Code encryption
Use your own Customer Managed Key (CMK) also known as Bring Your Own Key (BYOK) to provide extra security for encrypting your projects’ source code at rest.
This feature is available in the Enterprise plan.
Overview
SonarQube Cloud stores the source code of analyzed projects to properly display analysis results. Code encryption with a Customer Managed Key (CMK), also known as Bring Your Own Key (BYOK), provides an additional level of security to help organizations comply with regulatory and internal policies that require encryption keys to remain under the company’s control.
AWS standard encryption
Independently of the plan and configuration, your source code is always protected using built-in AWS standard encryption. See Protecting data with encryption on the AWS documentation website for more details.
Code encryption with Customer Managed Key (CMK)
The code encryption configuration provides an additional method for user-controlled encryption at rest using a CMK, ensuring that you retain full ownership and control of your most sensitive data: your code.
Benefits:
Encrypt code at rest: Use your own CMK created in AWS Key Management Service (KMS) to encrypt your source code for maximum security and compliance.
Meet compliance requirements: Satisfy regulatory or internal mandates to own and manage the encryption keys of your proprietary data.
Control key lifecycle (rotation/revocation): As an Enterprise Administrator, you can rotate your CMK for proactive security, or immediately disable it in case of an incident to instantly block access to all encrypted data.
How it works
With CMK, SonarQube uses a least-privilege key model, providing you with full control over the lifecycle of your keys and limiting SonarQube’s access to key usage only. You generate and manage your AWS KMS keys, and SonarQube only performs encryption and decryption operations using the CMK. You don’t have to grant SonarQube any administrative roles within the AWS KMS account.
The system utilizes envelope encryption (using AES-256) to ensure maximum security. Once an Enterprise Admin configures your AWS KMS Key ARN (Amazon Resource Name) in the Enterprise settings, SonarQube generates a unique Data Encryption Key (DEK) for each project. Your source code is encrypted with these project-specific DEKs, which are in turn protected by your CMK. This architecture ensures that you retain full control over the data lifecycle. If you revoke or disable your key in AWS, access to the encrypted source code within SonarQube Cloud is immediately blocked.

Caching of data keys
To enhance the performance of code encryption and decryption, and to reduce the reliance on AWS KMS requests, SonarQube's code encryption feature utilizes caching for project data keys. Unencrypted data keys are stored in this cache for a maximum duration of 5 minutes.
In case of key revocation, some projects might still be available for up to 5 minutes due to cached project data keys.
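The following Go program is added here as an illustration and is not SonarQube’s own code. It models the two sections above: a local stand-in for the KMS key (an assumption; the real service calls the AWS KMS API), a per-project AES-256 data key wrapped under that key, and a read path whose cached data key keeps serving for the TTL after the CMK has been disabled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

var now = time.Now // clock hook so a test can fast-forward past the cache TTL
var ErrDisabled = errors.New("kms: key is disabled")
// AES-256-GCM helpers; keys are always 32 bytes here, so NewCipher/NewGCM cannot fail.
func seal(key, pt []byte) []byte {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil) // nonce is prefixed to the ciphertext
}
func open(key, ct []byte) ([]byte, error) {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}
// CMK stands in for an AWS KMS key (assumption, not the AWS API): the service never reads Material, it only asks KMS to wrap or unwrap a project's data key.
type CMK struct{ Material []byte; Enabled bool }
// Project is what is stored at rest: code sealed under its own DEK, and that DEK sealed
// under the CMK (envelope encryption). dek/exp are the in-memory cache entry, never persisted.
type Project struct{ WrappedDEK, Code, dek []byte; exp time.Time }
func Encrypt(k *CMK, src []byte) *Project {
	dek := make([]byte, 32) // fresh AES-256 data key, unique to this project
	rand.Read(dek)
	return &Project{WrappedDEK: seal(k.Material, dek), Code: seal(dek, src)}
}

// Read serves from the cached DEK for ttl (5 minutes on the page); only a cache miss
// calls KMS, so a disabled CMK is not noticed until the cached entry expires.
func Read(k *CMK, p *Project, ttl time.Duration) ([]byte, error) {
	if p.dek == nil || !now().Before(p.exp) {
		if !k.Enabled {
			return nil, ErrDisabled // revoked CMK: the DEK cannot be unwrapped, code is unreadable
		}
		dek, err := open(k.Material, p.WrappedDEK)
		if err != nil {
			return nil, err
		}
		p.dek, p.exp = dek, now().Add(ttl)
	}
	return open(p.dek, p.Code)
}
```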
Irreversibility of CMK code encryption
This feature is irreversible: once enabled, it cannot be disabled or reverted.
Before you enable code encryption with CMK on your enterprise, keep the following in mind:
Once code encryption with your CMK is enabled for your enterprise it cannot be undone or disabled.
Organizations that are part of the enterprise with the code encryption enabled cannot be downgraded. The only way to detach an organization from the enterprise is to remove it and re-create it elsewhere, which will result in the permanent loss of all historical data.
Once an organization is added to an enterprise with code encryption enabled, its projects automatically become encrypted.
Other considerations
Before enabling CMK encryption on your enterprise, consider the following:
When using Agentic Analysis, the project context is collected and stored by SonarQube Cloud. This context, which usually includes project dependencies, build artifacts, type information, and similar data, is not encrypted with the CMK. See for more information.
When the Sonar analysis scanner uploads the analysis report to SonarQube Cloud, the report is stored before SonarQube processes it. These reports are not encrypted with the CMK and are removed after 5 days.
Permissions
The Administer Enterprise permission is required to set and manage code encryption for an enterprise. To change permissions, from the Account menu select Your Enterprise > Administration > Enterprise Permissions and switch the Administer Enterprise toggle on for specific users.
Setting up CMK for code encryption
Creating CMK in AWS KMS
To set up code encryption, you must create a Symmetric CMK in AWS KMS under your AWS account. Ensure you are in the correct region for your SonarQube Cloud instance.
Request the SonarQube AWS Account ID and region from the Sonar Help Center.
In AWS KMS, create a Symmetric key.
In the Key Policy step, switch to JSON view and add the following code to the Statement array, replacing [ACCOUNT_ID] with the SonarQube AWS Account ID under Principal.
Configuration in SonarQube Cloud enterprise
You can configure and rotate code encryption for a SonarQube Cloud enterprise.

Go to Account menu > your enterprise > Administration > Code Encryption
Select Add encryption key and enter the key ARN (Amazon Resource Name) from AWS KMS.
In the modal, select the checkboxes for:
I understand my responsibilities for key management and the risks of irreversible loss of access to data if keys are lost.
I understand that code encryption cannot be reverted.
Once the encryption is configured at the enterprise level, the encryption process of all existing projects starts, and all projects created afterward will be encrypted with their first analysis.
Rotating CMK
You have two options for generating new cryptographic material for your CMK.
Using SonarQube Cloud CMK rotation
Create a new AWS KMS key with a new ARN and then update the SonarQube Cloud (SQC) configuration to use this new key. See the Creating CMK in AWS KMS section for more information on how to create a key.

To rotate CMK:
Go to Account menu > your enterprise > Administration > Code Encryption.
Select the Rotate encryption key button.
Enter the New key ARN (Amazon Resource Name).
Select the checkbox for I understand my responsibilities for key management and the risks of irreversible loss of access to data if keys are lost.
Select Rotate encryption key.
The new CMK is used to re-encrypt existing and future data keys; the source code itself is not re-encrypted. Both the old and the new CMK must remain enabled during the rotation procedure. Upon completion, you can disable the old CMK, but we recommend keeping it for a 30-day retention period.
Using AWS KMS key rotation
It’s possible to rotate the key material for an existing AWS KMS key by either enabling automatic key rotation or performing an on-demand rotation. Refer to AWS documentation for more information. SonarQube Cloud operates transparently regarding AWS KMS key rotation, meaning no action is required on the SonarQube Cloud side when the keys are rotated.
Revoking the encryption key in case of an incident
Should an incident occur, your security team can instantly block access to all encrypted data by revoking the CMK within AWS KMS. To do this, locate the key in the AWS KMS interface, open it, and select Disable under Key actions.
Due to data keys caching, some projects might still be available for up to 5 minutes.
Rotating data keys
After all projects are encrypted, you can manually initiate the rotation of projects’ data keys.

Go to Account menu > Your Enterprise > Administration > Code Encryption
Select Rotate data keys.
This process is resource-intensive as it requires the re-encryption of all project data. CMK rotation is not possible while data key rotation is in progress. This feature provides an extra layer of security that may be mandatory for some organizations.
Audit logs
Key operations related to code encryption are securely recorded in the audit logs of the enterprise. The logged events are:
enterprise.master_key_added: CMK added
enterprise.master_key_rotation_started: CMK rotation started
enterprise.master_key_rotation_completed: CMK rotation completed
enterprise.projects_encryption_started: Projects encryption started
enterprise.projects_encryption_completed: Projects encryption completed
enterprise.data_key_rotation_started: Data key rotation started
enterprise.data_key_rotation_completed: Data key rotation completed
See List of logged events for more information.
CMK health status and troubleshooting
The CMK health indicator in the Encryption key section displays the status of your CMK. If the status is Unhealthy, there is a problem with the CMK, for example, the key is disabled or some required permissions are missing. While the key is Unhealthy, code from past analyses remains stored encrypted, but new analyses will fail to store their code.