Advanced encryption

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

This method provides more security as you don't have to store the encrypted password anywhere in the configuration file, which makes it difficult for unauthorised parties to find and decrypt it.

Encrypt the password

In this method, you’ll use AlgorithmCipher that allows you to choose the algorithm used to encrypt the sensitive information in the file.

Before you begin: Prepare the JSON object

You’ll need to provide all arguments required to encrypt the sensitive data in a JSON object. Prepare beforehand by using the information and examples below.

plainTextPasswordPassword in plaintext.

You can choose one of the following algorithms:

  • AES/CBC/PKCS5Padding
  • DES/CBC/PKCS5Padding
  • DESede/CBC/PKCS5Padding

The algorithm key must correspond with the algorithm chosen above:

  • AES
  • DES
  • DESede

Using this information, prepare the appropriate JSON for the sensitive data to be encrypted, for example:


Keep this JSON available to use when you follow the steps below.

Step 1. Encrypt the sensitive data

When you encrypt the database password, you can supply some optional arguments, as shown in the table below.



-c,--class <arg>

Canonical class name of the encoder provider. Leave empty to use the default:


Output the help message, which displays these optional arguments

-m,--mode <arg>

Use 'encrypt' to encode (default) or 'decrypt' to decode your provided password.

-p,--password <arg>

The plaintext password that you want to encrypt. If you omit this parameter, the console will ask you to type the password.


Log minimum info.

To encrypt the database password, follow the steps below.

  1. Go to <Bitbucket-installation-directory>/tools/atlassian-password.

  2. Run the following command to encrypt your database password. You can also use the optional parameters described above.

    java -cp "./*" com.atlassian.secrets.cli.db.DbCipherTool -c

    When prompted for a password enter the prepared JSON object based on the information from Before you begin.
    Note: the JSON object must be entered as a single line.
    When this command runs successfully, you will see output similar to the output below:

    2023-10-13 00:30:49,016 main INFO [com.atlassian.secrets.DefaultSecretStoreProvider] Initiating secret store class:
    2023-10-13 00:30:50,811 main DEBUG [] Initiate AlgorithmCipher
    2023-10-13 00:30:50,891 main DEBUG [] Encrypting data...
    2023-10-13 00:30:50,950 main DEBUG [store.algorithm.serialization.EnvironmentVarBasedConfiguration] Will try to read file path from environment variable under: com_atlassian_db_config_password_ciphers_algorithm_java_security_AlgorithmParameters
    2023-10-13 00:30:50,951 main DEBUG [store.algorithm.serialization.EnvironmentVarBasedConfiguration] Nothing found under environment variable.
    2023-10-13 00:30:51,093 main DEBUG [store.algorithm.serialization.UniqueFilePathGenerator] Will use generated name:
    2023-10-13 00:30:51,108 main DEBUG [] Name of generated file with algorithm params used for encryption:
    2023-10-13 00:30:51,111 main DEBUG [store.algorithm.serialization.EnvironmentVarBasedConfiguration] Will try to read file path from environment variable under: com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_spec_SecretKeySpec
    2023-10-13 00:30:51,111 main DEBUG [store.algorithm.serialization.EnvironmentVarBasedConfiguration] Nothing found under environment variable.
    2023-10-13 00:30:51,220 main DEBUG [store.algorithm.serialization.UniqueFilePathGenerator] Will use generated name: javax.crypto.spec.SecretKeySpec_1234567890
    2023-10-13 00:30:51,245 main DEBUG [store.algorithm.serialization.SerializationFile] Saved file: javax.crypto.spec.SecretKeySpec_1234567890
    2023-10-13 00:30:51,353 main DEBUG [store.algorithm.serialization.UniqueFilePathGenerator] Will use generated name: javax.crypto.SealedObject_1234567890
    2023-10-13 00:30:51,357 main DEBUG [store.algorithm.serialization.SerializationFile] Saved file: javax.crypto.SealedObject_1234567890
    2023-10-13 00:30:51,369 main DEBUG [] Encryption done.
    For Jira, set the following properties in dbconfig.xml:
    For Bitbucket, set the following properties in
    For Bamboo, set the following properties in bamboo.cfg.xml:
    <property name="jdbc.password.decrypter.classname"></property>
    <property name="hibernate.connection.password">{"sealedObjectFilePath":"javax.crypto.SealedObject_1234567890","keyFilePath":"javax.crypto.spec.SecretKeySpec_1234567890"}</property>
    For Confluence, set the following properties in confluence.cfg.xml:
    <property name="jdbc.password.decrypter.classname"></property>
    <property name="hibernate.connection.password">{"sealedObjectFilePath":"javax.crypto.SealedObject_1234567890","keyFilePath":"javax.crypto.spec.SecretKeySpec_1234567890"}</property>

When encrypting your data, the encryption tool generates three files and prints the output JSON object that you'll later add to the file. The next step discusses how to secure those files. 

Step 2. Secure the generated files

Encrypting a password results in three generated files:

  • javax.crypto.SealedObject_[timestamp]
    The file with the encrypted password.

  • javax.crypto.spec.SecretKeySpec_[timestamp] 
    The key used to encrypt your password. You will need this file to decrypt your password.

    The algorithm parameters used to encrypt your password. You will need this file only if you want to recreate an encrypted password

If you're running Bitbucket in a cluster, the files should be available to all nodes via the same path. Bitbucket needs to be able to access and read those files to decrypt your password and connect to the database.

  1. Move the files generated by the tool to a secure place.
  2. Change them to read-only and accessible only to the user running Bitbucket.

Step 3. Add the encrypted data to

To add the encrypted data:

  1. Back up the <home-directory>/shared/ file. Move the backup to a safe place outside of your instance.

  2. In the file, add or modify the encrypted-property.cipher.classname property to contain:
  3. In the file, add or modify the jdbc.password property to contain the fully qualified path to the two files prefixed with {ENC}:

  4. Once updated, check that the contains:
  5. Restart Bitbucket.

Decrypt the sensitive data

To decrypt the sensitive data:

  1. Extend the command used earlier with the -m decrypt parameter:

    java -cp "./*" com.atlass ian.secrets.cli.db.DbCipherTool -c -m decrypt
  2. When asked for a password, provide the JSON object from your file without the {ENC} prefix. 


On running the command, the secret will be decrypted and printed:

2023-10-13 05:01:14,203 main INFO [com.atlassian.secrets.DefaultSecretStoreProvider] Initiating secret store class:
2023-10-13 05:01:15,991 main DEBUG [] Initiate AlgorithmCipher
2023-10-13 05:01:16,068 main DEBUG [] Decrypting data...
2023-10-13 05:01:16,250 main DEBUG [] Decryption done.
Success! Decrypted password using cipher provider: decrypted password: secret

Recreate encrypted data

If you lose an encrypted password and try to encrypt the plaintext password once again, the new encrypted password will look different. This is not an issue, as it will still represent the same plaintext password. However, in some cases, you might want to keep it consistent, for example by having the same encrypted password when a Bitbucket instance is migrated to another server.

To encrypt the password in the exact same way as you did before, you will need the key used to encrypt the original password and the algorithm parameters. Both of these were generated by the encryption tool and saved in the following files:

  • Key: javax.crypto.spec.SecretKeySpec_[timestamp]
  • Algorithm parameters:[timestamp]

Once you've located these files, you can point the encryption tool to their location by using two extra fields in the JSON object. 


Path to a file that contains the key used to encrypt your original password, e.g. javax.crypto.spec.SecretKeySpec_[timestamp].

If you stored the file path as environment variable, you can omit this parameter.


Path to a file that contains the algorithm parameters used to encrypt your original password, e.g.[timestamp].


To encrypt the password, follow the steps in the first step, Encrypt the password, and use the JSON object with the key and algorithm parameters.


Bitbucket fails to start after enabling database password encryption...

This means that Bitbucket couldn't connect to the database to access your configuration, most probably because of an error with decrypting your password.

To solve this problem, examine the log files:

  • <Bitbucket_home_directory>/log/atlassian-bitbucket.log

  • <Bitbucket_home_directory>/log/atlassian-launcher.log

and look for the cause preventing startup, namely DataSourcePasswordDecryptionException.

For example:

com.atlassian.stash.internal.jdbc.DatasourcePasswordDecryptionException: java.lang.IllegalArgumentException: <>

This exception contains details about the error. If the error is java.lang.IllegalArgumentException, you will need to encrypt the password again. 

  • If the error is related to missing files, there might be a problem with your environment variables. They could have been deleted, or have not been set correctly. To verify that, try adding file paths to the JSON object in the file.

  • If you’re seeing some Bouncy Castle errors, you will need to encrypt the password again.

'A fatal error has occurred' message displayed after restarting Bitbucket...

To investigate this problem, open <Bitbucket_home_directory>/log/atlassian-bitbucket.log, and check for JdbcSQLExceptions. The messages should be pretty clear as to what went wrong.

You’ll likely see the following message:

 Wrong user name or password [28000-176]

This means that Bitbucket decrypted the password successfully, but the password itself is incorrect. You can verify that by completing these steps:

  1. Open the file, and copy the encrypted password.

  2. Decrypt the password.

  3. Check if the decrypted password is the same as the one in your backup file.

Disable database password encryption and revert changes...

To disable database password encryption, remove the encrypted-property.cipher.classname property from the file, and change the encrypted password to the plaintext one.

Last modified on Nov 16, 2023

Was this helpful?

Provide feedback about this article
Powered by Confluence and Scroll Viewport.