github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-24 17:59:23 -04:00
Code Issues Projects Releases Packages Wiki Activity

[docs] Improve Secure saved objects and kibana-encryption-keys docs (#132828) (#132880)

Browse source 
(cherry picked from commit ef9e3c4265)

Co-authored-by: Thomas Watson <w@tson.dk>
This commit is contained in:
Kibana Machine 2022-05-24 23:44:40 -05:00 committed by GitHub
parent 60eaf4141f
commit 4d65fe9c92
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 38 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

42
docs/user/security/encryption-keys/index.asciidoc
View file

@ -1,39 +1,35 @@
[[kibana-encryption-keys]]
=== Set up encryption keys to protect sensitive information
The `kibana-encryption-keys` command helps you set up encryption keys that {kib} uses
The `kibana-encryption-keys` command helps you generate encryption keys that {kib} uses
to protect sensitive information.
[discrete]
=== Synopsis
[source,shell]
--------------------------------------------------
bin/kibana-encryption-keys generate
[-i, --interactive] [-q, --quiet]
[-f, --force] [-h, --help]
--------------------------------------------------
[discrete]
=== Description
{kib} uses encryption keys in several areas, ranging from encrypting data
in {kib} associated indices to storing session information. By defining these
encryption keys in your configuration, you'll ensure consistent operations
across restarts.
[discrete]
=== Usage
[source,shell]
--------------------------------------------------
bin/kibana-encryption-keys [command] [options]
--------------------------------------------------
[discrete]
[[encryption-key-parameters]]
=== Parameters
=== Commands
`generate`:: Randomly generates passwords to the console.
`-i, --interactive`:: Prompts you for which encryption keys to set and optionally
where to save a sample configuration file.
`-q, --quiet`:: Outputs the encryption keys without helper information.
`-f, --force`:: Shows help information.
`generate`:: Generate encryption keys.
+
Unless interactive mode (`-i`) is used, the generated encryption keys will be output to your console only.
From here, you should manually copy the keys into either `kibana.yml` or where else you're configurating {kib}.
+
`-i, --interactive`::: Prompts you for which encryption keys to set and optionally where to save a sample configuration file.
`-q, --quiet`::: Outputs the config options/encryption keys only (without helper information).
`-f, --force`::: Generates new keys for all settings. By default, only un-configured encryption keys will be generated.
`-h, --help`::: Shows help information.
[discrete]
=== Examples

19
docs/user/security/secure-saved-objects.asciidoc
View file

@ -19,6 +19,11 @@ xpack.encryptedSavedObjects:
If you don't specify an encryption key, {kib} might disable features that rely on encrypted saved objects.
============================================================================
[TIP]
============================================================================
For help generating the encryption key, refer to the <<kibana-encryption-keys, `kibana-encryption-keys`>> script.
============================================================================
[[encryption-key-rotation]]
==== Encryption key rotation
@ -45,3 +50,17 @@ You might also leverage this functionality if multiple {kib} instances connected
============================================================================
At some point, you might want to dispose of old encryption keys completely. Make sure there are no saved objects that {kib} encrypted with these encryption keys. You can use the <<saved-objects-api-rotate-encryption-key, rotate encryption key API>> to determine which existing saved objects require decryption-only keys and re-encrypt them with the primary key.
[[encryption-key-docker-configuration]]
==== Docker configuration
It's also possible to configure the encryption keys using <<environment-variable-config,Docker environment variables>>.
Docker environment variable examples:
[source,sh]
--------------------------------------------------------------------------------
XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY="min-32-byte-long-NEW-encryption-key"
XPACK_ENCRYPTEDSAVEDOBJECTS_KEYROTATION_DECRYPTIONONLYKEYS[0]="min-32-byte-long-OLD#1-encryption-key"
XPACK_ENCRYPTEDSAVEDOBJECTS_KEYROTATION_DECRYPTIONONLYKEYS[1]="min-32-byte-long-OLD#2-encryption-key"
--------------------------------------------------------------------------------