Keeping Kibana passwords, tokens, and encryption keys out of /etc/kibana/kibana.yml reduces the chance of leaking them through backups, copied configs, shell history, or support bundles. The Kibana keystore keeps those sensitive values out of the main config file while still letting Kibana read them at startup.
The kibana-keystore tool stores values in kibana.keystore under the configuration directory defined by KBN_PATH_CONF. On DEB and RPM installs that directory is usually /etc/kibana, and the package binary is typically /usr/share/kibana/bin/kibana-keystore. Any valid Kibana setting can be stored in the keystore by using the same setting name that would otherwise go in kibana.yml, such as elasticsearch.password or an xpack.encryptedSavedObjects.encryptionKey value.
Run keystore commands as the same user that runs Kibana so the active service can read the updated file, and restart Kibana after changing entries because the keystore is read only at startup. When piping a value with --stdin, Kibana JSON-parses the input, so wrap values in double quotes when they must stay strings. Use only real Kibana setting names, because invalid or extraneous keys can make Kibana fail to start.
Related: How to create a Kibana keystore
Steps to add a secret to a Kibana keystore:
- Add the secret to the keystore with the exact Kibana setting name.
$ printf '%s' '"replace-with-kibana-system-password"' | sudo -u kibana env KBN_PATH_CONF=/etc/kibana /usr/share/kibana/bin/kibana-keystore add elasticsearch.password --stdin --force
Replace /usr/share/kibana/bin/kibana-keystore with bin/kibana-keystore from the Kibana install directory when using an archive install.
Quoting the piped value forces Kibana to store it as a string. This matters when the secret might otherwise be parsed as JSON, such as true, 123, or ["token"].
Use only real Kibana settings. Elastic's current docs warn that invalid, unsupported, or extraneous settings in the keystore can prevent Kibana from starting.
- List the stored entries to confirm the new key exists.
$ sudo -u kibana env KBN_PATH_CONF=/etc/kibana /usr/share/kibana/bin/kibana-keystore list elasticsearch.password
kibana-keystore list shows entry names only and does not print secret values.
- Remove any matching plain-text secret from /etc/kibana/kibana.yml.
# elasticsearch.password: "replace-with-kibana-system-password"
Leaving the same value in kibana.yml defeats the point of using the keystore because the secret remains readable on disk.
- Restart the kibana service so it reloads the updated keystore.
$ sudo systemctl restart kibana
Keystore changes do not affect a running Kibana process until the next start.
- Check the kibana service status for a clean start.
$ sudo systemctl status kibana --no-pager --full | head -n 12
● kibana.service - Kibana
     Loaded: loaded (/usr/lib/systemd/system/kibana.service; enabled; preset: enabled)
     Active: active (running) since Thu 2026-01-08 00:22:45 UTC; 12min ago
       Docs: https://www.elastic.co
   Main PID: 57170 (node)
      Tasks: 11 (limit: 28486)
     Memory: 1011.9M (peak: 1.4G)
        CPU: 34.864s
##### snipped #####
If Kibana fails to come back, inspect the recent service logs for keystore-path, permissions, or invalid-setting errors:
$ sudo journalctl -u kibana -n 50 --no-pager
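The steps above can be wrapped in a small POSIX shell script so the JSON quoting is never forgotten and a leftover plain-text copy of the setting in kibana.yml is flagged. This is an added example, not part of the original guide or of Kibana itself; it assumes the paths from the guide (KBN_PATH_CONF=/etc/kibana and /usr/share/kibana/bin/kibana-keystore, both overridable through environment variables) and reads the secret from a KIBANA_PASSWORD environment variable rather than from the command line, so the value stays out of `ps` output and shell history. Run it as the kibana user (for example with `sudo -u kibana`) so the service can read the updated keystore file.

```shell
#!/bin/sh
# Added example (not from the original article): JSON-quote a secret for
# `kibana-keystore add --stdin`, add it to the keystore, and warn if the same
# setting is still present uncommented in kibana.yml.
# Assumed defaults (from the guide); override via the environment if needed.
KBN_PATH_CONF="${KBN_PATH_CONF:-/etc/kibana}"
KIBANA_KEYSTORE="${KIBANA_KEYSTORE:-/usr/share/kibana/bin/kibana-keystore}"

# Wrap a value in double quotes, escaping backslashes and embedded quotes, so
# Kibana's JSON parse keeps it as a string even if it looks like a number,
# boolean, or array (123, true, ["token"]).
json_quote() {
    printf '"%s"' "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
}

# Return 0 if the setting ($1) is still set (not commented out) in the
# kibana.yml given as $2. Dots in the setting name are escaped so they match
# literally rather than as regex wildcards.
plaintext_setting_present() {
    pat=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*${pat}[[:space:]]*:" "$2"
}

# Add setting $1 with value $2 to the keystore. The value is piped on stdin,
# never placed on the command line.
keystore_add() {
    json_quote "$2" | env KBN_PATH_CONF="$KBN_PATH_CONF" \
        "$KIBANA_KEYSTORE" add "$1" --stdin --force
}

# Usage (hypothetical script name):
#   KIBANA_PASSWORD='...' sudo -u kibana -E sh add-kibana-secret.sh elasticsearch.password
# The body only runs when a setting name is given and the keystore binary exists,
# so sourcing the file for its functions is harmless.
if [ -n "${1:-}" ] && [ -x "$KIBANA_KEYSTORE" ]; then
    keystore_add "$1" "${KIBANA_PASSWORD:?set KIBANA_PASSWORD to the secret value}"
    if plaintext_setting_present "$1" "$KBN_PATH_CONF/kibana.yml"; then
        echo "warning: $1 is still set in plain text in $KBN_PATH_CONF/kibana.yml" >&2
    fi
    echo "restart Kibana (systemctl restart kibana) to load the new entry" >&2
fi
```

After a successful add, restart Kibana as in the guide; the keystore is only read at startup, and the warning line tells you whether the plain-text copy in kibana.yml still needs to be removed.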
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
