Custom encryption

Secure Bitbucket configuration properties

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

In addition to the basic and advanced encryption methods that you can use in Bitbucket Data Center and Server, you can also choose to create your own Cipher. This might be especially useful if:

  • you're required to use a specific vault to store the password

  • you want to use encryption algorithms beyond those we ship with Bitbucket

Step 1. Create a Maven project and get API dependencies 

  1. Get password-cipher-api and password-cipher-base dependencies.

    1. Go to <Bitbucket_installation_directory>/atlassian-bitbucket/WEB-INF/lib.

    2. Copy the following jar files:

    • password-cipher-api-<version>.jar: this file contains the API

    • (optional) password-cipher-base-<version>.jar: this file contains some sample implementations 

  2. Create a Maven project.

  3. Go to resources and create a new folder, named libs.

  4. Copy the jar files to the libs folder.

  5. Next, use the following pom

    <?xml version="1.0" encoding="UTF-8"?>
    <project xmlns="http://maven.apache.org/POM/4.0.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
     
      <groupId><your_group_ID></groupId>
      <artifactId><your_artifact_ID></artifactId>
      <version><your_version></version>
     
      <properties>
        <maven.compiler.source>1.8</maven.compiler.source>
        <maven.compiler.target>1.8</maven.compiler.target>
      </properties>
     
      <repositories>
        <repository>
          <id>local-maven-repo</id>
          <url>file:///${project.basedir}/libs</url>
        </repository>
      </repositories>
    
      <build>
        <resources>
          <resource>
            <directory>src/main/resources/libs</directory>
            <excludes>
              <exclude>*</exclude>
            </excludes>
            <filtering>false</filtering>
          </resource>
        </resources>
      </build>
     
      <dependencies>
        <dependency>
          <groupId>com.atlassian.db.config</groupId>
          <artifactId>password-cipher-api</artifactId>
          <version><api_version></version>
          <scope>provided</scope>
        </dependency>
        <dependency>
          <groupId>com.atlassian.db.config</groupId>
          <artifactId>password-cipher-base</artifactId>
          <version><base_version></version>
          <scope>provided</scope>
        </dependency>
      </dependencies>
    </project>


Step 2. Implement the Cipher interface

The Cipher interface contains two methods that you need to implement according to your requirements; encrypt and decrypt. decrypt is called during Bitbucket startup, which means that long-running tasks can affect the startup time. encrypt is not called by Bitbucket, as it's only used in the encryption tool.

You can use Base64Cipher and AlgorithmCipher as examples. 

Step 3. Test your implementation

The encryption tool described in Basic encryption and Advanced encryption, uses the same code as Bitbucket to decrypt the password. You can use it to test your implementation.

Assuming that the CLI and your jar is in the same folder:

java -cp "./*" com.atlassian.db.config.password.tools.CipherTool -c your.package.here.ClassName

Step 4. Make your library available

Bitbucket must be able to access your library. Your class will be instantiated using reflection. Put the library in the following directory:

<Bitbucket_home_directory>/lib
Last modified on May 31, 2023

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.