Sensitive settings
Encrypting SonarQube system properties.
You can encrypt any system property stored in <sonarqubeHome>/conf/sonar.properties or defined in the SonarQube Server UI. The encryption algorithm used is AES with 256-bit keys.
In case of a Kubernetes deployment, see also Encrypting sensitive data.
You must have the Administer System permission in SonarQube Server.
Prerequisites
SonarQube Server must be up and running.
Step 1: Create the encryption key
In SonarQube Server UI, go to Administration > Configuration > Encryption.
Select Generate Secret Key. An encryption key is generated.
You can use any other tool to generate the encryption key. It should be a Base64-encoded AES-256 key.
Step 2: Store the encryption key in a secured file on disk
Copy the generated encryption key to a file on the machine hosting the SonarQube Server. The default location is ~/.sonar/sonar-secret.txt. If you want to store it somewhere else, set its path through the sonar.secretKeyPath system property. For more details about this setup, see . For more details about this system property, see .
Restrict file permissions to the account running the SonarQube Server (ownership and read-access only).
Restart your SonarQube Server.
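A command-line way to carry out Steps 1 and 2 when the key is generated outside the UI, followed by a check of the stored file. This is an added example, not part of the SonarQube documentation; the function and script names are hypothetical, and it assumes a Linux host with coreutils and that it runs as the account running SonarQube Server.

```shell
#!/bin/sh
# Added example: create and audit the SonarQube secret key file.
# Assumption: run as the account that runs SonarQube Server.

# Octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Write 32 random bytes (AES-256), Base64-encoded, to $1.
# Refuses to overwrite: values encrypted with the old key
# could no longer be decrypted.
create_secret_key() {
    key_file=$1
    if [ -e "$key_file" ]; then
        echo "refusing to overwrite $key_file" >&2
        return 1
    fi
    (
        umask 077   # directory and file are created owner-only
        mkdir -p "$(dirname "$key_file")" &&
            head -c 32 /dev/urandom | base64 | tr -d '\n' > "$key_file"
    ) || return 1
    chmod 400 "$key_file"   # owner read-only, as Step 2 requires
}

# Verify key length, ownership and mode; non-zero if any check fails.
audit_secret_key() {
    key_file=$1
    rc=0
    [ -f "$key_file" ] || { echo "missing: $key_file" >&2; return 1; }
    key_len=$(base64 -d < "$key_file" 2>/dev/null | wc -c | tr -d ' ')
    if [ "$key_len" != 32 ]; then
        echo "key decodes to $key_len bytes, expected 32" >&2; rc=1
    fi
    [ -O "$key_file" ] || { echo "not owned by current user" >&2; rc=1; }
    mode=$(file_mode "$key_file")
    case $mode in
        400|600) ;;
        *) echo "mode $mode allows access beyond the owner" >&2; rc=1 ;;
    esac
    return $rc
}

# Usage: sh make-sonar-key.sh "$HOME/.sonar/sonar-secret.txt"
if [ "$#" -gt 0 ]; then
    create_secret_key "$1" && audit_secret_key "$1"
fi
```

The audit function can also be run on its own against an existing key file, for example after a restore or a change of service account.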
Step 3: Encrypt the sensitive settings
To encrypt a property or setting:
In SonarQube Server UI, go to Administration > Configuration > Encryption.
Enter the value of the property in the form.

Select the Encrypt button. The encrypted value of the property is generated.
Select the copy tool to copy this value.
You can now:
In <sonarqubeHome>/conf/sonar.properties, replace the value of the property with the copied encrypted value.
# Encrypted DB password
sonar.jdbc.password={aes-gcm}CCGCFg4Xpm6r+PiJb1Swfg==
...
sonar.secretKeyPath=C:/path/to/my/secure/location/my_encryption_key.txt
Or set the encrypted value in the corresponding field of the SonarQube Server UI.