How to create a Logstash keystore

Keeping Elasticsearch passwords, API keys, and similar secrets out of Logstash configuration reduces the chance of leaking them through copied pipeline files, repository commits, backups, or troubleshooting bundles. A Logstash keystore stores the sensitive value locally so the config keeps only a placeholder instead of the plain-text secret.

The keystore lives in the directory defined by path.settings, which is typically /etc/logstash on current DEB and RPM installs. Each secret uses an arbitrary key name such as ES_PWD, and Logstash resolves ${KEY} references from the keystore before falling back to environment variables when it parses logstash.yml or pipeline configuration.

Create the keystore against the same path.settings directory used by the running service, or Logstash will read a different file at startup. If you want password protection, export LOGSTASH_KEYSTORE_PASS before running the command and make the same variable available to the service later. Running create against an existing keystore prompts before overwriting it, and accepting that prompt permanently clears the stored secrets already in that file.

Steps to create a Logstash keystore:

  1. Create the keystore in the active path.settings directory.
    $ printf 'y\n' | sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create
    Using bundled JDK: /usr/share/logstash/jdk
    
    WARNING: The keystore password is not set. Please set the environment variable `LOGSTASH_KEYSTORE_PASS`. Failure to do so will result in reduced security. Continue without password protection on the keystore? [y/N] [2026-04-08T00:14:08,405][INFO ][org.logstash.secret.store.backend.JavaKeyStore] Created Logstash keystore at /etc/logstash/logstash.keystore
    Created Logstash keystore at /etc/logstash/logstash.keystore

    Overwriting an existing keystore clears all stored keys and secrets.

    Set LOGSTASH_KEYSTORE_PASS before running the command to create a password-protected keystore, and preserve the variable through sudo -E.

  2. Give ownership of the keystore file (which sudo created as root) to the logstash service account and restrict it to owner-only access.
    $ sudo chown logstash:root /etc/logstash/logstash.keystore && sudo chmod 0600 /etc/logstash/logstash.keystore

    Elastic's current keystore docs still call out this ownership model because the file must stay protected while remaining readable to the logstash user.

  3. Verify the keystore file path, owner, and mode.
    $ sudo ls -l /etc/logstash/logstash.keystore
    -rw------- 1 logstash root 554 Apr  8 00:14 /etc/logstash/logstash.keystore

    The exact file size can vary by release, but the path, owner, and 0600 mode should match the service account and the active path.settings directory.

  4. Confirm that Logstash can open the new keystore.
    $ sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash list

    A newly created keystore prints no key names yet. That empty result is normal and still confirms that the file is readable and valid.
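The four steps above as one script, added here as an example and not taken from the article or from Elastic's own tooling. It assumes the bundled CLI at /usr/share/logstash/bin/logstash-keystore, /etc/logstash as path.settings and "logstash" as the service account (all overridable through LS_BIN, LS_SETTINGS and LS_USER), refuses to overwrite an existing keystore instead of piping "y" into the prompt, and replaces the eyeball check of `ls -l` with a function that fails unless the file is 0600 and owned by the expected user. The file name create-keystore.sh is mine.

```shell
#!/bin/sh
# Added example (not from the original article or from Elastic): the four steps
# above as one script, plus a stricter owner/mode check than reading ls -l.
# Assumptions: the bundled CLI is /usr/share/logstash/bin/logstash-keystore,
# path.settings is /etc/logstash and the service account is "logstash".
# Override LS_BIN, LS_SETTINGS or LS_USER in the environment if yours differ.
set -eu

LS_BIN="${LS_BIN:-/usr/share/logstash/bin/logstash-keystore}"
LS_SETTINGS="${LS_SETTINGS:-/etc/logstash}"
LS_USER="${LS_USER:-logstash}"
KEYSTORE="$LS_SETTINGS/logstash.keystore"

# Print "<octal mode> <owner name>" for a file; tries GNU stat, then BSD stat.
file_mode_owner() {
  stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1"
}

# Succeed only when FILE exists, is mode 0600 and is owned by OWNER.
# Usage: check_keystore_perms /etc/logstash/logstash.keystore logstash
check_keystore_perms() {
  ks_file="$1"
  ks_owner="$2"
  [ -f "$ks_file" ] || return 1
  set -- $(file_mode_owner "$ks_file")   # $1 = mode, $2 = owner
  [ "$1" = "600" ] && [ "$2" = "$ks_owner" ]
}

# Step 1: create the keystore. Never pipe "y" blindly: an existing keystore
# would be overwritten and every secret in it lost, so refuse in that case.
create_keystore() {
  if [ -e "$KEYSTORE" ]; then
    echo "refusing to overwrite existing $KEYSTORE" >&2
    return 1
  fi
  if [ -z "${LOGSTASH_KEYSTORE_PASS:-}" ]; then
    echo "note: LOGSTASH_KEYSTORE_PASS is unset; the keystore will not be password-protected" >&2
  fi
  # sudo -E keeps LOGSTASH_KEYSTORE_PASS in the environment seen by the CLI.
  sudo -E "$LS_BIN" --path.settings "$LS_SETTINGS" create
}

# Step 2: the file was written by root; hand it to the service account, owner-only.
lock_down_keystore() {
  sudo chown "$LS_USER:root" "$KEYSTORE"
  sudo chmod 0600 "$KEYSTORE"
}

# Steps 3 and 4: verify path, owner and mode, then prove Logstash can open it.
verify_keystore() {
  sudo ls -l "$KEYSTORE"
  if ! check_keystore_perms "$KEYSTORE" "$LS_USER"; then
    echo "keystore is not mode 0600 and owned by $LS_USER" >&2
    return 1
  fi
  # An empty listing is the expected result on a fresh keystore.
  sudo -E "$LS_BIN" --path.settings "$LS_SETTINGS" list
}

# Run the procedure only when invoked as "sh create-keystore.sh run" on a host
# that has the CLI; otherwise the file just defines the functions above.
if [ "${1:-}" = "run" ] && [ -x "$LS_BIN" ]; then
  create_keystore
  lock_down_keystore
  verify_keystore
fi
```

If you want the password-protected variant, export LOGSTASH_KEYSTORE_PASS in the shell before `sh create-keystore.sh run`; the same variable then has to reach the service's environment, for example through the unit's environment file, or Logstash will not be able to open the keystore at startup. The permission check is deliberately strict in both directions: a wider mode exposes the file, and the wrong owner means the logstash user cannot read it, so either condition makes `check_keystore_perms` fail.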