Encrypting database password with custom Cipher

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

If you have extra requirements for storing the password, you can create your own Cipher based on our implementation and examples.

This solution is an obfuscation, which doesn’t assure real security. Bamboo still needs to use the plain text password to connect to your database, so the configuration will contain all the information needed to decrypt the password. An attacker could act like Bamboo to obtain the password. We recommend that you secure the server where Bamboo and the database reside.


To encrypt your database password:

Step 1: Create a Maven project and get API dependencies:

  1. Get 'api' and 'base' dependencies:
    1. Go to <bamboo_installation_directory>/atlassian-bamboo/WEB-INF/lib.
    2. Copy the following jar files:
      • password-cipher-api-<version>.jar: This file contains the API.
      • (optional) password-cipher-base-<version>.jar: This file contains sample implementation. 

  2. Create a Maven project.

  3. Go to resources, and create a new folder libs.
  4. Copy the jar files to the libs folder.
  5. Use the following pom:

    <?xml version="1.0" encoding="UTF-8"?>
    <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0http://maven.apache.org/xsd/maven-4.0.0.xsd">
       <modelVersion>4.0.0</modelVersion>
       <groupId><your_group_ID></groupId>
       <artifactId><your_artifact_ID></artifactId>
       <version><your_version></version>
       <properties>
          <maven.compiler.source>1.8</maven.compiler.source>
          <maven.compiler.target>1.8</maven.compiler.target>
       </properties>
       <repositories>
          <repository>
             <id>local-maven-repo</id>
             <url>file:///${project.basedir}/libs</url>
          </repository>
       </repositories>
       <build>
          <resources>
             <resource>
                <directory>src/main/resources/libs</directory>
                <excludes>
                   <exclude>*</exclude>
                </excludes>
                <filtering>false</filtering>
             </resource>
          </resources>
       </build>
       <dependencies>
          <dependency>
             <groupId>com.atlassian.db.config</groupId>
             <artifactId>password-cipher-api</artifactId>
             <version><api_version></version>
             <scope>provided</scope>
          </dependency>
          <dependency>
             <groupId>com.atlassian.db.config</groupId>
             <artifactId>password-cipher-base</artifactId>
             <version><base_version></version>
             <scope>provided</scope>
          </dependency>
       </dependencies>
    </project>

Step 2: Implement the Cipher interface

The Cipher interface contains only two methods — encrypt and decrypt. Decrypt will be called during Bamboo startup, which means that long running tasks can affect the startup time. Encrypt will not be called by Bamboo, as it's only used in the encryption tool.

You can use Base64Cipher and AlgorithmCipher as examples

Step 3: Test your implementation

The encryption tool, described in Basic encryption and Advanced encryption, uses the same code as Bamboo to decrypt the password. You can use it to test your implementation.


Assuming that CLI and your jar is in the same folder:

java -cp "./*" com.atlassian.db.config.password.tools.CipherTool -c your.package.here.ClassName

Step 4: Make your lib available to Bamboo

Bamboo must be able to access your lib. Your class will be initiated using reflection. Put the lib in the following directory:

<Bamboo_installation_directory>/atlassian-bamboo/WEB-INF/lib

After upgrading Bamboo, you'll need to copy your lib to the Bamboo installation directory again.



Last modified on Aug 10, 2021

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.