Default Secret Encryption Key

ahmad.hashem · October 15, 2024, 1:41pm

Default Secret Encryption Key
After upgrade Nexus sso from 3.72 to 3.73
I get Default Secret Encryption Key
Nexus was not configured with an encryption key and is using the Default key.
Is there aguide to fix that?

mpiggott · October 16, 2024, 1:44pm

https://help.sonatype.com/en/re-encryption-in-nexus-repository.html

ahmad.hashem · October 17, 2024, 1:49pm

Thanks for your response, I have read this Guide, But it is totally non-understandable to me.

alexey.stepanov · October 18, 2024, 1:35pm

I think this instruction is for cloud installations

ahmad.hashem · October 18, 2024, 1:47pm

I have my own pnpremis installation

mpiggott · October 18, 2024, 2:18pm

The instructions are for on premise.

lemonsterfy · October 21, 2024, 12:57pm

Based on my experience, you can follow the steps below for configuring an encryption key for Nexus using two different methods: using an environment variable or using a property in the nexus.properties file. Each method includes updating the configuration through the Nexus web interface.

Method 1: Using the NEXUS_SECRETS_KEY_FILE Environment Variable

Step 1: Create the JSON Configuration File

Create the secrets JSON file:
Create a file, e.g., /path/to/nexus.secrets.json, with the following content:
```
{
  "active": "your-key-id",
  "keys": [
    {
      "id": "your-key-id",
      "key": "your-encryption-key"
    }
  ]
}
```
- Replace “your-key-id” with your desired key ID.
- Replace “your-encryption-key” with your generated encryption key (e.g., a 32-byte Base64 encoded string).
Secure the file:
Set appropriate file permissions to prevent unauthorized access:
```
chmod 600 /path/to/nexus.secrets.json
```

Step 2: Configure Nexus Service File

Edit the Nexus systemd service file (typically located at /etc/systemd/system/nexus.service). Add the following line in the [Service] section:
```
[Service]
Environment="NEXUS_SECRETS_KEY_FILE=/path/to/nexus.secrets.json"
```
Replace /path/to/nexus.secrets.json with the actual path to your secrets JSON file.

Reload systemd and restart Nexus:

sudo systemctl daemon-reload
sudo systemctl restart nexus

Step 3: Verify the Configuration

Check Nexus startup logs for any errors or warnings related to the encryption key configuration:
```
sudo journalctl -u nexus
```
Log in to the Nexus UI and verify that the previous warnings about using the default encryption key are no longer present.

Step 4: Update Encryption Settings via Web Interface

Log in to the Nexus web interface using the admin account.
Navigate to:
System > API > Security Management: Secrets Encryption
Update the configuration with the following JSON:
```
{
  "secretKeyId": "your-key-id",
  "notifyEmail": "your-email@example.com"
}
```
- Replace “your-key-id” with the ID of the key you want to activate (the same ID specified in the JSON file).
- Replace “your-email@example.com” with the email address to receive notifications.
Execute the update to apply the new encryption settings.

Method 2: Using the nexus.secrets.file Property in nexus.properties

Step 1: Create the JSON Configuration File

Create the secrets JSON file:

As in Method 1, create a file, e.g., /path/to/nexus.secrets.json, with the following content:
```
{
  "active": "your-key-id",
  "keys": [
    {
      "id": "your-key-id",
      "key": "your-encryption-key"
    }
  ]
}
```
- Replace “your-key-id” with your desired key ID.
- Replace “your-encryption-key” with your generated encryption key (e.g., a 32-byte Base64 encoded string).
Secure the file:
Set appropriate file permissions to prevent unauthorized access:
```
chmod 600 /path/to/nexus.secrets.json
```

Step 2: Edit nexus.properties

Locate the nexus.properties file, typically found in the custom directory at /your-path/sonatype-work/nexus3/etc/nexus.properties.
Add the following line to specify the secrets file location:
```
nexus.secrets.file=/path/to/nexus.secrets.json
```
Replace /path/to/nexus.secrets.json with the path to your secrets JSON file.

Step 3: Restart Nexus

After modifying nexus.properties, restart Nexus to apply the changes:

sudo systemctl restart nexus

Step 4: Verify the Configuration

Check Nexus startup logs for any errors or warnings related to the encryption key configuration:
```
sudo journalctl -u nexus
```
Log in to the Nexus UI and verify that the previous warnings about using the default encryption key are no longer present.

Step 5: Update Encryption Settings via Web Interface

Log in to the Nexus web interface using the admin account.
Navigate to:
System > API > Security Management: Secrets Encryption
Update the configuration with the following JSON:
```
{
  "secretKeyId": "your-key-id",
  "notifyEmail": "your-email@example.com"
}
```
- Replace “your-key-id” with the ID of the key you want to activate (the same ID specified in the JSON file).
- Replace “your-email@example.com” with the email address to receive notifications.
Execute the update to apply the new encryption settings.

By following either of these methods, you can configure a custom encryption key for Nexus, apply it either through an environment variable or a properties file, and ensure that the configuration is updated through the Nexus web interface.

ahmad.hashem · October 21, 2024, 12:57pm

OK, Thanks, But the instructions still not understandable to me, how and where to run these commands.

ahmad.hashem · October 22, 2024, 1:27pm

Thanks for excellent guide. It works as charm