As of, checks notes, 2009, the US loosened its embargo on the export of cryptographic software significantly. This includes the key size restrictions on AES and RSA.
The following places inside Jenkins should be updated to use AES-256 and RSA-4096 keys along with appropriate migration code for data encrypted with older keys:
- jenkins.security.DefaultConfidentialStore.masterKey: upgrade to AES-256; should also try using a more standardized key file format like PKCS12 to allow it to be managed externally.
- jenkins.security.CryptoConfidentialKey.secret: upgrade to AES-256; would also be nice to use the standardized key file format like PKCS12.
- jenkins.security.RSAConfidentialKey: upgrade priv and pub to RSA-4096.