A Kibana keystore keeps sensitive settings such as elasticsearch.password and encryption keys out of /etc/kibana/kibana.yml, reducing accidental exposure in backups, version control, or support bundles.
Kibana writes secure settings into a single kibana.keystore file created by the kibana-keystore command. On package-based installs, the file is stored in the configuration directory defined by KBN_PATH_CONF, which commonly maps to /etc/kibana.
The keystore is read during Kibana startup, so new or changed entries are not picked up until the next restart. Password protection is optional; when enabled, startup requires providing the passphrase through a supported mechanism such as KEYSTORE_PASSWORD or KBN_KEYSTORE_PASSPHRASE_FILE.
Steps to create a Kibana keystore:
- Create the Kibana keystore in the configured KBN_PATH_CONF directory.
$ sudo /usr/share/kibana/bin/kibana-keystore create
Created Kibana keystore in /etc/kibana/kibana.keystore
Add --password to create a password-protected keystore:
$ sudo /usr/share/kibana/bin/kibana-keystore create --password
- Set keystore ownership to the kibana service account.
$ sudo chown kibana:kibana /etc/kibana/kibana.keystore
- Restrict the keystore file permissions to the owner only.
$ sudo chmod 0600 /etc/kibana/kibana.keystore
- List keystore entries as the kibana service account to confirm the keystore is readable.
$ sudo -u kibana /usr/share/kibana/bin/kibana-keystore list
No entries found.
- Verify the keystore path, owner, and mode.
$ ls -l /etc/kibana/kibana.keystore
-rw------- 1 kibana kibana 400 Jan 5 10:11 /etc/kibana/kibana.keystore
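An added example, not part of the original guide: a POSIX shell check to run after the steps above. It confirms the keystore is a regular file with mode 600 and the expected owner, and flags elasticsearch.password or encryption-key settings still left in plaintext in kibana.yml. The function names are hypothetical, and matching keys that end in encryptionKey is an assumption about how the encryption-key settings are named.

```shell
#!/bin/sh
# Added example: audit a Kibana config directory after creating the keystore.
# Usage: audit_kibana_keystore <conf_dir> <expected_owner>
#   e.g. audit_kibana_keystore /etc/kibana kibana
# Prints one finding per line and returns the number of findings (0 = clean).

file_mode_owner() {
    # GNU stat first, BSD stat as a fallback; prints "<octal mode> <owner>".
    stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1"
}

audit_kibana_keystore() {
    conf_dir=$1 owner=$2 findings=0
    ks="$conf_dir/kibana.keystore"
    yml="$conf_dir/kibana.yml"

    # A symlink or missing file means the service may read something else.
    if [ -L "$ks" ] || [ ! -f "$ks" ]; then
        echo "FAIL: $ks is missing or not a regular file"
        findings=$((findings + 1))
    else
        set -- $(file_mode_owner "$ks")   # $1 = mode, $2 = owner
        if [ "$1" != "600" ]; then
            echo "FAIL: $ks mode is $1, expected 600"
            findings=$((findings + 1))
        fi
        if [ "$2" != "$owner" ]; then
            echo "FAIL: $ks owner is $2, expected $owner"
            findings=$((findings + 1))
        fi
    fi

    # Uncommented secrets left in kibana.yml defeat the purpose of the keystore.
    # Assumption: encryption-key settings have names ending in "encryptionKey".
    if [ -f "$yml" ]; then
        pat='^[[:space:]]*(elasticsearch\.password|[A-Za-z.]*encryptionKey)[[:space:]]*:'
        leaked=$(grep -nE "$pat" "$yml" || true)
        if [ -n "$leaked" ]; then
            echo "FAIL: plaintext secret settings still in $yml:"
            # Print line numbers only, never the secret values themselves.
            echo "$leaked" | sed 's/:.*$//; s/^/  line /'
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}
```

Run it as root or as the kibana account so that both files are readable; a return value of 0 means no findings.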
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
