Encrypting passwords in server.xml

To add extra security to your Confluence instance, you can encrypt passwords that you use to configure connectors in Tomcat’s server.xml file.

Before you begin

This solution requires you to use a protocol that supports the productEncryptionKey property. Encrypted passwords do not guarantee complete security, because Tomcat's server.xml file will contain all the information needed to decrypt the password. There are additional security measures you can take to mitigate the worst-case scenario, in which an attacker impersonates Confluence to gain access to the password. We therefore recommend you safeguard the server where Confluence and the productEncryptionKey file are located.

Confluence provides the following protocols that extend Tomcat protocols with support for password encryption.

  • com.atlassian.secrets.tomcat.protocol.Http11NioProtocolWithPasswordEncryption
    Based on Tomcat protocol: Http11NioProtocol
    Attributes that support password encryption: KeystorePass, KeyPass, SSLPassword, TruststorePass

  • com.atlassian.secrets.tomcat.protocol.Http11Nio2ProtocolWithPasswordEncryption
    Based on Tomcat protocol: Http11Nio2Protocol
    Attributes that support password encryption: KeystorePass, KeyPass, SSLPassword, TruststorePass

  • com.atlassian.secrets.tomcat.protocol.Http11AprProtocolWithPasswordEncryption
    Based on Tomcat protocol: Http11AprProtocol
    Attributes that support password encryption: KeystorePass, KeyPass, SSLPassword, TruststorePass

  • com.atlassian.secrets.tomcat.protocol.AjpNioProtocolWithPasswordEncryption
    Based on Tomcat protocol: AjpNioProtocol
    Attributes that support password encryption: secret

  • com.atlassian.secrets.tomcat.protocol.AjpNio2ProtocolWithPasswordEncryption
    Based on Tomcat protocol: AjpNio2Protocol
    Attributes that support password encryption: secret

  • com.atlassian.secrets.tomcat.protocol.AjpAprProtocolWithPasswordEncryption
    Based on Tomcat protocol: AjpAprProtocol
    Attributes that support password encryption: secret

Encrypting a single password

When you create an encrypted password, the encryption tool will generate two files — encryptedPassword and encryptionKey.

You can also add your own encryption key file name as an optional argument to the end of the command in the steps below, and the encryption tool will use your file name instead of generating a new file with the encryption key. If you use your own file name, make sure it already exists in your current directory.

  1. Go to <Confluence-installation-directory>/bin.

  2. Run the following command to encrypt your password:

    java -cp "./*" com.atlassian.secrets.cli.tomcat.TomcatEncryptionTool

    If you want to add your own file name, make sure you add the name to the end of the command, and that the file already exists in your current directory:

    java -cp "./*" com.atlassian.secrets.cli.tomcat.TomcatEncryptionTool encryptionKey_1698120035971
  3. When prompted, enter your password.
    If you didn’t add your own file name to the end of the command, the encryption tool will generate the files encryptedPassword and encryptionKey.
    If you added your own file name to the end of the command, the encryption tool will generate encryptedPassword only.

  4. Move these two new files to a safe location. You can also rename the files if you want.

Encrypting multiple passwords for one connector

If you want to encrypt multiple passwords for a single connector, you must use the same encryption key for all of them. After you encrypt your first password, use the generated encryptionKey file to encrypt each subsequent password by passing the path to the key to the encryption tool:

java -cp "./*" com.atlassian.secrets.cli.tomcat.TomcatEncryptionTool /path/to/encryptionKey

The encryption tool will generate only the encryptedPassword file.

Using encrypted passwords in Connector configuration

To use encrypted passwords in Connector configuration, set up the following properties:

  • protocol - use one of the protocol classes described above

  • productEncryptionKey - specify a path to the encryptionKey file

You can then use the path to the encrypted password file in place of a plaintext password in the Connector configuration.

For example, in the Confluence conf/server.xml file, the configuration of an Http11Nio2 Connector with encrypted keystore and key passwords might look like this:

<Connector
    protocol="com.atlassian.secrets.tomcat.protocol.Http11Nio2ProtocolWithPasswordEncryption"
    port="8443"

    (...)

    keystoreFile="/var/secrets/keystore/keystore"
    keystorePass="/var/secrets/keystore/encryptedKeystorePass"
    keyPass="/var/secrets/keystore/encryptedKeyPass"

    productEncryptionKey="/var/secrets/encryptionKey"
/>

Note that only one productEncryptionKey is specified, so both keystorePass and keyPass must be encrypted with the same key.
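An added check, not part of the Atlassian documentation, that walks a server.xml for Connector elements and flags deviations from the configuration above: a password attribute left in plaintext under a stock Tomcat protocol, an encrypting protocol with no productEncryptionKey, a password attribute the chosen protocol does not decrypt, or a password attribute that does not reference an encryptedPassword file. The sample XML is constructed, and the path heuristic is an assumption.

```python
import xml.etree.ElementTree as ET

# Protocol classes from the table above, mapped to the attributes each one can
# decrypt (compared case-insensitively, since Tomcat writes them in camelCase).
PREFIX = "com.atlassian.secrets.tomcat.protocol."
HTTP_ATTRS = ("keystorepass", "keypass", "sslpassword", "truststorepass")
AJP_ATTRS = ("secret",)
ENCRYPTING = {
    **{PREFIX + n + "WithPasswordEncryption": HTTP_ATTRS
       for n in ("Http11NioProtocol", "Http11Nio2Protocol", "Http11AprProtocol")},
    **{PREFIX + n + "WithPasswordEncryption": AJP_ATTRS
       for n in ("AjpNioProtocol", "AjpNio2Protocol", "AjpAprProtocol")},
}

def looks_like_path(value):
    # Assumed heuristic: an encryptedPassword reference contains a path separator; a bare string is likely plaintext.
    return "/" in value or "\\" in value

def audit_connectors(server_xml):
    """Return (port, finding) pairs for Connectors that deviate from the encrypted setup above."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        decryptable = ENCRYPTING.get(conn.get("protocol", ""))
        if decryptable is not None and conn.get("productEncryptionKey") is None:
            findings.append((port, "encrypting protocol without productEncryptionKey"))
        for name, value in conn.attrib.items():
            if name.lower() not in HTTP_ATTRS + AJP_ATTRS:
                continue
            if decryptable is None:
                findings.append((port, f"plaintext {name} under a non-encrypting protocol"))
            elif name.lower() not in decryptable:
                findings.append((port, f"{name} is not decrypted by this protocol"))
            elif not looks_like_path(value):
                findings.append((port, f"{name} is not an encryptedPassword file path"))
    return findings

# Constructed sample: the connector from the example above plus two weak ones.
SAMPLE_SERVER_XML = """<Server><Service name="Tomcat-Standalone">
  <Connector port="8443" keystoreFile="/var/secrets/keystore/keystore"
      protocol="com.atlassian.secrets.tomcat.protocol.Http11Nio2ProtocolWithPasswordEncryption"
      keystorePass="/var/secrets/keystore/encryptedKeystorePass"
      keyPass="/var/secrets/keystore/encryptedKeyPass"
      productEncryptionKey="/var/secrets/encryptionKey"/>
  <Connector port="8444" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
      keystoreFile="/var/secrets/keystore/keystore" keystorePass="changeit"/>
  <Connector port="8009" secret="ajp-secret-in-the-clear"
      protocol="com.atlassian.secrets.tomcat.protocol.AjpNioProtocolWithPasswordEncryption"/>
</Service></Server>"""
```

Run `audit_connectors` over the real conf/server.xml after a change; an empty list means every Connector either uses no password attributes or references encrypted files with a key configured.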

Last modified on Dec 6, 2023
