elastic · williamrandolph · Jan 14, 2020 · Jan 9, 2020 · Jan 9, 2020 · Jan 10, 2020
diff --git a/docs/reference/setup/install/docker.asciidoc b/docs/reference/setup/install/docker.asciidoc
@@ -360,6 +360,24 @@ IMPORTANT: The container **runs {es} as user `elasticsearch` using
 uid:gid `1000:0`**. Bind mounted host directories and files must be accessible by this user,
 and the data and log directories must be writable by this user.
 
+[[docker-keystore-bind-mount]]
+===== Mounting an {es} keystore
+
+By default, {es} will auto-generate a keystore file for secure settings. This file
+is obfuscated but not encrypted. If you want to encrypt your <<secure-settings,secure settings>>
+by password-protected the keystore that stores them, you must use the `elasticsearch-keystore`
+utility to create a password-protected keystore and bind-mount it to the container
+as `/usr/share/elasticsearch/config/elasticsearch.keystore`. In order to provide
+the Docker container with the password at startup, set the Docker environment
+value `KEYSTORE_VALUE` to the value of your password. For example, a `docker run`
+command might have the following options:
+
+[source, sh]
+--------------------------------------------
+-v full_path_to/elasticsearch.keystore:/usr/share/elasticsearch/config/elasticsearch.keystore
+-E KEYSTORE_PASSWORD=mypassword
+--------------------------------------------
+
 [[_c_customized_image]]
 ===== Using custom Docker images
 In some environments, it might make more sense to prepare a custom image that contains

diff --git a/docs/reference/setup/install/systemd.asciidoc b/docs/reference/setup/install/systemd.asciidoc
@@ -21,6 +21,19 @@ These commands provide no feedback as to whether Elasticsearch was started
 successfully or not. Instead, this information will be written in the log
 files located in `/var/log/elasticsearch/`.
 
+If you have password-protected your {es} keystore, you will need to provide
+`systemd` with the keystore password using a local file and systemd environment
+variables. This local file should be protected while it exists and may be
+safely deleted once Elasticsearch is up and running.
+
+[source,sh]
+-----------------------------------------------------------------------------------
+echo "keystore_password" > /path/to/my_pwd_file.tmp
+chmod 600 /path/to/my_pwd_file.tmp
+sudo systemctl set-environment ES_KEYSTORE_PASSPHRASE_FILE=/path/to/my_pwd_file.tmp
+sudo systemctl start elasticsearch.service
+-----------------------------------------------------------------------------------
+
 By default the Elasticsearch service doesn't log information in the `systemd`
 journal. To enable `journalctl` logging, the `--quiet` option must be removed
  from the `ExecStart` command line in the `elasticsearch.service` file.

diff --git a/docs/reference/setup/install/targz-daemon.asciidoc b/docs/reference/setup/install/targz-daemon.asciidoc
@@ -8,13 +8,17 @@ the process ID in a file using the `-p` option:
 ./bin/elasticsearch -d -p pid
 --------------------------------------------
 
+If you have password-protected the {es} keystore, you will be prompted
+to enter the keystore's password. See <<secure-settings>> for more
+details.
+
 Log messages can be found in the `$ES_HOME/logs/` directory.
 
 To shut down Elasticsearch, kill the process ID recorded in the `pid` file:
 
 [source,sh]
 --------------------------------------------
-pkill -F pid 
+pkill -F pid
 --------------------------------------------
 
 NOTE: The startup scripts provided in the <<rpm,RPM>> and <<deb,Debian>>

diff --git a/docs/reference/setup/install/targz-start.asciidoc b/docs/reference/setup/install/targz-start.asciidoc
@@ -7,6 +7,10 @@ Elasticsearch can be started from the command line as follows:
 ./bin/elasticsearch
 --------------------------------------------
 
+If you have password-protected the {es} keystore, you will be prompted
+to enter the keystore's password. See <<secure-settings>> for more
+details.
+
 By default, Elasticsearch runs in the foreground, prints its logs to the
 standard output (`stdout`), and can be stopped by pressing `Ctrl-C`.
 

diff --git a/docs/reference/setup/install/zip-windows-start.asciidoc b/docs/reference/setup/install/zip-windows-start.asciidoc
@@ -7,5 +7,8 @@ Elasticsearch can be started from the command line as follows:
 .\bin\elasticsearch.bat
 --------------------------------------------
 
+If you have password-protected the {es} keystore, you will be prompted to
+enter the keystore's password. See <<secure-settings>> for more details.
+
 By default, Elasticsearch runs in the foreground, prints its logs to `STDOUT`,
 and can be stopped by pressing `Ctrl-C`.
diff --git a/docs/reference/setup/secure-settings.asciidoc b/docs/reference/setup/secure-settings.asciidoc
@@ -35,6 +35,8 @@ You will be prompted to enter the keystore password and the file `elasticsearch.
 
 NOTE: If you don't specify the `-p` flag or if you enter an empty password, the {es} keystore will be obfuscated but not password protected.
 
+When the keystore is password-protected, {es} will require you to supply a password each time it starts.
+
 [float]
 [[changing-keystore-password]]
 === Changing the password of the keystore