Jenkins : Securing JENKINS_HOME

Jenkins stores all its state on disk, in the JENKINS_HOME directory. For example, $JENKINS_HOME is /var/jenkins_home if you're using the official Jenkins Docker image.

JENKINS_HOME/secrets

This directory contains encryption keys that protect secrets, such as credentials. For example:

$JENKINS_HOME/secrets $ ls -1
filepath-filters.d/
hudson.console.ConsoleNote.MAC
hudson.util.Secret
jenkins.model.Jenkins.crumbSalt
master.key
org.jenkinsci.main.modules.instance_identity.InstanceIdentity.KEY
whitelisted-callables.d

Sensitive data in other files are encrypted using the keys in secrets/. For example, API tokens in user configuration files are protected:

$ head $JENKINS_HOME/users/jsmith/config.xml
<?xml version='1.0' encoding='UTF-8'?>
<user>
  <fullName>John Smith</fullName>
  <properties>
    <jenkins.security.ApiTokenProperty>
      <apiToken>{AQAAABAAAAAw3HLwlE6JAj4Iq81oCccPe6F12p+garuVgD/2fdSD6LmchI77uBjQq+8sFOhSTd9LOwTBGWN5ZcHTpGNvxg1MDA==}</apiToken>
    </jenkins.security.ApiTokenProperty>

$JENKINS_HOME/secrets should be readable only by the user account that runs the Jenkins process. Read access to this directory is equivalent to being a Jenkins admin user.

$JENKINS_HOME $ ls -ld secrets
drwx------+ 10 jenkinsuser 340 Feb 26 13:52 secrets/

Other JENKINS_HOME directories

Depending on your Jenkins use case, you may also want to protect other directories in JENKINS_HOME.

For example, users who can read JENKINS_HOME can discover what jobs exist, and what they do, by looking at the jobs directory.

$JENKINS_HOME $ ls jobs/
build_hello_world/ deploy_hello_world/ another_exciting_job/
$JENKINS_HOME $ less jobs/another_exciting_job/config.xml
...
  <builders>
    <hudson.tasks.Shell>
      <command>ls /</command>
    </hudson.tasks.Shell>
  </builders>

Users can also view build output when jobs run:

$JENKINS_HOME $ more jobs/another_exciting_job/builds/1/log
Started by user John Smith
Building in workspace /var/jenkins_home/jobs/another_exciting_job/workspace
[workspace] $ /bin/sh -xe /tmp/jenkins1336326875197177937.sh
+ ls /
bin
dev
etc
home
keys
lib
media
mnt
proc
root
run
sbin
srv
sys
tmp
usr
var
Finished: SUCCESS

Jenkins may also have source code checkouts in JENKINS_HOME:

$JENKINS_HOME $ ls caches
git-595a783332800bac6d7b275cab2eb84d/
$JENKINS_HOME $ cd caches/git-595a783332800bac6d7b275cab2eb84d/
$JENKINS_HOME/caches/git-595a783332800bac6d7b275cab2eb84d/ $ git remote -v
origin    http://example.com/hello_world.git (fetch)
origin    http://example.com/hello_world.git (push)

Hardening

If job configuration or output is sensitive, you may want to make all of JENKINS_HOME readable only by the user account that runs the Jenkins process. This will also protect your instance if/when there are plugin bugs that write unencrypted data to JENKINS_HOME.
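
An added example (not part of the original page and not Jenkins code): a POSIX shell audit for the two recommendations above, restricting secrets/ and, optionally, all of JENKINS_HOME to the Jenkins account. The function names and the --all flag are hypothetical, and the check reads mode bits and ownership only, not ACLs.

```shell
#!/bin/sh
# Added example, not Jenkins code: audit JENKINS_HOME for paths that accounts
# other than the Jenkins service account can reach. Function names and the
# --all flag are hypothetical. Only mode bits and ownership are checked; ACLs
# (the "+" in the ls -ld output) are not inspected.

# audit_private DIR OWNER
# Print every non-symlink path under DIR that is not owned by OWNER (name or
# numeric uid) or has any group/other permission bit set.
# Returns 0 when clean, 1 when something was printed, 2 if DIR is missing.
audit_private() {
    ap_dir=$1
    ap_owner=$2
    [ -d "$ap_dir" ] || { echo "not a directory: $ap_dir" >&2; return 2; }
    ap_found=$(find "$ap_dir" ! -type l \( ! -user "$ap_owner" \
        -o -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$ap_found" ] && return 0
    printf '%s\n' "$ap_found"
    return 1
}

# audit_jenkins_home HOME OWNER [--all]
# Default: check only HOME/secrets, where read access is equivalent to admin.
# --all: check the whole tree, for sites where job config or output is sensitive.
audit_jenkins_home() {
    if [ "${3:-}" = "--all" ]; then
        audit_private "$1" "$2"
    else
        audit_private "$1/secrets" "$2"
    fi
}

# harden_private DIR
# Remove all group/other access below DIR. Ownership is left unchanged, so a
# wrong-owner finding still has to be fixed separately (chown, as root).
harden_private() {
    chmod -R go-rwx "$1"
}

# Typical use, with the account name taken from the listing above:
#   audit_jenkins_home /var/jenkins_home jenkinsuser --all || echo "findings above"
```

Run the audit before and after harden_private; a clean run prints nothing and returns 0.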