diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja
index 00b3e6007..3457b8384 100644
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -240,6 +240,7 @@
 {% if KIBANA and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
 {% do allowed_states.append('kibana') %}
+ {% do allowed_states.append('kibana.secrets') %}
 {% endif %}
 {% if grains.role in ['so-eval', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-manager'] %}
diff --git a/salt/kibana/config.map.jinja b/salt/kibana/config.map.jinja
index c34dbfbb8..99fee8471 100644
--- a/salt/kibana/config.map.jinja
+++ b/salt/kibana/config.map.jinja
@@ -6,4 +6,8 @@
 {% do KIBANACONFIG.kibana.config.update({'xpack': {'security': {'authc': {'providers': {'anonymous': {'anonymous1': {'order': 0, 'credentials': 'elasticsearch_anonymous_user'}}}}}}}) %}
 {% endif %}
+{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %}
+ {% do KIBANACONFIG.kibana.config.update({'xpack': {'encryptedSavedObjects': {'encryptionKey': pillar['kibana']['secrets']['encryptedSavedObjects']['encryptionKey'] }}}) %}
+{% endif %}
+
 {% set KIBANACONFIG = salt['pillar.get']('kibana:config', default=KIBANACONFIG.kibana.config, merge=True) %}
diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml
index 959be6a34..feb49f654 100644
--- a/salt/kibana/defaults.yaml
+++ b/salt/kibana/defaults.yaml
@@ -30,5 +30,3 @@ kibana:
 xpack:
 ml:
 enabled: False
- encryptedSavedObjects:
- encryptionKey: {{ pillar['kibana']['secrets']['encryptedSavedObjects']['encryptionKey'] }}
diff --git a/salt/kibana/secrets.sls b/salt/kibana/secrets.sls
index 1e5c224e1..52bb5d54c 100644
--- a/salt/kibana/secrets.sls
+++ b/salt/kibana/secrets.sls
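Review bot: In salt/kibana/config.map.jinja the added `KIBANACONFIG.kibana.config.update({'xpack': {...}})` is a shallow dict update, so it appears to replace the whole `xpack` key: the anonymous provider set by the `update` two lines above (when that branch ran) and `xpack` defaults such as the `ml.enabled: False` visible in defaults.yaml would be dropped from the rendered Kibana config. Updating the nested mapping keeps them, e.g. `{% do KIBANACONFIG.kibana.config.xpack.update({'encryptedSavedObjects': {'encryptionKey': ENCKEY}}) %}`, assuming `xpack` sits under `kibana.config` in the defaults as the new code implies; the earlier security update has the same shape and its enclosing `if` starts outside this hunk. Separately, the guard tests for the secrets file on disk while the body indexes `pillar['kibana']['secrets'][...]` directly, so a file that exists before the pillar carries the key would fail the render. Gating on the value actually used avoids that: `{% set ENCKEY = salt['pillar.get']('kibana:secrets:encryptedSavedObjects:encryptionKey') %}` followed by `{% if ENCKEY %}`.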
@@ -1,3 +1,6 @@ +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} + {% set kibana_encryptedSavedObjects_encryptionKey = salt['pillar.get']('kibana:secrets:encryptedSavedObjects:encryptionKey', salt['random.get_str'](72)) %} kibana_pillar_directory: @@ -15,3 +18,11 @@ kibana_secrets_pillar: encryptedSavedObjects: encryptionKey: {{ kibana_encryptedSavedObjects_encryptionKey }} - show_changes: False + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %}
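Review bot: The `{% set kibana_encryptedSavedObjects_encryptionKey ... %}` line in the first secrets.sls hunk deserves a comment, because its fallback `salt['random.get_str'](72)` yields a fresh key on every render in which the pillar lookup misses. If the state body between the two hunks (not visible here) writes that value unconditionally, a run before the pillar is refreshed would replace the stored key and leave objects encrypted under the old one undecryptable. A Jinja comment such as `{# reuse the pillar key; a new one is generated only when the pillar has none #}` above the `set`, together with a note that a pillar refresh must follow the first run, would make that contract explicit.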