Secure settings
editSecure settings
editSome settings are sensitive, and relying on filesystem permissions to protect
their values is not sufficient. For this use case, Kibana provides a
keystore, and the kibana-keystore
tool to manage the settings in the keystore.
- Run all commands as the user who runs Kibana.
- Any valid Kibana setting can be stored in the keystore securely. Unsupported, extraneous or invalid settings will cause Kibana to fail to start up.
Create the keystore
editTo create the kibana.keystore
, use the create
command:
bin/kibana-keystore create
The file kibana.keystore
will be created in the config
directory defined by the
environment variable KBN_PATH_CONF
.
To create a password protected keystore use the --password
flag.
List settings in the keystore
editA list of the settings in the keystore is available with the list
command:
bin/kibana-keystore list
Add string settings
editYour input will be JSON-parsed to allow for object/array input configurations. To enforce string values, use "double quotes" around your input.
Sensitive string settings, like authentication credentials for Elasticsearch
can be added using the add
command:
bin/kibana-keystore add the.setting.name.to.set
Once added to the keystore, these setting will be automatically applied to this instance of Kibana when started. For example if you do
bin/kibana-keystore add elasticsearch.username
you will be prompted to provide the value for elasticsearch.username. (Your input will show as asterisks.)
The tool will prompt for the value of the setting. To pass the value
through stdin, use the --stdin
flag:
cat /file/containing/setting/value | bin/kibana-keystore add the.setting.name.to.set --stdin
Remove settings
editTo remove a setting from the keystore, use the remove
command:
bin/kibana-keystore remove the.setting.name.to.remove
Read settings
editTo display the configured setting values, use the show
command:
bin/kibana-keystore show setting.key
Change password
editTo change the password of the keystore, use the passwd
command:
bin/kibana-keystore passwd
Has password
editTo check if the keystore is password protected, use the has-passwd
command.
An exit code of 0 will be returned if the keystore is password protected,
and the command will fail otherwise.
bin/kibana-keystore has-passwd