While monitoring the rekey.log, I noticed:
- It searches archived artifacts directories ($JENKINS_HOME/jobs/$JOB_NAME/builds/$BUILD_ID/archive)? Aren't they just saved workspaces (which are known to not contain secrets)? In fact, it looks like 'artifacts' is excluded (according to the Wiki), and not 'archive'.
- fingerprints/ is scanned as well and probably doesn't need to be.
- It scans both regular and symlinked (like 12 -> 2013-03-19_22-11-03 on Linux) builds, and probably checks every file within twice?
On this instance, re-keying finished after 40 minutes with rekey.log containing 2425 lines and resulting in 36 re-keyed files. find -L $JENKINS_HOME -name '*.xml' | wc -l found 235320 files. So there's probably some potential for optimization.
If this is a one-time issue, this can probably be ignored, but if re-keying could be required again in the future, this should be fixed.
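
The following is an added example, not part of the original report and not Jenkins code. It splits the `find -L` count quoted above into the three categories the report names: files reached a second time through build symlinks, files under `archive/`, and files under `fingerprints/`. The function names and the sample tree are constructed for illustration, and the script only measures the directory walk, not what the re-keying code itself does.

```shell
#!/bin/sh
# Strip the padding some wc implementations put in front of the number.
count() { wc -l | tr -d ' '; }

# Break down the *.xml files a symlink-following walk of $1 would visit.
rekey_scan_breakdown() {
    home=$1
    # Everything the walk touches when symlinks are followed (as in the report).
    total=$(find -L "$home" -type f -name '*.xml' | count)
    # The same walk without following symlinks such as builds/12 -> <timestamp>.
    nofollow=$(find "$home" -type f -name '*.xml' | count)
    # Archived artifacts of each build, counted once (real directories only).
    archive=$(find "$home" -type f -path '*/builds/*/archive/*' -name '*.xml' | count)
    # Fingerprint records.
    fingerprints=$(find "$home/fingerprints" -type f -name '*.xml' 2>/dev/null | count)
    echo "total=$total via_symlink=$((total - nofollow)) archive=$archive fingerprints=$fingerprints"
}

# Constructed sample layout: one job, one build, one numeric symlink to it.
make_sample_home() {
    d=$(mktemp -d)
    b="$d/jobs/demo/builds/2013-03-19_22-11-03"
    mkdir -p "$b/archive" "$d/fingerprints/ab/cd"
    : > "$d/config.xml"
    : > "$b/build.xml"
    : > "$b/archive/report.xml"
    : > "$d/fingerprints/ab/cd/ef.xml"
    ln -s 2013-03-19_22-11-03 "$d/jobs/demo/builds/12"
    echo "$d"
}

# Demo run on the constructed tree; pass a real $JENKINS_HOME to the function instead.
sample=$(make_sample_home)
rekey_scan_breakdown "$sample"   # total=6 via_symlink=2 archive=1 fingerprints=1
rm -rf "$sample"
```
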