Is pasting a private key into the Jenkins web portal secure?
in situ
Using the web UI for this is probably secure enough for almost every use case, and is hard to beat with respect to convenience.
Nevertheless, generating private keys where they are needed is certainly good advice, and is definitely possible with Jenkins. One approach:
- SSH into the Jenkins server, and generate the keys
- Run some groovy in the script console to create the Jenkins credential
- Exfiltrate the public key
- Delete the generated keys on the server
In this example, on the Jenkins server both `$HOME` and `$JENKINS_HOME` point to `/var/jenkins_home`, and the keys are generated in `~/temp`.
Generate the key on the Jenkins server

```bash
ssh [email protected]
mkdir ~/temp
cd ~/temp
ssh-keygen -t rsa -b 4096 -C "some-meaningful-label" -f "./my-in-situ-key"
```
This creates `my-in-situ-key` and `my-in-situ-key.pub` in `/var/jenkins_home/temp`.
Create the Jenkins credential

In the Jenkins script console:

```groovy
import com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey
import com.cloudbees.plugins.credentials.CredentialsScope
import com.cloudbees.plugins.credentials.domains.Domain
import jenkins.model.Jenkins

// Credentials go into the global domain of the system credentials store
def domain = Domain.global()
def store = Jenkins.instance.getExtensionList('com.cloudbees.plugins.credentials.SystemCredentialsProvider')[0].getStore()

// Read the key generated on the server; the key text never leaves the host
def privateKeyString = new File('/var/jenkins_home/temp/my-in-situ-key').text
def keySource = new BasicSSHUserPrivateKey.DirectEntryPrivateKeySource(privateKeyString)

def privateKeyCredential = new BasicSSHUserPrivateKey(
    CredentialsScope.GLOBAL,
    "temp-stack-overflow-key", // id
    "jenkins",                 // username
    keySource,                 // private key
    "",                        // passphrase (empty: key was generated without one)
    "Temporary Demo Key"       // description
)
store.addCredentials(domain, privateKeyCredential)
"Credential Added"
```
Test the credential before cleaning up.
Clean up

Grab the public key and be sure to delete the private key on your way out the door.

```bash
cat ~/temp/my-in-situ-key.pub
rm -rf ~/temp
```
Relevant Javadoc
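A post-cleanup check for the procedure above, written as an added example rather than part of the answer: run in the script console, it confirms that the credential resolves through the provider API, that it actually holds PEM key material, and that no plaintext copy is left in the temp directory. It assumes the credential id `temp-stack-overflow-key` and the path `/var/jenkins_home/temp/my-in-situ-key` from the answer.

```groovy
import com.cloudbees.jenkins.plugins.sshcredentials.SSHUserPrivateKey
import com.cloudbees.plugins.credentials.CredentialsProvider
import hudson.security.ACL
import jenkins.model.Jenkins

// Assumed values, taken from the answer above: adjust to your own id and path
def credentialId = "temp-stack-overflow-key"
def tempKeyPath  = "/var/jenkins_home/temp/my-in-situ-key"

// 1. The credential must be resolvable the way sshagent/withCredentials resolve
//    it at build time, i.e. through the CredentialsProvider API, not just the store
def cred = CredentialsProvider.lookupCredentials(
        SSHUserPrivateKey, Jenkins.instance, ACL.SYSTEM, Collections.emptyList()
    ).find { it.id == credentialId }
if (cred == null) {
    return "FAIL: no SSH key credential with id '${credentialId}'"
}

// 2. The stored material must be an actual PEM/OpenSSH private key block,
//    not an empty string or a path to a file that has since been deleted
def keys = cred.privateKeys
def looksLikeKey = keys && keys.every {
    it.trim().startsWith("-----BEGIN") && it.contains("PRIVATE KEY-----")
}
if (!looksLikeKey) {
    return "FAIL: credential '${credentialId}' does not hold private key material"
}

// 3. The plaintext files written by ssh-keygen must be gone from disk
def leftovers = [tempKeyPath, tempKeyPath + ".pub"].findAll { new File(it).exists() }
if (leftovers) {
    return "WARN: credential OK, but key files still on disk: ${leftovers}"
}

def passphraseState = cred.passphrase?.plainText ? "set" : "empty"
return "OK: '${credentialId}' stored (${keys.size()} key, passphrase ${passphraseState}), no key files left in temp"
```

The returned string is shown in the console result pane; a WARN result means the `rm -rf ~/temp` step was skipped or ran against a different path.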