Keystore: Allow user to set their own password on the keystore

[ph]

The current keystore currently uses a blank password "" and doesn't allow the user to configure the password on the keystore. The internal implementation has everything in place to support a user provided password.

Logstash is moving forward to allow user to setup an environment variable named LOGSTASH_KEYSTORE_PASS, that could be use to decrypt and create new keys in the keystore.

TODO

• Add password support to the keystore
• Add reading password for start scripts

Follow up issue from #5687

related issues: elastic/elasticsearch#22475

[ph]

This was discussed in a call with @joshbressers @jakelandis

@joshbressers Do we have more details about how ES is planning to do that? I just have found the meta issue.

I am interested about your opinion @andrewkroh

[ph]

Looking through Logstash documentation:

It should not be complicated to add support for user defined password via the environment, we already use an empty string as the password. We should probably follow the convention set by Logstash and use {beatname}_KEYSTORE_PASS.

[andrewkroh]

While it may not be completely avoidable, I'd prefer to keep secrets out of the environment as much as possible. I'd prefer reading from stdin where possible. This gives us more control over the memory where the secrets are stored. We can then do things to protect this memory and can wipe it when done.

I think we should consider using the "ASKPASS" scheme followed by other tools like SSH and Git. Basically we would read from the terminal if we can or use the tool specified in BEAT_ASKPASS if a terminal isn't present. (You can make the logic more smart than what I described.)

With systemd we should use systemd-ask-password to collect the password. It will use the appropriate means to collect the input from the user and output it to our process.

As we receive the password into memory we should consider adding some additional protections to the memory like ensuring that the password and any unencrypted secrets are not swapped to disk (mlock). We could also surround the data with some mprotect guard pages such that if something tries to read our protected memory that we wipe it and exit.

edit: And if the Beats needs a password we should get it early on because we want to add a seccomp filter that prevents execve and you want be able to invoke the ASKPASS program afterwards.

[joshbressers]

I filed an issue for elasticsearch around needing a password to unlock the keystore
elastic/elasticsearch#32691

[Ihaim-crypto]

Hello,
Is there an estimated version in which this is planned to be released?
according to the latest API (Filebeat f.e), you can't create a Keystore with user password
It is a valuable security concern for usage.