Secure settings

edit

Some settings are sensitive, and relying on filesystem permissions to protect their values is not sufficient. For this use case, Kibana provides a keystore, and the kibana-keystore tool to manage the settings in the keystore.

  • Run all commands as the user who runs Kibana.
  • Any valid Kibana setting can be stored in the keystore securely. Unsupported, extraneous or invalid settings will cause Kibana to fail to start up.

Create the keystore

edit

To create the kibana.keystore, use the create command:

bin/kibana-keystore create

The file kibana.keystore will be created in the config directory defined by the environment variable KBN_PATH_CONF.

To create a password protected keystore use the --password flag.

List settings in the keystore

edit

A list of the settings in the keystore is available with the list command:

bin/kibana-keystore list

Add string settings

edit

Your input will be JSON-parsed to allow for object/array input configurations. To enforce string values, use "double quotes" around your input.

Sensitive string settings, like authentication credentials for Elasticsearch can be added using the add command:

bin/kibana-keystore add the.setting.name.to.set

Once added to the keystore, these setting will be automatically applied to this instance of Kibana when started. For example if you do

bin/kibana-keystore add elasticsearch.username

you will be prompted to provide the value for elasticsearch.username. (Your input will show as asterisks.)

The tool will prompt for the value of the setting. To pass the value through stdin, use the --stdin flag:

cat /file/containing/setting/value | bin/kibana-keystore add the.setting.name.to.set --stdin

Remove settings

edit

To remove a setting from the keystore, use the remove command:

bin/kibana-keystore remove the.setting.name.to.remove

Read settings

edit

To display the configured setting values, use the show command:

bin/kibana-keystore show setting.key

Change password

edit

To change the password of the keystore, use the passwd command:

bin/kibana-keystore passwd

Has password

edit

To check if the keystore is password protected, use the has-passwd command. An exit code of 0 will be returned if the keystore is password protected, and the command will fail otherwise.

bin/kibana-keystore has-passwd