Custom encryption

Secure a database password

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

To add extra security to your Confluence site, you can encrypt the database password that is stored in the confluence.cfg.xml file.

If you don't want to use the basic or advanced encryption methods provided by Confluence you can choose to create your own cipher. This may be especially useful if:

  • you're required to use a specific vault to store the password
  • you want to use a different encryption algorithm.

This procedure assumes you are familiar with Java and Maven. 

On this page:

Step 1. Create a Maven project and get API dependencies

To create a maven project and get API dependencies:

  1. Get password-cipher-api and password-cipher-base dependencies.
    1. Go to <install-directory>/confluence/WEB-INF/lib and copy the following jar files:
    2. password-cipher-api-<version>.jar
      This file contains the API
    3. (password-cipher-base-<version>.jar
      (optional) This file contains some sample implementations
  2. Create a Maven project.
  3. Go to resources and create a new folder, named libs.
  4. Copy the jar files to the libs folder.
  5. Next, use the following pom:

    <?xml version="1.0" encoding="UTF-8"?>
    <project xmlns="http://maven.apache.org/POM/4.0.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
     
      <groupId><your_group_ID></groupId>
      <artifactId><your_artifact_ID></artifactId>
      <version><your_version></version>
     
      <properties>
        <maven.compiler.source>1.8</maven.compiler.source>
        <maven.compiler.target>1.8</maven.compiler.target>
      </properties>
     
      <repositories>
        <repository>
          <id>local-maven-repo</id>
          <url>file:///${project.basedir}/libs</url>
        </repository>
      </repositories>
    
      <build>
        <resources>
          <resource>
            <directory>src/main/resources/libs</directory>
            <excludes>
              <exclude>*</exclude>
            </excludes>
            <filtering>false</filtering>
          </resource>
        </resources>
      </build>
     
      <dependencies>
        <dependency>
          <groupId>com.atlassian.db.config</groupId>
          <artifactId>password-cipher-api</artifactId>
          <version><api_version></version>
          <scope>provided</scope>
        </dependency>
        <dependency>
          <groupId>com.atlassian.db.config</groupId>
          <artifactId>password-cipher-base</artifactId>
          <version><base_version></version>
          <scope>provided</scope>
        </dependency>
      </dependencies>
    </project>

Step 2. Implement the Cipher interface

The Cipher interface contains two methods that you need to implement according to your requirements; encrypt and decrypt. decrypt is called during Confluence startup, which means that long-running tasks can affect the startup time. encrypt is not called by Confluence, as it's only used in the encryption tool.

You can use the Base64Cipher and AlgorithmCipher as examples.

Step 3. Test your implementation

The encryption tool described in Base64 encoding and AES encryption uses the same code as Confluence to decrypt the password. You can use it to test your implementation.

Assuming that the CLI and your jar is in the same folder:

java -cp "./*" com.atlassian.db.config.password.tools.CipherTool -c your.package.here.ClassName

Step 4. Make your library available

Confluence must be able to access your library. Your class will be instantiated using reflection.

Put the library in the <install-directory>/confluence/WEB-INF/lib directory. 


Last modified on May 25, 2023

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.