The Logstash keystore keeps passwords and tokens out of plain-text configuration files, reducing accidental exposure through backups, version control, and diagnostics.
Keys stored in the keystore can be referenced in Logstash settings and pipeline configuration using ${KEY} substitution, and are resolved before regular environment variables when configurations are parsed.
The keystore file must live in the Logstash path.settings directory (the same directory as /etc/logstash/logstash.yml on typical RPM/DEB installs), and it must remain readable by the logstash service user. Creating a new keystore can overwrite an existing keystore after confirmation and permanently removes previously stored keys, and a password-protected keystore requires LOGSTASH_KEYSTORE_PASS to be available to both the keystore command and the running service.
Steps to create a Logstash keystore:
- Create the Logstash keystore in the path.settings directory.
$ printf 'y\n' | sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create
Using bundled JDK: /usr/share/logstash/jdk
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
WARNING: The keystore password is not set. Please set the environment variable `LOGSTASH_KEYSTORE_PASS`. Failure to do so will result in reduced security. Continue without password protection on the keystore? [y/N] [2026-01-07T22:24:34,960][INFO ][org.logstash.secret.store.backend.JavaKeyStore] Created Logstash keystore at /etc/logstash/logstash.keystore
Created Logstash keystore at /etc/logstash/logstash.keystore
Overwriting an existing keystore clears all stored keys and secrets.
Set LOGSTASH_KEYSTORE_PASS before running the command to create a password-protected keystore, and preserve the variable through sudo.
- Change the keystore file owner to the logstash service user.
$ sudo chown logstash:root /etc/logstash/logstash.keystore
- Restrict keystore file permissions to owner-only access.
$ sudo chmod 0600 /etc/logstash/logstash.keystore
- List keystore keys to confirm the keystore exists and is readable.
$ sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash list
Using bundled JDK: /usr/share/logstash/jdk
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
es_pwd
- Verify the keystore file path, owner, and mode.
$ sudo ls -l /etc/logstash/logstash.keystore
-rw------- 1 logstash root 865 Jan 7 22:25 /etc/logstash/logstash.keystore
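The steps above collected into one script, as an added example that is not part of the original article: it refuses to overwrite an existing keystore (so a re-run cannot wipe stored keys) and ends with a check of the file's owner and mode, which is the state the service depends on. It assumes GNU coreutils (stat -c) as found on the RPM/DEB hosts the article describes, and uses the article's default paths and the logstash service user.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes GNU stat (-c) and
# the article's default paths; override via LS_HOME, LS_SETTINGS, LS_USER.

LS_HOME=${LS_HOME:-/usr/share/logstash}
LS_SETTINGS=${LS_SETTINGS:-/etc/logstash}
LS_USER=${LS_USER:-logstash}

# keystore_perms_ok FILE OWNER [MODE]
# Returns 0 when FILE exists, is owned by OWNER and has octal mode MODE
# (default 600, owner read/write only). Reports the first mismatch on stderr.
keystore_perms_ok() {
    file=$1; want_owner=$2; want_mode=${3:-600}
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    have_owner=$(stat -c '%U' "$file") || return 1
    have_mode=$(stat -c '%a' "$file") || return 1
    if [ "$have_owner" != "$want_owner" ]; then
        echo "owner is $have_owner, expected $want_owner" >&2; return 1
    fi
    if [ "$have_mode" != "$want_mode" ]; then
        echo "mode is $have_mode, expected $want_mode" >&2; return 1
    fi
    return 0
}

# create_keystore: the article's steps in order. Creation is skipped when a
# keystore already exists, since "create" would otherwise clear every stored
# key. Export LOGSTASH_KEYSTORE_PASS first for a password-protected keystore;
# sudo -E passes it through, and the piped "y" only answers the
# no-password prompt when no password is set.
create_keystore() {
    ks="$LS_SETTINGS/logstash.keystore"
    if [ -f "$ks" ]; then
        echo "keystore already exists at $ks, not overwriting" >&2
    else
        printf 'y\n' | sudo -E "$LS_HOME/bin/logstash-keystore" \
            --path.settings "$LS_SETTINGS" create || return 1
    fi
    sudo chown "$LS_USER:root" "$ks" && sudo chmod 0600 "$ks" || return 1
    keystore_perms_ok "$ks" "$LS_USER" 600
}

# Run the real procedure only when explicitly requested, so the file can be
# sourced to reuse keystore_perms_ok without touching /etc/logstash.
if [ "${KEYSTORE_SETUP_RUN:-0}" = 1 ]; then
    create_keystore
fi
```

Run it as root with KEYSTORE_SETUP_RUN=1 to perform the steps; without that variable it only defines the functions, and keystore_perms_ok can be reused in a service pre-start check.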
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
