From e88a0d27f498c52ba185bdfc33edd8d2ece036e9 Mon Sep 17 00:00:00 2001 From: William Brafford Date: Thu, 9 Jan 2020 16:04:03 -0500 Subject: [PATCH 1/8] Add documentation for keystore startup prompting When a keystore is password-protected, Elasticsearch will prompt at startup. This commit adds documentation for this prompt for the archive, systemd, and Docker cases. --- docs/reference/setup/install/docker.asciidoc | 17 +++++++++++++++++ docs/reference/setup/install/systemd.asciidoc | 10 ++++++++++ .../setup/install/targz-daemon.asciidoc | 4 ++++ .../setup/install/targz-start.asciidoc | 4 ++++ .../setup/install/zip-windows-start.asciidoc | 4 ++++ docs/reference/setup/secure-settings.asciidoc | 2 ++ 6 files changed, 41 insertions(+) diff --git a/docs/reference/setup/install/docker.asciidoc b/docs/reference/setup/install/docker.asciidoc index 537dec2904070..d2bd6b3debb5e 100644 --- a/docs/reference/setup/install/docker.asciidoc +++ b/docs/reference/setup/install/docker.asciidoc @@ -360,6 +360,23 @@ IMPORTANT: The container **runs {es} as user `elasticsearch` using uid:gid `1000:0`**. Bind mounted host directories and files must be accessible by this user, and the data and log directories must be writable by this user. +[[docker-keystore-bind-mount]] +===== Mounting an {es} keystore + +If you want to use {ref}/secure-settings.html[secure settings] and password-protect +the keystore that stores them, you will need to use the `elasticsearch-keystore` utility +to create a password-protected keystore and bind-mount it to the container +as `/usr/share/elasticsearch/config/elasticsearch.keystore`. In order to provide +the Docker container with the password at startup, set the Docker environment +value `KEYSTORE_VALUE` to the value of your password. For example, a `docker run` +command might have the following options: + +[source, sh] +-------------------------------------------- +-v full_path_to/elasticsearch.keystore:/usr/share/elasticsearch/config/elasticsearch.keystore +-E KEYSTORE_PASSWORD=mypassword +-------------------------------------------- + [[_c_customized_image]] ===== Using custom Docker images In some environments, it might make more sense to prepare a custom image that contains diff --git a/docs/reference/setup/install/systemd.asciidoc b/docs/reference/setup/install/systemd.asciidoc index bf94e95fb63df..98f7e004534ba 100644 --- a/docs/reference/setup/install/systemd.asciidoc +++ b/docs/reference/setup/install/systemd.asciidoc @@ -21,6 +21,16 @@ These commands provide no feedback as to whether Elasticsearch was started successfully or not. Instead, this information will be written in the log files located in `/var/log/elasticsearch/`. +If you have password-protected your {es} keystore, you will need to provide +`systemd` with the keystore password using a local file and systemd environment +variables: + +----------------------------------------------------------------------------------- +echo "keystore_password" > /path/to/my_pwd_file.tmp +sudo systemctl set-environment ES_KEYSTORE_PASSPHRASE_FILE=/path/to/my_pwd_file.tmp +sudo systemctl start elasticsearch.service +----------------------------------------------------------------------------------- + By default the Elasticsearch service doesn't log information in the `systemd` journal. To enable `journalctl` logging, the `--quiet` option must be removed from the `ExecStart` command line in the `elasticsearch.service` file. diff --git a/docs/reference/setup/install/targz-daemon.asciidoc b/docs/reference/setup/install/targz-daemon.asciidoc index 1325503687a07..a2a093b15bf3c 100644 --- a/docs/reference/setup/install/targz-daemon.asciidoc +++ b/docs/reference/setup/install/targz-daemon.asciidoc @@ -8,6 +8,10 @@ the process ID in a file using the `-p` option: ./bin/elasticsearch -d -p pid -------------------------------------------- +If you have configured secure settings and password-protected the {es} +keystore, you will be prompted to enter the keystore's password before +the program enters daemon mode. + Log messages can be found in the `$ES_HOME/logs/` directory. To shut down Elasticsearch, kill the process ID recorded in the `pid` file: diff --git a/docs/reference/setup/install/targz-start.asciidoc b/docs/reference/setup/install/targz-start.asciidoc index 907b2a7317d79..c576d31aab551 100644 --- a/docs/reference/setup/install/targz-start.asciidoc +++ b/docs/reference/setup/install/targz-start.asciidoc @@ -7,6 +7,10 @@ Elasticsearch can be started from the command line as follows: ./bin/elasticsearch -------------------------------------------- +If you have configured secure settings and password-protected the {es} +keystore, you will be prompted to enter the keystore's password. See +{ref}/secure-settings.html[secure settings] for more details. + By default, Elasticsearch runs in the foreground, prints its logs to the standard output (`stdout`), and can be stopped by pressing `Ctrl-C`. diff --git a/docs/reference/setup/install/zip-windows-start.asciidoc b/docs/reference/setup/install/zip-windows-start.asciidoc index 7ecea449d2895..c910130b99c84 100644 --- a/docs/reference/setup/install/zip-windows-start.asciidoc +++ b/docs/reference/setup/install/zip-windows-start.asciidoc @@ -7,5 +7,9 @@ Elasticsearch can be started from the command line as follows: .\bin\elasticsearch.bat -------------------------------------------- +If you have configured secure settings and password-protected the {es} +keystore, you will be prompted to enter the keystore's password. See +{ref}/secure-settings.html[secure settings] for more details. + By default, Elasticsearch runs in the foreground, prints its logs to `STDOUT`, and can be stopped by pressing `Ctrl-C`. diff --git a/docs/reference/setup/secure-settings.asciidoc b/docs/reference/setup/secure-settings.asciidoc index ebab13c248078..695628b902f64 100644 --- a/docs/reference/setup/secure-settings.asciidoc +++ b/docs/reference/setup/secure-settings.asciidoc @@ -35,6 +35,8 @@ You will be prompted to enter the keystore password and the file `elasticsearch. NOTE: If you don't specify the `-p` flag or if you enter an empty password, the {es} keystore will be obfuscated but not password protected. +Once the keystore is password-protected, Elasticsearch will prompt for a password at startup. + [float] [[changing-keystore-password]] === Changing the password of the keystore From c8a5723d0c198279a5fd1ce989af091fc122ea4e Mon Sep 17 00:00:00 2001 From: William Brafford Date: Thu, 9 Jan 2020 17:16:58 -0500 Subject: [PATCH 2/8] Add language description to code block --- docs/reference/setup/install/systemd.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/reference/setup/install/systemd.asciidoc b/docs/reference/setup/install/systemd.asciidoc index 98f7e004534ba..5862ed744e0df 100644 --- a/docs/reference/setup/install/systemd.asciidoc +++ b/docs/reference/setup/install/systemd.asciidoc @@ -25,6 +25,7 @@ If you have password-protected your {es} keystore, you will need to provide `systemd` with the keystore password using a local file and systemd environment variables: +[source,sh] ----------------------------------------------------------------------------------- echo "keystore_password" > /path/to/my_pwd_file.tmp sudo systemctl set-environment ES_KEYSTORE_PASSPHRASE_FILE=/path/to/my_pwd_file.tmp From cc3dd4c63e8645a7714c2942055c5602c73f64b2 Mon Sep 17 00:00:00 2001 From: William Brafford Date: Fri, 10 Jan 2020 11:54:50 -0500 Subject: [PATCH 3/8] Respond to PR feedback --- docs/reference/setup/install/docker.asciidoc | 7 ++++--- docs/reference/setup/install/systemd.asciidoc | 4 +++- docs/reference/setup/install/targz-daemon.asciidoc | 8 ++++---- docs/reference/setup/install/targz-start.asciidoc | 6 +++--- docs/reference/setup/install/zip-windows-start.asciidoc | 5 ++--- docs/reference/setup/secure-settings.asciidoc | 2 +- 6 files changed, 17 insertions(+), 15 deletions(-) diff --git a/docs/reference/setup/install/docker.asciidoc b/docs/reference/setup/install/docker.asciidoc index d2bd6b3debb5e..2909db9399359 100644 --- a/docs/reference/setup/install/docker.asciidoc +++ b/docs/reference/setup/install/docker.asciidoc @@ -363,9 +363,10 @@ and the data and log directories must be writable by this user. [[docker-keystore-bind-mount]] ===== Mounting an {es} keystore -If you want to use {ref}/secure-settings.html[secure settings] and password-protect -the keystore that stores them, you will need to use the `elasticsearch-keystore` utility -to create a password-protected keystore and bind-mount it to the container +By default, {es} will auto-generate a keystore file for secure settings. This file +is obfuscated but not encrypted. If you want to encrypt your <> +by password-protected the keystore that stores them, you must use the `elasticsearch-keystore` +utility to create a password-protected keystore and bind-mount it to the container as `/usr/share/elasticsearch/config/elasticsearch.keystore`. In order to provide the Docker container with the password at startup, set the Docker environment value `KEYSTORE_VALUE` to the value of your password. For example, a `docker run` diff --git a/docs/reference/setup/install/systemd.asciidoc b/docs/reference/setup/install/systemd.asciidoc index 5862ed744e0df..274a599e68f09 100644 --- a/docs/reference/setup/install/systemd.asciidoc +++ b/docs/reference/setup/install/systemd.asciidoc @@ -23,11 +23,13 @@ files located in `/var/log/elasticsearch/`. If you have password-protected your {es} keystore, you will need to provide `systemd` with the keystore password using a local file and systemd environment -variables: +variables. This local file should be protected while it exists and may be +safely deleted once Elasticsearch is up and running. [source,sh] ----------------------------------------------------------------------------------- echo "keystore_password" > /path/to/my_pwd_file.tmp +chmod 600 /path/to/my_pwd_file.tmp sudo systemctl set-environment ES_KEYSTORE_PASSPHRASE_FILE=/path/to/my_pwd_file.tmp sudo systemctl start elasticsearch.service ----------------------------------------------------------------------------------- diff --git a/docs/reference/setup/install/targz-daemon.asciidoc b/docs/reference/setup/install/targz-daemon.asciidoc index a2a093b15bf3c..2ccd0519945b4 100644 --- a/docs/reference/setup/install/targz-daemon.asciidoc +++ b/docs/reference/setup/install/targz-daemon.asciidoc @@ -8,9 +8,9 @@ the process ID in a file using the `-p` option: ./bin/elasticsearch -d -p pid -------------------------------------------- -If you have configured secure settings and password-protected the {es} -keystore, you will be prompted to enter the keystore's password before -the program enters daemon mode. +If you have password-protected the {es} keystore, you will be prompted +to enter the keystore's password. See <> for more +details. Log messages can be found in the `$ES_HOME/logs/` directory. @@ -18,7 +18,7 @@ To shut down Elasticsearch, kill the process ID recorded in the `pid` file: [source,sh] -------------------------------------------- -pkill -F pid +pkill -F pid -------------------------------------------- NOTE: The startup scripts provided in the <> and <> diff --git a/docs/reference/setup/install/targz-start.asciidoc b/docs/reference/setup/install/targz-start.asciidoc index c576d31aab551..cf90e05d173f6 100644 --- a/docs/reference/setup/install/targz-start.asciidoc +++ b/docs/reference/setup/install/targz-start.asciidoc @@ -7,9 +7,9 @@ Elasticsearch can be started from the command line as follows: ./bin/elasticsearch -------------------------------------------- -If you have configured secure settings and password-protected the {es} -keystore, you will be prompted to enter the keystore's password. See -{ref}/secure-settings.html[secure settings] for more details. +If you have password-protected the {es} keystore, you will be prompted +to enter the keystore's password. See <> for more +details. By default, Elasticsearch runs in the foreground, prints its logs to the standard output (`stdout`), and can be stopped by pressing `Ctrl-C`. diff --git a/docs/reference/setup/install/zip-windows-start.asciidoc b/docs/reference/setup/install/zip-windows-start.asciidoc index c910130b99c84..718259e4b77fc 100644 --- a/docs/reference/setup/install/zip-windows-start.asciidoc +++ b/docs/reference/setup/install/zip-windows-start.asciidoc @@ -7,9 +7,8 @@ Elasticsearch can be started from the command line as follows: .\bin\elasticsearch.bat -------------------------------------------- -If you have configured secure settings and password-protected the {es} -keystore, you will be prompted to enter the keystore's password. See -{ref}/secure-settings.html[secure settings] for more details. +If you have password-protected the {es} keystore, you will be prompted to +enter the keystore's password. See <> for more details. By default, Elasticsearch runs in the foreground, prints its logs to `STDOUT`, and can be stopped by pressing `Ctrl-C`. diff --git a/docs/reference/setup/secure-settings.asciidoc b/docs/reference/setup/secure-settings.asciidoc index 695628b902f64..b5ec67cb81a0d 100644 --- a/docs/reference/setup/secure-settings.asciidoc +++ b/docs/reference/setup/secure-settings.asciidoc @@ -35,7 +35,7 @@ You will be prompted to enter the keystore password and the file `elasticsearch. NOTE: If you don't specify the `-p` flag or if you enter an empty password, the {es} keystore will be obfuscated but not password protected. -Once the keystore is password-protected, Elasticsearch will prompt for a password at startup. +When the keystore is password-protected, {es} will require you to supply a password each time it starts. [float] [[changing-keystore-password]] From 5046a1b54650d4264dbf7e1dd447b9a8a13b37d4 Mon Sep 17 00:00:00 2001 From: William Brafford Date: Mon, 13 Jan 2020 09:44:44 -0500 Subject: [PATCH 4/8] Fix grammar errors --- docs/reference/setup/install/docker.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/reference/setup/install/docker.asciidoc b/docs/reference/setup/install/docker.asciidoc index 2909db9399359..104dfb8b6f58d 100644 --- a/docs/reference/setup/install/docker.asciidoc +++ b/docs/reference/setup/install/docker.asciidoc @@ -365,11 +365,11 @@ and the data and log directories must be writable by this user. By default, {es} will auto-generate a keystore file for secure settings. This file is obfuscated but not encrypted. If you want to encrypt your <> -by password-protected the keystore that stores them, you must use the `elasticsearch-keystore` +by password-protecting the keystore that stores them, you must use the `elasticsearch-keystore` utility to create a password-protected keystore and bind-mount it to the container as `/usr/share/elasticsearch/config/elasticsearch.keystore`. In order to provide the Docker container with the password at startup, set the Docker environment -value `KEYSTORE_VALUE` to the value of your password. For example, a `docker run` +value `KEYSTORE_PASSWORD` to the value of your password. For example, a `docker run` command might have the following options: [source, sh] From 5af8fa753ae90e257993908e8857fbd1c9750491 Mon Sep 17 00:00:00 2001 From: William Brafford Date: Mon, 13 Jan 2020 10:08:23 -0500 Subject: [PATCH 5/8] Stylistic nit --- docs/reference/setup/install/docker.asciidoc | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/docs/reference/setup/install/docker.asciidoc b/docs/reference/setup/install/docker.asciidoc index 104dfb8b6f58d..766c71d2840f4 100644 --- a/docs/reference/setup/install/docker.asciidoc +++ b/docs/reference/setup/install/docker.asciidoc @@ -363,14 +363,15 @@ and the data and log directories must be writable by this user. [[docker-keystore-bind-mount]] ===== Mounting an {es} keystore -By default, {es} will auto-generate a keystore file for secure settings. This file -is obfuscated but not encrypted. If you want to encrypt your <> -by password-protecting the keystore that stores them, you must use the `elasticsearch-keystore` -utility to create a password-protected keystore and bind-mount it to the container -as `/usr/share/elasticsearch/config/elasticsearch.keystore`. In order to provide +By default, {es} will auto-generate a keystore file for secure settings. This +file is obfuscated but not encrypted. If you want to encrypt your +<> with a password, you must use the +`elasticsearch-keystore` utility to create a password-protected keystore and +bind-mount it to the container as +`/usr/share/elasticsearch/config/elasticsearch.keystore`. In order to provide the Docker container with the password at startup, set the Docker environment -value `KEYSTORE_PASSWORD` to the value of your password. For example, a `docker run` -command might have the following options: +value `KEYSTORE_PASSWORD` to the value of your password. For example, a `docker +run` command might have the following options: [source, sh] -------------------------------------------- From 380fcce4603aac4a4b591a85fc6a6d3ade3583cb Mon Sep 17 00:00:00 2001 From: lcawl Date: Mon, 13 Jan 2020 13:55:49 -0800 Subject: [PATCH 6/8] [DOCS] Update keystore command --- docs/reference/commands/keystore.asciidoc | 79 ++++++++++++++++++++--- 1 file changed, 69 insertions(+), 10 deletions(-) diff --git a/docs/reference/commands/keystore.asciidoc b/docs/reference/commands/keystore.asciidoc index f9ce718d3b35f..75250a885c379 100644 --- a/docs/reference/commands/keystore.asciidoc +++ b/docs/reference/commands/keystore.asciidoc @@ -11,9 +11,9 @@ in the {es} keystore. [source,shell] -------------------------------------------------- bin/elasticsearch-keystore -([add ] [--stdin] | -[add-file ] | [create] | -[list] | [remove ] | [upgrade]) +([add ] [-f] [--stdin] | +[add-file ] | [create] [-p] | +[list] | [passwd] | [remove ] | [upgrade]) [-h, --help] ([-s, --silent] | [-v, --verbose]) -------------------------------------------------- @@ -26,6 +26,9 @@ IMPORTANT: This command should be run as the user that will run {es}. Currently, all secure settings are node-specific settings that must have the same value on every node. Therefore you must run this command on every node. +When the keystore is password-protected, you must supply the password each time +{es} starts. + Modifications to the keystore do not take effect until you restart {es}. Only some settings are designed to be read from the keystore. However, there @@ -38,15 +41,30 @@ keystore, see the setting reference. === Parameters `add `:: Adds settings to the keystore. By default, you are prompted -for the value of the setting. +for the value of the setting. If the keystore is password protected, you are +also prompted to enter the password. `add-file `:: Adds a file to the keystore. `create`:: Creates the keystore. +`-f`:: When used with the `add` parameter, the command overwrites existing +entries in the keystore. +//TBD: What happens to existing entries if you do not specify this option? Does the command fail with an error? + `-h, --help`:: Returns all of the command parameters. -`list`:: Lists the settings in the keystore. +`list`:: Lists the settings in the keystore. If the keystore is password +protected, you are prompted to enter the password. + +`-p`:: When used with the `create` parameter, the command prompts you to enter a +keystore password. If you don't specify the `-p` flag or if you enter an empty +password, the keystore is obfuscated but not password protected. + +`passwd`:: Changes or sets the keystore password. If the keystore is password +protected, you are prompted to enter the current password and the new one. You +can optionally use an empty string to remove the password. If the keystore is +not password protected, you can use this command to set a password. `remove :: Removes a setting from the keystore. @@ -71,11 +89,26 @@ To create the `elasticsearch.keystore`, use the `create` command: [source,sh] ---------------------------------------------------------------- -bin/elasticsearch-keystore create +bin/elasticsearch-keystore create -p +---------------------------------------------------------------- + +You are prompted to enter the keystore password. A password-protected +`elasticsearch.keystore` file is created alongside the `elasticsearch.yml` file. + +[discrete] +[[changing-keystore-password]] +==== Change the password of the keystore + +To change the password of the `elasticsearch.keystore`, use the `passwd` command: + +[source,sh] +---------------------------------------------------------------- +bin/elasticsearch-keystore passwd ---------------------------------------------------------------- -A `elasticsearch.keystore` file is created alongside the `elasticsearch.yml` -file. +If the {es} keystore is password protected, you are prompted to enter the +current password and then enter the new one. If it is not password protected, +you are prompted to set a password. [discrete] [[list-settings]] @@ -88,6 +121,9 @@ To list the settings in the keystore, use the `list` command. bin/elasticsearch-keystore list ---------------------------------------------------------------- +If the {es} keystore is password protected, you are prompted to enter the +password. + [discrete] [[add-string-to-keystore]] ==== Add settings to the keystore @@ -100,14 +136,31 @@ can be added with the `add` command: bin/elasticsearch-keystore add the.setting.name.to.set ---------------------------------------------------------------- -You are prompted to enter the value of the setting. To pass the value -through standard input (stdin), use the `--stdin` flag: +You are prompted to enter the value of the setting. If the {es} keystore is +password protected, you are also prompted to enter the password. + +To pass the setting value through standard input (stdin), use the `--stdin` flag: [source,sh] ---------------------------------------------------------------- cat /file/containing/setting/value | bin/elasticsearch-keystore add --stdin the.setting.name.to.set ---------------------------------------------------------------- +You can overwrite existing entries in the keystore by using the `-f` parameter: + +[source,sh] +---------------------------------------------------------------- +bin/elasticsearch-keystore add -f the.existing.setting.name.to.set +---------------------------------------------------------------- + +NOTE: The `-f` parameter will also force the creation of an obfuscated-only +keystore, if one doesn't already exist. + +//// +TBD: This NOTE is unclear. Why would you want both a password-protected and an +obfuscated-only keystore? Or does this mean that it creates the keystore if it +doesn't already exist? +//// [discrete] [[add-file-to-keystore]] ==== Add files to the keystore @@ -121,6 +174,9 @@ after the setting name. bin/elasticsearch-keystore add-file the.setting.name.to.set /path/example-file.json ---------------------------------------------------------------- +If the {es} keystore is password protected, you are prompted to enter the +password. + [discrete] [[remove-settings]] ==== Remove settings from the keystore @@ -132,6 +188,9 @@ To remove a setting from the keystore, use the `remove` command: bin/elasticsearch-keystore remove the.setting.name.to.remove ---------------------------------------------------------------- +If the {es} keystore is password protected, you are prompted to enter the +password. + [discrete] [[keystore-upgrade]] ==== Upgrade the keystore From 06f4836b2777b13bc1771830ba54ac306d747ff6 Mon Sep 17 00:00:00 2001 From: lcawl Date: Mon, 13 Jan 2020 16:51:00 -0800 Subject: [PATCH 7/8] [DOCS] Clarifies -f behaviour --- docs/reference/commands/keystore.asciidoc | 27 +++++++---------------- 1 file changed, 8 insertions(+), 19 deletions(-) diff --git a/docs/reference/commands/keystore.asciidoc b/docs/reference/commands/keystore.asciidoc index 75250a885c379..c7d5908b4840a 100644 --- a/docs/reference/commands/keystore.asciidoc +++ b/docs/reference/commands/keystore.asciidoc @@ -42,15 +42,19 @@ keystore, see the setting reference. `add `:: Adds settings to the keystore. By default, you are prompted for the value of the setting. If the keystore is password protected, you are -also prompted to enter the password. +also prompted to enter the password. If the setting already exists in the +keystore, you must confirm that you want to overwrite the current value. If the +keystore does not exist, you must confirm that you want to create a keystore. To +avoid these two confirmation prompts, use the `-f` parameter. `add-file `:: Adds a file to the keystore. `create`:: Creates the keystore. -`-f`:: When used with the `add` parameter, the command overwrites existing -entries in the keystore. -//TBD: What happens to existing entries if you do not specify this option? Does the command fail with an error? +`-f`:: When used with the `add` parameter, the command no longer prompts you +before overwriting existing entries in the keystore. Also, if you haven't +created a keystore yet, it creates a keystore that is obfuscated but not +password protected. `-h, --help`:: Returns all of the command parameters. @@ -146,21 +150,6 @@ To pass the setting value through standard input (stdin), use the `--stdin` flag cat /file/containing/setting/value | bin/elasticsearch-keystore add --stdin the.setting.name.to.set ---------------------------------------------------------------- -You can overwrite existing entries in the keystore by using the `-f` parameter: - -[source,sh] ----------------------------------------------------------------- -bin/elasticsearch-keystore add -f the.existing.setting.name.to.set ----------------------------------------------------------------- - -NOTE: The `-f` parameter will also force the creation of an obfuscated-only -keystore, if one doesn't already exist. - -//// -TBD: This NOTE is unclear. Why would you want both a password-protected and an -obfuscated-only keystore? Or does this mean that it creates the keystore if it -doesn't already exist? -//// [discrete] [[add-file-to-keystore]] ==== Add files to the keystore From 1a74d7cd210cc0ebf43451236535fd18b5e625c6 Mon Sep 17 00:00:00 2001 From: William Brafford Date: Tue, 14 Jan 2020 14:51:50 -0500 Subject: [PATCH 8/8] Fix quotation typo Co-Authored-By: Lisa Cawley --- docs/reference/commands/keystore.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/commands/keystore.asciidoc b/docs/reference/commands/keystore.asciidoc index c7d5908b4840a..085f8acb7adcb 100644 --- a/docs/reference/commands/keystore.asciidoc +++ b/docs/reference/commands/keystore.asciidoc @@ -70,7 +70,7 @@ protected, you are prompted to enter the current password and the new one. You can optionally use an empty string to remove the password. If the keystore is not password protected, you can use this command to set a password. -`remove :: Removes a setting from the keystore. +`remove `:: Removes a setting from the keystore. `-s, --silent`:: Shows minimal output.