Watches might have access to sensitive data such as HTTP basic authentication information or details about your SMTP email service. You can encrypt this data by generating a key and adding some secure settings on each node in your cluster.

Everypassword field that is used in your watch within an HTTP basic authentication block - for example within a webhook, an HTTP input or when using the reporting email attachment - will not be stored as plain text anymore. Also be aware, that there is no way to configure your own fields in a watch to be encrypted.

To encrypt sensitive data in Watcher:

1. Use theelasticsearch-syskeygen command to create a system key file.

2. Copy thesystem_key file to all of the nodes in your cluster.

   Important

   The system key is a symmetric key, so the same key must be used on every node in the cluster.

3. Set thexpack.watcher.encrypt_sensitive_data setting:

   xpack.watcher.encrypt_sensitive_data: true

4. Set thexpack.watcher.encryption_key setting in theElasticsearch keystore on each node in the cluster.

   For example, run the following command to import thesystem_key file on each node:

   bin/elasticsearch-keystore add-file xpack.watcher.encryption_key <filepath>/system_key

5. Delete thesystem_key file on each node in the cluster.