[JENKINS-72585] Using JENKINS_HTTPS_KEYSTORE_PASSWORD exposes keystore password in process list #707

@jenkins-infra-bot


If Jenkins is installed from RPM and the systemd unit has JENKINS_HTTPS_KEYSTORE_PASSWORD set, this exposes the keystore password in the process list.

https://www.jenkins.io/doc/book/installing/initial-settings/#miscellaneous-parameters talks about sensitive parameters, specifically about --httpsKeystorePassword, and recommends the use of --paramsFromStdIn, but Jenkins' own systemd starter doesn't follow that.

IMO, Jenkins systemd starter script should use --paramsFromStdIn if JENKINS_HTTPS_KEYSTORE_PASSWORD is set.


Originally reported by vilius, imported from: Using JENKINS_HTTPS_KEYSTORE_PASSWORD exposes keystore password in process list
  • status: Open
  • priority: Major
  • component(s): packaging
  • resolution: Unresolved
  • votes: 0
  • watchers: 1
  • imported: 2025-11-26

environment
Rocky Linux 9.3
Jenkins 2.441 installed from RPM
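
A check for the exposure described in this issue, as an added example that is not part of the original report or of the Jenkins packaging code: it reads `/proc/<pid>/cmdline` and reports, with the value redacted, any process that was started with the password as an argument. It assumes the launcher passes the password as `--httpsKeystorePassword=VALUE` (matched case-insensitively); the function names and the sample argument list in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Jenkins project code): find processes whose argument list
# carries the keystore password, which any local user can read via ps or /proc.

# Print password-bearing arguments from one NUL-separated argument file
# (the /proc/<pid>/cmdline format) with the value redacted.
# Assumption: the password is passed as --httpsKeystorePassword=VALUE.
# Returns 0 on a hit, 1 on no hit, 2 if the file is unreadable.
find_exposed_args() {
    [ -r "$1" ] || return 2
    hits=$(tr '\0' '\n' < "$1" 2>/dev/null |
        grep -i '^--httpsKeystorePassword=' |
        sed 's/=.*/=<redacted>/')
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Check every process visible in /proc; returns 0 if any exposure was found.
scan_all() {
    status=1
    for f in /proc/[0-9]*/cmdline; do
        if args=$(find_exposed_args "$f"); then
            pid=${f#/proc/}
            printf 'pid %s: %s\n' "${pid%/cmdline}" "$args"
            status=0
        fi
    done
    return "$status"
}

# Constructed sample argument list, for trying the check without Jenkins.
demo() {
    sample=$(mktemp) || return 2
    printf 'java\0-jar\0jenkins.war\0--httpsKeyStorePassword=constructed\0' > "$sample"
    find_exposed_args "$sample"
    rc=$?
    rm -f "$sample"
    return "$rc"
}

case "${1:-}" in
    --scan) scan_all ;;
    --demo) demo ;;
esac
```

Run with `--scan` on the Jenkins host as an unprivileged user; a hit confirms that the password is visible to every local account, and no output after moving the password off the command line confirms the fix.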
