Mask Passwords Plugin

Skip to end of metadata
Go to start of metadata

This plugin allows masking passwords that may appear in the console

Plugin Information

Plugin ID mask-passwords Changes In Latest Release
Since Latest Release
Latest Release
Latest Release Date
Required Core
2.8 (archives)
Oct 18, 2015
Source Code
Issue Tracking
Pull Requests
Open Issues
Pull Requests
Romain Seguy (id: rseguy)
Usage Installations 2014-Nov 3961
2014-Dec 4068
2015-Jan 4228
2015-Feb 4418
2015-Mar 4741
2015-Apr 4842
2015-May 4890
2015-Jun 5264
2015-Jul 5442
2015-Aug 5608
2015-Sep 5754
2015-Oct 5919

About this plugin

This plugin allows masking passwords that may appear in the console, including the ones defined as build parameters. This often happens, for example, when you use build steps which can't handle passwords properly. Take a look at the following example.


Consider you're using an Invoke Ant build step to run an Ant target. This target requires a password to achieve its goal. You would end up having a job configuration like this:

Of course, you could have created a variable to store the password and use this variable in the build step configuration so that it doesn't appear as plain text. But you would still end with a console output like this:


When activating the Mask passwords option in a job, the builds' Password Parameters (or any other type of build parameters selected for masking in Manage Hudson > Configure System) are automatically masked from the console. Furthermore, you can also safely define a list of static passwords to be masked (you can also define a list of static password shared by all jobs in Jenkins' main configuration screen). As such, the passwords don't appear anymore as plain text in the job configuration (plus it is ciphered in the job configuration file):

Once done, new builds will have the passwords masked from the console output:

User guide

First, go to Jenkins' main configuration screen (Manage Hudson > Configure System) and select, in the Mask Passwords - Configuration section, which kind of build parameters have to be automatically masked from the console output:

Notice that, as of version 2.7, you can also define global passwords (defined as pairs of name/password) that can be accessed across all jobs.

Then, for a specific job, activate the Mask passwords option in the Build Environment section to mask passwords from the console:

  1. All the password parameters defined for the job will be automatically hidden.
  2. For each other kind of password (that is, static ones) that may appear in the console output, add an entry (by clicking on the Add button) and set the Password field.
    You may additionally set the Name field. If you do so, the password will then be available as a standard variable. It is then possible to refer to this password using this variable rather than keying it in a field which is not ciphered. Take a look at the screenshots above for an example.

Version history

Version 2.8 (18/10/2015)

  • Implement SimpleBuildWrapper in order to support Workflow project type (JENKINS-27392)

Version 2.7.4 (29/07/2015)

  • Password parameters were insensitive
  • "Mask passwords" build wrapper was generating insensitive environment variables

Fixed issues (to be investigated and updated):

  • Masking of global password parameters in EnvInject (JENKINS-25821)
  • Masked Passwords are shown as input parameters in Build pipeline plugin (JENKINS-16516)

Version 2.7.3 (29/04/2015)

  • Fixed JENKINS-12161: EnvInject vars could have been not masked because of plugins loading order
  • Fixed JENKINS-14687: password exposed unencrypted in HTML source

Version 2.7.2 (12/07/2011)

  • Fixed JENKINS-11934: Once a job config was submitted, new/updated global passwords were not masked
  • Implemented JENKINS-11924: Improved global passwords-related labels

Version 2.7.1 (10/27/2011)

  • Fixed JENKINS-11514: When migrating from an older version of the plugin, NullPointerExceptions were preventing the jobs using Mask Passwords to load
  • Fixed JENKINS-11515: Mask Passwords global config was not actually saved when no global passwords were defined

Version 2.7 (10/20/2011)

  • Implemented JENKINS-11399: It is now possible to define name/password pairs in Jenkins' main configuration screen (Manage Hudson > Configure System)

Version 2.6.1 (05/26/2011)

  • Fixed a bug which was emptying the console output if there was no password to actually mask

Version 2.6 (04/29/2011)

  • Added a new type of build parameter: Non-Stored Password Parameter
  • Blank passwords are no more masked, avoiding overcrowding the console with stars

Version 2.5 (03/11/2011)

  • New configuration screen (in Manage Hudson > Configure System) allowing to select which build parameters have to be masked (Password Parameter are selected by default)
  • Fixed a bug which was preventing to mask passwords containing regular expressions' meta-characters or escape sequences

Version 2.0 (02/23/2011)

  • Builds' Password Parameters are now automatically masked.

Version 1.0 (09/01/2010)

  • Initial release


plugin-misc plugin-misc Delete
plugin-buildwrapper plugin-buildwrapper Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.