Set encryption key as Jenkins Secret

src/main/java/io/jenkins/plugins/jfrog/CliEnvConfigurator.java

@@ -3,6 +3,7 @@
 import hudson.EnvVars;
 import io.jenkins.plugins.jfrog.actions.JFrogCliConfigEncryption;
 import io.jenkins.plugins.jfrog.configuration.JenkinsProxyConfiguration;
+import io.jenkins.plugins.jfrog.configuration.JenkinsSecretManager;
 import org.apache.commons.lang3.StringUtils;
 
 /**
@@ -43,8 +44,9 @@ static void configureCliEnv(EnvVars env, String jfrogHomeTempDir, JFrogCliConfig
             setupProxy(env);
         }
         if (encryptionKey.shouldEncrypt()) {
-            // Set up a random encryption key to make sure no raw text secrets are stored in the file system
-            env.putIfAbsent(JFROG_CLI_ENCRYPTION_KEY, encryptionKey.getKey());
+            // Set up a random encryption key and set as a Jenkins secret
+            JenkinsSecretManager js = new JenkinsSecretManager();
+            js.createSecret(JFROG_CLI_ENCRYPTION_KEY, encryptionKey.getKey(), "JFrog CLI encryption key");
         }
     }
 

src/main/java/io/jenkins/plugins/jfrog/Utils.java

@@ -4,6 +4,7 @@
 import hudson.model.Job;
 import hudson.model.TaskListener;
 import io.jenkins.plugins.jfrog.callables.TempDirCreator;
+import io.jenkins.plugins.jfrog.configuration.JenkinsSecretManager;
 import org.apache.commons.lang3.exception.ExceptionUtils;
 
 import java.io.IOException;
@@ -62,4 +63,9 @@ public static FilePath createAndGetTempDir(final FilePath ws) throws IOException
     public static FilePath createAndGetJfrogCliHomeTempDir(final FilePath ws, String buildNumber) throws IOException, InterruptedException {
         return createAndGetTempDir(ws).child(buildNumber).child(".jfrog");
     }
+
+    public static void deleteEncryptionKeySecret() {
+        JenkinsSecretManager js = new JenkinsSecretManager();
+        js.deleteSecret(CliEnvConfigurator.JFROG_CLI_ENCRYPTION_KEY);
+    }
 }

src/main/java/io/jenkins/plugins/jfrog/WorkflowListener.java

@@ -29,6 +29,7 @@ public void onCompleted(@NonNull FlowExecution execution) {
         try {
             WorkflowRun build = getWorkflowRun(execution);
             Utils.deleteBuildJfrogHomeDir(getWorkspace(build.getParent()), String.valueOf(build.getNumber()), getTaskListener(execution));
+            Utils.deleteEncryptionKeySecret();
         } catch (IOException e) {
             throw new RuntimeException(e);
         }

src/main/java/io/jenkins/plugins/jfrog/configuration/JenkinsSecretManager.java

@@ -0,0 +1,74 @@
+package io.jenkins.plugins.jfrog.configuration;
+
+import com.cloudbees.plugins.credentials.Credentials;
+import com.cloudbees.plugins.credentials.CredentialsScope;
+import com.cloudbees.plugins.credentials.SystemCredentialsProvider;
+import hudson.util.Secret;
+import org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl;
+
+
+import java.io.IOException;
+import java.util.List;
+
+
+public class JenkinsSecretManager {
+
+    public void createSecret(String name, String value, String description) {
+        if (secretExists(name)) {
+            System.out.println("Secret with name " + name + " already exists.");
+            return;
+        }
+        StringCredentialsImpl secret = new StringCredentialsImpl(
+                CredentialsScope.USER,
+                name,
+                description,
+                Secret.fromString(value)
+        );
+        try {
+            SystemCredentialsProvider.getInstance().getCredentials().add(secret);
+            SystemCredentialsProvider.getInstance().save();
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+    }
+
+    public void deleteSecret(String id) {
+        List<Credentials> credentials = SystemCredentialsProvider.getInstance().getCredentials();
+        Credentials toRemove = null;
+        for (Credentials credential : credentials) {
+            if (credential instanceof StringCredentialsImpl && ((StringCredentialsImpl) credential).getId().equals(id)) {
+                toRemove = credential;
+                break;
+            }
+        }
+        if (toRemove != null) {
+            try {
+                SystemCredentialsProvider.getInstance().getCredentials().remove(toRemove);
+                SystemCredentialsProvider.getInstance().save();
+            } catch (IOException e) {
+                e.printStackTrace();
+            }
+        }
+
+    }
+
+    public Secret getSecret(String name) {
+        List<Credentials> credentials = SystemCredentialsProvider.getInstance().getCredentials();
+        for (Credentials credential : credentials) {
+            if (credential instanceof StringCredentialsImpl && ((StringCredentialsImpl) credential).getId().equals(name)) {
+                return ((StringCredentialsImpl) credential).getSecret();
+            }
+        }
+        return null;
+    }
+
+    public boolean secretExists(String name) {
+        List<Credentials> credentials = SystemCredentialsProvider.getInstance().getCredentials();
+        for (Credentials credential : credentials) {
+            if (credential instanceof StringCredentialsImpl && ((StringCredentialsImpl) credential).getId().equals(name)) {
+                return true;
+            }
+        }
+        return false;
+    }
+}

src/test/java/io/jenkins/plugins/jfrog/CliEnvConfiguratorTest.java

@@ -3,6 +3,7 @@
 import hudson.EnvVars;
 import io.jenkins.plugins.jfrog.actions.JFrogCliConfigEncryption;
 import io.jenkins.plugins.jfrog.configuration.JenkinsProxyConfiguration;
+import io.jenkins.plugins.jfrog.configuration.JenkinsSecretManager;
 import jenkins.model.Jenkins;
 import org.junit.Before;
 import org.junit.Rule;
@@ -46,7 +47,7 @@ public void configEncryptionTest() {
         assertEquals(32, configEncryption.getKey().length());
 
         invokeConfigureCliEnv("a/b/c", configEncryption);
-        assertEnv(envVars, JFROG_CLI_ENCRYPTION_KEY, configEncryption.getKey());
+        assertEquals(configEncryption.getKey(), new JenkinsSecretManager().getSecret(JFROG_CLI_ENCRYPTION_KEY).getPlainText());
     }
 
     @Test
@@ -57,7 +58,7 @@ public void configEncryptionWithHomeDirTest() {
         invokeConfigureCliEnv("", configEncryption);
 
         assertFalse(configEncryption.shouldEncrypt());
-        assertFalse(envVars.containsKey(JFROG_CLI_ENCRYPTION_KEY));
+        assertNull(new JenkinsSecretManager().getSecret(JFROG_CLI_ENCRYPTION_KEY));
     }
 
     void assertEnv(EnvVars envVars, String key, String expectedValue) {