Jenkins stores all its state on disk, in the JENKINS_HOME directory. For example, $JENKINS_HOME is /var/jenkins_home if you're using the official Jenkins Docker image.
JENKINS_HOME/secrets
This directory contains encryption keys that protect secrets, such as credentials. For example:
$JENKINS_HOME/secrets $ ls -1
filepath-filters.d/
hudson.console.ConsoleNote.MAC
hudson.util.Secret
jenkins.model.Jenkins.crumbSalt
master.key
org.jenkinsci.main.modules.instance_identity.InstanceIdentity.KEY
whitelisted-callables.d
Sensitive data in other files is encrypted with the keys in secrets/. For example, API tokens in user configuration files are protected:
$ head $JENKINS_HOME/users/jsmith/config.xml
<?xml version='1.0' encoding='UTF-8'?>
<user>
  <fullName>John Smith</fullName>
  <properties>
    <jenkins.security.ApiTokenProperty>
      <apiToken>{AQAAABAAAAAw3HLwlE6JAj4Iq81oCccPe6F12p+garuVgD/2fdSD6LmchI77uBjQq+8sFOhSTd9LOwTBGWN5ZcHTpGNvxg1MDA==}</apiToken>
    </jenkins.security.ApiTokenProperty>
$JENKINS_HOME/secrets should be readable only by the user account the Jenkins process runs as. Read access to this directory is equivalent to being a Jenkins admin user.
$JENKINS_HOME $ ls -ld secrets
drwx------+ 10 jenkinsuser 340 Feb 26 13:52 secrets/
Other JENKINS_HOME directories
Depending on your Jenkins use case, you may also want to protect other directories in JENKINS_HOME.
For example, users can discover what jobs exist, and what they do, by looking at the jobs directory.
$JENKINS_HOME $ ls jobs/
build_hello_world/  deploy_hello_world/  another_exciting_job/
$JENKINS_HOME $ less jobs/another_exciting_job/config.xml
...
<builders>
  <hudson.tasks.Shell>
    <command>ls /</command>
  </hudson.tasks.Shell>
</builders>
Users can also view build output when jobs run:
$JENKINS_HOME $ more jobs/another_exciting_job/builds/1/log
Started by user John Smith
Building in workspace /var/jenkins_home/jobs/another_exciting_job/workspace
[workspace] $ /bin/sh -xe /tmp/jenkins1336326875197177937.sh
+ ls /
bin dev etc home keys lib media mnt proc root run sbin srv sys tmp usr var
Finished: SUCCESS
Jenkins may also have source code checkouts in JENKINS_HOME:
$JENKINS_HOME $ ls caches
git-595a783332800bac6d7b275cab2eb84d/
$JENKINS_HOME $ cd caches/git-595a783332800bac6d7b275cab2eb84d/
$JENKINS_HOME/caches/git-595a783332800bac6d7b275cab2eb84d/ $ git remote -v
origin  http://example.com/hello_world.git (fetch)
origin  http://example.com/hello_world.git (push)
Hardening
If job configuration or build output is sensitive, you may want to make all of JENKINS_HOME readable only by the user account the Jenkins process runs as. This also protects your instance if/when a plugin bug writes unencrypted data to JENKINS_HOME.
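The following script is an added example, not part of the original article and not Jenkins project code. It turns the two checks above (secrets/ must be owner-only, and optionally all of JENKINS_HOME) into a repeatable audit: it reports every entry under a directory that is readable by group or other, or that is owned by someone other than the Jenkins user, and with the fix mode strips group/other permissions. The file name audit.sh, the JENKINS_HOME and JENKINS_USER environment variables, and the assumption that paths contain no whitespace are all choices made for this example; the permission test reads the standard `ls -ld` column layout.

```shell
#!/bin/sh
# Added example (not from the article or the Jenkins project): audit
# JENKINS_HOME for entries readable beyond the Jenkins user and optionally
# tighten them. Assumes standard `ls -ld` columns and whitespace-free paths.
# Usage: JENKINS_HOME=/var/jenkins_home JENKINS_USER=jenkins sh audit.sh check
#        JENKINS_HOME=/var/jenkins_home JENKINS_USER=jenkins sh audit.sh fix

# True when the group and other permission bits (columns 5-10 of `ls -ld`)
# are all cleared, i.e. only the owner can read, write or traverse the entry.
# A "+" in column 11 (as in the article's `drwx------+`) means an ACL is
# present; ACL grants are not visible here, so inspect them with getfacl.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True when the entry is owned by the expected user (column 3 of `ls -ld`).
owned_by() {
    [ "$(ls -ld "$1" | awk '{print $3}')" = "$2" ]
}

# Print every entry under $1 that is readable beyond its owner or is owned
# by someone other than $2. Returns 0 if nothing is exposed, 1 otherwise.
find_exposed() {
    found=0
    for p in $(find "$1"); do
        if ! owner_only "$p"; then
            printf 'exposed:     %s\n' "$p"
            found=1
        fi
        if ! owned_by "$p" "$2"; then
            printf 'wrong owner: %s\n' "$p"
            found=1
        fi
    done
    return "$found"
}

# Remove all group/other permissions under $1; owner bits are untouched, so
# directories stay traversable by the owner. Ownership is left alone because
# changing it needs root (chown -R).
tighten() {
    chmod -R go-rwx "$1"
}

main() {
    home=${JENKINS_HOME:-/var/jenkins_home}
    user=${JENKINS_USER:-jenkins}
    # secrets/ is the must-fix set; the rest of JENKINS_HOME is reported too
    if find_exposed "$home/secrets" "$user"; then
        echo "secrets/ is readable only by $user"
    elif [ "$1" = "fix" ]; then
        tighten "$home/secrets" && echo "tightened $home/secrets"
    fi
    find_exposed "$home" "$user" || echo "other JENKINS_HOME entries are exposed (see above)"
}

# Run the audit only when a mode (check|fix) is given on the command line.
[ $# -gt 0 ] && main "$@"
```

Run it as the Jenkins user (or root) so that `find` can traverse the whole tree; a directory the auditing account cannot enter is itself a sign that permissions are already tight for that subtree, but its contents will not be listed.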