Hello,
So I tried setting xpack.encryptedSavedObjects.encryptionKey on an ECE Kibana deployment in User and settings and it appeared to have broken the builtin Fleet (message signing key error when opening Fleet)
But how can we safely put this setting without breaking something? The Elastic docs say this setting applies to ECE. But we don’t know the original key so replacing it always breaks Fleet. Also I tried to set it immediately after a fresh deployment, but this also broke Fleet.
Luckiliy it appears by removing this setting again, Fleet seems to be working correctly again. Does this mean this encryption key is saved somewhere in ECE? Can we retrieve it so we can use the keyRotation setting?
xpack.encryptedSavedObjects:
encryptionKey: "min-32-byte-long-NEW-encryption-key"
keyRotation:
decryptionOnlyKeys: ["min-32-byte-long-OLD#1-encryption-key", "min-32-byte-long-OLD#2-encryption-key"]
Any feedback on this topic is welcome. ![]()


