18

I am trying to migrate the credentials from one Jenkins to another, but usernames/passwords are hashed in `${JENKINS_HOME}/credentials.xml`.

I found this answer, but the problem is it doesn't explain where someone would find the encryption key in order to successfully migrate credentials.

Any help is greatly appreciated!

EDIT: More information: my `${JENKINS_HOME}` is on a separate volume which I detach and re-attach onto the new VM, and it still doesn't work for me.

Fadi

2 Answers

34

I found this analysis (link is dead as of June 2020, archived here) very helpful. In a nutshell:

Jenkins uses the master.key to encrypt the key hudson.util.Secret. This key is then used to encrypt the password in credentials.xml.

When I need to bootstrap new Jenkins instances with some default passwords, I use a template directory tree that contains

  • secrets/hudson.util.Secret and
  • secrets/master.key

This works fine.

Alex O
  • I also had to template com.cloudbees.plugins.credentials.SecretBytes.KEY to make the things work. – Misko Jan 08 '21 at 10:53
  • What's the importance of secret.key and secret.not-so-secret key? @Alex O – Kishor Unnikrishnan Dec 21 '21 at 08:17
  • 1
    @Kishor U, as far as I can see, `secret.key.not-so-secret` does not contain a key -- it's a boolean indicator file that's used to [fix a security issue](https://github.com/jenkinsci/jenkins/commit/3dc13b957b14cec649036e8dd517f0f9cb21fb04) – Alex O Dec 21 '21 at 09:11
  • Yeah, true. But even though I didn't copy my secret.key, I was able to copy my credentials from one machine to the other. – Kishor Unnikrishnan Dec 21 '21 at 10:57
  • 1
    @Kishor U, the key in `secret.key` is [deprecated](https://github.com/jenkinsci/jenkins/commit/a9aff088f327278a8873aef47fa8f80d3c5932fd) since 2013, so its content probably won't matter any more these days. – Alex O Dec 21 '21 at 11:36
8

Regarding Jenkins migration, I recently experienced this situation, and after a few tests my workaround worked for me.

Here is what I did:

  1. I moved the files and folders below from the source Jenkins to the target:

    • $JENKINS_HOME/secret.key
    • $JENKINS_HOME/secrets
    • $JENKINS_HOME/users
    • $JENKINS_HOME/credentials.xml
  2. Please note: These files are not required to be moved:

    • $JENKINS_HOME/identity.key.enc
    • $JENKINS_HOME/secrets/org.jenkinsci.main.modules.instance_identity.InstanceIdentity.KEY

     Otherwise you will see the error below after starting Jenkins:

     `java.lang.AssertionError: InstanceIdentity is missing its singleton`

  3. Jenkins will automatically generate those two files. Once started, you should be good.
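The file set described in the two answers above, as an added example that is not part of either answer or of Jenkins itself: a POSIX shell function that copies the key files and credential store, leaves out the two instance-identity files, and checks that `master.key` and `hudson.util.Secret` arrived byte-identical. The function names, the owner-only permissions and the `cmp` check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the answers). Usage:
#   migrate_jenkins_secrets /old/jenkins_home /new/jenkins_home

# Skipped on purpose: per the second answer, Jenkins regenerates it on start.
SKIP_IDENTITY='org.jenkinsci.main.modules.instance_identity.InstanceIdentity.KEY'

# The body runs in a subshell "( )" so the umask change does not leak to the caller.
migrate_jenkins_secrets() (
    src=$1; dst=$2
    # master.key unlocks hudson.util.Secret, which unlocks credentials.xml.
    for f in secrets/master.key secrets/hudson.util.Secret credentials.xml; do
        [ -f "$src/$f" ] || { echo "missing: $src/$f" >&2; exit 1; }
    done
    umask 077                          # key material is owner-only from creation
    mkdir -p "$dst/secrets" || exit 1
    # Copying all of secrets/ also brings plugin keys such as
    # com.cloudbees.plugins.credentials.SecretBytes.KEY (see the comment above).
    for p in "$src"/secrets/*; do
        [ "$(basename "$p")" = "$SKIP_IDENTITY" ] && continue
        cp -Rp "$p" "$dst/secrets/" || exit 1
    done
    cp -p "$src/credentials.xml" "$dst/" || exit 1
    if [ -f "$src/secret.key" ]; then cp -p "$src/secret.key" "$dst/"; fi
    if [ -d "$src/users" ]; then cp -Rp "$src/users" "$dst/"; fi
    # $JENKINS_HOME/identity.key.enc is deliberately never copied.
    chmod -R go-rwx "$dst/secrets" "$dst/credentials.xml"
    verify_jenkins_keys "$src" "$dst"
)

# Succeeds only if both key files are byte-identical on source and target.
verify_jenkins_keys() {
    for f in secrets/master.key secrets/hudson.util.Secret; do
        cmp -s "$1/$f" "$2/$f" || { echo "key mismatch: $f" >&2; return 1; }
    done
}
```

A failed `verify_jenkins_keys` means the target holds a different key than the one `credentials.xml` was encrypted under, so the stored passwords will not decrypt there.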