Open stephen-tw opened 1 year ago
Pinging @elastic/es-core-infra (Team:Core/Infra)
I'm not a Windows expert, so this may not be an appropriate use, but I noticed Windows has a PasswordVault (seems essentially like macOS Keychain?). I wonder if this could be queried for a password from a service.
Description
We are using VMs in Azure to host Elasticsearch in a FedRAMP High (FIPS enabled) environment. The VMs have their own disk space.
We are currently using the “zip” distribution type for Windows.
We install a Windows Service for each node by running the “.\bin\elasticsearch-service install node-name” command.
When Windows starts each of those Services it starts Java with “-Dcli.name=windows-service-daemon” and runs the CliToolLauncher.main() method.
That creates a WindowsServiceDaemon object and calls .execute() on it to start the service daemon.
The WindowsServiceDaemon.execute() method has this hard-coded in it:
var loadedSecrets = KeyStoreWrapper.bootstrap(env.configFile(), () -> new SecureString(new char[0]))
That parameter, () -> new SecureString(new char[0]), is the “passwordProvider”, which is hard-coded to pass in an empty string as the password for the elasticsearch.keystore file.
We need the daemon to do something like this, where it loads the password for elasticsearch.keystore from the process’s environment variables:
We can use Azure to set that environment variable from the Azure Key Vault so it’s present when the Service starts up.
I plan to submit a PR with this change. Any suggestions on things to watch out for? Is the name ES_KEYSTORE_PASSWORD ok?
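An added example, not part of the original issue and not Elasticsearch code: a sketch of an environment-backed password provider that falls back to the empty password when the variable is unset, wipes its own copy after use, and removes the variable from a child process's environment. The class and method names are hypothetical; only `ES_KEYSTORE_PASSWORD` comes from the issue.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.function.Supplier;

// Added illustration, not Elasticsearch code. The class and method names are
// hypothetical; ES_KEYSTORE_PASSWORD is the name proposed in the issue.
public final class KeystorePasswordFromEnv {
    static final String ENV_NAME = "ES_KEYSTORE_PASSWORD";

    // Yields the variable's value as a fresh char[], or an empty array when it
    // is unset, which matches the hard-coded provider quoted in the issue.
    static Supplier<char[]> provider(Map<String, String> env) {
        return () -> {
            String value = env.get(ENV_NAME);
            return value == null ? new char[0] : value.toCharArray();
        };
    }

    // Child processes inherit the parent's environment by default, so remove
    // the variable before starting anything that does not need it.
    static ProcessBuilder withoutPassword(ProcessBuilder builder) {
        builder.environment().remove(ENV_NAME);
        return builder;
    }

    public static void main(String[] args) {
        // Constructed sample environments; a real caller passes System.getenv().
        Map<String, String> unset = Map.of();
        Map<String, String> set = Map.of(ENV_NAME, "constructed-sample-password");

        for (Map<String, String> env : List.of(unset, set)) {
            char[] password = provider(env).get();
            try {
                // The daemon would wrap this char[] in a SecureString here and
                // pass it on as the keystore password.
                System.out.println("password length: " + password.length);
            } finally {
                // Only this copy can be wiped; the String in the process
                // environment stays in memory.
                Arrays.fill(password, '\0');
            }
        }

        ProcessBuilder child = new ProcessBuilder("java", "-version");
        child.environment().put(ENV_NAME, "constructed-sample-password");
        System.out.println("child sees variable: "
            + withoutPassword(child).environment().containsKey(ENV_NAME));
    }
}
```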