[JIRA] (JENKINS-58743) Remove need to store master key in filesystem


boards@gmail.com (JIRA)

Jul 31, 2019, 4:05:02 PM
to jenkinsc...@googlegroups.com
Matt Sicker created an issue
 
Jenkins / Improvement JENKINS-58743
Remove need to store master key in filesystem
Issue Type: Improvement
Assignee: Unassigned
Components: core
Created: 2019-07-31 20:04
Priority: Minor
Reporter: Matt Sicker

The existing implementation of ConfidentialStore in Jenkins relies on a secret key that is stored inside JENKINS_HOME/secrets/master.key which is used for encrypting the keys used to encrypt various other secrets. This key file is really only required during startup as the key is loaded into memory and used for unlocking the confidential store which allows for encrypting and decrypting data elsewhere in Jenkins.

 
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

msicker@cloudbees.com (JIRA)

Mar 4, 2020, 5:06:03 PM
to jenkinsc...@googlegroups.com
Matt Sicker updated an issue
Change By: Matt Sicker
The existing implementation of ConfidentialStore in Jenkins relies on a secret key that is stored inside {{JENKINS_HOME/secrets/master.key}} which is used for encrypting the keys used to encrypt various other secrets. This key file is really only required during startup as the key is loaded into memory and used for unlocking the confidential store which allows for encrypting and decrypting data elsewhere in Jenkins.


This can potentially be improved in a couple ways:

# Add a CLI option or environment variable to specify the location of the master key file. This would make it simpler to locate it on a removable file system or secret mount.
# Provide an unlock prompt similar to the admin password for uploading or specifying the master key on startup if there is no master key available to decrypt the confidential store.
This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)

msicker@cloudbees.com (JIRA)

Mar 5, 2020, 3:45:02 PM
to jenkinsc...@googlegroups.com
Matt Sicker commented on Improvement JENKINS-58743
 
Re: Remove need to store master key in filesystem

One thing I'm noticing is there's a potential ability to refactor the confidential store to use the KeyStore APIs which would allow for more standardized keystore maintenance.
