Introduced long ago as a way to manage secrets, ConfidentialStore and ConfidentialKey largely duplicate the API provided by Java's KeyStore class. Jenkins should migrate toward using a proper keystore for storing secret keys, private keys, and certificates. This would allow for the use of a standardized file format (PKCS12), pluggable key store implementations (e.g., on macOS, there's a KeyStore provider that uses the macOS Keychain), and more secure management of keys (allows for third party tools to be used to easily rotate keys and other manipulations).
Implementing this would go well with JENKINS-61406, though the features can be implemented separately.
- relates to
-
JENKINS-61406 Allow for use of password-based encryption of confidential store
-
- Open
-