
Where's the encryption key stored in Jenkins?

I am trying to migrate the credentials from one Jenkins to another, but usernames/passwords are hashed in ${JENKINS_HOME}/credentials.xml.

I found this answer, but the problem is it doesn't explain where would someone find the encryption key in order to successfully migrate credentials.

Any help is greatly appreciated!

EDIT: More information: my ${JENKINS_HOME} is on a separate volume which I detach and re-attach onto the new VM, and it still doesn't work for me.

Fadi asked Jul 19 '16 17:07


People also ask

Where is my Jenkins secret key?

Encryption of Secrets and Credentials. Jenkins uses AES to encrypt and protect secrets, credentials, and their respective encryption keys. These encryption keys are stored in $JENKINS_HOME/secrets/ along with the master key used to protect said keys.

Where are Jenkins passwords stored?

This password is stored inside the file initialAdminPassword, which is located inside your jenkins_home directory. The file, along with its full path, is displayed on the Jenkins page, as shown in the following screenshot: On Windows: You can find the file under C:\Program Files (x86)\Jenkins\secrets.

How are credentials stored in Jenkins?

To maximize security, credentials configured in Jenkins are stored in an encrypted form on the controller Jenkins instance (encrypted by the Jenkins instance ID) and are only handled in Pipeline projects via their credential IDs.


2 Answers

I found this analysis (link is dead as of June 2020, archived here) very helpful. In a nutshell:

Jenkins uses the master.key to encrypt the key hudson.util.Secret. This key is then used to encrypt the password in credentials.xml.

When I need to bootstrap new Jenkins instances with some default passwords, I use a template directory tree that contains

  • secrets/hudson.util.Secret and
  • secrets/master.key

This works fine.

Alex O answered Nov 01 '22 08:11


Regarding Jenkins migration, I recently experienced this situation, and after a few tests my workaround worked for me.

Here is what I did:

  1. I moved the files and folders below from the source Jenkins to the target:

    • $JENKINS_HOME/secret.key
    • $JENKINS_HOME/secrets
    • $JENKINS_HOME/users
    • $JENKINS_HOME/credentials.xml
  2. Please note: these files do not need to be moved:

    • $JENKINS_HOME/identity.key.enc
    • $JENKINS_HOME/secrets/org.jenkinsci.main.modules.instance_identity.InstanceIdentity.KEY

     Otherwise you will see the error below after starting Jenkins:

     java.lang.AssertionError: InstanceIdentity is missing its singleton
  3. Jenkins will automatically generate those two files. Once started, you should be good.
Ashish K Srivastava answered Nov 01 '22 07:11
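
The copy procedure from the two answers above, written as a shell function. This is an added example, not code from either answer: the function name, its two arguments (old and new JENKINS_HOME) and the permission tightening at the end are assumptions, and it expects Jenkins to be stopped on the target.

```shell
#!/bin/sh
# Added example (not from the original answers). SRC and DST are the old and
# new JENKINS_HOME; the function name and arguments are illustrative.
# Usage after sourcing: migrate_jenkins_secrets /old/jenkins_home /new/jenkins_home
migrate_jenkins_secrets() {
    src=$1; dst=$2
    identity_key=org.jenkinsci.main.modules.instance_identity.InstanceIdentity.KEY

    # credentials.xml is only decryptable together with both key files:
    # master.key protects hudson.util.Secret, which protects the credentials.
    for f in credentials.xml secrets/master.key secrets/hudson.util.Secret; do
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 1; }
    done

    mkdir -p "$dst/secrets" || return 1
    chmod 700 "$dst/secrets"

    # Top-level items named in the answer; identity.key.enc is never copied.
    for item in secret.key users credentials.xml; do
        [ -e "$src/$item" ] || continue
        cp -Rp "$src/$item" "$dst/" || return 1
    done

    # Everything under secrets/ except the instance identity key, which
    # Jenkins regenerates on first start.
    for path in "$src"/secrets/*; do
        [ "$(basename "$path")" = "$identity_key" ] && continue
        cp -Rp "$path" "$dst/secrets/" || return 1
    done

    # Confirm the key chain arrived byte-for-byte, then restrict access.
    for f in credentials.xml secrets/master.key secrets/hudson.util.Secret; do
        cmp -s "$src/$f" "$dst/$f" || { echo "mismatch: $f" >&2; return 1; }
    done
    chmod -R go-rwx "$dst/secrets" "$dst/credentials.xml"
    if [ -f "$dst/secret.key" ]; then chmod go-rwx "$dst/secret.key"; fi
}
```

Because master.key and hudson.util.Secret together decrypt every stored credential, treat any archive or template directory containing them with the same care as the credentials themselves.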