[[secure-settings]]
=== Secure settings

Some settings are sensitive, and relying on filesystem permissions to protect
their values is not sufficient. For this use case, Kibana provides a
keystore, and the `kibana-keystore` tool to manage the settings in the keystore.

[NOTE]
====
* Run all commands as the user who runs {kib}.
* Any valid {kib} setting can be stored in the keystore securely.
   Unsupported, extraneous or invalid settings will cause {kib} to fail to start up.
====

[float]
[[creating-keystore]]
=== Create the keystore

To create the `kibana.keystore`, use the `create` command:

[source,sh]
----------------------------------------------------------------
bin/kibana-keystore create
----------------------------------------------------------------

The file `kibana.keystore` will be created in the `config` directory defined by the
environment variable `KBN_PATH_CONF`.

To create a password protected keystore use the `--password` flag.

[float]
[[list-settings]]
=== List settings in the keystore

A list of the settings in the keystore is available with the `list` command:

[source,sh]
----------------------------------------------------------------
bin/kibana-keystore list
----------------------------------------------------------------

[float]
[[add-string-to-keystore]]
=== Add string settings

NOTE: Your input will be JSON-parsed to allow for object/array input configurations. 
      To enforce string values, use "double quotes" around your input.

Sensitive string settings, like authentication credentials for Elasticsearch
can be added using the `add` command:

[source,sh]
----------------------------------------------------------------
bin/kibana-keystore add the.setting.name.to.set
----------------------------------------------------------------

Once added to the keystore, these setting will be automatically applied
to this instance of Kibana when started. For example if you do

[source,sh]
----------------------------------------------------------------
bin/kibana-keystore add elasticsearch.username
----------------------------------------------------------------

you will be prompted to provide the value for elasticsearch.username.
(Your input will show as asterisks.)

The tool will prompt for the value of the setting. To pass the value
through stdin, use the `--stdin` flag:

[source,sh]
----------------------------------------------------------------
cat /file/containing/setting/value | bin/kibana-keystore add the.setting.name.to.set --stdin
----------------------------------------------------------------

[float]
[[remove-settings]]
=== Remove settings

To remove a setting from the keystore, use the `remove` command:

[source,sh]
----------------------------------------------------------------
bin/kibana-keystore remove the.setting.name.to.remove
----------------------------------------------------------------

[float]
[[read-settings]]
=== Read settings

To display the configured setting values, use the `show` command:

[source, sh]
----------------------------------------------------------------
bin/kibana-keystore show setting.key
----------------------------------------------------------------

[float]
[[change-password]]
=== Change password

To change the password of the keystore, use the `passwd` command: 

[source, sh]
----------------------------------------------------------------
bin/kibana-keystore passwd
----------------------------------------------------------------

[float]
[[has-password]]
=== Has password

To check if the keystore is password protected, use the `has-passwd` command.
An exit code of 0 will be returned if the keystore is password protected, 
and the command will fail otherwise.

[source, sh]
----------------------------------------------------------------
bin/kibana-keystore has-passwd
----------------------------------------------------------------