How to add xpack.encryptedSavedObjects.encryptionKey for Kibana deployments in ECE without breaking Fleet

Hello,

So I tried setting xpack.encryptedSavedObjects.encryptionKey on an ECE Kibana deployment in User and settings, and it appeared to have broken the built-in Fleet (message signing key error when opening Fleet).

But how can we safely put this setting without breaking something? The Elastic docs say this setting applies to ECE. But we don’t know the original key so replacing it always breaks Fleet. Also I tried to set it immediately after a fresh deployment, but this also broke Fleet.

Luckily, it appears that by removing this setting again, Fleet seems to be working correctly again. Does this mean this encryption key is saved somewhere in ECE? Can we retrieve it so we can use the keyRotation setting?

    xpack.encryptedSavedObjects:
      encryptionKey: "min-32-byte-long-NEW-encryption-key"
      keyRotation:
        decryptionOnlyKeys: ["min-32-byte-long-OLD#1-encryption-key", "min-32-byte-long-OLD#2-encryption-key"]

Any feedback on this topic is welcome.

Hello @willemdh

On ECE, ELK 9.3.1, if I try to set these values, I see the below message:

It does not allow me to set them. Could you please share what your ELK version is?

Thanks!!

Hi @Tortoise

Thanks a lot for your answer.

ECE 4.0.3 Elastic 9.2.5.

So these settings are not supported by ECE. It would have been nice if the docs made this more clear. The docs page "Secure Kibana saved objects | Elastic Docs" clearly shows ECE:

(We are currently still on trial license)

Very weird that it shows you these settings are not allowed while for me it happily applied these settings….