The artifactory.key is a 128-Bit AES encryption key.
Prior to Artifactory 5.9, the encryption was PBEwithSHA1AndDESede.
The artifactory.key is used to encrypt all passwords that are saved in the Global Configuration Descriptor. This includes configured passwords of remote repositories, replication servers, LDAP servers, etc.
Encrypted data will start with the string ‘AM’.
Example of an artifactory.key using 128-Bit AES encryption:
JS.2whsQ.AES128.93Mqdo3D2AeHxdK2T3AujrbSh
Example of an artifactory.key using outdated PBEwithSHA1AndDESede encryption:
JR2YxGPoiQWMe5LjB88jM6zCPHBf5zHCsebJyWwzaWCr1UH7XRipnT5LLPhNgrTSuvwVVVHxwUam3cX5AcrUj2XnY4WgV6qjUKNg8xoo5nbq5NPEgzAUme2sbqCYB74ugHuke6JidWYMBQqYdgd7tuQyrAdfQzrCwzS1PMYxUYeEneLv2WPYZK5V6MFCwgv5REcfzWeAaFvuJ9kAJLACxwvwWfD9utXbNtQoDqmiDVeptv9zZC7TZMXveRfBujCCEUATUm8AKe3y5cLrTWZUeuCut8VuPHGU3AatvU5EUeMKbRGDpDNyRQ6NQBgUwbASGq5ytoBCqv4j7RKM3CtheSB1bGN6a5wdH9JrLZDoBAXM63Mav6cZyDAwz6p2g8MkoRbF38DmwqwSx2cNUmLcHPa5gen1eqrVcePyY49Qy6p7pduXgJhWzfCAWMug8RnxPirFLuJ1RnHEiVtTcPZxtVDi5wa
JUHfDLxBPMe4YZbWLKdbams2ZTPq3rmG1zxgQfHBBoWV7wwZE38Yjd7vETvuDXGyzQn9Qb1yg8EVDBZG9veeUb7QXrdi4iCAp9ngCByvy94GLB9gPm9WRvaFYyPu8r5puviD4
There was no automatic migration to the new encryption. If your system was upgraded from a version below 5.9 and still uses the PBEwithSHA1AndDESede encryption, you can move to the new 128-Bit AES encryption by calling the Deactivate Artifactory Key Encryption REST API endpoint and then re-enabling encryption with the Activate Artifactory Key Encryption REST API endpoint.
Note: In the case of data corruption, the “Deactivate Artifactory Key Encryption” REST API may fail and leave your system in an unhealthy state. We recommend testing the deactivation procedure first in a staging environment.
If the artifactory.key is lost, the only way to recover is to overwrite all encrypted data in the Configuration Descriptor with plain text.
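The following pre-migration check is an added example, not JFrog's code: it classifies the content of an artifactory.key by the two layouts shown above and lists which descriptor values are encrypted, which are also the fields that must be overwritten with plain text if the key is lost. The function names, the sample descriptor and its element names, and the rule that the scheme name is the third dot-separated field of the key are assumptions.

```python
import xml.etree.ElementTree as ET

def key_scheme(key_text):
    """Classify artifactory.key content by the two layouts shown above."""
    key = "".join(key_text.split())  # a legacy key may wrap across lines
    if not key:
        return "missing"
    # Assumption: the scheme name is the third dot-separated field, as in the
    # AES example above; any other non-empty key is treated as legacy.
    fields = key.split(".")
    return "aes128" if len(fields) == 4 and fields[2] == "AES128" else "legacy"

def encrypted_fields(descriptor_xml):
    """Paths of leaf elements whose text starts with 'AM' (encrypted values).
    A plain-text value that happens to start with 'AM' also matches."""
    hits = []
    def walk(node, path):
        here = f"{path}/{node.tag}"
        if len(node) == 0 and (node.text or "").strip().startswith("AM"):
            hits.append(here)
        for child in node:
            walk(child, here)
    walk(ET.fromstring(descriptor_xml), "")
    return hits

def plan(key_text, descriptor_xml):
    scheme = key_scheme(key_text)
    actions = {
        "missing": "key lost: overwrite the listed fields with plain text",
        "legacy": "legacy key: deactivate, then activate key encryption (staging first)",
        "aes128": "already 128-bit AES: no migration needed",
    }
    return {"scheme": scheme, "fields": encrypted_fields(descriptor_xml),
            "action": actions[scheme]}

AES_KEY = "JS.2whsQ.AES128.93Mqdo3D2AeHxdK2T3AujrbSh"  # AES example from this page
LEGACY_KEY = "J" + "x" * 60 + "\nJ" + "y" * 40          # constructed stand-in
SAMPLE_DESCRIPTOR = """<config>
  <remoteRepositories><remoteRepository>
    <key>npm-remote</key>
    <username>svc-proxy</username>
    <password>AM.constructed-ciphertext</password>
  </remoteRepository></remoteRepositories>
  <ldapSettings><managerPassword>plain-text-secret</managerPassword></ldapSettings>
</config>"""  # constructed sample; element names are assumptions

if __name__ == "__main__":
    for name, key in (("aes", AES_KEY), ("legacy", LEGACY_KEY), ("lost", "")):
        print(name, plan(key, SAMPLE_DESCRIPTOR))
```

Run it against copies of the key file and descriptor taken from the staging environment, so the inventory of encrypted fields is on hand before the deactivation call is tested.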