Encrypting sensitive settings

You can encrypt any sonar property stored in <sonarqubeHome>/conf/sonar.properties (for a ZIP installation) or defined in the SonarQube Community Build UI. The encryption algorithm used is AES with 256-bit keys.

The procedure below explains how to do this for a ZIP installation. See also Encrypting Helm chart sensitive data.

You must have the Administer System permission in SonarQube Community Build.

Prerequisites

SonarQube Community Build must be up and running.

Step 1: Create the encryption key

  1. In SonarQube Community Build UI, go to Administration > Configuration > Encryption.
  2. Select Generate Secret Key. An encryption key is generated.

Step 2: Store the encryption key in a secured file on disk

  1. Copy the generated encryption key to a file on the machine hosting the SonarQube Community Build. The default location is ~/.sonar/sonar-secret.txt. If you want to store it somewhere else, set its path through the sonar.secretKeyPath property in <sonarqubeHome>/conf/sonar.properties.
  2. Restrict file permissions to the account running the SonarQube Community Build (ownership and read-access only).
  3. Restart your SonarQube Community Build.

Step 3: Encrypt the sensitive settings

To encrypt a property or setting:

1. In the SonarQube Community Build UI, go to Administration > Configuration > Encryption.

2. Enter the value of the property.

3. Select the Encrypt button. The encrypted value of the property is generated.

4. Select the copy tool to copy this value.

5. You can now:

    • In <sonarqubeHome>/conf/sonar.properties, replace the value of the property with the copied encrypted value.

        # Encrypted DB password
        sonar.jdbc.password={aes-gcm}CCGCFg4Xpm6r+PiJb1Swfg==
        ...
        sonar.secretKeyPath=C:/path/to/my/secure/location/my_encryption_key.txt

    • Or set the encrypted value in the corresponding field of the SonarQube Community Build UI.
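
To check the result of Steps 2 and 3 on a Linux host, the following added example (not part of the original page and not Sonar's own tooling) audits a sonar.properties file: it resolves the key path, verifies the key file is owned by the current account with no group or other access, and lists sensitive-looking properties that do not carry the {aes-gcm} prefix. The function names and the name-based rule for what counts as sensitive (password, secret, token) are assumptions; run it as the account that runs SonarQube.

```shell
#!/bin/sh
# Added example (not Sonar's code). Run as the account that runs SonarQube.

# Print the key path: last sonar.secretKeyPath wins, else the documented default.
key_path() {
  p=$(sed -n 's/^[[:space:]]*sonar\.secretKeyPath[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
  printf '%s\n' "${p:-$HOME/.sonar/sonar-secret.txt}"
}

# Print names of properties that look sensitive but are not {aes-gcm} values.
# Assumption: "sensitive" means the name contains password, secret or token.
plaintext_secrets() {
  awk 'index($0, "=") == 0 || /^[ \t]*[#!]/ { next }
  {
    name = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", name)
    val = substr($0, index($0, "=") + 1); sub(/^[ \t]+/, "", val)
    if (name == "sonar.secretKeyPath" || val == "") next
    if (tolower(name) ~ /password|secret|token/ && index(val, "{aes-gcm}") != 1)
      print name
  }' "$1"
}

# Return 0 only if the key file is locked down and no secret is in clear text.
audit() {
  rc=0; key=$(key_path "$1")
  if [ ! -f "$key" ]; then
    echo "FAIL: key file not found: $key"; rc=1
  else
    [ -O "$key" ] || { echo "FAIL: $key is not owned by $(id -un)"; rc=1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld -- "$key" | cut -c5-10)" = "------" ] ||
      { echo "FAIL: $key is accessible to group or others"; rc=1; }
  fi
  leaks=$(plaintext_secrets "$1")
  [ -z "$leaks" ] || { echo "FAIL: not encrypted: $leaks"; rc=1; }
  return "$rc"
}

# Constructed sample: a throwaway key file and properties file in a temp dir.
demo=$(mktemp -d)
echo "constructed-placeholder-key" > "$demo/key.txt"; chmod 644 "$demo/key.txt"
printf '%s\n' 'sonar.jdbc.password={aes-gcm}CCGCFg4Xpm6r+PiJb1Swfg==' \
  "sonar.secretKeyPath=$demo/key.txt" > "$demo/sonar.properties"
audit "$demo/sonar.properties" || echo "audit failed as expected (mode 644)"
chmod 400 "$demo/key.txt"
audit "$demo/sonar.properties" && echo "audit passed after chmod 400"
rm -rf "$demo"
```

On a real installation, call audit with the path to <sonarqubeHome>/conf/sonar.properties; a non-zero exit status means at least one check failed.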

© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License