Mention other ways to set encryption key for saved objects #129671

Closed
dedemorton opened this issue Apr 6, 2022 · 3 comments · Fixed by #132828
Labels
docs impact:needs-assessment Product and/or Engineering needs to evaluate the impact of the change. Team:Docs Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@dedemorton
Contributor

dedemorton commented Apr 6, 2022

Describe the feature:

The docs about setting an encryption key for saved objects should mention other ways to set the key (besides setting xpack.encryptedSavedObjects.encryptionKey in kibana.yml).

From what I understand, you can use the kibana-encryption-keys command, or Docker environment variables.

I've not personally used all these ways, so def confirm with the dev team.

Describe a specific use case for the feature:
Users who follow the UI link added here need to know there are other ways to set the encryption key.

@elasticmachine
Contributor

Pinging @elastic/kibana-docs (Team:Docs)

@watson
Contributor

watson commented May 3, 2022

The kibana-encryption-keys command is just for generating the encryption keys. When running the command the keys will be printed to the terminal and it's up to the person running the command to enter the keys into kibana.yml. I.e. this is not a different way of setting the keys, just a handy tool to generate them automatically.

But you're right that we of course should mention this tool on the "Secure saved objects" page, which we do not do currently.

For Docker you can set environment variables like:

XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY="min-32-byte-long-NEW-encryption-key"
XPACK_ENCRYPTEDSAVEDOBJECTS_KEYROTATION_DECRYPTIONONLYKEYS[0]="min-32-byte-long-OLD#1-encryption-key"
XPACK_ENCRYPTEDSAVEDOBJECTS_KEYROTATION_DECRYPTIONONLYKEYS[1]="min-32-byte-long-OLD#2-encryption-key"

@watson watson self-assigned this May 3, 2022
@watson watson added the Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! label May 4, 2022
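
A pre-deployment check for the Docker variables shown in the comment above, as an added example that is not part of the original thread or of Kibana's own code. It assumes the variables are kept in a `KEY=value` env file; the 32-byte minimum is taken from the thread's sample values, and the sample-value and duplicate-key checks are this example's own hygiene rules.

```python
import re

# Variable names as they appear in the thread's Docker example.
ACTIVE = "XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY"
OLD = re.compile(r"^XPACK_ENCRYPTEDSAVEDOBJECTS_KEYROTATION_DECRYPTIONONLYKEYS\[(\d+)\]$")
MIN_BYTES = 32  # taken from the "min-32-byte-long" sample values in the thread
SAMPLE_PREFIX = "min-32-byte-long"  # marks a sample value pasted in unchanged


def parse_env(text):
    """Parse KEY=value lines (optional double quotes); skip blanks and comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        env[name.strip()] = value
    return env


def check_keys(env):
    """Return a list of findings; an empty list means no problem was found."""
    findings = []
    keys = {n: v for n, v in env.items() if n == ACTIVE or OLD.match(n)}
    if ACTIVE not in keys:
        findings.append(f"{ACTIVE} is not set")
    for name, value in sorted(keys.items()):
        if len(value.encode("utf-8")) < MIN_BYTES:
            findings.append(f"{name}: shorter than {MIN_BYTES} bytes")
        if value.startswith(SAMPLE_PREFIX):
            findings.append(f"{name}: documentation sample value, not a real key")
        if name != ACTIVE and value == keys.get(ACTIVE):
            findings.append(f"{name}: same value as the active key")
    return findings


# Constructed sample input: the thread's variable names with made-up values.
SAMPLE_ENV = '''
XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY="min-32-byte-long-NEW-encryption-key"
XPACK_ENCRYPTEDSAVEDOBJECTS_KEYROTATION_DECRYPTIONONLYKEYS[0]="too-short"
XPACK_ENCRYPTEDSAVEDOBJECTS_KEYROTATION_DECRYPTIONONLYKEYS[1]="c0nstructed-example-key-0123456789abcdef"
'''

if __name__ == "__main__":
    for finding in check_keys(parse_env(SAMPLE_ENV)):
        print(finding)
```
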
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@exalate-issue-sync exalate-issue-sync bot added the impact:needs-assessment Product and/or Engineering needs to evaluate the impact of the change. label May 4, 2022