Newer Nexus versions (nexus-oss-3.73 and above) display: Nexus was not configured with an encryption key and is using the Default key

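This warning appears because Nexus is encrypting data with its default key file. In a production environment this may carry a risk of data leakage, so you need to switch to your own key file for encryption.

The steps are as follows: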

You can follow the steps below for configuring an encryption key for Nexus using two different methods: using an environment variable or using a property in the nexus.properties file. Each method includes updating the configuration through the Nexus web interface.

Method 1: Using the NEXUS_SECRETS_KEY_FILE Environment Variable

Step 1: Create the JSON Configuration File

  1. Create the secrets JSON file:
    Create a file, e.g., /path/to/nexus.secrets.json, with the following content:

    {
      "active": "your-key-id",
      "keys": [
        {
          "id": "your-key-id",
          "key": "your-encryption-key"
        }
      ]
    }

    • Replace “your-key-id” with your desired key ID.

    • Replace “your-encryption-key” with your generated encryption key (e.g., a 32-byte Base64 encoded string).

    • The JSON file specifies the following information:

      • active - Identifies the key currently used for encryption; the value of this field must match the id value of one of the keys defined in the keys array

      • keys - An array containing key objects

        • id - A unique identifier for the key; the value of this field should match the value of the active field if this key is currently in use

        • key - The actual secret key value; this can be any random string value

      Nexus Repository reads this file during startup, and the active key is used for all new encrypted passwords. You will need to keep this file permanently in order for Nexus Repository to be able to decrypt persisted secrets.


  2. Secure the file:
    Set appropriate file permissions to prevent unauthorized access:

    chmod 600 /path/to/nexus.secrets.json

Step 2: Configure Nexus Service File

  1. Edit the Nexus systemd service file (typically located at /etc/systemd/system/nexus.service). Add the following line in the [Service] section:

    [Service]
    Environment="NEXUS_SECRETS_KEY_FILE=/path/to/nexus.secrets.json"

    Replace /path/to/nexus.secrets.json with the actual path to your secrets JSON file.

  2. Reload systemd and restart Nexus:

    sudo systemctl daemon-reload
    sudo systemctl restart nexus

Step 3: Verify the Configuration

  1. Check Nexus startup logs for any errors or warnings related to the encryption key configuration:

    sudo journalctl -u nexus
  2. Log in to the Nexus UI and verify that the previous warnings about using the default encryption key are no longer present.

Step 4: Update Encryption Settings via Web Interface

  1. Log in to the Nexus web interface using the admin account.

  2. Navigate to:
    System > API > Security Management: Secrets Encryption

  3. Update the configuration with the following JSON:

    {
      "secretKeyId": "your-key-id",
      "notifyEmail": "your-email@example.com"
    }

    • Replace “your-key-id” with the ID of the key you want to activate (the same ID specified in the JSON file).

    • Replace “your-email@example.com” with the email address to receive notifications.

  4. Execute the update to apply the new encryption settings.

Method 2: Using the nexus.secrets.file Property in nexus.properties

Step 1: Create the JSON Configuration File

  1. Create the secrets JSON file:

    As in Method 1, create a file, e.g., /path/to/nexus.secrets.json, with the following content:

    {
      "active": "your-key-id",
      "keys": [
        {
          "id": "your-key-id",
          "key": "your-encryption-key"
        }
      ]
    }

    • Replace “your-key-id” with your desired key ID.

    • Replace “your-encryption-key” with your generated encryption key (e.g., a 32-byte Base64 encoded string).

  2. Secure the file:
    Set appropriate file permissions to prevent unauthorized access:

    chmod 600 /path/to/nexus.secrets.json

Step 2: Edit nexus.properties

  1. Locate the nexus.properties file, typically found in the custom directory at /your-data-path/sonatype-work/nexus3/etc/nexus.properties.

  2. Add the following line to specify the secrets file location:

    nexus.secrets.file=/path/to/nexus.secrets.json

    Replace /path/to/nexus.secrets.json with the path to your secrets JSON file.

Step 3: Restart Nexus

After modifying nexus.properties, restart Nexus to apply the changes:

    sudo systemctl restart nexus

Step 4: Verify the Configuration

  1. Check Nexus startup logs for any errors or warnings related to the encryption key configuration:

    sudo journalctl -u nexus
  2. Log in to the Nexus UI and verify that the previous warnings about using the default encryption key are no longer present.

Step 5: Update Encryption Settings via Web Interface

  1. Log in to the Nexus web interface using the admin account.

  2. Navigate to:
    System > API > Security Management: Secrets Encryption

  3. Update the configuration with the following JSON:

    {
      "secretKeyId": "your-key-id",
      "notifyEmail": "your-email@example.com"
    }

    • Replace “your-key-id” with the ID of the key you want to activate (the same ID specified in the JSON file).

    • Replace “your-email@example.com” with the email address to receive notifications.

  4. Execute the update to apply the new encryption settings.

By following either of these methods, you can configure a custom encryption key for Nexus, apply it either through an environment variable or a properties file, and ensure that the configuration is updated through the Nexus web interface.
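
As an added example (not part of the original post or of Nexus itself), the Python script below covers Step 1 of both methods: it generates a 32-byte Base64 key, creates the secrets file with mode 0600, and checks the file against the rules described above before Nexus is restarted. The key ID nexus-key-2024 and the temporary path are constructed values.

```python
import base64, json, os, secrets, stat, tempfile

PLACEHOLDERS = {"your-key-id", "your-encryption-key", "some-secret-key"}  # template values

def write_secrets_file(path, key_id):
    """Create the secrets JSON with a random key; the file is created with mode 0600."""
    key = base64.b64encode(secrets.token_bytes(32)).decode()  # 32 random bytes, Base64
    doc = {"active": key_id, "keys": [{"id": key_id, "key": key}]}
    # O_EXCL refuses to overwrite: replacing a key file Nexus already uses
    # would leave previously encrypted secrets undecryptable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(doc, f, indent=2)
    return doc

def check_secrets_file(path):
    """Return a list of problems; an empty list means the file passes every check."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:o} lets group/other access the key; use chmod 600")
    try:
        with open(path) as f:
            doc = json.load(f)
    except json.JSONDecodeError as e:
        return problems + [f"not valid JSON: {e}"]
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or not keys:
        return problems + ["'keys' must be a non-empty array"]
    ids = [k.get("id") for k in keys if isinstance(k, dict)]
    if len(ids) != len(keys) or any(not isinstance(i, str) for i in ids):
        return problems + ["every entry in 'keys' needs a string 'id'"]
    if len(set(ids)) != len(ids):
        problems.append("key ids are not unique")
    if doc.get("active") not in ids:
        problems.append("'active' does not match the id of any key in 'keys'")
    for k in keys:
        if not isinstance(k.get("key"), str) or not k["key"]:
            problems.append(f"key {k['id']!r} has no secret value")
        elif {k["id"], k["key"]} & PLACEHOLDERS:
            problems.append(f"key {k['id']!r} still contains a template placeholder")
    return problems

if __name__ == "__main__":
    demo = os.path.join(tempfile.mkdtemp(), "nexus.secrets.json")  # constructed path
    write_secrets_file(demo, "nexus-key-2024")                      # constructed key id
    print(check_secrets_file(demo) or "OK")
```

Running the check against the real file before `systemctl restart nexus` catches a mismatched `active` ID or loose permissions before Nexus reads the file at startup.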

  • Posted on 2024-10-30 12:21
shitian