Encrypt SSL Keystore/Truststore Password Properties in opensearch.yml

ARK · June 29, 2023, 9:53pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

OpenSearch v1.3.10

Describe the issue:

Looking solution on how to encrypt SSL keystore/Truststore password properties in opensearch.yml

Configuration:

Following are the properties needs to be encrypted:
plugins.security.ssl.transport.keystore_password:******
plugins.security.ssl.transport.truststore_password:******
plugins.security.ssl.http.keystore_password:******
plugins.security.ssl.http.truststore_password:******

Relevant Logs or Screenshots:

Let me if you have solution that can be applied in v.1.3.10 or let me have any feature request created for the same

pablo · June 30, 2023, 3:39pm

@ARK How do you deploy your cluster?

ARK · July 3, 2023, 1:47pm

We do only have single node OS configured and that was manually deployed. We don’t use any container level deployment

pablo · July 3, 2023, 6:35pm

@ARK As far as I know you could use only environment variables. There is no encryption available for keystore/truststore passwords.

Maybe in the long term, you should consider k8s deployment and use secrets with etcd encryption to hide the passwords.

ARK · July 3, 2023, 7:00pm

Thank you @pablo for the input! Sure, I will take a look that solution.

Topic		Replies	Views
Can we use encrypted password in opensearch.yml for plugins.security.ssl.transport.keystore_password Security	2	655	January 3, 2022
Secure Settings / opensearch-keystore Security	2	823	December 6, 2022
Set simple password Security configure	3	420	July 22, 2022
Is Keystore and Truststore works with Opensearch dashboards Security configure	5	1693	March 2, 2022
K8s: Define SSL certificates via secrets Security configure	37	3593	February 8, 2024

Encrypt SSL Keystore/Truststore Password Properties in opensearch.yml

Related Topics