
Encrypting sensitive settings


You can encrypt any system property stored in <sonarqubeHome>/conf/sonar.properties or defined in the SonarQube Server UI. The encryption algorithm used is AES with 256-bit keys.

For a Kubernetes deployment, see also Encrypting Helm chart sensitive data.

You must have the Administer System permission in SonarQube Server.

Prerequisites

SonarQube Server must be up and running.

Step 1: Create the encryption key

  1. In SonarQube Server UI, go to Administration > Configuration > Encryption.
  2. Select Generate Secret Key. An encryption key is generated.

Step 2: Store the encryption key in a secured file on disk

1. Copy the generated encryption key to a file on the machine hosting the SonarQube Server. The file location is defined through the sonar.secretKeyPath property, which can be set in <sonarqubeHome>/conf/sonar.properties (see also Editing the sonar.properties file).

Property: sonar.secretKeyPath

Definition: Path to the file containing the key used to encrypt sensitive system properties in the UI or in sonar.properties.

Warning: The slashes have to be escaped.

Default value: ${user.home}/.sonar/sonar-secret.txt
where user.home refers to the user directory.
For example, if using the default value, sonar-secret.txt may be stored in C:\Users\User1\.sonar or, if the service is registered and runs as the local system, in C:\Windows\System32\Config\systemprofile\.sonar

2. Restrict file permissions to the account running the SonarQube Server (ownership and read-access only).

3. Restart your SonarQube Server.

Step 3: Encrypt the sensitive settings

To encrypt a property or setting:

1. In the SonarQube Server UI, go to Administration > Configuration > Encryption.

2. Enter the value of the property.

3. Select the Encrypt button. The encrypted value of the property is generated.

4. Select the copy tool to copy this value.

5. You can now:

    • In <sonarqubeHome>/conf/sonar.properties, replace the value of the property with the copied encrypted value:

        # Encrypted DB password
        sonar.jdbc.password={aes-gcm}CCGCFg4Xpm6r+PiJb1Swfg==
        ...
        sonar.secretKeyPath=C:/path/to/my/secure/location/my_encryption_key.txt

    • Or set the encrypted value in the corresponding SonarQube Server UI field.
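
To check the result of Steps 2 and 3 on a POSIX host, the following added example (not part of the SonarQube documentation or product code) reads a sonar.properties text, reports sensitive-looking properties that lack the {aes-gcm} prefix, and verifies that the key file is readable by its owner only. Assumptions: the name-based heuristic in SENSITIVE_HINTS, the example.smtp.password property and the /nonexistent path are constructed for illustration, and only the {aes-gcm} prefix shown on this page is treated as encrypted.

```python
import stat
from pathlib import Path

ENCRYPTED_PREFIX = "{aes-gcm}"  # prefix shown in the page's example
DEFAULT_KEY_PATH = "${user.home}/.sonar/sonar-secret.txt"  # default from the page
SENSITIVE_HINTS = ("password", "secret", "token")  # assumption: name heuristic


def load_properties(text):
    """Minimal reader: key=value lines; lines starting with # or ! are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def audit(properties_text, home=None):
    """Return a list of findings; an empty list means both checks passed."""
    props = load_properties(properties_text)
    findings = []
    for key, value in props.items():
        if key == "sonar.secretKeyPath" or not value:
            continue  # the key path itself is not a secret
        sensitive = any(hint in key.lower() for hint in SENSITIVE_HINTS)
        if sensitive and not value.startswith(ENCRYPTED_PREFIX):
            findings.append(f"{key}: value is stored in clear text")
    key_path = props.get("sonar.secretKeyPath", DEFAULT_KEY_PATH)
    key_file = Path(key_path.replace("${user.home}", home or str(Path.home())))
    if not key_file.is_file():
        findings.append(f"{key_file}: secret key file not found")
    else:
        mode = stat.S_IMODE(key_file.stat().st_mode)
        if mode & 0o077:  # any group or other permission bit is set
            findings.append(f"{key_file}: mode {mode:o} grants access beyond the owner")
        if mode & 0o200:  # Step 2 asks for read access only
            findings.append(f"{key_file}: mode {mode:o} leaves the key writable")
    return findings


# Constructed sample: the second password was never encrypted.
SAMPLE = """\
# Encrypted DB password
sonar.jdbc.password={aes-gcm}CCGCFg4Xpm6r+PiJb1Swfg==
example.smtp.password=Sup3rSecret
sonar.secretKeyPath=/nonexistent/my_encryption_key.txt
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run it as the account that runs SonarQube Server so that ${user.home} resolves to the same directory the server uses.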


© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License