Encrypting passwords in server.xml in Bamboo

To add extra security to your Bamboo instance, you can encrypt passwords when configuring HTTP connectors in Tomcat’s server.xml file.

This solution is obfuscation: it can be used to protect information such as the passphrases Bamboo uses to access its local keystores and other secrets, but it doesn't provide real security. For example, even though the secret is stored locally in an encrypted format, an Apache reverse proxy still sends the proxy secret to Bamboo in plain text when using the AJP protocol. An attacker could impersonate Bamboo to obtain the password.

Bamboo provides the following protocols that extend Tomcat protocols with support for password encryption:

| Bamboo protocol | Base Tomcat protocol | Attributes supporting password encryption |
|---|---|---|
| com.atlassian.secrets.tomcat.protocol.Http11NioProtocolWithPasswordEncryption | Http11NioProtocol | KeystorePass, KeyPass, SSLPassword, TruststorePass |
| com.atlassian.secrets.tomcat.protocol.Http11Nio2ProtocolWithPasswordEncryption | Http11Nio2Protocol | KeystorePass, KeyPass, SSLPassword, TruststorePass |
| com.atlassian.secrets.tomcat.protocol.Http11AprProtocolWithPasswordEncryption | Http11AprProtocol | KeystorePass, KeyPass, SSLPassword, TruststorePass |
| com.atlassian.secrets.tomcat.protocol.AjpNioProtocolWithPasswordEncryption | AjpNioProtocol | secret |
| com.atlassian.secrets.tomcat.protocol.AjpNio2ProtocolWithPasswordEncryption | AjpNio2Protocol | secret |
| com.atlassian.secrets.tomcat.protocol.AjpAprProtocolWithPasswordEncryption | AjpAprProtocol | secret |

Encrypting a single password

To encrypt a single password:

  1. Run the following command from the <bamboo_installation_dir>/lib directory:

    java -jar atlassian-secrets-cli-<bamboo_version>.jar

    Where <bamboo_version> is the version of Bamboo you’re currently running. For example:

    java -jar atlassian-secrets-cli-9.5.0.jar
  2. Enter your password when prompted.

The encryption tool will generate two files: encryptedPassword and encryptionKey. Move those files to a safe location. You can also rename the files if you want to.

Encrypting multiple passwords for one connector

If you want to encrypt more than one password for a single connector, you should use the same encryption key for all passwords. 

To encrypt multiple passwords:

  1. Encrypt the first password by following the steps described in Encrypting a single password.
  2. Use the generated encryptionKey file to encrypt the remaining passwords by passing the path to the key in the following command:

    java -jar atlassian-secrets-cli.jar -config=tomcat /path/to/encryptionKey

In this scenario, the encryption tool generates only the encryptedPassword file.

Using encrypted passwords in the connector configuration

To use encrypted passwords in the connector configuration, configure the following properties:

  • protocol – one of the Bamboo protocols listed above
  • productEncryptionKey – path to the encryptionKey file

Then you can use the path to a proper encryptedPassword file in place of a plain text password in the connector configuration.

For example, the configuration of a Http11Nio2 connector with encrypted keystore and key passwords might look similar to this:

<Connector
    protocol="com.atlassian.secrets.tomcat.protocol.Http11Nio2ProtocolWithPasswordEncryption"
    port="8443"
 
    (...)
 
    keystoreFile="/var/secrets/keystore/keystore"
    keystorePass="/var/secrets/keystore/encryptedKeystorePass"
    keyPass="/var/secrets/keystore/encryptedKeyPass"
 
    productEncryptionKey="/var/secrets/encryptionKey"
/>

Note that only one productEncryptionKey is specified, and both keystorePass and keyPass have to be encrypted with the same key.
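A configuration check for the setup described above, as an added example (not Atlassian's code): it parses a server.xml and reports connectors whose password attributes are still plain text, that lack productEncryptionKey, or whose referenced files are missing or accessible beyond the owner. The sample XML is constructed, the function names are hypothetical, and treating owner-only file modes as the "safe location" requirement is an assumption of this example.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Attribute names from the table on this page, compared case-insensitively.
SECRET_ATTRS = {"keystorepass", "keypass", "sslpassword", "truststorepass", "secret"}
SUFFIX = "WithPasswordEncryption"

# Constructed sample, not a real configuration.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8443" keystorePass="changeit"
      protocol="org.apache.coyote.http11.Http11NioProtocol"/>
  <Connector port="8009" secret="/var/secrets/encryptedSecret"
      protocol="com.atlassian.secrets.tomcat.protocol.AjpNioProtocolWithPasswordEncryption"/>
</Service></Server>"""

def file_problems(path):
    """Problems with one encryptedPassword or encryptionKey file."""
    if not os.path.isfile(path):
        return ["not a path to an existing file"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Assumption of this example: "safe location" means owner-only access.
    return [f"mode {mode:o} grants access to group or others"] if mode & 0o077 else []

def audit_server_xml(xml_text, check_files=True):
    """Return (port, finding) tuples for connectors that carry secrets."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        attrs = {k.lower(): v for k, v in conn.attrib.items()}
        secrets = sorted((k, v) for k, v in attrs.items() if k in SECRET_ATTRS)
        if not secrets:
            continue
        if not attrs.get("protocol", "").endswith(SUFFIX):
            findings += [(port, f"{k}: plain-text value, protocol does not decrypt")
                         for k, _ in secrets]
            continue
        key = attrs.get("productencryptionkey")
        if key is None:
            findings.append((port, "productEncryptionKey is not set"))
        else:
            secrets.append(("productencryptionkey", key))
        if check_files:
            findings += [(port, f"{k}: {p}") for k, v in secrets for p in file_problems(v)]
    return findings

if __name__ == "__main__":
    for port, finding in audit_server_xml(SAMPLE, check_files=False):
        print(f"connector {port}: {finding}")
```

Pass check_files=False when auditing a copy of server.xml on a machine that does not hold the secret files.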



Last modified on Jul 1, 2024
