Basic encryption
This type of encoding is suitable for users who don’t want to store passwords in plaintext, but don't have to meet specific requirements to encode them.
Encode the sensitive data
For this method, we'll use Base64 encoding, which is a way to achieve simple obfuscation of sensitive data.
Step 1. Encode the sensitive data
When you encode the database password, you can supply some optional arguments, as shown in the table below.
Argument | Description |
|---|---|
| Canonical class name of the cipher. Leave empty to use the default: |
| Output the help message, which displays these optional arguments |
| Use 'encrypt' (default) or 'decrypt' on your provided password. |
| The plaintext password that you want to encrypt. If you omit this parameter, the console will ask you to type the password. |
| Log minimum info. |
To encode the database password, follow the steps below.
Go to
<Bitbucket-installation-directory>/tools/atlassian-password.Run the following command to encode your password. Additionally, you can use optional arguments described above.
java -cp "./*" com.atlassian.secrets.cli.db.DbCipherToolWhen this command is run you should see output similar to this:
2023-10-10 03:58:01,548 main INFO [com.atlassian.secrets.DefaultSecretStoreProvider] Initiating secret store class: com.atlassian.secrets.store.base64.Base64SecretStore 2023-10-10 03:58:01,568 main DEBUG [secrets.store.base64.Base64SecretStore] Initiate Base64Cipher 2023-10-10 03:58:01,583 main DEBUG [secrets.store.base64.Base64SecretStore] Encrypting data... 2023-10-10 03:58:01,585 main DEBUG [secrets.store.base64.Base64SecretStore] Encryption done. Success! For Jira, set the following properties in dbconfig.xml: <atlassian-password-cipher-provider>com.atlassian.secrets.store.base64.Base64SecretStore</atlassian-password-cipher-provider> <password>c2VjcmV0</password> For Bitbucket, set the following properties in bitbucket.properties: jdbc.password.decrypter.classname=com.atlassian.secrets.store.base64.Base64SecretStore jdbc.password=c2VjcmV0 For Bamboo, set the following properties in bamboo.cfg.xml: <property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.base64.Base64SecretStore</property> <property name="hibernate.connection.password">c2VjcmV0</property> For Confluence, set the following properties in confluence.cfg.xml: <property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.base64.Base64SecretStore</property> <property name="hibernate.connection.password">c2VjcmV0</property>
Step 2. Add the encoded data to bitbucket.properties
Back up the
<home-directory>/shared/bitbucket.propertiesfile. Move the backup to a safe place outside of your instance.In the
bitbucket.propertiesfile, add or modify theencrypted-property.cipher.classnameproperty to contain:com.atlassian.secrets.store.base64.Base64SecretStoreIn the
bitbucket.propertiesfile, add or modify thejdbc.passwordproperty to contain the Base64 encoded value prefixed with{ENC}:{ENC}c2VjcmV0Once updated, check that
bitbucket.propertiescontains:encrypted-property.cipher.classname=com.atlassian.secrets.store.base64.Base64SecretStore jdbc.password={ENC}c2VjcmV0Restart Bitbucket.
Decode the sensitive data
To decode the sensitive data:
Extend the command with the
-m decryptparameter:java -cp "./*" com.atlassian.secrets.cli.db.DbCipherTool -m decryptWhen asked for a password, provide the encoded one from your
bitbucket.propertiesfile.2023-10-10 04:57:22,330 main INFO [com.atlassian.secrets.DefaultSecretStoreProvider] Initiating secret store class: com.atlassian.secrets.store.base64.Base64SecretStore 2023-10-10 04:57:22,345 main DEBUG [secrets.store.base64.Base64SecretStore] Initiate Base64Cipher 2023-10-10 04:57:22,360 main DEBUG [secrets.store.base64.Base64SecretStore] Decrypting data... 2023-10-10 04:57:22,364 main DEBUG [secrets.store.base64.Base64SecretStore] Decryption done. Success! Decrypted password using cipher provider: com.atlassian.secrets.store.base64.Base64SecretStore decrypted password: secret