Secure saved objects
Kibana stores entities such as dashboards, visualizations, alerts, actions, and advanced settings as saved objects, which are kept in a dedicated, internal Elasticsearch index. If such an object includes sensitive information, for example a PagerDuty integration key or email server credentials used by the alert action, Kibana encrypts it and makes sure it cannot be accidentally leaked or tampered with.
Encrypting sensitive information means that a malicious party with access to the Kibana internal indices won’t be able to extract that information without also knowing the encryption key.
Example kibana.yml:

xpack.encryptedSavedObjects:
  encryptionKey: "min-32-byte-long-strong-encryption-key"

If you don’t specify an encryption key, Kibana might disable features that rely on encrypted saved objects.
Encryption key rotation
Many policies and best practices stipulate that encryption keys should be periodically rotated to decrease the amount of content encrypted with one key and therefore limit the potential damage if the key is compromised. Kibana allows you to rotate encryption keys whenever there is a need.
When you change an encryption key, be sure to keep the old one for some time. Although Kibana uses only the new encryption key to encrypt all new and updated data, it may still need the old one to decrypt data that was encrypted using the old key. It’s possible to have multiple old keys used only for decryption. Kibana doesn’t automatically re-encrypt existing saved objects with the new encryption key. Re-encryption only happens when you update an existing object or use the rotate encryption key API.
Here is how your kibana.yml might look if you use key rotation functionality:

xpack.encryptedSavedObjects:
  encryptionKey: "min-32-byte-long-NEW-encryption-key"
  keyRotation:
    decryptionOnlyKeys: ["min-32-byte-long-OLD#1-encryption-key", "min-32-byte-long-OLD#2-encryption-key"]

- xpack.encryptedSavedObjects.encryptionKey: The encryption key Kibana will use to encrypt all new or updated saved objects. This is known as the primary encryption key.
- xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys: A list of encryption keys Kibana will try to use to decrypt existing saved objects if decryption with the primary encryption key isn’t possible. These keys are known as the decryption-only or secondary encryption keys.

You might also leverage this functionality if multiple Kibana instances connected to the same Elasticsearch cluster use different encryption keys. In this case, you might have a mix of saved objects encrypted with different keys, and every Kibana instance can only deal with a specific subset of objects. To fix this, you must choose a single primary encryption key for xpack.encryptedSavedObjects.encryptionKey, move all other encryption keys to xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys, and sync this configuration across all Kibana instances.
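
The rotation and multi-instance steps described above can be scripted. The following is an added example, not code from Kibana or its documentation: the helper names (unify, rotate, to_yaml) are hypothetical, the 32-character minimum is taken from the "min-32-byte-long" placeholders on this page, and the sample keys are constructed.

```python
import secrets

MIN_KEY_LEN = 32  # assumption, from the page's "min-32-byte-long-..." placeholders


def unify(instances, primary):
    """One config for every instance: `primary` encrypts, every other key
    found on any instance is kept for decryption only (first seen first)."""
    if len(primary) < MIN_KEY_LEN:
        raise ValueError("primary key is shorter than %d characters" % MIN_KEY_LEN)
    seen, decrypt_only = {primary}, []
    for inst in instances:
        for key in [inst["encryptionKey"], *inst.get("decryptionOnlyKeys", [])]:
            if key not in seen:
                seen.add(key)
                decrypt_only.append(key)
    return {"encryptionKey": primary, "decryptionOnlyKeys": decrypt_only}


def rotate(settings, new_key=None):
    """Install a new primary key and demote the current one to decryption-only."""
    return unify([settings], new_key or secrets.token_hex(32))  # 64 hex characters


def to_yaml(settings):
    """Render in the kibana.yml layout shown on this page. Keys are written
    verbatim inside double quotes, so they must not contain '"' or '\\'."""
    lines = ["xpack.encryptedSavedObjects:",
             '  encryptionKey: "%s"' % settings["encryptionKey"]]
    if settings["decryptionOnlyKeys"]:
        quoted = ", ".join('"%s"' % k for k in settings["decryptionOnlyKeys"])
        lines += ["  keyRotation:", "    decryptionOnlyKeys: [%s]" % quoted]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: two instances that drifted onto different keys.
    node_a = {"encryptionKey": "a" * 32}
    node_b = {"encryptionKey": "b" * 32, "decryptionOnlyKeys": ["c" * 32]}
    shared = unify([node_a, node_b], primary=node_a["encryptionKey"])
    print(to_yaml(shared))          # deploy this to every instance
    print(to_yaml(rotate(shared)))  # later: rotate to a freshly generated key
```
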
At some point, you might want to dispose of old encryption keys completely. Make sure there are no saved objects that Kibana encrypted with these encryption keys. You can use the rotate encryption key API to determine which existing saved objects require decryption-only keys and re-encrypt them with the primary key.