In a nutshell

Search Guard (®) is an Elasticsearch plugin that offers encryption, authentication, and authorization. It builds on Search Guard SSL and provides pluggable auth/auth modules in addition.

Search Guard offers all basic security features for free. If you need enterprise features, we offer a very flexible licensing model and support. Tailored to your needs if none of our packages fit.

Search Guard is an independent implementation of a security access layer for Elasticsearch. Search Guard is completely independent from Elasticsearch own security offerings. Elasticsearch, Kibana and Logstash are trademarks of Elasticsearch BV, registered in the U.S. and in other countries. floragunn GmbH is not affiliated with Elasticsearch BV.

Download Overview PDF


Search Guard (®) is an alternative to other security solutions for Elasticsearch and offers the following features in addition :

OpenSSL support

You can choose whether to use Java Cryptography Extension (JCE) or native OpenSSL for SLL handling. OpenSSL is much faster than JCE, and offers a wider range of modern cipher suites, therefore we recommend using OpenSSL.

JWT support

Authenticate users by providing JSON web tokens.

Kerberos/SPNEGO support

Provide Single-Sign-On in any Kerberized environment.

HTTP Proxy Authentication

Some organisations already have a single-sign-on or authentication solutions in place, like CA single sign on or Citrix Netscaler. Any of these authentication solutions that make the authenticated user available in the HTTP header can be integrated with Search Guard by using our proxy authentication module.

Source code available

Worried about backdoors or hidden functionality? Want to check that Search Guard does not “call home”? Need to do an internal audit before using Search Guard in production? While some of our features require a commercial license, we will keep the complete code open source. Download, inspect, evaluate.

Download Overview PDF


Search Guard (®) is dual licensed. All core features are available free of charge under the Apache 2 license. You may obtain a copy of the License at

In order to use our enterprise features in commercial projects, you need to obtain an enterprise license. Licenses are issued per production cluster. The amount of nodes is not limited. Please visit our license & support page for further information.

You can use all enterprise features free of charge for personal and non-commercial projects.

Feature comparison

Feature Free Commercial
Node-to-node encryption through SSL/TLS
Secure REST layer through HTTPS (SSL/TLS)
REST management API
OpenSSL support
Flexible REST layer access control (User/Role based; on aliases, indices and types)
Flexible transport layer access control (User/Role based; on aliases, indices and types)
HTTP basic authentication
HTTP proxy authentication
HTTP SPNEGO/Kerberos authentication
HTTP SSL/CLIENT-CERT authentication
X-Forwarded-For (XFF) support
Internal authentication/authorization
LDAP/Active Directory authentication/authorization
JSON web token (JWT) support
Document level security (DLS): Retrieve only documents matching criterias
Field level security (FLS): Filter out fields/sourceparts from a search response
Audit logging
Anonymous login/unauthenticated access
User Impersonation
Works with Kibana, logstash and beats
Works with Kibi

Downloads, installation and documentation

Search Guard can be downloaded and installed from Maven Central like any other Elasticsearch plugin. Visit our Search Guard github repository, or read the documentation for further instructions.

Kibi certified

Search Guard is certified for Kibi, the data intelligence platform from Siren Solution. Kibi EE supports and ships with Elasticsearch security based on Search Guard. Kibi Access control eases the security configuration process by providing a plugin to manage roles and users with a graphical user interface.

floragunnSearch Guard