Base64 encoding


We don't recommend Base64 encoding in production for securing secrets because it doesn't provide encryption, and therefore can't guarantee sufficient data protection.

Base64 encoding is one of the three ways to encrypt database passwords in Bitbucket Data Center and Server. See also AES encryption and Custom encryption.

For this method, we'll use Base64Cipher, which is a way to achieve simple obfuscation of the database password.

Step 1. Encrypt the password

  1. Go to <Bitbucket-installation-directory>/tools/atlassian-password.

  2. Run the following command to encrypt your password:

java -cp "./*" com.atlassian.db.config.password.tools.CipherTool

Optional arguments:

  • --silent, -s: limits logging to a minimum

  • --help, -h: prints a help message with all parameters

  • --mode, -m: defines what to do with the password, either encrypt or decrypt. If omitted, 'encrypt' will be used.

  • --password, -p: plain text password. If omitted, you'll be asked to enter it. We recommend that you omit this parameter so that your password is not stored in the shell history.

Sample output:
main DEBUG [db.config.password.DefaultCipherProvider] Initiate cipher provider class: com.atlassian.db.config.password.ciphers.base64.Base64Cipher
main DEBUG [password.ciphers.base64.Base64Cipher] Initiate Base64Cipher
main DEBUG [password.ciphers.base64.Base64Cipher] Encrypting data...
main DEBUG [password.ciphers.base64.Base64Cipher] Encryption done. Success!
Success!
For Jira, put the following lines in database config xml file:
 
<atlassian-password-cipher-provider>com.atlassian.db.config.password.ciphers.base64.Base64Cipher</atlassian-password-cipher-provider>
<password>ZGZnZGZn</password>
 
and restart the instance.
 
For Bitbucket, set the following properties in bitbucket.properties:
 
jdbc.password.decrypter.classname=com.atlassian.db.config.password.ciphers.base64.Base64Cipher
jdbc.password=ZGZnZGZn
 
and restart the instance.  

Step 2. Add the encrypted password to the properties file

  1. Go to the Bitbucket home directory and back up the bitbucket.properties file. Move the backup to a safe place outside of your instance.

  2. Based on your Bitbucket version, do one of the following:
    1. For versions 8.11 and later, in the bitbucket.properties file, replace the property's value with the encrypted value generated by the CLI tool, prefixed with {ENC}. Also, specify the encrypted-property.cipher.classname property. For example:

      encrypted-property.cipher.classname=com.atlassian.db.config.password.ciphers.base64.Base64Cipher
      jdbc.password={ENC}put-the-obfuscated-password-generated-by-the-cli-tool-here
    2. For versions below 8.11, in the bitbucket.properties file, replace the value of the jdbc.password property with the password generated by the CLI tool. Also, specify the jdbc.password.decrypter.classname property. For example:

      jdbc.password.decrypter.classname=com.atlassian.db.config.password.ciphers.base64.Base64Cipher
      jdbc.password=put-the-obfuscated-password-generated-by-the-cli-tool-here


  3. Restart Bitbucket.

Decrypting the password

To decrypt the password, extend the command with the -m decrypt parameter:

java -cp "./*" com.atlassian.db.config.password.tools.CipherTool -m decrypt

When asked for a password, provide the encrypted one from your bitbucket.properties file.

Troubleshooting

Bitbucket fails to start after enabling database password encryption...

This means that Bitbucket couldn't connect to the database to access your configuration, most likely because of an error with decrypting your password.

To solve this problem, open <Bitbucket_home_directory>/log/atlassian-bitbucket.log, and check for DataSourcePasswordDecryptionException. For example:

com.atlassian.stash.internal.jdbc.DataSourcePasswordDecryptionException: java.lang.IllegalArgumentException: Illegal base64 character 25

The exception contains details about the error. If the error is java.lang.IllegalArgumentException, you will need to encrypt the password again.
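
The following check is an added example, not part of the original page or of Atlassian's tooling. It can be run against a copy of bitbucket.properties before a restart to flag two things described on this page: a jdbc.password protected only by Base64Cipher, and a value that would fail decoding with the IllegalArgumentException shown above. The function names and the constructed sample inputs are assumptions, and Python's strict decoder stands in for the product's own decoder.

```python
import base64
import binascii

BASE64_CIPHER = "com.atlassian.db.config.password.ciphers.base64.Base64Cipher"
NEW_KEY = "encrypted-property.cipher.classname"   # 8.11+
OLD_KEY = "jdbc.password.decrypter.classname"     # below 8.11

def parse_properties(text):
    """Minimal key=value parser; skips blank lines and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_jdbc_password(text):
    """Return findings for a Base64Cipher-protected jdbc.password."""
    props = parse_properties(text)
    uses_new = props.get(NEW_KEY) == BASE64_CIPHER
    uses_old = props.get(OLD_KEY) == BASE64_CIPHER
    if not (uses_new or uses_old):
        return []  # Base64Cipher is not configured
    findings = ["WEAK: Base64Cipher only obfuscates; the value is not encrypted"]
    value = props.get("jdbc.password", "")
    if uses_new:
        if not value.startswith("{ENC}"):
            findings.append("INVALID: 8.11+ expects the {ENC} prefix on jdbc.password")
            return findings
        value = value[len("{ENC}"):]
    try:
        # Strict decode as a stand-in for the product's decoder (assumption).
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        findings.append("INVALID: value is not valid Base64; encrypt the password again")
    return findings

# Constructed samples; ZGZnZGZn is the value from the sample output above.
SAMPLE_OLD = f"{OLD_KEY}={BASE64_CIPHER}\njdbc.password=ZGZnZGZn\n"
SAMPLE_NEW = f"{NEW_KEY}={BASE64_CIPHER}\njdbc.password={{ENC}}ZGZnZGZn\n"
SAMPLE_BAD = f"{OLD_KEY}={BASE64_CIPHER}\njdbc.password=ZGZn%GZn\n"  # '%' is 0x25

if __name__ == "__main__":
    for name, text in [("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("bad", SAMPLE_BAD)]:
        print(name, check_jdbc_password(text))
```

The check never prints the decoded password, so its output is safe to keep in a change ticket or CI log.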

'A fatal error has occurred' message displayed after restarting Bitbucket...

To investigate this problem, open <Bitbucket_home_directory>/log/atlassian-bitbucket.log, and check for JdbcSQLExceptions. The messages should be pretty clear as to what went wrong.

You’ll probably see the following message:

 Wrong user name or password [28000-176]

This means that Bitbucket decrypted the password successfully, but the password itself is incorrect. You can verify that by completing these steps:

  1. Open the bitbucket.properties file, and copy the encrypted password.

  2. Decrypt the password.

  3. Check if the decrypted password is the same as the one in your backup bitbucket.properties file.

Disable database password encryption and revert changes...

To disable database password encryption, remove the jdbc.password.decrypter.classname property from the bitbucket.properties file, and change the value of jdbc.password to the unencrypted value from your backup.

Last modified on Jul 11, 2024
