Encryption is mostly used to remove clear passwords from settings (database or SCM credentials for instance). The implemented solution is based on a symetric key algorithm. The keypoint key point is that the secret key is stored in a secured file on disk. This file must only be owned by and readable only by the system account that runs the SonarQube server, the analysis with SonarQube Runner, SonarQube Ant Task, Maven or from the Continuous Integration server.
A unique secret key must be shared between all parts of the SonarQube infrastructure (server and analyzers). To generate it, go to Settings > Configuration > General Settings > Security > Encryption and click on Generate secret key:
2. Store the secret key on the SonarQube server
Copy this the generated secret key in to a file:
Code Block title sonar-secret.txt language none
Store this file on the machine hosting the SonarQube server (default location:
~/.sonar/sonar-secret.txt). If you want to store it somewhere else, set its path through the
sonar.secretKeyPathproperty in SONARQUBE_HOME/conf/sonar.properties:
Code Block title SONARQUBE_HOME/conf/sonar.properties language none
... sonar.secretKeyPath=C:/path/to/my/secure/location/my_secret_key.txt ...
- Restrict its access to the system account running the SonarQube server (ownership and read-access only).
- Restart your SonarQube server.
3. Generate the encrypted values of your settings
Go back to Settings > Configuration > General Settings > Security > Encryption and generate the encrypted values or of your settings:
4. Use these encrypted values
Restart your SonarQube server.
Copy the secret key file on to the machine running the analysis.