Sensitive settings
Encrypting SonarQube system properties.
You can encrypt any system property stored in <sonarqubeHome>/conf/sonar.properties or defined in the SonarQube Server UI. The encryption algorithm is AES with a 256-bit key; an encrypted value is written with the {aes-gcm} prefix (AES in GCM mode), which tells SonarQube Server to decrypt it with the secret key at startup.
In case of a Kubernetes deployment, see also Encrypting sensitive data.
You must have the Administer System permission in SonarQube Server.
Prerequisites
SonarQube Server must be up and running.
Step 1: Create the encryption key
- In SonarQube Server UI, go to Administration > Configuration > Encryption. 
- Select Generate Secret Key. An encryption key is generated. 
You can use any other tool to generate the encryption key. It should be a Base64 Encoded AES-256 Key.
Step 2: Store the encryption key in a secured file on disk
- Copy the generated encryption key to a file on the machine hosting SonarQube Server. The default location is ~/.sonar/sonar-secret.txt, where ~ is the home directory of the account that runs SonarQube Server. If you want to store it somewhere else, set its path through the sonar.secretKeyPath system property.
- Restrict file permissions to the account running the SonarQube Server (ownership and read-access only). 
- Restart your SonarQube Server. 
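Steps 1 and 2 on a Linux/Unix host, as an added example that is not part of the SonarQube documentation: it generates the Base64-encoded 256-bit key from /dev/urandom instead of the UI (the value has the same shape, 32 random bytes Base64-encoded on one line), writes it with owner-only permissions, and checks the resulting file before you restart the server. The key file path, the optional owner argument and the function names are assumptions of this example, not SonarQube settings.

```shell
#!/bin/sh
# Added example (not part of the SonarQube documentation): generate a
# Base64-encoded 256-bit AES key, store it readable only by its owner,
# and verify the stored file before restarting SonarQube Server.
# Assumptions: the file path and the service account name passed in
# are placeholders; the key comes from /dev/urandom, not the UI.
set -eu

# Generate 32 random bytes (a 256-bit key) and Base64-encode them on one line.
generate_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Write KEY to FILE so that only the owner can read it (mode 0600).
# umask 077 in a subshell ensures the file is never created world-readable,
# not even briefly. OWNER is optional: when given (and the caller is root)
# the file is handed over to the account that runs SonarQube Server.
install_key() {
    file=$1
    key=$2
    owner=${3:-}
    (
        umask 077
        mkdir -p "$(dirname "$file")"
        printf '%s\n' "$key" > "$file"
    )
    chmod 600 "$file"
    if [ -n "$owner" ]; then
        chown "$owner" "$file"
    fi
}

# Verify a key file: it exists, only its owner can read it, and its content
# decodes to exactly 32 bytes. Prints "ok" and returns 0 on success;
# otherwise prints the problem and returns 1.
check_key_file() {
    file=$1
    if [ ! -f "$file" ]; then
        echo "missing: $file"; return 1
    fi
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        600|400) ;;
        *) echo "bad permissions: $mode (expected 600 or 400)"; return 1 ;;
    esac
    # Decode the Base64 value and count the bytes; AES-256 needs exactly 32.
    nbytes=$(tr -d '\n' < "$file" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    if [ "$nbytes" != "32" ]; then
        echo "bad key length: $nbytes bytes (expected 32)"; return 1
    fi
    echo ok
}

# Typical use, run as root on the SonarQube host (service account assumed
# to be "sonarqube"), then restart the server:
#   install_key /home/sonarqube/.sonar/sonar-secret.txt "$(generate_key)" sonarqube
#   check_key_file /home/sonarqube/.sonar/sonar-secret.txt
```

Run check_key_file again after any later change to the file: a key that was edited by hand and picked up a second line or lost its padding, or a file that was copied with default permissions, is rejected here before SonarQube Server fails to decrypt at startup.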
Step 3: Encrypt the sensitive settings
To encrypt a property or setting:
- In SonarQube Server UI, go to Administration > Configuration > Encryption. 
- Enter the value of the property in the form. 

- Select the Encrypt button. The encrypted value of the property is generated. 
- Select the copy tool to copy this value. 
- You can now either:
  - In <sonarqubeHome>/conf/sonar.properties, replace the value of the property with the copied encrypted value. For example (keep any comment on its own line: in a .properties file a # only starts a comment at the beginning of a line, so a trailing "# ..." would become part of the value and the decryption would fail):

    # Encrypted DB password
    sonar.jdbc.password={aes-gcm}CCGCFg4Xpm6r+PiJb1Swfg==
    ...
    sonar.secretKeyPath=C:/path/to/my/secure/location/my_encryption_key.txt

  - Or set the encrypted value in the corresponding SonarQube Server UI field.