Kibana encryption keys protect session data and stored secrets from disclosure, and keep logins stable across restarts. Setting explicit keys prevents unexpected session invalidation and avoids features silently disabling themselves due to missing encryption.

Kibana reads its encryption settings from /etc/kibana/kibana.yml on startup and uses them to encrypt different feature areas. xpack.security.encryptionKey secures security session information, xpack.encryptedSavedObjects.encryptionKey protects encrypted saved objects such as stored credentials, and xpack.reporting.encryptionKey encrypts reporting metadata.

All Kibana instances connected to the same Elasticsearch cluster must share the same key values, especially behind a load balancer. Changing keys invalidates existing sessions, and changing the encrypted saved objects key can prevent decryption of previously encrypted data unless old keys are retained for decryption during a planned rotation.

Steps to set Kibana encryption keys:

  1. Generate three long random strings for the Kibana encryption keys.
    $ openssl rand -hex 32
    a7abc2f7ac495716239749c4081ed65be3e54fec5787d1fb5a206878ec32b923
    $ openssl rand -hex 32
    94732902c1e0d369e6657f7d675d548c79b2067a466695450bfd9b1c3c043ed6
    $ openssl rand -hex 32
    d2f236a5298375a9ed51665e9a6777c202961f3ba54378f86c711e837b1f2331

    Each value must be at least 32 characters; 32 random bytes in hex produce 64 characters.

  2. Add the generated values to /etc/kibana/kibana.yml.
    xpack.security.encryptionKey: "a7abc2f7ac495716239749c4081ed65be3e54fec5787d1fb5a206878ec32b923"
    xpack.encryptedSavedObjects.encryptionKey: "94732902c1e0d369e6657f7d675d548c79b2067a466695450bfd9b1c3c043ed6"
    xpack.reporting.encryptionKey: "d2f236a5298375a9ed51665e9a6777c202961f3ba54378f86c711e837b1f2331"

    Use identical key values on every Kibana instance connected to the same Elasticsearch cluster.

    Changing encryption keys invalidates existing sessions, and changing xpack.encryptedSavedObjects.encryptionKey can prevent decryption of previously encrypted saved objects unless old keys are retained for decryption.

  3. Restart the Kibana service to load the keys.
    $ sudo systemctl restart kibana
  4. Confirm the Kibana service is running after the restart.
    $ sudo systemctl status kibana --no-pager
    ● kibana.service - Kibana
         Loaded: loaded (/lib/systemd/system/kibana.service; enabled; vendor preset: enabled)
         Active: active (running) since Mon 2026-01-05 09:18:22 UTC; 12s ago
       Main PID: 2384 (node)
          Tasks: 17 (limit: 19058)
         Memory: 312.4M
            CPU: 7.214s
    ##### snipped #####
  5. Review recent Kibana logs for encryption warnings.
    $ sudo journalctl --unit=kibana --no-pager --lines=50
    Jan 05 09:18:21 server kibana[2384]: {"type":"log","@timestamp":"2026-01-05T09:18:21.104Z","tags":["info","plugins-system"],"message":"Setting up plugins"}
    Jan 05 09:18:34 server kibana[2384]: {"type":"log","@timestamp":"2026-01-05T09:18:34.887Z","tags":["info","http"],"message":"http server running at http://0.0.0.0:5601"}
    ##### snipped #####

    Warnings containing "Generating a random key" or "encryptionKey is not set" indicate missing configuration.
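
The length and shared-key requirements above can be checked before restarting. The script below is an added example, not part of the original guide. It reports whether each of the three settings is present and at least 32 characters, and prints a truncated SHA-256 fingerprint so that instances can be compared without exposing the keys. The function names are hypothetical, and it assumes the flat dotted form from step 2 and that sha256sum is installed.

```shell
# Added example, not from the original guide. Assumes the flat dotted
# "name: value" form shown in step 2, one setting per line.
KIBANA_KEYS="xpack.security.encryptionKey
xpack.encryptedSavedObjects.encryptionKey
xpack.reporting.encryptionKey"

# Print the value of setting $2 in file $1, surrounding quotes removed
# (empty when the setting is absent or commented out).
kibana_key_value() {
    awk -v key="$2" -v sq="'" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, key ":") == 1 {
            val = substr(line, length(key) + 2)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            q = substr(val, 1, 1)
            if (length(val) >= 2 && (q == "\"" || q == sq) &&
                substr(val, length(val)) == q)
                val = substr(val, 2, length(val) - 2)
            found = val
        }
        END { print found }' "$1"
}

# One line per setting: "<name> <MISSING|SHORT|OK> <fingerprint>".
# The fingerprint is the first 12 hex digits of the value's SHA-256, so
# nodes can be compared without printing the keys. Returns 1 on any problem.
check_kibana_keys() {
    rc=0
    for key in $KIBANA_KEYS; do
        val=$(kibana_key_value "$1" "$key")
        if [ -z "$val" ]; then
            echo "$key MISSING -"; rc=1; continue
        fi
        fp=$(printf '%s' "$val" | sha256sum | cut -c1-12)
        if [ "${#val}" -lt 32 ]; then
            echo "$key SHORT $fp"; rc=1
        else
            echo "$key OK $fp"
        fi
    done
    return "$rc"
}

# True only when both files pass and carry identical key values.
same_kibana_keys() {
    a=$(check_kibana_keys "$1") && b=$(check_kibana_keys "$2") && [ "$a" = "$b" ]
}

if [ "$#" -gt 0 ]; then check_kibana_keys "$1"; fi
```

Run it against /etc/kibana/kibana.yml on each instance and compare the fingerprint column; any difference means the instances do not share the same key.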