Encrypt or hide password from Jenkins.xml file: --httpsKeyStorePassword

Is there a way to encrypt or hide the password in the Jenkins.xml file? Adding the password in the configuration file is not recommended. We have the password set up in the jenkins.xml file.

-Xrs -Xmx256m -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "C:\Program Files\Jenkins\jenkins.war" --httpPort=-1 --httpsPort=8443 --httpsKeyStore="%ProgramData%\Jenkins\.jenkins\secrets\jenkins-cert.jks" --httpsKeyStorePassword=******* --webroot="%ProgramData%\Jenkins\war"

Is there any way to hide it?

Yes, storing sensitive information like plain text passwords is not recommended for security reasons.

In Jenkins, you can use the Jenkins Credential Plugin to manage credentials securely.

However, in your case, it seems like you are trying to secure the password of the HTTPS keystore used by Jenkins when it’s started as a Windows service, right?

This password is needed at startup, so it must be available in plain text form at that time as far as I know.

One not-so-good approach to improve the security could be to restrict the access to the jenkins.xml file itself.
You can set the file permissions such that only the user account that is used to run the Jenkins service can read this file.

That approach is far from perfect, but may work with PowerShell:

# Replace 'username' with the actual username of the account running the Jenkins service
$acl = Get-Acl 'C:\Program Files\Jenkins\jenkins.xml'
# Disable inheritance and drop the inherited entries instead of copying them
$acl.SetAccessRuleProtection($True, $False)
# Grant the service account full control; no other account gets an entry
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('username', 'FullControl', 'Allow')
$acl.AddAccessRule($rule)
# Write the rebuilt ACL back to the file
Set-Acl 'C:\Program Files\Jenkins\jenkins.xml' $acl

This script will remove all permissions for the jenkins.xml file and then add 'FullControl' permission for the specified user.

Of course, this does not encrypt or hide the password :cry: , but it does restrict who can see it. :person_shrugging:

If an attacker gains access to the account that runs the Jenkins service, they will still be able to read this file.

My $0.02.

You can put the parameters of Jenkins in a separate file and just pass this with
java <javaopt> -jar jenkins.war --config=c:\tools\jenkins.args
That way you at least avoid the password being part of the running command and visible in the process tree.
Depending on how the startup is actually implemented, Jenkins could (via an init script maybe) delete the file afterwards. The startup process would need to ensure that the file is created each time before Jenkins starts.
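As an added example that is not part of either reply: a small Python audit that parses a Windows jenkins.xml, reports the --httpsKeyStorePassword value if it sits in plain text inside <arguments>, and rewrites the arguments to the --config file approach from the reply above. The sample jenkins.xml, the value hunter2 and the name=value line format of the config file are constructed assumptions, not taken from the thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Windows jenkins.xml service definition (not from a real install).
SAMPLE_JENKINS_XML = """<service>
  <id>jenkins</id>
  <arguments>-Xrs -Xmx256m -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "C:\\Program Files\\Jenkins\\jenkins.war" --httpPort=-1 --httpsPort=8443 --httpsKeyStore="%ProgramData%\\Jenkins\\.jenkins\\secrets\\jenkins-cert.jks" --httpsKeyStorePassword=hunter2 --webroot="%ProgramData%\\Jenkins\\war"</arguments>
</service>"""

# Options whose value is a secret; only the one discussed in the thread is listed.
SECRET_OPTIONS = {"httpsKeyStorePassword"}
# Split the argument string on whitespace while keeping double-quoted paths intact.
TOKEN_RE = re.compile(r'(?:[^\s"]|"[^"]*")+')
OPTION_RE = re.compile(r"^--(\w+)=(.*)$")

def tokenize_arguments(xml_text):
    """Return the <arguments> text of jenkins.xml as a list of command-line tokens."""
    root = ET.fromstring(xml_text)
    return TOKEN_RE.findall(root.findtext("arguments") or "")

def find_plaintext_secrets(xml_text):
    """Names of secret-bearing options that carry a non-empty value on the command line."""
    found = []
    for token in tokenize_arguments(xml_text):
        match = OPTION_RE.match(token)
        if match and match.group(1) in SECRET_OPTIONS and match.group(2):
            found.append(match.group(1))
    return found

def move_secrets_to_config(xml_text, config_path):
    """Return (new_arguments, config_lines) with the secrets taken off the command
    line and replaced by --config=<path>. The 'name=value' line format of that
    file is an assumption about Winstone's properties file, not taken from the thread."""
    kept, config_lines = [], []
    for token in tokenize_arguments(xml_text):
        match = OPTION_RE.match(token)
        if match and match.group(1) in SECRET_OPTIONS:
            config_lines.append(f"{match.group(1)}={match.group(2)}")
        else:
            kept.append(token)
    if config_lines:
        kept.append(f"--config={config_path}")
    return " ".join(kept), config_lines

if __name__ == "__main__":
    print("plaintext secrets:", find_plaintext_secrets(SAMPLE_JENKINS_XML))
    new_args, lines = move_secrets_to_config(SAMPLE_JENKINS_XML, r"C:\tools\jenkins.args")
    print(new_args, *lines, sep="\n")
```

The rewritten arguments string still has to go back into jenkins.xml, and the generated config file needs the same restrictive ACL as the reply above describes, otherwise the password has only moved.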
