Storing passwords, API keys, and encryption keys in /etc/kibana/kibana.yml leaves secrets readable in plain text and easily copied into backups, ticket systems, or version control. Adding sensitive settings to the Kibana keystore keeps those values out of the main configuration file while still allowing Kibana to start with the required credentials.
The kibana-keystore utility stores secure values in an encrypted keystore file in Kibana’s configuration directory (commonly /etc/kibana on package installs). Entries use the same setting names as kibana.yml, so a keystore key like elasticsearch.password supplies the value for elasticsearch.password at startup.
Keystore updates are only read when Kibana starts, so a service restart is required after changing entries. Ensure the keystore is created in the configuration directory used by the running service, and keep the keystore file readable by the account that runs kibana. Remove any matching plain-text settings from /etc/kibana/kibana.yml to avoid leaving secrets exposed.
Related: How to create a Kibana keystore
Steps to add secrets to a Kibana keystore:
- Add the secret setting to the keystore.
$ sudo /usr/share/kibana/bin/kibana-keystore add elasticsearch.password
Enter value for elasticsearch.password: ********
Use the same key name as the corresponding kibana.yml setting.
On non-package installs, set KBN_PATH_CONF to the intended configuration directory before running kibana-keystore so the correct keystore is updated.
- Confirm the keystore entry exists.
$ sudo /usr/share/kibana/bin/kibana-keystore list
elasticsearch.password
The list output shows entry names only and does not reveal stored values.
- Remove the matching plain-text setting from /etc/kibana/kibana.yml if present.
# elasticsearch.password: "plaintext-secret"
Leaving a secret in /etc/kibana/kibana.yml keeps it readable in plain text by anyone or anything that can read the file.
- Restart the kibana service to load the updated keystore.
$ sudo systemctl restart kibana
If the restart fails, check ownership and permissions on /etc/kibana/kibana.keystore so the kibana service account can read it.
- Check the kibana service status for a clean start.
$ sudo systemctl status kibana --no-pager
● kibana.service - Kibana
     Loaded: loaded (/lib/systemd/system/kibana.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2026-01-05 10:15:01 UTC; 9s ago
##### snipped #####
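A check to run before the restart, given here as an added example that is not part of the original page: it compares the names printed by kibana-keystore list against kibana.yml and reports any keystore entry that is still set, uncommented, in the plain-text file. The function name plaintext_overlap, the sample files and their values are constructed for illustration, and the check assumes flat dotted keys rather than nested YAML blocks.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes flat dotted keys in
# kibana.yml (elasticsearch.password: ...); nested YAML blocks are not resolved.

# plaintext_overlap YML KEYLIST
#   YML      path to kibana.yml
#   KEYLIST  file with one entry name per line, as printed by `kibana-keystore list`
# Prints every keystore entry that is still set (uncommented) in YML.
# Returns 1 if any overlap is found, 0 otherwise.
plaintext_overlap() {
    awk '
        FILENAME == ARGV[1] {                 # keystore entry names
            gsub(/^[ \t]+|[ \t\r]+$/, "")
            if ($0 != "") keys[$0] = 1
            next
        }
        /^[ \t]*#/ { next }                   # commented-out settings are inert
        {
            i = index($0, ":")
            if (i == 0) next
            name = substr($0, 1, i - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (name in keys) { print name; found = 1 }
        }
        END { exit found ? 1 : 0 }
    ' "$2" "$1"
}

# Demo on constructed sample files (values are made up for illustration).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'elasticsearch.password' 'xpack.security.encryptionKey' > "$d/keys.txt"
    cat > "$d/kibana.yml" <<'EOF'
server.port: 5601
elasticsearch.username: "kibana_system"
# elasticsearch.password: "plaintext-secret"
xpack.security.encryptionKey: "constructed-example-value-32-chars"
EOF
    plaintext_overlap "$d/kibana.yml" "$d/keys.txt"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "remove the settings listed above from kibana.yml"
```

On a package install, save the output of the list command from the second step to a file and pass it together with /etc/kibana/kibana.yml.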
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
