Encrypting passwords in server.xml
Confluence provides the following protocol classes. Each one extends a standard Tomcat protocol so that the password-bearing connector attributes can point at an encrypted-password file instead of holding a plaintext value.

Protocol class | Based on Tomcat protocol | Attributes that support password encryption |
com.atlassian.secrets.tomcat.protocol.Http11NioProtocolWithPasswordEncryption | Http11NioProtocol | keystorePass, keyPass, truststorePass |
com.atlassian.secrets.tomcat.protocol.Http11Nio2ProtocolWithPasswordEncryption | Http11Nio2Protocol | keystorePass, keyPass, truststorePass |
com.atlassian.secrets.tomcat.protocol.Http11AprProtocolWithPasswordEncryption | Http11AprProtocol | SSLPassword |
com.atlassian.secrets.tomcat.protocol.AjpNioProtocolWithPasswordEncryption | AjpNioProtocol | secret |
com.atlassian.secrets.tomcat.protocol.AjpNio2ProtocolWithPasswordEncryption | AjpNio2Protocol | secret |
com.atlassian.secrets.tomcat.protocol.AjpAprProtocolWithPasswordEncryption | AjpAprProtocol | secret |
Encrypting a single password
When you encrypt a password, the encryption tool generates two files: encryptedPassword (the ciphertext) and encryptionKey (the key Confluence needs to decrypt it at startup).
You can also pass the name of your own encryption key file as an optional last argument to the command in the steps below. The tool then uses that key instead of generating a new one. The file must already exist in your current directory.
Go to <Confluence-installation-directory>/bin.
Run the following command to encrypt your password:
java -cp "./*" com.atlassian.secrets.cli.tomcat.TomcatEncryptionTool
If you want to use your own key file, add its name at the end of the command. The file must already exist in your current directory:
java -cp "./*" com.atlassian.secrets.cli.tomcat.TomcatEncryptionTool encryptionKey_1698120035971
When prompted, enter your password.
If you didn't add your own file name, the encryption tool generates the files encryptedPassword and encryptionKey.
If you added your own file name, the encryption tool generates encryptedPassword only.
Move the new files to a safe location. You can rename them if you want. Anyone who can read both the key file and the encrypted password file can recover the password, so make the files readable only by the account Confluence runs as.
Encrypting multiple passwords for one connector
If you want to encrypt multiple passwords for a single connector, you must use the same encryption key for all of them. After you encrypt the first password, pass the path of the generated encryptionKey file to the encryption tool when encrypting each subsequent password:
java -cp "./*" com.atlassian.secrets.cli.tomcat.TomcatEncryptionTool /path/to/encryptionKey
The encryption tool then generates only the encryptedPassword file. Move or rename it before you encrypt the next password.
Using encrypted passwords in Connector configuration
To use encrypted passwords in a Connector configuration, set the following attributes:
protocol - one of the protocol classes listed above
productEncryptionKey - the path to the encryptionKey file
You can then put the path to an encryptedPassword file in place of a plaintext password in the Connector configuration. Confluence must be able to read the key file and every encrypted password file it references.
For example, in the Confluence conf/server.xml file, the configuration of an Http11Nio2 Connector with encrypted keystore and key passwords might look like this:
<Connector
protocol="com.atlassian.secrets.tomcat.protocol.Http11Nio2ProtocolWithPasswordEncryption"
port="8443"
(...)
keystoreFile="/var/secrets/keystore/keystore"
keystorePass="/var/secrets/keystore/encryptedKeystorePass"
keyPass="/var/secrets/keystore/encryptedKeyPass"
productEncryptionKey="/var/secrets/encryptionKey"
/>
Note that only one productEncryptionKey is specified: both keystorePass and keyPass must have been encrypted with that same key. A password encrypted with a different key cannot be decrypted by this connector.
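The constraints above (an encrypting protocol class, a productEncryptionKey, password attributes that point at existing files, and secret files that only the service account can read) are easy to get wrong by hand. The following Python script is an added example written for this page, not Atlassian's tool or code: it parses a server.xml, finds every Connector that carries one of the password-bearing attributes from the table, and reports plaintext values, missing keys, missing files and over-permissive file modes. The server.xml content, the file names and the function names (audit_server_xml, file_findings, build_sample, demo) are constructed for the example.

```python
"""Audit a Tomcat server.xml for Confluence connectors that carry passwords.

Hypothetical checker written for this page (not Atlassian's tool). It flags
connectors whose password attributes are still plaintext, encrypting connectors
without productEncryptionKey, referenced files that do not exist, and key or
password files readable by group or others.
"""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

PROTOCOL_PREFIX = "com.atlassian.secrets.tomcat.protocol."
PROTOCOL_SUFFIX = "ProtocolWithPasswordEncryption"
# Connector attributes the encrypting protocols read as encrypted-password files (table above).
ENCRYPTABLE_ATTRS = ("keystorePass", "keyPass", "truststorePass", "SSLPassword", "secret")


def uses_encrypting_protocol(protocol):
    """True for the com.atlassian.secrets...ProtocolWithPasswordEncryption classes."""
    return protocol.startswith(PROTOCOL_PREFIX) and protocol.endswith(PROTOCOL_SUFFIX)


def file_findings(label, path):
    """A referenced secret file must exist and be readable only by its owner."""
    if not os.path.isfile(path):
        return ["%s=%r is not an existing file (plaintext value or wrong path)" % (label, path)]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["%s file %s has mode %o; restrict it to the service account (chmod 600)"
                % (label, path, mode)]
    return []


def audit_server_xml(xml_text):
    """Return {port: [finding, ...]} for every Connector with a password-bearing attribute.

    An empty list means the connector passed every check.
    """
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        secret_attrs = [a for a in ENCRYPTABLE_ATTRS if a in conn.attrib]
        if not secret_attrs:
            continue  # nothing sensitive on this connector
        findings = []
        protocol = conn.get("protocol", "")
        if not uses_encrypting_protocol(protocol):
            findings.append("protocol %r cannot decrypt, so %s are plaintext"
                            % (protocol, ", ".join(secret_attrs)))
        else:
            key = conn.get("productEncryptionKey")
            if key is None:
                findings.append("productEncryptionKey is missing; %s cannot be decrypted"
                                % ", ".join(secret_attrs))
            else:
                findings += file_findings("productEncryptionKey", key)
            for attr in secret_attrs:
                findings += file_findings(attr, conn.get(attr))
        report[port] = findings
    return report


def build_sample(tmpdir):
    """Constructed sample server.xml (not a real Confluence file) backed by temp files."""
    def write(name, mode):
        path = os.path.join(tmpdir, name)
        with open(path, "wb") as f:
            f.write(b"placeholder bytes standing in for the tool's output\n")
        os.chmod(path, mode)
        return path
    key = write("encryptionKey", 0o600)
    ks_pass = write("encryptedKeystorePass", 0o600)
    key_pass = write("encryptedKeyPass", 0o600)
    loose_key = write("looseKey", 0o644)  # world-readable: anyone on the host can decrypt
    return """<Server><Service>
  <Connector port="8443"
    protocol="com.atlassian.secrets.tomcat.protocol.Http11Nio2ProtocolWithPasswordEncryption"
    keystoreFile="%s/keystore" keystorePass="%s" keyPass="%s"
    productEncryptionKey="%s"/>
  <Connector port="8444"
    protocol="com.atlassian.secrets.tomcat.protocol.Http11NioProtocolWithPasswordEncryption"
    keystorePass="changeit" productEncryptionKey="%s"/>
  <Connector port="8445" protocol="org.apache.coyote.http11.Http11NioProtocol"
    keystorePass="changeit"/>
  <Connector port="8090" protocol="org.apache.coyote.http11.Http11NioProtocol"/>
</Service></Server>""" % (tmpdir, ks_pass, key_pass, key, loose_key)


def demo():
    """Run the audit on the constructed sample and return the report."""
    with tempfile.TemporaryDirectory() as tmpdir:
        return audit_server_xml(build_sample(tmpdir))


if __name__ == "__main__":
    for port, findings in sorted(demo().items()):
        print(port, "OK" if not findings else "; ".join(findings))
```

Run it against a real file with audit_server_xml(open("conf/server.xml").read()) as the user Confluence runs as, so that the existence checks reflect what the service can actually read. The script cannot tell whether two encrypted files were produced with the same key (that only shows up when the connector fails to start), so it checks the one thing that is visible in the configuration: a single productEncryptionKey per connector.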