Where's the encryption key stored in Jenkins?
I found this analysis (link is dead as of June 2020, archived here) very helpful. In a nutshell:
Jenkins uses the master.key to encrypt the key hudson.util.Secret. This key is then used to encrypt the password in credentials.xml.
When I need to bootstrap new Jenkins instances with some default passwords, I use a template directory tree that contains
secrets/hudson.util.Secret
and secrets/master.key
This works fine.
Regarding Jenkins migration, I recently experienced this situation, and after a few tests my workaround worked for me.
Here is what I did:
I moved the files and folders below from the source Jenkins to the target:
- $JENKINS_HOME/secret.key
- $JENKINS_HOME/secrets
- $JENKINS_HOME/users
- $JENKINS_HOME/credentials.xml
Please note: these files do not need to be moved:
- $JENKINS_HOME/identity.key.enc
- $JENKINS_HOME/secrets/org.jenkinsci.main.modules.instance_identity.InstanceIdentity.KEY
Otherwise you will see the error below after starting Jenkins:
java.lang.AssertionError: InstanceIdentity is missing its singleton
Jenkins will automatically generate those two files. Once started, you should be good.
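The migration steps from the answer above as a shell function, added here as an example and not part of the original answers. The function name `migrate_jenkins_secrets`, the owner-only permissions it sets, and the choice to copy `secret.key` and `users/` only when present are assumptions of this example.

```shell
# Added example, not from the original answers.
# Usage: migrate_jenkins_secrets /old/jenkins_home /new/jenkins_home
migrate_jenkins_secrets() {
    src=$1
    dst=$2
    # Instance identity key under secrets/ that the answer says not to move.
    skip='org.jenkinsci.main.modules.instance_identity.InstanceIdentity.KEY'

    # The two key files and the credentials.xml they protect must all exist.
    for f in secrets/master.key secrets/hudson.util.Secret credentials.xml; do
        if [ ! -f "$src/$f" ]; then
            echo "missing: $src/$f" >&2
            return 1
        fi
    done

    # Create the target secrets directory owner-only before any key lands in it.
    mkdir -p "$dst/secrets" || return 1
    chmod 700 "$dst/secrets" || return 1

    # Copy everything in secrets/ except the instance identity key.
    for p in "$src"/secrets/*; do
        [ "$(basename "$p")" = "$skip" ] && continue
        cp -Rp "$p" "$dst/secrets/" || return 1
    done
    cp -p "$src/credentials.xml" "$dst/credentials.xml" || return 1

    # Assumption of this example: secret.key and users/ are copied when present.
    if [ -f "$src/secret.key" ]; then
        cp -p "$src/secret.key" "$dst/secret.key" || return 1
        chmod 600 "$dst/secret.key" || return 1
    fi
    if [ -d "$src/users" ]; then
        cp -Rp "$src/users" "$dst/" || return 1
    fi

    # identity.key.enc is deliberately not copied; Jenkins regenerates it.
    chmod 600 "$dst/secrets/master.key" "$dst/secrets/hudson.util.Secret" \
        "$dst/credentials.xml" || return 1
    return 0
}
```

Anyone who can read both `secrets/master.key` and `secrets/hudson.util.Secret` can recover the passwords in `credentials.xml`, so the transfer channel and any template tree holding these files need the same protection as the credentials themselves.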