- Improvement
- Resolution: Unresolved
- Minor
- None
Related to JENKINS-58743, the confidential store could potentially be hardened by requiring a password to unlock it such as via PBEWithHmacSHA256AndAES_256 or potentially PBKDF2WithHmacSHA256 (not sure on the latter). Use of some form of authenticated encryption is preferred over plain encryption, and in this case, we can use EtM as mentioned in the OWASP guide.
In order for the password to be entered initially to unlock Jenkins, based on some exploratory testing, I've found that there is very little Jenkins functionality that can be relied upon at this point in the initialization process, so I have two initial suggested implementation ideas:
- Create a separate servlet and filter to prevent Jenkins from loading until the initial unlock password is submitted. This form could also potentially be used for implementing JENKINS-58743.
- Use System.console() to read a password. This is fairly low tech and doesn't require much more than a lock to initialize on demand. I'm still working on a PoC for this and will link in the comments.
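
The password-unlocked, encrypt-then-MAC idea described above, as an added example that is not code from Jenkins or from the reporter's PoC: a key is stretched from the password with PBKDF2WithHmacSHA256, split into separate encryption and MAC keys, and the HMAC tag is verified before anything is decrypted. The class name `PasswordSealedStore`, the iteration count, the choice of AES-CBC, the HMAC-based key split and the blob layout `salt(16) || iv(16) || ciphertext || tag(32)` are all assumptions made for this illustration.

```java
import java.nio.ByteBuffer;
import java.security.*;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

public class PasswordSealedStore {
    static final int ITERATIONS = 600_000; // assumed work factor; tune for the deployment
    static byte[] hmac(byte[] key, byte[] data, int len) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        mac.update(data, 0, len);
        return mac.doFinal();
    }
    // PBKDF2 stretches the password into one master key; k[0] encrypts, k[1] authenticates.
    static byte[][] deriveKeys(char[] password, byte[] salt) throws GeneralSecurityException {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] master = f.generateSecret(new PBEKeySpec(password, salt, ITERATIONS, 256)).getEncoded();
        return new byte[][] { hmac(master, new byte[] {1}, 1), hmac(master, new byte[] {2}, 1) };
    }
    static byte[] seal(char[] password, byte[] plaintext) throws GeneralSecurityException {
        byte[] head = new byte[32]; // fresh random salt(16) || iv(16) for every write
        new SecureRandom().nextBytes(head);
        byte[][] k = deriveKeys(password, Arrays.copyOf(head, 16));
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(k[0], "AES"), new IvParameterSpec(head, 16, 16));
        byte[] ct = c.doFinal(plaintext);
        ByteBuffer out = ByteBuffer.allocate(32 + ct.length + 32).put(head).put(ct);
        return out.put(hmac(k[1], out.array(), 32 + ct.length)).array(); // tag covers salt, IV, ciphertext
    }
    static byte[] open(char[] password, byte[] blob) throws GeneralSecurityException {
        int bodyLen = blob.length - 32;
        if (bodyLen < 48) throw new GeneralSecurityException("truncated store");
        byte[][] k = deriveKeys(password, Arrays.copyOf(blob, 16));
        byte[] stored = Arrays.copyOfRange(blob, bodyLen, blob.length);
        // Encrypt-then-MAC: compare the tag in constant time before any decryption happens.
        if (!MessageDigest.isEqual(hmac(k[1], blob, bodyLen), stored))
            throw new GeneralSecurityException("wrong password or modified store");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(k[0], "AES"), new IvParameterSpec(blob, 16, 16));
        return c.doFinal(blob, 32, bodyLen - 32);
    }
    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-passphrase".toCharArray(); // constructed sample input
        byte[] blob = seal(pw, new byte[] {1, 2, 3, 4});    // constructed stand-in for store content
        System.out.println(Arrays.toString(open(pw, blob)));
        blob[40] ^= 1; // flip one ciphertext bit; open() must now refuse
        try { open(pw, blob); } catch (GeneralSecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

A wrong password and a modified file produce the same error, so a failed unlock does not reveal which of the two occurred.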
- relates to
  - JENKINS-58743 Remove need to store master key in filesystem (Closed)
  - JENKINS-61421 Use the Java KeyStore API instead of home grown solution (Open)