Base64 encoding
We don't recommend Base64 encoding in production for securing secrets because it doesn't provide encryption, and therefore can't guarantee sufficient data protection.
Base64 encoding is one of the three ways to encrypt database passwords in Bitbucket Data Center. See also, AES encryption and Custom encryption.
For this method, we'll use Base64Cipher, which is a way to achieve simple obfuscation of the database password.
Step 1. Encrypt the password
Go to
<Bitbucket-installation-directory>/tools/atlassian-password
.Run the following command to encrypt your password:
java -cp "./*" com.atlassian.secrets.cli.db.DbCipherTool
Step 2. Add the encrypted password to the properties file
Go to the Bitbucket home directory and back up the
bitbucket.properties
file. Move the backup to a safe place outside of your instance.- Based on your Bitbucket version, do one of the following:
For versions on 8.11+, in the
bitbucket.properties
file, replace the property with the encrypted value generated by CLI with{ENC}
prefixed to the value. Also, specify theencrypted-property.cipher.classname
property. For example:encrypted-property.cipher.classname=com.atlassian.secrets.store.base64.Base64SecretStore jdbc.password={ENC}put-the-obfuscated-password-generated-by-the-cli-tool-here
For versions below 8.11, in the
bitbucket.properties
file, replace thejdbc.password
property with the password generated by CLI. Also, specify thejdbc.password.decrypter.classname
property. For example:jdbc.password.decrypter.classname=com.atlassian.secrets.store.base64.Base64SecretStore jdbc.password=put-the-obfuscated-password-generated-by-the-cli-tool-here
Restart Bitbucket.
Decrypting the password
To decrypt the password, extend the command with the -m decrypt parameter:
java -cp "./*" com.atlassian.secrets.cli.db.DbCipherTool -m decrypt
When asked for a password, provide the encrypted one from your bitbucket.properties
file.