Cloud
Data Center 8.17
Versions

Base64 encoding

Secure Bitbucket configuration properties

On this page

Related content

  • No related content found

Still need help?

The Atlassian Community is here for you.

Ask the community

We don't recommend Base64 encoding in production for securing secrets because it doesn't provide encryption, and therefore can't guarantee sufficient data protection.

This type of encoding is suitable for users who don’t want to store passwords in plaintext, but don't have to meet specific requirements to encode them.

Encode the sensitive data

For this method, we'll use Base64 encoding, which is a way to achieve simple obfuscation of sensitive data.

Step 1. Encode the sensitive data

When you encode the database password, you can supply some optional arguments, as shown in the table below.

Argument

Description

-c,--class <arg>

Canonical class name of the cipher. Leave empty to use the default: com.atlassian.secrets.store.base64.Base64SecretStore

-h,--help

Output the help message, which displays these optional arguments

-m,--mode <arg>

Use 'encrypt' (default) or 'decrypt' on your provided password.

-p,--password <arg>

The plaintext password that you want to encrypt. If you omit this parameter, the console will ask you to type the password.

-s,--silent

Log minimum info.

To encode the database password, follow the steps below.

  1. Go to <Bitbucket-installation-directory>/tools/atlassian-password.

  2. Run the following command to encode your password. Additionally, you can use optional arguments described above. 

    java -cp "./*" com.atlassian.secrets.cli.db.DbCipherTool

    When this command is run you should see output similar to this:

    2023-10-10 03:58:01,548 main INFO [com.atlassian.secrets.DefaultSecretStoreProvider] Initiating secret store class: com.atlassian.secrets.store.base64.Base64SecretStore
2023-10-10 03:58:01,568 main DEBUG [secrets.store.base64.Base64SecretStore] Initiate Base64Cipher
2023-10-10 03:58:01,583 main DEBUG [secrets.store.base64.Base64SecretStore] Encrypting data...
2023-10-10 03:58:01,585 main DEBUG [secrets.store.base64.Base64SecretStore] Encryption done.
Success!
For Jira, set the following properties in dbconfig.xml:

<atlassian-password-cipher-provider>com.atlassian.secrets.store.base64.Base64SecretStore</atlassian-password-cipher-provider>
<password>c2VjcmV0</password>

For Bitbucket, set the following properties in bitbucket.properties:

jdbc.password.decrypter.classname=com.atlassian.secrets.store.base64.Base64SecretStore
jdbc.password=c2VjcmV0

For Bamboo, set the following properties in bamboo.cfg.xml:

<property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.base64.Base64SecretStore</property>
<property name="hibernate.connection.password">c2VjcmV0</property>

For Confluence, set the following properties in confluence.cfg.xml:

<property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.base64.Base64SecretStore</property>
<property name="hibernate.connection.password">c2VjcmV0</property>

Step 2. Add the encoded data to bitbucket.properties

  1. Back up the <home-directory>/shared/bitbucket.properties file. Move the backup to a safe place outside of your instance.

  2. In the bitbucket.properties file, add or modify the encrypted-property.cipher.classname property to contain:

    com.atlassian.secrets.store.base64.Base64SecretStore

  3. In the bitbucket.properties file, add or modify the jdbc.password property to contain the Base64 encoded value prefixed with {ENC}:

    {ENC}c2VjcmV0

  4. Once updated, check that bitbucket.properties contains:

    encrypted-property.cipher.classname=com.atlassian.secrets.store.base64.Base64SecretStore
jdbc.password={ENC}c2VjcmV0

  5. Restart Bitbucket.

Decode the sensitive data

To decode the sensitive data:

  1. Extend the command with the -m decrypt parameter:

    java -cp "./*" com.atlassian.secrets.cli.db.DbCipherTool -m decrypt

  2. When asked for a password, provide the encoded one from your bitbucket.properties file.

    2023-10-10 04:57:22,330 main INFO [com.atlassian.secrets.DefaultSecretStoreProvider] Initiating secret store class: com.atlassian.secrets.store.base64.Base64SecretStore
2023-10-10 04:57:22,345 main DEBUG [secrets.store.base64.Base64SecretStore] Initiate Base64Cipher
2023-10-10 04:57:22,360 main DEBUG [secrets.store.base64.Base64SecretStore] Decrypting data...
2023-10-10 04:57:22,364 main DEBUG [secrets.store.base64.Base64SecretStore] Decryption done.
Success! Decrypted password using cipher provider: com.atlassian.secrets.store.base64.Base64SecretStore decrypted password: secret


Troubleshooting

Bitbucket fails to start after enabling database password encryption...

This means that Bitbucket couldn't connect to the database to access your configuration, most likely because of an error with decrypting your password.

To solve this problem, open <Bitbucket_home_directory>/log/atlassian-bitbucket.log, and check for DataSourcePasswordDecryptionException. For example:

com.atlassian.stash.internal.jdbc.DataSourcePasswordDecryptionException: java.lang.IllegalArgumentException: Illegal base64 character 25

The exception contains details about the error. If the error is java.lang.IllegalArgumentException, you will need to encrypt the password again.

'A fatal error has occurred' message displayed after restarting Bitbucket...

To investigate this problem, have a look at both the <Bitbucket_home_directory>/log/launcher.log and <Bitbucket_home_directory>/log/atlassian-bitbucket.log files, and check for JdbcSQLExceptions. The messages should be pretty clear as to what went wrong.

You’ll probably see the following messages:

 Wrong user name or password [28000-176]

This means that Bitbucket decrypted the password successfully, but the password itself is incorrect. You can verify that by completing these steps:

  1. Open the bitbucket.properties file, and copy the encrypted password.

  2. Decrypt the password.

  3. Check if the decrypted password is the same as the one in your backup bitbucket.properties file.

Disable database password encryption and revert changes...

To disable database password encryption, remove the jdbc.password.decrypter.classname property from the bitbucket.properties file, and change the value of jdbc.password to the unencrypted in your backup.

Last modified on Jul 11, 2024

Was this helpful?

Yes
No
Provide feedback about this article

Related content

  • No related content found
Powered by Confluence and Scroll Viewport.