> For the complete documentation index, see [llms.txt](https://docs.sonarsource.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.sonarsource.com/sonarqube-server/instance-administration/security/encrypting-settings.md).

# Sensitive settings

You can encrypt any system property stored in `<sonarqubeHome>/conf/sonar.properties` or defined in SonarQube Server UI. The encryption algorithm used is AES with 256-bit keys.

In case of a Kubernetes deployment, see also [Encrypting sensitive data](/sonarqube-server/server-installation/on-kubernetes-or-openshift/encrypting-helm-chart-sensitive-data.md).

You must have the Administer System permission in SonarQube Server.

## Prerequisites <a href="#prerequisites" id="prerequisites"></a>

SonarQube Server must be up and running.

## Step 1: Create the encryption key <a href="#create-encryption-key" id="create-encryption-key"></a>

<figure><img src="/files/sSbZkWFOgQO0nGsLcrOa" alt="Generating a secret key"><figcaption></figcaption></figure>

1. In SonarQube Server UI, go to **Administration > Configuration > Encryption**.
2. Select **Generate Secret Key**. An encryption key is generated.

You can use any other tool to generate the encryption key. It should be a Base64 Encoded AES-256 Key.

## Step 2: Store the encryption key in a secured file on disk <a href="#store-encryption-key" id="store-encryption-key"></a>

1. Copy the generated encryption key to a file on the machine hosting the SonarQube Server. The default location is `~/.sonar/sonar-secret.txt` .\
   If you want to store it somewhere else, set its path through the `sonar.secretKeyPath` system property. For more details about this setup, see [Configuration methods](/sonarqube-server/server-installation/system-properties/configuration-methods.md). For more details about this system property, see [List of properties common to all editions](/sonarqube-server/server-installation/system-properties/common-properties.md#general-properties).
2. Restrict file permissions to the account running the SonarQube Server (ownership and read-access only).
3. Restart your SonarQube Server.

## Step 3: Encrypt the sensitive settings <a href="#encrypt-sensitive-settings" id="encrypt-sensitive-settings"></a>

To encrypt a property or setting:

1. In SonarQube Server UI, go to **Administration > Configuration > Encryption**.
2. Enter the value of the property in the form.
3. Select the **Encrypt** button. The encrypted value of the property is generated.
4. Select the copy tool to copy this value.
5. You can now:
   * In `<sonarqubeHome>/conf/sonar.properties`, replace the value of the property with the copied encrypted value.

```properties
sonar.jdbc.password={aes-gcm}CCGCFg4Xpm6r+PiJb1Swfg==  # Encrypted DB password
...
sonar.secretKeyPath=C:/path/to/my/secure/location/my_encryption_key.txt
```

* Or set the encrypted value in the corresponding SonarQuber Server UI’s field.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.sonarsource.com/sonarqube-server/instance-administration/security/encrypting-settings.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.