# Settings encryption

You can encrypt any sonar property stored in `<sonarqubeHome>/conf/sonar.properties` (for a ZIP installation) or defined in the SonarQube Server UI. The encryption algorithm used is AES with 256-bit keys.

The procedure below explains how to perform this in the case of a ZIP installation. See also [Encrypting Helm chart sensitive data](https://docs.sonarsource.com/sonarqube-server/2025.1/setup-and-upgrade/deploy-on-kubernetes/encrypting-helm-chart-sensitive-data).

You must have the Administer System permission in SonarQube Server.

## Prerequisites <a href="#prerequisites" id="prerequisites"></a>

SonarQube Server must be up and running.

## Step 1: Create the encryption key <a href="#create-encryption-key" id="create-encryption-key"></a>

1. In SonarQube Server UI, go to **Administration > Configuration > Encryption**.
2. Select **Generate Secret Key**. An encryption key is generated.

You can also use any other tool to generate the encryption key. It should be a Base64-encoded AES-256 key.

## Step 2: Store the encryption key in a secured file on disk <a href="#store-encryption-key" id="store-encryption-key"></a>

1. Copy the generated encryption key to a file on the machine hosting the SonarQube Server. The default location is `~/.sonar/sonar-secret.txt`. If you want to store it somewhere else, set its path through the `sonar.secretKeyPath` property in `<sonarqubeHome>/conf/sonar.properties`.
2. Restrict file permissions to the account running the SonarQube Server (ownership and read-access only).
3. Restart your SonarQube Server.
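
Step 1's "any other tool" option and the storage and permission requirements of Step 2 can be scripted together. The following is an added example, not SonarSource's own tooling: the function names and the script name are hypothetical, and it assumes the key file holds only the Base64 string on a single line.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not SonarQube tooling).
# Assumption: the key file holds only the Base64 string on one line.

# Print a fresh Base64-encoded 256-bit (32-byte) random key.
generate_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Create the key file at $1, readable by its owner only.
write_key_file() {
    key_path=$1
    (
        umask 077        # new directory 0700, new file 0600
        mkdir -p "$(dirname "$key_path")" || exit 1
        set -C           # noclobber: replacing the key would make values
                         # already encrypted with it undecryptable
        { generate_key; echo; } > "$key_path" || exit 1
        chmod 400 "$key_path"
    )
}

# Succeed only if $1 decodes to 32 bytes and group/other have no access.
check_key_file() {
    key_path=$1
    [ -f "$key_path" ] || { echo "missing: $key_path" >&2; return 1; }
    key_len=$(tr -d ' \r\n' < "$key_path" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$key_len" -eq 32 ] || { echo "not a 256-bit key: $key_len bytes" >&2; return 1; }
    mode=$(ls -ld "$key_path" | cut -c5-10)   # group and other permission bits
    [ "$mode" = "------" ] || { echo "group/other can access $key_path" >&2; return 1; }
}

# Usage: sh sonar-key.sh ~/.sonar/sonar-secret.txt
if [ $# -eq 1 ]; then
    write_key_file "$1" && check_key_file "$1" && echo "key stored at $1"
fi
```

Run it as the account that runs the SonarQube Server so that the file ownership matches; `check_key_file` can also be run on its own against a key file created through the UI.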

## Step 3: Encrypt the sensitive settings <a href="#encrypt-sensitive-settings" id="encrypt-sensitive-settings"></a>

To encrypt a property or setting:

1\. In SonarQube Server UI, go to **Administration > Configuration > Encryption**.

![](https://3560343708-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4FzELVjsPO4ijRo3jtBV%2Fuploads%2Fgit-blob-7d1f1b68265ad633fb489af114cef807321db7cd%2Fbcdfb5de6a6252b4240ff0c2430e1052ddde7f4a.png?alt=media)

2\. Enter the value of the property.

3\. Select the **Encrypt** button. The encrypted value of the property is generated.

4\. Select the copy tool to copy this value.

5\. You can now:

* In `<sonarqubeHome>/conf/sonar.properties`, replace the value of the property with the copied encrypted value.

```properties
# Encrypted DB password
sonar.jdbc.password={aes-gcm}CCGCFg4Xpm6r+PiJb1Swfg==
...
sonar.secretKeyPath=C:/path/to/my/secure/location/my_encryption_key.txt
```

* Or set the encrypted value in the corresponding field of the SonarQube Server UI.
