Loading

Set up security in self-managed deployments

Self Managed

This section explains how to perform the initial security setup for self-managed deployments, including configuring TLS certificates to secure Elasticsearch and Kibana endpoints, setting passwords for built-in users, and generating enrollment tokens to connect Kibana or additional Elasticsearch nodes to the cluster.

Self-managed deployments support two approaches for the initial setup: automatic and manual. Note that securing Kibana always requires some manual configuration.

For guidance on configuring additional security features, refer to Secure your cluster or deployment.

Since version 8.0, Elasticsearch automatically enables security features on first startup when the node is not part of an existing cluster and none of the incompatible settings have been explicitly configured.

The automatic configuration:

  • Generates TLS certificates for the transport and HTTP layers
  • Applies TLS configuration settings to elasticsearch.yml
  • Sets a password for the elastic superuser
  • Creates an enrollment token to securely connect Kibana to Elasticsearch

This automatic setup is the quickest way to get started and ensures your cluster is protected by default.

Warning

The automatic configuration does not enable TLS on the Kibana HTTP endpoint. To encrypt browser traffic to Kibana, follow the steps in Set up HTTPS > Encrypt traffic between your browser and Kibana.

Refer to Automatic security setup to learn more, including a list of automatically generated security certificates and keys, and cases where the security setup may be skipped.

If you’re securing an existing unsecured cluster, or prefer to use your own TLS certificates, follow the manual approach. It involves enabling different layers of protection in sequence, depending on your cluster architecture and security requirements.

  1. Set up minimal security: Enables password-based authentication for built-in users and configures Kibana to connect using credentials. Suitable for single-node clusters, but not sufficient for production or multi-node clusters.

  2. Configure transport TLS: Required for multi-node clusters running in production mode. Secures communication between nodes and prevents unauthorized nodes from joining the cluster.

  3. Configure HTTP TLS: Secures all client communications over HTTPS, including traffic between Kibana and Elasticsearch, and between browsers and Kibana. Recommended for all clusters, even single-node setups.

Each step builds on the previous one. For production environments, it’s strongly recommended to complete all three.

For additional TLS configuration options, refer to Manage TLS encryption in self-managed deployments.

Refer to Configure security in Kibana to learn how to implement the following security best practices for Kibana:

  • Set an encryption key for client sessions
  • Use secure HTTP headers
  • Require a Content Security Policy (CSP)