Cloud
Data Center 9.16
Versions

Base64 encoding

Securing a database password

On this page

Related content

  • No related content found

Still need help?

The Atlassian Community is here for you.

Ask the community

We don't recommend Base64 encoding in production for securing secrets because it doesn't provide encryption, and therefore cannot guarantee sufficient data protection.

This type of encoding is suitable for users who don’t want to store passwords in plaintext, but don't have to meet specific requirements to encode them.

Encoding the password

For this method, we'll use Base64 encoding, which is a way to achieve simple obfuscation of sensitive data.

Step 1. Encoding the password

When you encode the database password, you can supply some optional arguments, as shown in the table below.

Argument

Description

-c,--class <arg>

Canonical class name of the cipher. Leave empty to use the default: com.atlassian.secrets.store.base64.Base64SecretStore

-h,--help

Output the help message, which displays these optional arguments

-m,--mode <arg>

Use encrypt (default) or decrypt on your provided password.

-p,--password <arg>

The plaintext password that you want to encrypt. If you omit this parameter, the console will ask you to type the password.

-s,--silent

Log minimum info.

To encode the database password, follow the steps below.

To encode the database password

  1. Go to <Jira-installation-directory>/bin.

  2. Run the following command to encode your password. Additionally, you can use optional arguments described above. 

    java -cp "./*" com.atlassian.secrets.cli.db.DbCipherTool

    When this command is run you should see output similar to this:

    2023-10-10 03:58:01,548 main INFO [com.atlassian.secrets.DefaultSecretStoreProvider] Initiating secret store class: com.atlassian.secrets.store.base64.Base64SecretStore
2023-10-10 03:58:01,568 main DEBUG [secrets.store.base64.Base64SecretStore] Initiate Base64Cipher
2023-10-10 03:58:01,583 main DEBUG [secrets.store.base64.Base64SecretStore] Encrypting data...
2023-10-10 03:58:01,585 main DEBUG [secrets.store.base64.Base64SecretStore] Encryption done.
Success!
For Jira, set the following properties in dbconfig.xml:

<atlassian-password-cipher-provider>com.atlassian.secrets.store.base64.Base64SecretStore</atlassian-password-cipher-provider>
<password>c2VjcmV0</password>

For Bitbucket, set the following properties in bitbucket.properties:

jdbc.password.decrypter.classname=com.atlassian.secrets.store.base64.Base64SecretStore
jdbc.password=c2VjcmV0

For Bamboo, set the following properties in bamboo.cfg.xml:

<property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.base64.Base64SecretStore</property>
<property name="hibernate.connection.password">c2VjcmV0</property>

For Confluence, set the following properties in confluence.cfg.xml:

<property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.base64.Base64SecretStore</property>
<property name="hibernate.connection.password">c2VjcmV0</property>

Step 2. Adding the encoded password to dbconfig.xml

To add the encoded password:

  1. Back up the <home-directory>/dbconfig.xml file. Move the backup to a safe place outside of your instance.

  2. In the dbconfig.xml file, add or modify the <atlassian-password-cipher-provider> property to contain:

    com.atlassian.secrets.store.base64.Base64SecretStore

  3. In the dbconfig.xml file, add or modify the <password> property to contain the Base64 encoded value:

    c2VjcmV0

  4. Once updated, check that dbconfig.xml contains:

    <atlassian-password-cipher-provider>com.atlassian.secrets.store.base64.Base64SecretStore</atlassian-password-cipher-provider>
<password>c2VjcmV0</password>

  5. Restart Jira.

Decoding the password

To decode the password:

  1. Extend the command with the -m decrypt parameter.

    java -cp "./*" com.atlassian.secrets.cli.db.DbCipherTool -m decrypt

  2. When asked for a password, provide the encoded one from your dbconfig.xml file.

    2023-10-10 04:57:22,330 main INFO [com.atlassian.secrets.DefaultSecretStoreProvider] Initiating secret store class: com.atlassian.secrets.store.base64.Base64SecretStore
2023-10-10 04:57:22,345 main DEBUG [secrets.store.base64.Base64SecretStore] Initiate Base64Cipher
2023-10-10 04:57:22,360 main DEBUG [secrets.store.base64.Base64SecretStore] Decrypting data...
2023-10-10 04:57:22,364 main DEBUG [secrets.store.base64.Base64SecretStore] Decryption done.
Success! Decrypted password using cipher provider: com.atlassian.secrets.store.base64.Base64SecretStore decrypted password: secret

Troubleshooting

Reverting the changes...

To revert the changes, remove the <atlassian-password-cipher-provider> tag from the dbconfig.xml file, and change the encrypted password to a plain text one.

The setup screen opens after restarting Jira...

The setup screen means that Jira couldn't connect to the database to access your configuration, most probably because of an error with decrypting your password.

To solve this problem, open <Jira_home_directory>/log/atlassian-jira.log, and check the lines after: Reading database configuration from.

You’ll probably see the following message:

[c.a.j.config.database.DatabaseConfigHandler] Trying to get encrypted password from xml and decrypt it
[c.a.s.store.base64.Base64SecretStore] Runtime Exception thrown when decrypting:

If that’s the case, read the message, as it contains details about the error and a possible solution. If the error is java.lang.IllegalArgumentException, you will need to encrypt the password again.

‘Jira had problems starting up’ message is displayed after restarting Jira…

To investigate this problem, open <Jira_home_directory>/log/atlassian-jira.log, and check the lines after: Reading database configuration from.

You’ll probably see the following messages:

[c.a.j.config.database.DatabaseConfigHandler] Trying to get encrypted password from xml and decrypt it
[c.a.j.config.database.DatabaseConfigHandler] Database password decryption success!
[c.a.config.bootstrap.DefaultAtlassianBootstrapManager] Could not successfully test your database:

[c.a.jira.health.HealthChecks] JIRA couldn't connect to your database
[c.a.jira.health.HealthChecks] JIRA failed to establish a connection to your database.

This means that Jira decrypted the password successfully, but the password itself is incorrect. You can verify that by completing these steps:

  1. Open the dbconfig.xml file, and copy the encrypted password.
  2. Decrypt the password.
  3. Check if the decrypted password is the same as the one in your backup dbconfig.xml file.
Last modified on Jul 11, 2024

Was this helpful?

Yes
No
Provide feedback about this article

Related content

  • No related content found
Powered by Confluence and Scroll Viewport.