Can we use encrypted password in opensearch.yml for plugins.security.ssl.transport.keystore_password

[szwlhd]

I am using Keystore and truststore files to configure security plug-in. But while configuring it we have to provided the keystore and truststore password in plain text format like below. Can we use these password in encrypted format ?

I want to use encripted value of password "changeit"
plugins.security.ssl.transport.enabled: true
plugins.security.ssl.transport.keystore_type: pkcs12
plugins.security.ssl.transport.keystore_filepath: …/config/certs/my-keystore.p12
plugins.security.ssl.transport.keystore_password: changeit
plugins.security.ssl.transport.truststore_type: pkcs12
plugins.security.ssl.transport.truststore_filepath: …/config/certs/my-truststore.p12
plugins.security.ssl.transport.truststore_password: changeit

[chriswhite199]

I've asked something similar on the forums (no answers as of yet)

• https://forum.opensearch.org/t/secure-settings-opensearch-keystore/11667

To me it seems a trivial change to mark all the password settings in https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java#L319 as being SecureSetting.secureString rather than Setting.simpleString.

I'm happy to push a PR for this, but not sure of the wider ramifications in doing to (it would be a breaking change for any upgrades for example - but an alternative setting set could be introduced and the current ones logged as deprecated in the short term.

[peternied]

@chriswhite199 We'd love a pull request and could have discussion around a draft pull request of the change if you'd like.

Your concern is justified, we wouldn't want to break existing customers on an upgrade. Adding a new secure setting that is used if available would be a good alternative

[chriswhite199]

@peternied - I've started something but check the following approach so i don't go too far off course:

        // make current setting deprecated and enforce if secure config flag is set
        final Setting<SecureString> deprecatedSslHttpKeystorePasswordSetting = 
        SecureSetting.insecureString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD);
        
        // new secure config, that can fallback to the legacy setting, assuming that the 'opensearch.allow_insecure_settings' property is set to true (this would still be a somewhat breaking change as it defaults to false)
        // SECURITY_SSL_HTTP_KEYSTORE_PASSWORD_SECURE = "plugins.security.ssl.http.keystore_password_secure"
        settings.add(SecureSetting.secureString(
            SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD_SECURE, 
            deprecatedSslHttpKeystorePasswordSetting));
        

Then just need to update all references to SECURITY_SSL_HTTP_KEYSTORE_PASSWORD to use SECURITY_SSL_HTTP_KEYSTORE_PASSWORD_SECURE instead.

[peternied]

That looks like a good start

[chinawushuai]

Which version currently implements this feature？

[peternied]

Looks like this has been added, but not documented, created an issue [1] for adding the documentation.

• [1] [Documentation] Encrypted passwords in settings files #3320