jenkinsci · jtnord · Feb 6, 2026 · Feb 1, 2026 · Feb 1, 2026 · jtnord
@@ -35,7 +35,9 @@
 import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
 import hudson.Util;
+import hudson.remoting.Channel;
 import hudson.util.Secret;
+import java.io.ObjectStreamException;
 import java.io.Serializable;
 import java.security.GeneralSecurityException;
 import java.util.Arrays;
@@ -78,7 +80,8 @@
      */
     private static final Logger LOGGER = Logger.getLogger(SecretBytes.class.getName());
     /**
-     * The encrypted bytes.
+     * The (usually) encrypted bytes.
+     * Will be in plain text during remoting calls.
      */
     @NonNull
     private final byte[] value;
@@ -119,6 +122,14 @@
         }
     }
 
+    /**
+     * Construct a SecretBytes with the specified value (that may or may not be encrypted) that is used raw without any transformation.
+     * @param value explicit value to use for the data.  No encryption or dencryption is performed on this value and it is used as is.
+     */
+    private SecretBytes(@NonNull byte[] value) {
+        this.value = value;
+    }
+
     /**
      * Returns the raw unencrypted data. The caller is responsible for zeroing out the returned {@code byte[]} after
      * use.
@@ -343,6 +354,23 @@
         return s == null ? "" : s.toString();
     }
 
+    protected Object writeReplace() throws ObjectStreamException {
+        if (Channel.current() == null) {
+            return this;
+        }
+        // we need plain text during remoting serialisation as the remote side will not have the confidential key
+        return new SecretBytes(this.getPlainData());
+    }
+
+    protected Object readResolve() throws ObjectStreamException {
+        if (Channel.current() == null) {
+            return this;
+        }
+        // re-encrypt the byte array after serialisation.
+        // The remote side may have its own confidential key (for Jenkins to Jenkins remoting, or will use the mock key for an agent)
+        return SecretBytes.fromRawBytes(value);
+    }
+
     /**
      * Our XStream converter.
      */

@@ -23,13 +23,17 @@
  */
 package com.cloudbees.plugins.credentials;
 
+import hudson.slaves.DumbSlave;
 import java.nio.charset.StandardCharsets;
 import java.util.Random;
 import jenkins.model.Jenkins;
+import jenkins.security.MasterToSlaveCallable;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.lang3.RandomStringUtils;
 import org.junit.jupiter.api.Test;
 import org.jvnet.hudson.test.Issue;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.junit.jupiter.WithJenkins;
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.containsString;
@@ -163,4 +167,29 @@ void largeRawString__chunking__urlSafe() {
     }
 
 
+    @WithJenkins
+    @Test
+    public void serialisationOverRemoting(JenkinsRule r) throws Exception {
+        final byte[] data = new byte[] {0x01,0x02,0x03,0x04,0x05};
+        final SecretBytes localSecretBytes  = SecretBytes.fromRawBytes(data);
+        DumbSlave onlineSlave = r.createOnlineSlave();
+        onlineSlave.getChannel().call(new CheckSecretBytesCallable(localSecretBytes,data));
+    }
+
+    private static class CheckSecretBytesCallable extends MasterToSlaveCallable<Void, AssertionError> {
+
+        private SecretBytes sb;
+        private byte[] expectedUnencryptedValue;
+
+        CheckSecretBytesCallable(SecretBytes sb, byte[] expectedUnencryptedValue) {
+            this.sb = sb;
+            this.expectedUnencryptedValue = expectedUnencryptedValue;
+        }
+
+        @Override
+        public Void call() throws AssertionError {
+            assertThat(sb.getPlainData(), is(expectedUnencryptedValue));
+            return null;
+        }
+    }
 }