Default Secret Encryption Key

Based on my experience, you can follow the steps below for configuring an encryption key for Nexus using two different methods: using an environment variable or using a property in the nexus.properties file. Each method includes updating the configuration through the Nexus web interface.

Method 1: Using the NEXUS_SECRETS_KEY_FILE Environment Variable

Step 1: Create the JSON Configuration File

  1. Create the secrets JSON file:
    Create a file, e.g., /path/to/nexus.secrets.json, with the following content:

    {
      "active": "your-key-id",
      "keys": [
        {
          "id": "your-key-id",
          "key": "your-encryption-key"
        }
      ]
    }
    
    • Replace “your-key-id” with your desired key ID.
    • Replace “your-encryption-key” with your generated encryption key (e.g., a 32-byte Base64 encoded string).
  2. Secure the file:
    Set appropriate file permissions to prevent unauthorized access:

    chmod 600 /path/to/nexus.secrets.json
    

Step 2: Configure Nexus Service File

  1. Edit the Nexus systemd service file (typically located at /etc/systemd/system/nexus.service). Add the following line in the [Service] section:

    [Service]
    Environment="NEXUS_SECRETS_KEY_FILE=/path/to/nexus.secrets.json"
    

    Replace /path/to/nexus.secrets.json with the actual path to your secrets JSON file.

  2. Reload systemd and restart Nexus:

    sudo systemctl daemon-reload
    sudo systemctl restart nexus
    

Step 3: Verify the Configuration

  1. Check Nexus startup logs for any errors or warnings related to the encryption key configuration:

    sudo journalctl -u nexus
    
  2. Log in to the Nexus UI and verify that the previous warnings about using the default encryption key are no longer present.

Step 4: Update Encryption Settings via Web Interface

  1. Log in to the Nexus web interface using the admin account.

  2. Navigate to:
    System > API > Security Management: Secrets Encryption

  3. Update the configuration with the following JSON:

    {
      "secretKeyId": "your-key-id",
      "notifyEmail": "your-email@example.com"
    }
    
    • Replace “your-key-id” with the ID of the key you want to activate (the same ID specified in the JSON file).
    • Replace “your-email@example.com” with the email address to receive notifications.
  4. Execute the update to apply the new encryption settings.

Method 2: Using the nexus.secrets.file Property in nexus.properties

Step 1: Create the JSON Configuration File

  1. Create the secrets JSON file:

    As in Method 1, create a file, e.g., /path/to/nexus.secrets.json, with the following content:

    {
      "active": "your-key-id",
      "keys": [
        {
          "id": "your-key-id",
          "key": "your-encryption-key"
        }
      ]
    }
    
    • Replace “your-key-id” with your desired key ID.
    • Replace “your-encryption-key” with your generated encryption key (e.g., a 32-byte Base64 encoded string).
  2. Secure the file:
    Set appropriate file permissions to prevent unauthorized access:

    chmod 600 /path/to/nexus.secrets.json
    

Step 2: Edit nexus.properties

  1. Locate the nexus.properties file, typically found in the custom directory at /your-path/sonatype-work/nexus3/etc/nexus.properties.

  2. Add the following line to specify the secrets file location:

    nexus.secrets.file=/path/to/nexus.secrets.json
    

    Replace /path/to/nexus.secrets.json with the path to your secrets JSON file.

Step 3: Restart Nexus

After modifying nexus.properties, restart Nexus to apply the changes:

sudo systemctl restart nexus

Step 4: Verify the Configuration

  1. Check Nexus startup logs for any errors or warnings related to the encryption key configuration:

    sudo journalctl -u nexus
    
  2. Log in to the Nexus UI and verify that the previous warnings about using the default encryption key are no longer present.

Step 5: Update Encryption Settings via Web Interface

  1. Log in to the Nexus web interface using the admin account.

  2. Navigate to:
    System > API > Security Management: Secrets Encryption

  3. Update the configuration with the following JSON:

    {
      "secretKeyId": "your-key-id",
      "notifyEmail": "your-email@example.com"
    }
    
    • Replace “your-key-id” with the ID of the key you want to activate (the same ID specified in the JSON file).
    • Replace “your-email@example.com” with the email address to receive notifications.
  4. Execute the update to apply the new encryption settings.

By following either of these methods, you can configure a custom encryption key for Nexus, apply it either through an environment variable or a properties file, and ensure that the configuration is updated through the Nexus web interface.
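A helper for the secrets-file step shared by both methods above, added here as an example and not taken from the original post or from Sonatype: it generates a random 32-byte key with openssl, writes the JSON in the layout shown, creates the file with mode 0600 from the start (no window with wider permissions), and checks the result before Nexus is pointed at it. The path and key id are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): build and verify nexus.secrets.json.
# Requires openssl; path and key id are caller-supplied placeholders.
set -eu

# make_secrets_file <path> <key-id>
# Writes the secrets JSON with a fresh Base64-encoded 32-byte key, mode 0600.
# The key id is inserted verbatim, so it must not contain quotes or backslashes.
make_secrets_file() {
  path="$1"
  key_id="$2"
  key="$(openssl rand -base64 32)"          # 32 random bytes -> 44-char Base64
  (                                         # subshell: umask change stays local
    umask 077                               # file is born 0600, never world-readable
    cat > "$path" <<EOF
{
  "active": "$key_id",
  "keys": [
    {
      "id": "$key_id",
      "key": "$key"
    }
  ]
}
EOF
  )
  chmod 600 "$path"
}

# check_secrets_file <path> <key-id>
# Returns 0 if the file is mode 600, the active id matches a key entry, and the
# key decodes to exactly 32 bytes; returns 1 on any failed check.
check_secrets_file() {
  path="$1"
  key_id="$2"
  mode="$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")"   # GNU, then BSD stat
  [ "$mode" = "600" ] || return 1
  grep -q "\"active\": \"$key_id\"" "$path" || return 1
  grep -q "\"id\": \"$key_id\"" "$path" || return 1
  key="$(sed -n 's/.*"key": "\([^"]*\)".*/\1/p' "$path")"
  [ "$(printf '%s' "$key" | base64 -d | wc -c | tr -d ' ')" -eq 32 ] || return 1
}
```

Run `make_secrets_file /path/to/nexus.secrets.json your-key-id` and then `check_secrets_file` with the same arguments before adding the path to the service file or nexus.properties.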
