# Sensitive settings

You can encrypt any system property stored in `<sonarqubeHome>/conf/sonar.properties` or defined in the SonarQube Server UI. The encryption algorithm used is AES with 256-bit keys.

For a Kubernetes deployment, see also [Encrypting Helm chart sensitive data](https://docs.sonarsource.com/sonarqube-server/2025.4/server-installation/on-kubernetes-or-openshift/encrypting-helm-chart-sensitive-data).

You must have the Administer System permission in SonarQube Server.

## Prerequisites <a href="#prerequisites" id="prerequisites"></a>

SonarQube Server must be up and running.

## Step 1: Create the encryption key <a href="#create-encryption-key" id="create-encryption-key"></a>

1. In SonarQube Server UI, go to **Administration > Configuration > Encryption**.
2. Select **Generate Secret Key**. An encryption key is generated.

You can use any other tool to generate the encryption key. It must be a Base64-encoded AES-256 key.

## Step 2: Store the encryption key in a secured file on disk <a href="#store-encryption-key" id="store-encryption-key"></a>

1\. Copy the generated encryption key to a file on the machine hosting the SonarQube Server. The file location is defined through the `sonar.secretKeyPath` property, which can be set in `<sonarqubeHome>/conf/sonar.properties` (see also [Configuration methods](https://docs.sonarsource.com/sonarqube-server/2025.4/server-installation/system-properties/configuration-methods)).

<table><thead><tr><th width="183">Property</th><th>Definition</th></tr></thead><tbody><tr><td>sonar.secretKeyPath</td><td><p>Path to the file containing the key used to encrypt sensitive system properties in the UI or in <code>sonar.properties</code>.</p><p><strong>Warning</strong>: The slashes have to be escaped.</p><p><strong>Default value</strong>: <code>${user.home}/.sonar/sonar-secret.txt</code><br>where <code>user.home</code> refers to the <a href="https://stackoverflow.com/questions/16239130/java-user-dir-property-what-exactly-does-it-mean/16239152?newreg=2755a93121994a388943703b774ee789">user directory</a>.<br>For example, if using the default value, <code>sonar-secret.txt</code> may be stored in <code>C:\Users\User1\.sonar</code> or, if the service is registered and runs as the local system, in <code>C:\Windows\System32\Config\systemprofile\.sonar</code></p></td></tr></tbody></table>

2\. Restrict file permissions to the account running the SonarQube Server (ownership and read-access only).

3\. Restart your SonarQube Server.
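Steps 1 and 2 can also be done from a shell on a Unix-like host. The script below is an added example, not SonarSource tooling: it generates a Base64-encoded 256-bit key with owner-only permissions and checks an existing key file for the same two properties. The function names and the path in the usage comment are hypothetical, and it assumes `head -c` and `base64` (for example from GNU coreutils) are available.

```shell
#!/bin/sh
# Added example; function names and paths are hypothetical, not SonarQube tooling.
# Assumes a Unix-like host providing `head -c` and `base64` (e.g. GNU coreutils).

# Create a new Base64-encoded 256-bit key at $1, readable by its owner only.
generate_secret_key() {
    key_file=$1
    if [ -e "$key_file" ]; then
        echo "refusing to overwrite $key_file" >&2
        return 1
    fi
    (
        umask 077    # the file is never group- or world-accessible, even briefly
        head -c 32 /dev/urandom | base64 > "$key_file"
    ) || return 1
    chmod 400 "$key_file"    # owner read-only, as Step 2 requires
}

# Return 0 only if $1 is owner-only and decodes to exactly 32 bytes (AES-256).
check_secret_key() {
    key_file=$1
    if [ ! -f "$key_file" ]; then
        echo "missing key file: $key_file" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    group_other=$(ls -ld "$key_file" | cut -c5-10)
    if [ "$group_other" != "------" ]; then
        echo "group/other can access $key_file" >&2
        return 1
    fi
    if ! base64 -d < "$key_file" > /dev/null 2>&1; then
        echo "$key_file is not valid Base64" >&2
        return 1
    fi
    decoded_len=$(base64 -d < "$key_file" | wc -c | tr -d ' ')
    if [ "$decoded_len" != "32" ]; then
        echo "key decodes to $decoded_len bytes, expected 32" >&2
        return 1
    fi
}

# Usage (run as the account that runs SonarQube Server):
#   generate_secret_key "$HOME/.sonar/sonar-secret.txt" && \
#   check_secret_key "$HOME/.sonar/sonar-secret.txt"
```

Set `sonar.secretKeyPath` to the generated file's path before restarting the server.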

## Step 3: Encrypt the sensitive settings <a href="#encrypt-sensitive-settings" id="encrypt-sensitive-settings"></a>

To encrypt a property or setting:

1. In SonarQube Server UI, go to **Administration > Configuration > Encryption**.

<figure><img src="https://512221655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyDv2XwTC1xoOKBYeCK45%2Fuploads%2Fgit-blob-7d1f1b68265ad633fb489af114cef807321db7cd%2Fbcdfb5de6a6252b4240ff0c2430e1052ddde7f4a.png?alt=media" alt="In Encryption, enter the value of the sensitive property and then select the Encrypt button"><figcaption></figcaption></figure>

2. Enter the value of the property.
3. Select the **Encrypt** button. The encrypted value of the property is generated.
4. Select the copy tool to copy this value.
5. You can now:
   * In `<sonarqubeHome>/conf/sonar.properties`, replace the value of the property with the copied encrypted value.

```properties
# Encrypted DB password (a properties-file comment must be on its own line)
sonar.jdbc.password={aes-gcm}CCGCFg4Xpm6r+PiJb1Swfg==
# ...
sonar.secretKeyPath=C:/path/to/my/secure/location/my_encryption_key.txt
```

* Or set the encrypted value in the corresponding field of the SonarQube Server UI.
