diff --git a/elasticsearch.yml b/elasticsearch.yml
index e31f474..6df812d 100644
--- a/elasticsearch.yml
+++ b/elasticsearch.yml
@@ -25,9 +25,7 @@ xpack.security.enabled: true
 xpack.security.transport.ssl.enabled: true
 xpack.security.transport.ssl.verification_mode: certificate
 xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
-xpack.security.transport.ssl.keystore.password: cloudron
 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
-xpack.security.transport.ssl.truststore.password: cloudron
 xpack.security.http.ssl.enabled: false
 xpack.security.authc.token.enabled: false
 xpack.security.authc.api_key.enabled: false
diff --git a/start.sh b/start.sh
index 4fa9d6e..6a7c65f 100644
--- a/start.sh
+++ b/start.sh
@@ -85,35 +85,19 @@ configure_elasticsearch() {
 chmod 755 $ES_PATH_CONF
 chown -R elasticsearch:elasticsearch $ES_PATH_CONF
- # Handle keystore creation and password with proper error handling
- if [ ! -f $ES_PATH_CONF/elasticsearch.keystore ] || [ "$1" = "force" ]; then
- echo "Creating Elasticsearch keystore..."
-
- # Remove existing keystore if it exists to avoid permission issues
- [ -f $ES_PATH_CONF/elasticsearch.keystore ] && rm -f $ES_PATH_CONF/elasticsearch.keystore
-
- # Pre-create the tmp file with correct permissions
- touch $ES_PATH_CONF/elasticsearch.keystore.tmp
- chown elasticsearch:elasticsearch $ES_PATH_CONF/elasticsearch.keystore.tmp
-
- # Try to create keystore with proper error handling
- if ! su -c "ES_PATH_CONF=$ES_PATH_CONF ES_JAVA_HOME=/app/data/jdk $ES_HOME/bin/elasticsearch-keystore create" elasticsearch; then
- echo "ERROR: Failed to create keystore. Checking permissions and trying again..."
- find $ES_PATH_CONF -type f -exec ls -la {} \;
-
- # Try a more aggressive approach if the first attempt failed
- chmod -R 777 $ES_PATH_CONF
- if ! su -c "ES_PATH_CONF=$ES_PATH_CONF ES_JAVA_HOME=/app/data/jdk $ES_HOME/bin/elasticsearch-keystore create" elasticsearch; then
- echo "CRITICAL ERROR: Could not create Elasticsearch keystore after multiple attempts."
- echo "Current directory permissions:"
- find /app/data -type d -exec ls -ld {} \;
- exit 1
- fi
- fi
- fi
-
 # Add bootstrap password to keystore
 echo "Setting bootstrap password..."
+
+ # Verify keystore exists before trying to add password
+ if [ ! -f $ES_PATH_CONF/elasticsearch.keystore ]; then
+ echo "ERROR: Keystore not found, cannot add bootstrap password. Creating keystore first..."
+ setup_keystore || {
+ echo "CRITICAL ERROR: Failed to create keystore, cannot proceed."
+ exit 1
+ }
+ fi
+
+ # Now add the bootstrap password
 if ! printf "%s" "$ELASTIC_PASSWORD" | su -c "ES_PATH_CONF=$ES_PATH_CONF ES_JAVA_HOME=/app/data/jdk $ES_HOME/bin/elasticsearch-keystore add -f -x 'bootstrap.password' --stdin" elasticsearch; then
 echo "ERROR: Failed to add bootstrap password to keystore."
 exit 1
@@ -185,6 +169,10 @@ configure_elasticsearch() {
 chown elasticsearch:elasticsearch $ES_PATH_CONF/elastic-certificates.p12
 chmod 600 $ES_PATH_CONF/elastic-certificates.p12
+
+ # Make sure we update the keystore with the correct password after generating certificates
+ echo "Updating keystore with the new certificate password..."
+ setup_keystore
 fi
 # Create users file if needed
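Review bot: The new `[ ! -f $ES_PATH_CONF/elasticsearch.keystore ]` guard placed before the bootstrap password is stored repeats the existence check that setup_keystore performs itself, and setup_keystore is now also called unconditionally from the main flow right before configure_elasticsearch, so this branch only fires if the keystore vanished in between. Calling `setup_keystore || { echo "CRITICAL ERROR: Failed to create keystore, cannot proceed." >&2; exit 1; }` without the surrounding `if` keeps the recovery while dropping the duplicated test; if the guard is kept on purpose, a comment stating how the keystore can be missing at this point would help the next reader. The error messages in the new branch also go to stdout; `>&2` keeps them apart from progress output. configure_elasticsearch starts and ends outside this hunk.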
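Review bot: The `setup_keystore` call added after the certificate is chowned ignores its return status, so a failure to store the PKCS#12 password leaves transport SSL unable to open elastic-certificates.p12 while the script carries on; `setup_keystore || { echo "ERROR: Could not store certificate password in keystore." >&2; exit 1; }` mirrors the handling already used for the bootstrap password earlier in this function. The comment and message speak of a "new certificate password", but setup_keystore always stores the same fixed placeholder, so `# Re-apply the placeholder certificate password to the keystore now that the PKCS#12 exists` describes what actually happens. Whether `set -e` is active is not visible in the diff, and configure_elasticsearch starts and ends outside this hunk.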
@@ -316,6 +304,47 @@ set_system_limits() {
 fi
 }
+# Add secure settings to the keystore
+setup_keystore() {
+ echo "Setting up Elasticsearch keystore with secure settings..."
+
+ # Create or recreate the keystore if needed
+ if [ ! -f $ES_PATH_CONF/elasticsearch.keystore ]; then
+ echo "Creating new Elasticsearch keystore..."
+ su -c "ES_PATH_CONF=$ES_PATH_CONF ES_JAVA_HOME=/app/data/jdk $ES_HOME/bin/elasticsearch-keystore create" elasticsearch
+
+ # Verify keystore was created
+ if [ ! -f $ES_PATH_CONF/elasticsearch.keystore ]; then
+ echo "ERROR: Failed to create keystore!"
+ return 1
+ fi
+ fi
+
+ # Add the certificate passwords to the keystore (as the elasticsearch user)
+ echo "Adding certificate passwords to keystore..."
+ echo "cloudron" | su -c "ES_PATH_CONF=$ES_PATH_CONF ES_JAVA_HOME=/app/data/jdk $ES_HOME/bin/elasticsearch-keystore add -f xpack.security.transport.ssl.keystore.secure_password --stdin" elasticsearch || {
+ echo "ERROR: Failed to add keystore password to keystore. Will try to recreate keystore."
+ rm -f $ES_PATH_CONF/elasticsearch.keystore
+ su -c "ES_PATH_CONF=$ES_PATH_CONF ES_JAVA_HOME=/app/data/jdk $ES_HOME/bin/elasticsearch-keystore create" elasticsearch
+ echo "cloudron" | su -c "ES_PATH_CONF=$ES_PATH_CONF ES_JAVA_HOME=/app/data/jdk $ES_HOME/bin/elasticsearch-keystore add -f xpack.security.transport.ssl.keystore.secure_password --stdin" elasticsearch || {
+ echo "CRITICAL ERROR: Could not add keystore password to keystore after recreation."
+ return 1
+ }
+ }
+
+ echo "cloudron" | su -c "ES_PATH_CONF=$ES_PATH_CONF ES_JAVA_HOME=/app/data/jdk $ES_HOME/bin/elasticsearch-keystore add -f xpack.security.transport.ssl.truststore.secure_password --stdin" elasticsearch || {
+ echo "ERROR: Failed to add truststore password to keystore."
+ return 1
+ }
+
+ # Verify keystore permissions
+ chmod 600 $ES_PATH_CONF/elasticsearch.keystore
+ chown elasticsearch:elasticsearch $ES_PATH_CONF/elasticsearch.keystore
+
+ echo "✅ Elasticsearch keystore updated with secure settings"
+ return 0
+}
+
 # Configure JVM heap size
 configure_heap() {
 # Calculate optimal heap size (50% of available memory)
@@ -347,9 +376,6 @@ start_elasticsearch() {
 ES_START_CMD="$ES_START_CMD -E xpack.security.transport.ssl.verification_mode=certificate"
 ES_START_CMD="$ES_START_CMD -E xpack.security.transport.ssl.keystore.path=elastic-certificates.p12"
 ES_START_CMD="$ES_START_CMD -E xpack.security.transport.ssl.truststore.path=elastic-certificates.p12"
- # Use "cloudron" as the dummy password for certificates (Elasticsearch doesn't accept empty passwords)
- ES_START_CMD="$ES_START_CMD -E xpack.security.transport.ssl.keystore.secure_password=cloudron"
- ES_START_CMD="$ES_START_CMD -E xpack.security.transport.ssl.truststore.secure_password=cloudron"
 ES_START_CMD="$ES_START_CMD -d -p /app/data/run/elasticsearch.pid"
 echo "Starting Elasticsearch..."
@@ -408,6 +434,7 @@ EOL
 # Main execution flow
 setup_password
 setup_java
+setup_keystore
 configure_elasticsearch
 [ ! -f /app/data/.initialized ] && touch /app/data/.initialized
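Review bot: The recovery branch after the first failed `add` runs `rm -f $ES_PATH_CONF/elasticsearch.keystore` and recreates the keystore, which discards every secure setting already stored in it; since configure_elasticsearch stores bootstrap.password (the `@@ -85` hunk) before it calls setup_keystore again after generating certificates (the `@@ -185` hunk), a transient failure at that second call would silently drop the bootstrap password and the node would start without it. Either remove the recreate-and-retry (the existence check above already handles a missing file) or make the caller re-add bootstrap.password afterwards. The placeholder value `cloudron` is also written three times via `echo`, while the bootstrap path pipes with `printf "%s"`; one variable plus a small helper keeps the value in one place, avoids the trailing newline `echo` appends, and gives a spot to state, as the comment removed from start_elasticsearch did, that this is a dummy PKCS#12 password rather than a secret. The `$ES_PATH_CONF` expansions in the new lines are unquoted throughout. Sketch below; the creation block and the final chmod/chown are unchanged.
```shell
# Dummy PKCS#12 password: the certificates are generated with this fixed value
# (Elasticsearch rejects empty passwords), so it is not a secret; the keystore
# only keeps it out of elasticsearch.yml and the command line.
ES_CERT_PASSWORD=cloudron

# Store one secure setting as the elasticsearch user; the value travels over
# stdin so it never appears in argv.
keystore_add() {
  printf '%s' "$2" | su -c "ES_PATH_CONF=$ES_PATH_CONF ES_JAVA_HOME=/app/data/jdk $ES_HOME/bin/elasticsearch-keystore add -f '$1' --stdin" elasticsearch
}

setup_keystore() {
  # … unchanged: create the keystore if missing and verify it exists …
  echo "Adding certificate passwords to keystore..."
  keystore_add xpack.security.transport.ssl.keystore.secure_password "$ES_CERT_PASSWORD" || {
    echo "ERROR: Failed to add keystore password to keystore." >&2
    return 1
  }
  keystore_add xpack.security.transport.ssl.truststore.secure_password "$ES_CERT_PASSWORD" || {
    echo "ERROR: Failed to add truststore password to keystore." >&2
    return 1
  }
  # … unchanged: chmod/chown of the keystore and success message …
}
```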
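Review bot: The `setup_keystore` call added to the main flow discards its return status, and the check that follows inside configure_elasticsearch only re-runs setup_keystore when the keystore file is absent; if setup_keystore created the file but then failed to store the certificate passwords (it returns 1 in that case), the file exists, the check passes, and startup proceeds with a transport SSL configuration that has no PKCS#12 password. `setup_keystore || exit 1` on this line closes that gap. It also appears to run before configure_elasticsearch chowns `$ES_PATH_CONF` to elasticsearch (the `@@ -85` hunk), so on a first run the su'd `elasticsearch-keystore create` may be unable to write there; whether the directory already has the right ownership at this point is not visible in the diff.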