Kibana 7.5.1 Unable to use Kibana Keystore due to Permissions Problem

I installed Kibana on an Ubuntu 16.04.6 VM using a user with sudo permissions (basically, a user with root-like permissions). I have enabled and started kibana with systemctl. I have security enabled, the built-in users configured, and Kibana is connected to my 7.5.1 elasticsearch cluster which also has security enabled and the TLS transport configured. I can log into kibana with a custom user via a browser. However, I want to move the built-in kibana username and password to the kibana keystore as well as various encryption keys. To add the keys to the kibana keystore I use the same user with sudo permissions I used to install and configure Kibana. Therefore, the permissions of the keystore I created are:

opslogs@zcolo-ops-es-kibana-1:~$ ls -l /var/lib/kibana/
total 16
-rw-r--r-- 1 root root 130 Jan 14 14:45 kibana.keystore

When I add a key with "sudo" and the flag --allow-root, kibana fails to start with this error message:
{"type":"log","@timestamp":"2020-01-14T01:20:18Z","tags":["fatal","root"],"pid":1262,"message":"{ Error: "K_USER" and "K_SEC_ENCRYPTKEY" settings were not applied.
Check for spelling errors and ensure that expected plugins are installed.\n
at KbnServer._default (/usr/share/kibana/src/legacy/server/config/complete.js:90:17) code: 'InvalidConfig', processExitCode: 64 }"}

I verified the spelling by cutting and pasting K_SEC_ENCRYPTKEY. I don't even need to use the K_SEC_ENCRYPTKEY in kibana.yml file for it to fail, though it fails in both cases.

Even though the persmission are "root root" I tried to add a key to the kibana keystore without using sudo. I got this error:

opslogs@zcolo-ops-es-kibana-1:~$ /usr/share/kibana/bin/kibana-keystore list

Babel could not write cache to file: /usr/share/kibana/optimize/.babel_register_cache.json
due to a permission issue. Cache is disabled.

I experimented by changing the permission of the keystore to "kibana kibana" or "root kibana" (/var/lib/kibana/kibana.keystore), the problems as described above remained.

It seems that I need to change permissions of various files that the keystore uses so the kibana user can access them; however, I don't know what these are. The Kibana keystore documentation has no information about this. In addition, I don't have this problem with elasticsearch 7.5.1. I used an identical user with the same root-like permissions to install ES and add add TLS transport keys to its keystore with no problems. Note that ES automatically creates the keystore for me upon installation and places it in /etc/elasticsearch with permissions:
-rw-rw---- 1 root elasticsearch 395 Jan 9 17:37 elasticsearch.keystore

To my mind, manually changing permissions on a file like the kibana keystore is probably an unorthodox and problematic approach to resolving this problem, so I'd like help figuring out how to use the keystore in 7.5.1. There was an earlier question about this a few months ago, but the answer basically said I had to use the --allow-root flag and use "service kibana start" to run Kibana, or systemctl, which I have done. So I'd like some more input.