Secure Settings #22475

@rjernst

This is a meta issue to track work on making sensitive settings secure in elasticsearch. The core infrastructure for this feature is added in #22335, which provides the elasticsearch-keystore tool. The following work is still necessary to consider the feature complete:

  • Convert existing settings (e.g. aws keys) to new infrastructure
  • Add password support to the keystore
  • Add reading password for start scripts (init.d and systemd)
  • Investigate best location for keystore file. Currently in config dir, which has read permissions for the life of the node, but could place somewhere with no SM permissions, since reading is done before SM is set up.

The following would be nice-to-haves:

  • Investigate only allowing reading secure settings registered by plugins (e.g. not allowing reading other plugins' secure settings)
  • [x] Investigate setting explicit algorithm for PBE
  • Add support for private keys
  • Add support for certificates
  • Add support to read secure settings from Vault instead of keystore
