Data Center 6.3
Versions

Password encryption

User Guide

On this page

Related content

Still need help?

The Atlassian Community is here for you.

Ask the community

All passwords for external systems stored in Crowd are encrypted by default.

The password encryption functionality is available starting from CROWD 4.2.

If you're an upgrading user, your passwords stored in Crowd will be encrypted automatically during upgrade to Crowd 4.2 or later.

Staring from Crowd 4.2, it's crucial to make sure you back up your encryption keys. Starting from Crowd 6.3, you will also need to back up the encryption configuration file. Without them you won't be able to properly restore Crowd from backup.

How do I backup and restore keys?

The keys are stored in the shared folder {crowdHome}/shared/keys. To back up the keys, copy the mentioned directory to a secure place.

The encryption configuration file is stored in the shared folder under {crowdHome}/shared/secrets-config.yaml. To back it up, copy the file to a secure place.

To correctly restore from backup with encrypted passwords, corresponding keys must be present in the {crowdHome}/shared/keys and the secrets-config.yaml file must be present in {crowdHome}/shared , otherwise Crowd won’t be able to decrypt passwords


Here's the complete list of sensitive data which Crowd encrypts: 

  • LDAP directory password

  • Remote Crowd directory application password

  • Microsoft Entra ID web application key

  • SMTP mail password

  • Proxy password

  • SAML  X.509 certificate and private key

On this page:

AES key management API

This API provides endpoints for rotating Advanced Encryption Standard ( AES) keys and retrieving and deleting inactive keys. Below, you'll find detailed descriptions of each endpoint, including the URL, accepted HTTP methods, possible response codes, and their meanings.

Rotate AES key

This endpoint is used to rotate the AES encryption key. Existing secrets will be re-encrypted with the new key.

  • Method: POST

  • URL: https://<HOSTNAME>:<PORT>/rest/secrets/1.0/keys/rotate

  • Query parameters: None

  • Request body: None

The response codes are:

  • 200 OK: The AES key was rotated successfully.

  • 401 Unauthorized: The user isn't authorized to perform the operation.

  • 406 Not Acceptable: The rotation can't occur due to invalid conditions.

  • 500 Internal Server Error: An unexpected error occurs when performing the operation.

The response body has the following format:

{
    "message": "<detailed_message>",
    "status": "<rotation_status>"
}

Get inactive AES keys

Once key rotation is completed, the old AES key becomes inactive. This endpoint retrieves a list of inactive AES keys.

  • Method: GET

  • URL: https://<HOSTNAME>:<PORT>/rest/secrets/1.0/keys/inactive

  • Query parameters: None

  • Request body: None

The response codes are:

  • 200 OK: The inactive AES keys were retrieved successfully.

  • 401 Unauthorized: The user isn't authorized to perform the operation.

  • 500 Internal Server Error: An unexpected error occurs when performing the operation.

The response body has the following format:

{
    "inactiveKeys": [
        "<inactive_key_name>"
    ]
}

Delete inactive AES keys

Once key rotation is completed, the old AES key becomes inactive. This endpoint deletes all inactive AES keys.

  • Method: DELETE

  • URL: https://<HOSTNAME>:<PORT>/rest/secrets/1.0/keys/inactive

  • Query parameters: None

  • Request body: None

The response codes are:

  • 200 OK: The inactive AES keys were deleted successfully.

  • 401 Unauthorized: The user isn't authorized to perform the operation.

  • 500 Internal Server Error: An unexpected error occurs when performing the operation.

The response body has the following format:

{
    "deletedKeys": [
        "<deleted_key_name>"
    ]
}

Frequently asked question (FAQ)

What's the algorithm used for encryption?

Crowd can encrypt your password using the following algorithm:

  • AES / GCM /NoPadding

How do I rotate the encryption key?

For security reasons, we recommend rotating the encryption key at least once per year. If the security key is leaked, you must rotate it immediately.

Issue admin authenticated PUT request to the following url {baseUrl}/rest/admin/1.0/encryption/changeKey.

Existing data will be automatically re-encrypted using new encryption key.

How do I issue authenticated request to the mentioned endpoints?

Rest endpoints support both basic authentication and Crowd token key (usually crowd.token_key). Depending on configuration, Crowd might not allow to re-use token key cookie on IP address different than the initial one.

How do I recover when I lost my encryption key?

If the encryption key is missing, Crowd won’t be able to decrypt passwords. All passwords will have to be restored manually.

If your admin account comes from remote directory, admin won’t be able to authenticate. In such case Crowd will need to be started in recovery mode to restore passwords manually. See Using recovery mode.

How do I disable encryption during upgrade?

You should consider disabling password encryption only if you notice that this functionality is causing you problems with the upgrade.

To disable password encryption during upgrade, start Crowd with the following flag -Dcrowd.encryption.upgrade.disabled=true.
How can I be sure that my encryption key is safe?

For higher security, please restrict filesystem permission for {crowdHome}/shared/keys and {crowdHome}/shared/secrets-config.yaml so that only Crowd user (on all nodes) have access to this directory.

Last modified on Apr 7, 2025

Was this helpful?

Yes
No
Provide feedback about this article

Related content

Powered by Confluence and Scroll Viewport.