Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Encryption is mostly used to remove clear passwords from settings (database or SCM credentials for instance). The implemented solution is based on a symetric key algorithm. The keypoint is that the secret key is stored in a secured file on disk. This file must only be owned and readable by the system account that runs the SonarQube server, the analysis with SonarQube Runner, SonarQube Ant Task, Maven or from the Continuous Integration server.

The algorithm is AES 128 bits. Note that 256 bits cipher is not used because it's not supported by default on all Java Virtual Machines (see this article).

1. Generate the secret key

A unique secret key must be shared between all parts of the SonarQube infrastructure (server and analyzers). To generate it, go to Settings > Configuration > General Settings > Encryption and click on Generate secret key:

Image Added

2. Store the secret key on the SonarQube server

  1. Copy this secret key in a file:

    Code Block
    titlesonar-secret.txt
    languagenone
    bIOVA1TybepjqLH+uYxuNh==



  2. Store this file on the machine hosting the SonarQube server (default location:  ~/.sonar/sonar-secret.txt). If you want to store it somewhere else, set its path through the sonar.secretKeyPath property in SONARQUBE_HOME/conf/sonar.properties:

    Code Block
    titleSONARQUBE_HOME/conf/sonar.properties
    languagenone
    ...
    sonar.secretKeyPath=C:/path/to/my/secure/location/my_secret_key.txt
    ...



  3. Restrict its access to the system account running the SonarQube server (ownership and read-access only).
  4. Restart your SonarQube server.

3. Generate the encrypted values of your settings

Go back to Settings > Configuration > General Settings > Encryption and generate the encrypted values or your settings:

Image Added

4. Use these encrypted values

Server side

Simply copy these encrypted values into SONARQUBE_HOME/conf/sonar.properties:

Code Block
titleSONARQUBE_HOME/conf/sonar.properties
languagenone
sonar.jdbc.url=jdbc:oracle:thin:@172.16.199.130/XE
sonar.jdbc.username=sonar
sonar.jdbc.password={aes}CCGCFg4Xpm6r+PiJb1Swfg==     # Encrypted password for the database
...
sonar.secretKeyPath=C:/path/to/my/secure/location/my_secret_key.txt

Restart your SonarQube server.

Batch side

Copy the secret key file on the machine running the analysis.

Copy these encrypted values into the analyzer configuration file: sonar-runner.properties, settings.xml, etc. Do not forget to define the path to your secret key as well.

Code Block
titlesonar-runner.properties
languagenone
...
sonar.jdbc.url=jdbc:oracle:thin:@localhost/XE
sonar.jdbc.username=postgres
sonar.jdbc.password={aes}CCGCFg4Xpm6r+PiJb1Swfg==
...
sonar.secretKeyPath=C:/path/to/my/secure/location/my_secret_key.txt
...
Code Block
titlesettings.xml
languagehtml/xml
...
<profile>
  <id>sonar</id>
  <properties>
    <sonar.jdbc.url>jdbc:oracle:thin:@172.16.199.130/XE</sonar.jdbc.url>
    <sonar.jdbc.username>sonar</sonar.jdbc.username>
    <sonar.jdbc.password>{aes}CCGCFg4Xpm6r+PiJb1Swfg==</sonar.jdbc.password>
    ...
    <sonar.secretKeyPath>C:/path/to/my/secure/location/my_secret_key.txt</sonar.secretKeyPath>
  </properties>
</profile>
...
Note

The sonar.password property is only encryptable since SonarQube 3.7.