timja / jenkins-gh-issues-poc-06-18


[JENKINS-61406] Allow for use of password-based encryption of confidential store #4890

Open timja opened 4 years ago

timja commented 4 years ago

Related to JENKINS-58743, the confidential store could potentially be hardened by requiring a password to unlock it such as via PBEWithHmacSHA256AndAES_256 or potentially PBKDF2WithHmacSHA256 (not sure on the latter). Use of some form of authenticated encryption is preferred over plain encryption, and in this case, we can use EtM as mentioned in the OWASP guide.

In order for the password to be entered initially to unlock Jenkins, based on some exploratory testing, I've found that there is very little Jenkins functionality that can be relied upon at this point in the initialization process, so I have two initial suggested implementation ideas:


Originally reported by jvz, imported from: Allow for use of password-based encryption of confidential store
  • status: Open
  • priority: Minor
  • resolution: Unresolved
  • imported: 2022/01/10
timja commented 4 years ago

jvz:

I'll note that based on some info I read on Wikipedia, PBKDF2 and PBEwithFooAndBar schemes seem to be somewhat weak due to ASIC attacks and such. Seems like the recommended alternative is some non-described combination of Argon2 (current recommended password hashing algorithm) as the input of an AES key.

Alternatively, if using PBKDF2, make sure to use a large number of iterations and a salt of like at least 128 bits.
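The scheme sketched in the original report (Encrypt-then-MAC over a password-derived key) together with the PBKDF2 advice just above, written out as an added example that is not code from this issue or from Jenkins: a 128-bit random salt, 600,000 PBKDF2-HMAC-SHA256 iterations, separate encryption and MAC keys, and tag verification before any decryption. The Python standard library has no AES, so the confidentiality step uses HMAC-SHA256 in counter mode as a stand-in stream cipher where the real store would use AES-256-CTR; the function names, constants and blob layout are my assumptions.

```python
import hashlib
import hmac
import os
import struct

SALT_LEN, IV_LEN, TAG_LEN, ITERATIONS = 16, 16, 32, 600_000  # 128-bit salt, large iteration count

def derive_keys(password: bytes, salt: bytes) -> tuple:
    """PBKDF2-HMAC-SHA256 -> 64 bytes; first half encrypts, second half authenticates."""
    k = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS, dklen=64)
    return k[:32], k[32:]

def ctr_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher with HMAC-SHA256 as the PRF. Stand-in for AES-256-CTR
    (not in the standard library); the Encrypt-then-MAC structure around it is unchanged."""
    out = bytearray()
    for ctr, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, iv + struct.pack(">Q", ctr), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)

def seal(password: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then MAC salt||iv||ciphertext under a separate key (Encrypt-then-MAC).
    Output layout (assumed): salt || iv || ciphertext || tag."""
    salt, iv = os.urandom(SALT_LEN), os.urandom(IV_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    body = salt + iv + ctr_xor(enc_key, iv, plaintext)
    return body + hmac.new(mac_key, body, "sha256").digest()

def unseal(password: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting anything, so a wrong
    password or a modified blob is rejected without ever touching the cipher."""
    if len(blob) < SALT_LEN + IV_LEN + TAG_LEN:
        raise ValueError("blob too short")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    salt, iv, ct = body[:SALT_LEN], body[SALT_LEN:SALT_LEN + IV_LEN], body[SALT_LEN + IV_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    if not hmac.compare_digest(hmac.new(mac_key, body, "sha256").digest(), tag):
        raise ValueError("wrong password or tampered data")
    return ctr_xor(enc_key, iv, ct)

def check(password: bytes, blob: bytes) -> bool:
    """True when blob opens under password, False when it is rejected."""
    try:
        unseal(password, blob)
        return True
    except ValueError:
        return False
```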

timja commented 4 years ago

jvz:

Added link to incomplete proof of concept code.

timja commented 4 years ago

jvz:

Added link to working proof of concept: https://github.com/jvz/keystore-module