Yes, alerting should work without security. It sounds like the encryption key is not being set; we'll need to see the log messages from kibana. Given the message you see in the browser, I'd expect you'll see the following message in the logs:
APIs are disabled due to the Encrypted Saved Objects plugin using an ephemeral encryption key.
Please set xpack.encryptedSavedObjects.encryptionKey in kibana.yml.
Can you paste the line in your kibana.yml with the xpack.encryptedSavedObjects.encryptionKey setting? You can replace the values in the key with X's if you want.
One note - the documentation notes the key should be 32 characters or longer. I'm not sure what happens if it's shorter, but it certainly won't used, and I would expect a separate log message about that.