Encrypting passwords in server.xml in Bamboo
Bamboo provides the following protocols that extend Tomcat protocols with support for password encryption:
Bamboo protocol | Base Tomcat protocol | Attributes supporting password encryption |
---|---|---|
com.atlassian.secrets.tomcat.protocol.Http11NioProtocolWithPasswordEncryption | Http11NioProtocol |
|
com.atlassian.secrets.tomcat.protocol.Http11Nio2ProtocolWithPasswordEncryption | Http11Nio2Protocol |
|
com.atlassian.secrets.tomcat.protocol.Http11AprProtocolWithPasswordEncryption | Http11AprProtocol |
|
com.atlassian.secrets.tomcat.protocol.AjpNioProtocolWithPasswordEncryption | AjpNioProtocol | secret |
com.atlassian.secrets.tomcat.protocol.AjpNio2ProtocolWithPasswordEncryption | AjpNio2Protocol | secret |
com.atlassian.secrets.tomcat.protocol.AjpAprProtocolWithPasswordEncryption | AjpAprProtocol | secret |
Encrypting a single password
To encrypt a single password:
Run the following command from the <bamboo_installation_dir>/lib directory:
java -jar atlassian-secrets-cli-<bamboo_version>.jar
Where
<bamboo_version>
is the version of Bamboo you’re currently running. For example:java -jar atlassian-secrets-cli-9.5.0.jar
- Enter your password when prompted.
The encryption tool will generate two files: encryptedPassword
and encryptionKey
. Move those files to a safe location. You can also rename the files if you want to.
Encrypting multiple passwords for one connector
If you want to encrypt more than one password for a single connector, you should use the same encryption key for all passwords.
To encrypt multiple passwords:
- Encrypt the first password by following the steps described in Encrypting a single password.
Use the generated
encryptionKey
file to encrypt the remaining passwords by passing the path to the key in the following command:java -jar atlassian-secrets-cli.jar -config=tomcat /path/to/encryptionKey
In this scenario, the encryption tool generates only the encryptedPassword
file.
Using encrypted passwords in the connector configuration
To use encrypted passwords in the connector configuration, configure the following properties:
protocol
– one of the Bamboo protocols listed aboveproductEncryptionKey
– path to theencryptionKey
file
Then you can use the path to a proper encryptedPassword
file in place of a plain text password in the connector configuration.
For example, the configuration of a Http11Nio2 connector with encrypted keystore and key passwords might look similar to this:
<Connector
protocol="com.atlassian.secrets.tomcat.protocol.Http11Nio2ProtocolWithPasswordEncryption"
port="8443"
(...)
keystoreFile="/var/secrets/keystore/keystore"
keystorePass="/var/secrets/keystore/encryptedKeystorePass"
keyPass="/var/secrets/keystore/encryptedKeyPass"
productEncryptionKey="/var/secrets/encryptionKey"
/>
Note that only one productEncryptionKey
is specified, and both keystorePass
and keyPass
have to be encrypted with the same key.