Basic encryption

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

This type of encoding is suitable for users who don’t want to store passwords in plaintext, but don't have to meet specific requirements to encode them.

Encode the sensitive data

For this method, we'll use Base64 encoding, which is a way to achieve simple obfuscation of sensitive data.

Step 1. Encode the sensitive data

When you encode the database password, you can supply some optional arguments, as shown in the table below.



-c,--class <arg>

Canonical class name of the cipher. Leave empty to use the default:


Output the help message, which displays these optional arguments

-m,--mode <arg>

Use 'encrypt' (default) or 'decrypt' on your provided password.

-p,--password <arg>

The plaintext password that you want to encrypt. If you omit this parameter, the console will ask you to type the password.


Log minimum info.

To encode the database password, follow the steps below.

  1. Go to <Bitbucket-installation-directory>/tools/atlassian-password.

  2. Run the following command to encode your password. Additionally, you can use optional arguments described above. 

    java -cp "./*" com.atlassian.secrets.cli.db.DbCipherTool

    When this command is run you should see output similar to this:

    2023-10-10 03:58:01,548 main INFO [com.atlassian.secrets.DefaultSecretStoreProvider] Initiating secret store class:
    2023-10-10 03:58:01,568 main DEBUG [] Initiate Base64Cipher
    2023-10-10 03:58:01,583 main DEBUG [] Encrypting data...
    2023-10-10 03:58:01,585 main DEBUG [] Encryption done.
    For Jira, set the following properties in dbconfig.xml:
    For Bitbucket, set the following properties in
    For Bamboo, set the following properties in bamboo.cfg.xml:
    <property name="jdbc.password.decrypter.classname"></property>
    <property name="hibernate.connection.password">c2VjcmV0</property>
    For Confluence, set the following properties in confluence.cfg.xml:
    <property name="jdbc.password.decrypter.classname"></property>
    <property name="hibernate.connection.password">c2VjcmV0</property>

Step 2. Add the encoded data to

  1. Back up the <home-directory>/shared/ file. Move the backup to a safe place outside of your instance.

  2. In the file, add or modify the encrypted-property.cipher.classname property to contain:
  3. In the file, add or modify the jdbc.password property to contain the Base64 encoded value prefixed with {ENC}:

  4. Once updated, check that contains:
  5. Restart Bitbucket.

Decode the sensitive data

To decode the sensitive data:

  1. Extend the command with the -m decrypt parameter:

    java -cp "./*" com.atlassian.secrets.cli.db.DbCipherTool -m decrypt
  2. When asked for a password, provide the encoded one from your file.

    2023-10-10 04:57:22,330 main INFO [com.atlassian.secrets.DefaultSecretStoreProvider] Initiating secret store class:
    2023-10-10 04:57:22,345 main DEBUG [] Initiate Base64Cipher
    2023-10-10 04:57:22,360 main DEBUG [] Decrypting data...
    2023-10-10 04:57:22,364 main DEBUG [] Decryption done.
    Success! Decrypted password using cipher provider: decrypted password: secret


Bitbucket fails to start after enabling database password encryption...

This means that Bitbucket couldn't connect to the database to access your configuration, most likely because of an error with decrypting your password.

To solve this problem, open <Bitbucket_home_directory>/log/atlassian-bitbucket.log, and check for DataSourcePasswordDecryptionException. For example:

com.atlassian.stash.internal.jdbc.DataSourcePasswordDecryptionException: java.lang.IllegalArgumentException: Illegal base64 character 25

The exception contains details about the error. If the error is java.lang.IllegalArgumentException, you will need to encrypt the password again.

'A fatal error has occurred' message displayed after restarting Bitbucket...

To investigate this problem, have a look at both the <Bitbucket_home_directory>/log/launcher.log and <Bitbucket_home_directory>/log/atlassian-bitbucket.log files, and check for JdbcSQLExceptions. The messages should be pretty clear as to what went wrong.

You’ll probably see the following messages:

 Wrong user name or password [28000-176]

This means that Bitbucket decrypted the password successfully, but the password itself is incorrect. You can verify that by completing these steps:

  1. Open the file, and copy the encrypted password.

  2. Decrypt the password.

  3. Check if the decrypted password is the same as the one in your backup file.

Disable database password encryption and revert changes...

To disable database password encryption, remove the jdbc.password.decrypter.classname property from the file, and change the value of jdbc.password to the unencrypted in your backup.

Last modified on Nov 10, 2023

Was this helpful?

Provide feedback about this article
Powered by Confluence and Scroll Viewport.