Overview:
From version 3.73, Nexus Repository provides an option to use a custom key for encrypting sensitive details such as credentials. Our doc link has more details about this feature.
The Nexus UI may report the Health Check warning below (the "Default Secret Encryption Key" check).
This article explains how to configure the secrets file and re-encrypt the credentials in an HA environment to fix the above warning.
Note: Once sensitive data is re-encrypted with a custom key, Nexus needs the JSON file to be available on every restart. Encryption cannot be reverted back to the default key.
Configure nexus secrets file
1. Create the secrets json file.
For nexus HA, make sure the active key is set to null.
$ cat nx-secrets.json
{
    "active": "null",
    "keys": [
        {
            "id": "initial",
            "key": null
        },
        {
            "id": "master",
            "key": "sajdlkasJuI7sdaasz0kYu"
        }
    ]
}
2. Update deployments
2.1 For new deployments, use the helm options below to configure the nexus-secrets file.
$ helm install nxha1 --set secret.nexusSecret.enabled=true --set-file secret.nexusSecret.secretKeyfile="nx-secrets.json" -f values-nxsecrets.yaml sonatype/nxrm-ha
2.2 For an existing nexus HA deployment, or an upgrade from an older version, use the helm upgrade options.
Options:
values.yaml file: specify the same values.yaml file used for the deployment
nxha1: helm release name
$ helm upgrade -f values.yaml --set secret.nexusSecret.enabled=true --set-file secret.nexusSecret.secretKeyfile="nx-secrets.json" nxha1 sonatype/nxrm-ha
Release "nxha1" has been upgraded. Happy Helming!
NAME: nxha1
LAST DEPLOYED: Mon Aug  4 14:22:41 2025
NAMESPACE: default
STATUS: deployed
REVISION: 2
TEST SUITE: None
NOTES: Thank you for installing nxrm-ha.
Confirm that the helm upgrade has completed:
$ helm history nxha1
REVISION  UPDATED                   STATUS      CHART           APP VERSION  DESCRIPTION
1         Mon Aug  4 13:25:07 2025  superseded  nxrm-ha-82.0.0  3.82.0       Install complete
2         Mon Aug  4 14:22:41 2025  deployed    nxrm-ha-82.0.0  3.82.0       Upgrade complete
3. Verify the configuration
3.1 Check that the Kubernetes secret is created
$ kubectl get secrets -n nexusrepo nexus-secret.json
NAME                TYPE     DATA   AGE
nexus-secret.json   Opaque   1      52m
$ kubectl get secrets -n nexusrepo nexus-secret.json -o jsonpath='{.data}'
{"nexus-secret.json":"ewogICAgImFjdGl2ZSI6ICJudWxsIiwKICAgICJrZXlzIjogWwogICAgICAgIHsKICAgICAgICAgICAgImlkIjogImluaXRpYWwiLAogICAgICAgICAgICAia2V5IjogbnVsbAogICAgICAgIH0sCiAgICAgICAgewogICAgICAgICAgICAiaWQiOiAibWFzdGVyIiwKICAgICAgICAgICAgImtleSI6ICJzYWpkbGthc0p1STdzZGFhc3owa1l1IgogICAgICAgIH0KICAgIF0KfQo="}
3.2 Confirm that the nexus statefulset is also updated; verify that the NEXUS_SECRETS_KEY_FILE environment variable is populated.
$ kubectl describe -n nexusrepo sts/nxha1-nxrm-ha
Name:               nxha1-nxrm-ha
Namespace:          nexusrepo
CreationTimestamp:  Mon, 04 Aug 2025 13:25:07 +1000
...
    Environment:
      DB_NAME:                          kind_nxha77db
      DB_PASSWORD:                      <set to the key 'db-password' in secret 'nxrm-ha-dbsecret'>  Optional: false
      DB_USER:                          <set to the key 'db-user' in secret 'nxrm-ha-dbsecret'>      Optional: false
      DB_HOST:                          <set to the key 'db-host' in secret 'nxrm-ha-dbsecret'>      Optional: false
      NEXUS_SECURITY_INITIAL_PASSWORD:  <set to the key 'nexus-admin-password' in secret 'nxrm-ha-adminsecret'>  Optional: false
      NEXUS_SECURITY_RANDOMPASSWORD:    false
      NEXUS_ZERO_DOWNTIME_ENABLED:      false
      NEXUS_SECRETS_KEY_FILE:           /var/nexus-repo-secrets/nexus-secret.json
      LICENSE_FILE:                     /var/nexus-repo-license/nexus-repo-license.lic
Perform Re-encryption
Use the curl command below to re-encrypt the sensitive data with the master key (curl prompts for the admin password).
$ curl -u "admin" -X 'PUT' \
  'http://nxha.mydomain/service/rest/v1/secrets/encryption/re-encrypt' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "secretKeyId": "master",
  "notifyEmail": "admin@nexus.org"
}'
Enter host password for user 'admin':
{
  "status" : 202,
  "message" : "Task submitted. ID: 84f65370-6e56-41b8-ba56-f089c6a63c86"
}
Check the nexus.log file for task completion:
$ kubectl logs -n nexusrepo nxha1-nxrm-ha-0 | tail -5
Defaulted container "nxrm-app" out of: nxrm-app, request-log, audit-log, tasks-log, chown-nexusdata-owner-to-nexus-and-init-log-dir (init)
2025-08-04 05:45:22,197+0000 INFO  [qtp513324936-25] admin org.sonatype.nexus.quartz.internal.task.QuartzTaskInfo - Task 'Admin - Re-encrypt secrets with the specified key' [security.secrets.re-encrypt] : state=RUNNING
2025-08-04 05:45:22,203+0000 INFO  [qtp513324936-25] admin com.sonatype.nexus.distributed.internal.tasks.ClusteredTaskSchedulerImpl - Task 'Admin - Re-encrypt secrets with the specified key' [security.secrets.re-encrypt] scheduled: now
2025-08-04 05:45:22,210+0000 INFO  [quartz-7-thread-6] *TASK org.sonatype.nexus.internal.security.secrets.tasks.ReEncryptTask - Task log: /opt/sonatype/sonatype-work/nexus3/log/tasks/allTasks.log
2025-08-04 05:45:26,955+0000 INFO  [periodic-1-thread-1] *SYSTEM org.sonatype.nexus.rapture.internal.LocalSystemCheckService - Health check status changed from false to true for Default Secret Encryption Key
2025-08-04 05:45:32,224+0000 INFO  [quartz-7-thread-6] *TASK org.sonatype.nexus.quartz.internal.task.QuartzTaskInfo - Task 'Admin - Re-encrypt secrets with the specified key' [security.secrets.re-encrypt] state change RUNNING -> OK
Perform a hard refresh of the Nexus UI and confirm that the health check warning is now cleared.
Alternatively, check via the REST API:
$ curl -s -u admin:admin123 "http://nxha.mydomain/service/rest/v1/status/check" | jq '."Default Secret Encryption Key"'
{
"healthy": true, # <=== Changed to true
"message": "Nexus was configured to use master to encrypt secrets.",
"error": null,
"details": null,
"time": 1754287030870,
"duration": 0,
"timestamp": "2025-08-04T05:57:10.870Z"
}
Update Active Key
Now that re-encryption is complete, update the secrets json file and the Kubernetes secret with the correct active key, so that Nexus uses the correct key when it restarts.
1. Update the nx-secrets.json file with the correct active key
$ sed -i.bak 's/"active": "null"/"active": "master"/g' nx-secrets.json
$ cat nx-secrets.json
{
    "active": "master",
    "keys": [
        {
            "id": "initial",
            "key": null
        },
        {
            "id": "master",
            "key": "sajdlkasJuI7sdaasz0kYu"
        }
    ]
}
2. Update the Kubernetes secret using the modified json file
2.1 Save the current k8s secret content to a file
$ kubectl get secrets -n nexusrepo nexus-secret.json -o yaml > secret.json
2.2 Obtain the base64 encoding of the modified nx-secrets.json file
$ base64 -w0 -i ../nx-secrets.json
ewogICAgImFjdGl2ZSI6ICJtYXN0ZXIiLAogICAgImtleXMiOiBbCiAgICAgICAgewogICAgICAgICAgICAiaWQiOiAiaW5pdGlhbCIsCiAgICAgICAgICAgICJrZXkiOiBudWxsCiAgICAgICAgfSwKICAgICAgICB7CiAgICAgICAgICAgICJpZCI6ICJtYXN0ZXIiLAogICAgICAgICAgICAia2V5IjogInNhamRsa2FzSnVJN3NkYWFzejBrWXUiCiAgICAgICAgfQogICAgXQp9Cg==
2.3 Edit secret.json and replace the nexus-secret.json value with the new base64 string, then apply it
$ vi secret.json
$ grep secre secret.json
  nexus-secret.json: ewogICAgImFjdGl2ZSI6ICJtYXN0ZXIiLAogICAgImtleXMiOiBbCiAgICAgICAgewogICAgICAgICAgICAiaWQiOiAiaW5pdGlhbCIsCiAgICAgICAgICAgICJrZXkiOiBudWxsCiAgICAgICAgfSwKICAgICAgICB7CiAgICAgICAgICAgICJpZCI6ICJtYXN0ZXIiLAogICAgICAgICAgICAia2V5IjogInNhamRsa2FzSnVJN3NkYWFzejBrWXUiCiAgICAgICAgfQogICAgXQp9Cg==
$ kubectl apply -f secret.json -n nexusrepo
secret/nexus-secret.json configured
2.4 OPTIONAL: Verify by restarting the Pods
$ kubectl scale --replicas=0 sts/nxha1-nxrm-ha -n nexusrepo
$ kubectl scale --replicas=2 sts/nxha1-nxrm-ha -n nexusrepo