Sensitive Kibana settings such as elasticsearch.password, service account tokens, and encryption keys are safer in a keystore than in plain-text /etc/kibana/kibana.yml. Creating the keystore is the first step toward keeping those values out of copied configs, backups, and troubleshooting bundles.
The kibana-keystore tool creates an encrypted kibana.keystore file in the configuration directory selected by KBN_PATH_CONF. On current deb and rpm installs that directory is usually /etc/kibana, while archive installs use the config directory inside the Kibana home tree. Kibana reads the keystore only when it starts, and any valid Kibana setting can be stored there, but invalid or unsupported setting names can still prevent Kibana from starting.
Examples use the packaged Linux layout with KBN_PATH_CONF=/etc/kibana and the standard binary path /usr/share/kibana/bin/kibana-keystore. Create or manage the keystore with the same configuration directory used by the running service, and if password protection is enabled, provide the passphrase at startup through KBN_KEYSTORE_PASSPHRASE_FILE or KEYSTORE_PASSWORD so systemd can unlock it non-interactively.
$ sudo env KBN_PATH_CONF=/etc/kibana /usr/share/kibana/bin/kibana-keystore create
Created Kibana keystore in /etc/kibana/kibana.keystore
Add --password to create a password-protected keystore. The command prompts interactively for the passphrase in the terminal.
On archive installs, replace /etc/kibana with the active KBN_PATH_CONF directory.
$ sudo ls -l /etc/kibana/kibana.keystore
-rw-r--r-- 1 root root 186 Apr 2 21:29 /etc/kibana/kibana.keystore
The owner and mode can differ between package layouts, archive installs, and local umask settings. The critical check here is the path: the keystore must sit beside the kibana.yml file used by the running instance.
$ sudo chown kibana:kibana /etc/kibana/kibana.keystore
Elastic's current guidance is to run keystore commands as the same user that runs Kibana. Reassigning ownership avoids permission failures during later add, remove, or list operations.
$ sudo -u kibana env KBN_PATH_CONF=/etc/kibana /usr/share/kibana/bin/kibana-keystore list
A newly created keystore prints no setting names yet. That empty result is normal and still confirms the file is readable and valid.
$ sudo env KBN_PATH_CONF=/etc/kibana /usr/share/kibana/bin/kibana-keystore has-passwd
Keystore is password-protected
Configure KBN_KEYSTORE_PASSPHRASE_FILE or KEYSTORE_PASSWORD before starting or restarting Kibana, or the service cannot unlock the keystore automatically.
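The path and ownership checks from the steps above can be combined into one pre-restart check. This is an added example, not part of the original procedure or Elastic's tooling: the function name check_kibana_keystore, its return codes, and the choice to treat a world-readable file as a warning are assumptions of this example, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example (not from the original page): pre-restart check of the keystore file.
# Usage: check_kibana_keystore CONF_DIR SERVICE_USER
# Returns 0 = ok, 1 = blocking problem, 2 = warning only.
check_kibana_keystore() {
    conf_dir=$1
    svc_user=$2
    ks="$conf_dir/kibana.keystore"
    rc=0

    # The keystore must sit beside the kibana.yml the service actually loads.
    if [ ! -f "$conf_dir/kibana.yml" ]; then
        echo "FAIL: no kibana.yml in $conf_dir (wrong KBN_PATH_CONF?)"
        return 1
    fi
    if [ ! -f "$ks" ]; then
        echo "FAIL: $ks not found beside kibana.yml"
        return 1
    fi

    owner=$(stat -c '%U' "$ks")   # GNU stat: owner name
    mode=$(stat -c '%a' "$ks")    # GNU stat: octal mode, e.g. 644
    perm=$((0$mode))              # leading 0 makes the shell parse it as octal

    if [ "$owner" != "$svc_user" ]; then
        echo "FAIL: owner is $owner, expected $svc_user"
        rc=1
    fi
    # Group- or world-writable: another account could replace stored settings.
    if [ $((perm & 022)) -ne 0 ]; then
        echo "FAIL: mode $mode is writable by group or others"
        rc=1
    fi
    # World-readable: warning only (policy assumed for this example).
    if [ $((perm & 004)) -ne 0 ] && [ "$rc" -eq 0 ]; then
        echo "WARN: mode $mode is readable by all local users"
        rc=2
    fi
    [ "$rc" -ne 0 ] || echo "OK: $ks owner=$owner mode=$mode"
    return "$rc"
}

# Run directly: sh check.sh /etc/kibana kibana
if [ "$#" -eq 2 ]; then
    check_kibana_keystore "$1" "$2"
fi
```

Run it with the same configuration directory and service user as the running instance, for example /etc/kibana and kibana on the packaged layout.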