How to set Kibana encryption keys

Setting fixed Kibana encryption keys keeps logins, reporting jobs, and stored secrets usable across restarts instead of relying on random in-memory keys that change whenever the process starts.

Kibana uses three separate settings to protect different data paths. xpack.security.encryptionKey encrypts session state, xpack.encryptedSavedObjects.encryptionKey protects sensitive saved object fields such as connector secrets, and xpack.reporting.encryptionKey protects reporting metadata and queued report jobs.

Self-managed deployments should keep the same values on every Kibana instance connected to the same deployment. Changing the security or reporting keys invalidates existing sessions or pending reports, and changing the saved objects key requires the previous value to remain available in xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys until older objects no longer need it for decryption.

Steps to set Kibana encryption keys:

  1. Generate paste-ready encryption keys with the kibana-encryption-keys utility.
    $ sudo /usr/share/kibana/bin/kibana-encryption-keys generate --quiet --force
    xpack.encryptedSavedObjects.encryptionKey: 8e5236642ea6867e3109b98955ac09d998f1d45e8c538de751a17d7beda28c95
    xpack.reporting.encryptionKey: c0fbb0cc32b228b9b95537e9ec04480abd5509d78ebf6d0d9bbfe624cb021656
    xpack.security.encryptionKey: 3b2bb2da7265332eccc48ddbd6bca6bb9dc61f19d3133deaea2509c27a9f1134

    Use --quiet to print paste-ready YAML lines and --force to generate fresh values for all supported key settings.

  2. Add the generated values to the active Kibana configuration.
    xpack.security.encryptionKey: 3b2bb2da7265332eccc48ddbd6bca6bb9dc61f19d3133deaea2509c27a9f1134
    xpack.encryptedSavedObjects.encryptionKey: 8e5236642ea6867e3109b98955ac09d998f1d45e8c538de751a17d7beda28c95
    xpack.reporting.encryptionKey: c0fbb0cc32b228b9b95537e9ec04480abd5509d78ebf6d0d9bbfe624cb021656

    Package installs typically keep these settings in /etc/kibana/kibana.yml, but Kibana also accepts them from its keystore when secrets should stay out of clear text.

    Use the same key values on every Kibana instance in the same deployment or load-balanced group.

  3. Keep the previous saved-objects key available during a key rotation.
    xpack.encryptedSavedObjects.encryptionKey: 8e5236642ea6867e3109b98955ac09d998f1d45e8c538de751a17d7beda28c95
    xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys:
      - beb330408fc0951c7f655ac968f81dcc65e8098039afcdcb8a59ad59dc9e16b1

    Use decryptionOnlyKeys only when replacing an existing xpack.encryptedSavedObjects.encryptionKey value; first-time setups do not need this stanza.

    Removing the old key too early can leave connectors, rules, and other encrypted saved objects unreadable.

  4. Restart the Kibana service to load the configured keys.
    $ sudo systemctl restart kibana

    Changing xpack.security.encryptionKey signs out active sessions, and changing xpack.reporting.encryptionKey can invalidate pending report jobs.

  5. Confirm the Kibana service returned to the active (running) state.
    $ sudo systemctl status kibana --no-pager --full | head -n 12
    ● kibana.service - Kibana
         Loaded: loaded (/usr/lib/systemd/system/kibana.service; enabled; preset: enabled)
         Active: active (running) since Thu 2026-01-08 00:22:45 UTC; 12min ago
           Docs: https://www.elastic.co
       Main PID: 57170 (node)
          Tasks: 11 (limit: 28486)
         Memory: 1011.9M (peak: 1.4G)
            CPU: 34.864s
    ##### snipped #####

    Kibana can take a short warm-up period before the web UI is fully ready.

  6. Search recent logs for missing-key warnings.
    $ sudo journalctl -u kibana -n 200 --no-pager | rg -n "Generating a random key|encryption key is not set|ephemeral encryption key" || true

    No output means recent log lines do not include the common warnings Kibana emits when it falls back to random or missing encryption keys.
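
The checks behind steps 2 and 3, as an added example (not from the original page or the Kibana project): it prints a short SHA-256 fingerprint per key setting so instances can be compared without exposing the keys, and verifies that a replaced saved-objects key is still listed under decryptionOnlyKeys. It assumes flat dotted settings in kibana.yml as shown above (nested YAML and keystore values are not read); the function names and sample values are made up for illustration.

```shell
#!/bin/sh
# Added example, not Kibana project code. Reads flat "setting: value" lines only.
ESO=xpack.encryptedSavedObjects
KEYS="xpack.security.encryptionKey $ESO.encryptionKey xpack.reporting.encryptionKey"
# Strip inline comments, surrounding whitespace and one pair of quotes.
trim() {
  sed -e 's/[[:space:]]#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      -e "s/^[\"']//" -e "s/[\"']\$//"
}
# key_value FILE SETTING: print the configured value, or nothing if unset.
key_value() {
  awk -v k="$2:" 'index($0, k) == 1 { print substr($0, length(k) + 1); exit }' "$1" | trim
}
# decryption_only_keys FILE: print each "- value" item of the block list.
decryption_only_keys() {
  awk -v k="$ESO.keyRotation.decryptionOnlyKeys:" '
    index($0, k) == 1    { inlist = 1; next }
    inlist && /^[ \t]*-/ { sub(/^[ \t]*-/, ""); print; next }
                         { inlist = 0 }' "$1" | trim
}
# key_fingerprints FILE: short SHA-256 per setting, so instances can be compared
# (for example with diff) without printing the keys themselves.
key_fingerprints() {
  for k in $KEYS; do
    v=$(key_value "$1" "$k")
    if [ -z "$v" ]; then echo "$k MISSING"
    else echo "$k sha256:$(printf '%s' "$v" | sha256sum | cut -c1-16)"; fi
  done
}
# rotation_ok OLD NEW: succeed if the saved-objects key is unchanged, or if the
# old value is still listed under decryptionOnlyKeys in NEW.
rotation_ok() {
  old=$(key_value "$1" "$ESO.encryptionKey")
  if [ -z "$old" ] || [ "$old" = "$(key_value "$2" "$ESO.encryptionKey")" ]; then return 0; fi
  decryption_only_keys "$2" | grep -qxF -e "$old"
}
# make_samples DIR: write constructed configs (placeholder values, not real keys).
make_samples() {
  printf '%s\n' "xpack.security.encryptionKey: sample-session-key-000000000000000" \
    "$ESO.encryptionKey: sample-old-saved-objects-key-0000" > "$1/old.yml"
  printf '%s\n' "xpack.security.encryptionKey: sample-session-key-000000000000000" \
    "$ESO.encryptionKey: sample-new-saved-objects-key-0000" \
    "$ESO.keyRotation.decryptionOnlyKeys:" "  - sample-old-saved-objects-key-0000" > "$1/new.yml"
}
d=$(mktemp -d) && make_samples "$d"
key_fingerprints "$d/new.yml"
rotation_ok "$d/old.yml" "$d/new.yml" && echo "rotation: old saved-objects key retained"
rm -rf "$d"
```

Identical key_fingerprints output on every instance means the key values match. Treat the fingerprints as sensitive if a key was hand-chosen rather than generated, since a hash of a guessable value can be brute-forced.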