Kibana encryption keys protect session data and stored secrets from disclosure, and keep logins stable across restarts. Setting explicit keys prevents unexpected session invalidation and avoids features silently disabling themselves due to missing encryption.
Kibana reads its encryption settings from /etc/kibana/kibana.yml on startup and uses them to encrypt different feature areas. xpack.security.encryptionKey secures security session information, xpack.encryptedSavedObjects.encryptionKey protects encrypted saved objects such as stored credentials, and xpack.reporting.encryptionKey encrypts reporting metadata.
All Kibana instances connected to the same Elasticsearch cluster must share the same key values, especially behind a load balancer. Changing keys invalidates existing sessions, and changing the encrypted saved objects key can prevent decryption of previously encrypted data unless old keys are retained for decryption during a planned rotation.
Steps to set Kibana encryption keys:
- Generate three long random strings for the Kibana encryption keys.
$ sudo /usr/share/kibana/bin/kibana-encryption-keys generate --quiet --force
xpack.encryptedSavedObjects.encryptionKey: 79edf96caf96adbf07d1002ff9fc8a3b
xpack.reporting.encryptionKey: d4144f3e2058f453fc9ba79b29a80896
xpack.security.encryptionKey: 4953b8fa0eb72ae29ff1ee8d4c6a1fda
Each value must be at least 32 characters; 32 random bytes in hex produce 64 characters.
- Add the generated values to /etc/kibana/kibana.yml.
xpack.security.encryptionKey: 4953b8fa0eb72ae29ff1ee8d4c6a1fda
xpack.encryptedSavedObjects.encryptionKey: 79edf96caf96adbf07d1002ff9fc8a3b
xpack.reporting.encryptionKey: d4144f3e2058f453fc9ba79b29a80896
Use identical key values on every Kibana instance connected to the same Elasticsearch cluster.
Changing encryption keys invalidates existing sessions, and changing xpack.encryptedSavedObjects.encryptionKey can prevent decryption of previously encrypted saved objects unless old keys are retained for decryption.
- Restart the Kibana service to load the keys.
$ sudo systemctl restart kibana
- Confirm the Kibana service is running after the restart.
$ sudo systemctl status kibana --no-pager --full | head -n 12
● kibana.service - Kibana
     Loaded: loaded (/usr/lib/systemd/system/kibana.service; enabled; preset: enabled)
     Active: active (running) since Thu 2026-01-08 00:22:45 UTC; 12min ago
       Docs: https://www.elastic.co
   Main PID: 57170 (node)
      Tasks: 11 (limit: 28486)
     Memory: 1011.9M (peak: 1.4G)
        CPU: 34.864s
##### snipped #####
- Review recent Kibana logs for encryption warnings.
$ sudo journalctl -u kibana -n 200 --no-pager | rg -n "Generating a random key|encryption key is not set" || true
Warnings containing "Generating a random key" or "encryption key is not set" indicate missing configuration.
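A check to run before the restart, and again on each instance behind the load balancer, as an added example that is not part of the original page or of Kibana's tooling. It assumes the flat dotted-key form of kibana.yml shown above (not nested YAML or the Kibana keystore) and sha256sum from coreutils; the function names and the sample file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit the three encryption keys in a kibana.yml.
# Assumption: flat dotted-key settings, one per line, as shown on this page.
KIBANA_KEYS="xpack.security.encryptionKey xpack.encryptedSavedObjects.encryptionKey xpack.reporting.encryptionKey"

# Print the value of one setting with quotes and trailing comments stripped.
# Commented-out lines do not match because the setting must start in column 1.
kibana_key_value() {  # usage: kibana_key_value <file> <setting>
  pat=$(printf '%s' "$2" | sed 's/\./\\./g')   # match the dots literally
  sed -n "s/^${pat}:[[:space:]]*//p" "$1" | tail -n 1 |
    sed -e 's/[[:space:]]#.*$//' -e 's/[[:space:]]*$//' \
        -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Report each key as OK (with a short SHA-256 fingerprint) or FAIL.
# Fingerprints let operators compare instances without printing the keys;
# that is only safe for randomly generated keys, as in the first step.
kibana_keys_audit() {  # usage: kibana_keys_audit <file>; returns 1 on any FAIL
  rc=0
  for key in $KIBANA_KEYS; do
    val=$(kibana_key_value "$1" "$key")
    if [ -z "$val" ]; then
      echo "FAIL $key: not set"; rc=1
    elif [ "${#val}" -lt 32 ]; then
      echo "FAIL $key: ${#val} characters, minimum is 32"; rc=1
    else
      echo "OK   $key sha256:$(printf '%s' "$val" | sha256sum | cut -c1-16)"
    fi
  done
  return "$rc"
}

# Constructed sample: one key commented out, one too short, one valid.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
#xpack.security.encryptionKey: 00000000000000000000000000000000
xpack.encryptedSavedObjects.encryptionKey: "tooshort"   # quoted, 8 characters
xpack.reporting.encryptionKey: 0123456789abcdef0123456789abcdef
EOF
kibana_keys_audit "$sample" || echo "audit failed for $sample"
```

Run `kibana_keys_audit /etc/kibana/kibana.yml` on every instance; the fingerprint lines must be identical across instances that share an Elasticsearch cluster.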
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
