, PCI, SOX and ISO by using audit logging.

Search Guard supports OpenSSL for maximum performance and security. The complete code is Open Source.

Community Edition

Search Guard offers all basic security features for free. The Community Edition of Search Guard can be used for all projects, including commercial projects, at absolutely no cost. The Community Edition includes:

  • Full data in transit encryption
  • Node-to-node encryption
  • Index level access control
  • Document type based access control
  • User-, role- and permission management
  • HTTP basic authentication
  • User Impersonation
  • Proxy support

Please see here for a feature comparison.

Enterprise Edition

The Enterprise Edition on Search Guard adds:

  • Active Directory / LDAP
  • Kerberos / SPNEGO
  • JSON web token (JWT)
  • Document-level security
  • Field-level security
  • Audit logging to stay compliant with security compliance regulations
  • True Kibana Multi Tenancy
  • REST management API

Please see here for a feature comparison.

If you want to use our enterprise features in production, you need to obtain a license. We offer a very flexible licensing model, based on productive clusters with an unlimited number of nodes. Non-productive systems like Development, Staging or QA are covered by the license at no additional cost.

Trial license

You can test all enterprise modules for 60 days. A trial license is automatically created when you first install Search Guard. You do not have to install the trial license manually. Just install Search Guard and you're good to go!


Please refer to the Official documentation for detailed information on installing and configuring Search Guard.

Quick Start

<ES directory>/bin/elasticsearch-plugin install \
  -b com.floragunn:search-guard-6:6.0.0-17.beta1
  • cd into <ES directory>/plugins/search-guard-<version>/tools

  • Execute ./, chmod the script first if necessary. This will generate all required TLS certificates and add the Search Guard configuration to your elasticsearch.yml file.

  • Start Elasticsearch

  • Test the installation by visiting https://localhost:9200. When prompted, use admin/admin as username and password. This user has full access to the cluster.

  • Display information about the currently logged in user by visiting https://localhost:9200/_searchguard/authinfo.

  • Deep dive into all Search Guard features by reading the Search Guard documentation

Config hot reloading

The Search Guard configuration is stored in a dedicated index in Elasticsearch itself. Changes to the configuration are pushed to this index via the sgadmin command line tool. This will trigger a reload of the configuration on all nodes automatically. This has several advantages over configuration via elasticsearch.yml:

  • Configuration is stored in a central place
  • No configuration files on the nodes necessary
  • Configuration changes do not require a restart
  • Configuration changes take effect immediately



Search Guard is a trademark of floragunn GmbH, registered in the U.S. and in other countries.

Elasticsearch, Kibana and Logstash are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.

floragunn GmbH is not affiliated with Elasticsearch BV.