Where's the encryption key stored in Jenkins?

Question

I am trying to migrate the credentials from one Jenkins to another but usernames/passwords are hashed in ${JENKINS_HOME}/credentials.xml

I found this answer, but the problem is it doesn't explain where would someone find the encryption key in order to successfully migrate credentials.

Any help is greatly appreciated!

EDIT: More information.. my ${JENKINS_HOME} is on a separate volume which I detach and re-attach onto the new VM, and it still doesn't work with me.

Answer 1

I found this analysis (link is dead as of June 2020, archived here) very helpful. In a nutshell:

Jenkins uses the master.key to encrypt the key hudson.util.Secret. This key is then used to encrypt the password in credentials.xml.

When I need to bootstrap new Jenkins instances with some default passwords, I use a template directory tree that contains

• secrets/hudson.util.Secret and
• secrets/master.key

This works fine.

Answer 2

Regarding JENKINS migration, I recently experienced this situation and after few testings, my workaround worked for me.

Here is what I did:

1. I moved below files and folders from Source Jenkins to target:

   • $JENKINS_HOME/secret.key
   • $JENKINS_HOME/secrets
   • $JENKINS-HOME/users
   • $JENKINS_HOME/credentials.xml

2. Please note: These files are not required to move:

   • $JENKINS_HOME/identity.key.enc
   • $JENKINS_HOME/secrets/org.jenkinsci.main.modules.instance_identity.InstanceIdentity.KEY

otherwise you will see below error after starting Jenkins:

java.lang.AssertionError: InstanceIdentity is missing its singleton

3. Jenkins will automatically generate those two files. Once started, you should be good.