Deal with Jenkins password encryption when stored in a SCM
Got it! Here is the result of my research.
My initial JENKINS_HOME/.gitignore file was as follows:

```
# Miscellaneous Jenkins litter
*.log
*.tmp
*.old
*.json

# Generated Jenkins state
/.owner
/queue.xml
/fingerprints/
/shelvedProjects/
/updates/
/logs/

# Credentials
/secrets/
secret.key

# Job state
builds/
workspace/
modules/
lastStable
lastSuccessful
nextBuildNumber
```
But, taken from http://xn--thibaud-dya.fr/jenkins_credentials.html, Jenkins uses a JENKINS_HOME/secrets/master.key to encrypt all passwords, whether in the global settings or in SCM credentials. This made me think that the same master.key file was used to decrypt passwords.
So I tried removing all credential-related entries from the .gitignore file, which allowed me to push them to my Git repo and then pull them on machine B (another brand new Jenkins master) and... it works well! All passwords are stored encrypted, and since all masters share the same master.key file, all passwords can be decrypted.
Hope it can help someone else!
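
An added example, not part of the original answer: a POSIX shell check that reads the tracked paths of a JENKINS_HOME repository (for instance from `git ls-files`) and reports whether the key files named above are versioned next to files holding encrypted values. Treating credentials.xml and config.xml as the files that hold encrypted values is an assumption, as are the function names and the sample paths.

```shell
#!/bin/sh
# Added example (not from the original answer).
# Reads repo-relative paths on stdin, one per line, and prints:
#   KEY <path>   key material (the "# Credentials" entries of the .gitignore above)
#   ENC <path>   files assumed to hold values encrypted with that key
#   VERDICT ...  summary on the last line
# Typical use: git -C "$JENKINS_HOME" ls-files | key_exposure
key_exposure() {
    keys=0
    encs=0
    while IFS= read -r p; do
        case "$p" in
            secrets/*|secret.key)
                keys=$((keys + 1))
                printf 'KEY %s\n' "$p" ;;
            credentials.xml|config.xml|*/config.xml)   # assumption: encrypted values live here
                encs=$((encs + 1))
                printf 'ENC %s\n' "$p" ;;
        esac
    done
    if [ "$keys" -gt 0 ] && [ "$encs" -gt 0 ]; then
        # Every reader of the repository holds both the key and the ciphertext.
        printf 'VERDICT key-with-ciphertext\n'
    elif [ "$keys" -gt 0 ]; then
        printf 'VERDICT key-only\n'
    else
        # Encrypted values stay opaque to repo readers; the key must be
        # copied to the other master through a separate channel.
        printf 'VERDICT no-key-tracked\n'
    fi
    return 0
}

# Constructed sample: what `git ls-files` could list once the credential
# entries have been removed from the .gitignore.
sample_tracked_paths() {
    printf '%s\n' \
        'config.xml' \
        'credentials.xml' \
        'jobs/demo/config.xml' \
        'secret.key' \
        'secrets/master.key'
}

sample_tracked_paths | key_exposure
```

A `key-with-ciphertext` verdict means read access to the Git repository is equivalent to read access to every stored password, so the repository needs the same access control as the Jenkins master itself.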