Where's the encryption key stored in Jenkins?

encryption jenkins migration credentials
Fadi picture Fadi · Jul 19, 2016 · Viewed 17.7k times · Source

I am trying to migrate the credentials from one Jenkins to another but usernames/passwords are hashed in ${JENKINS_HOME}/credentials.xml

I found this answer, but the problem is it doesn't explain where would someone find the encryption key in order to successfully migrate credentials.

Any help is greatly appreciated!

EDIT: More information.. my ${JENKINS_HOME} is on a separate volume which I detach and re-attach onto the new VM, and it still doesn't work with me.

Answer

Alex O picture Alex O · Jul 20, 2016

I found this analysis (link is dead as of June 2020, archived here) very helpful. In a nutshell:

Jenkins uses the master.key to encrypt the key hudson.util.Secret. This key is then used to encrypt the password in credentials.xml.

When I need to bootstrap new Jenkins instances with some default passwords, I use a template directory tree that contains

  • secrets/hudson.util.Secret and
  • secrets/master.key

This works fine.

Related questions

Encrypt and decrypt a string in C#?

How can I encrypt and decrypt a string in C#?

Read More
Encrypting & Decrypting a String in C#

What is the most modern (best) way of satisfying the following in C#? string encryptedString = SomeStaticClass.Encrypt(sourceString); string decryptedString = SomeStaticClass.Decrypt(encryptedString); BUT with a minimum of fuss involving salts, keys, mucking about with byte[], etc. Been Googling and …

Read More
Java 256-bit AES Password-Based Encryption

I need to implement 256 bit AES encryption, but all the examples I have found online use a "KeyGenerator" to generate a 256 bit key, but I would like to use my own passkey. How can I create my own key? I …

Read More