Advanced database password encryption in Bamboo
Before you begin
Back up the bamboo.cfg.xml
file in a safe location away from your Bamboo server.
Prepare a JSON object which contains all arguments required to encrypt your password using the following information:
Field | Description |
---|---|
plainTextPassword | Password in plain text. |
algorithm | You can choose one of the following algorithms:
|
algorithmKey | The algorithm key must correspond with the algorithm chosen above:
|
Example
{"plainTextPassword":"yourPassword","algorithm":"AES/CBC/PKCS5PADDING","algorithmKey":"AES"}
Encrypting the database password
To encrypt your database password, you'll need to:
Encrypt the password
When you encrypt the database password, you can supply some optional arguments, as shown in the table below.
Argument | Description |
---|---|
| Canonical class name of the cipher. Leave empty to use the default: |
| Output the help message, which displays these optional arguments |
| Use |
| The plaintext password that you want to encrypt. If you omit this parameter, the console will ask you to type the password. |
| Log minimum info. |
To encrypt the database password, follow the steps below.
- Go to
<bamboo-installation-directory>/tools/atlassian-password
. Run the following command to encrypt your database password. You can also use the optional parameters described above.
java -cp "./*" com.atlassian.secrets.cli.db.DbCipherTool -c com.atlassian.secrets.store.algorithm.AlgorithmSecretStore
When prompted for a password, enter the pre-prepared JSON object based on the information from Before you begin.
Note: the JSON object must be entered as a single line.When this command runs successfully, you will see output similar to the output below:
2023-10-13 00:30:49,016 main INFO [com.atlassian.secrets.DefaultSecretStoreProvider] Initiating secret store class: com.atlassian.secrets.store.algorithm.AlgorithmSecretStore 2023-10-13 00:30:50,811 main DEBUG [secrets.store.algorithm.AlgorithmSecretStore] Initiate AlgorithmCipher 2023-10-13 00:30:50,891 main DEBUG [secrets.store.algorithm.AlgorithmSecretStore] Encrypting data... 2023-10-13 00:30:50,950 main DEBUG [store.algorithm.serialization.EnvironmentVarBasedConfiguration] Will try to read file path from environment variable under: com_atlassian_db_config_password_ciphers_algorithm_java_security_AlgorithmParameters 2023-10-13 00:30:50,951 main DEBUG [store.algorithm.serialization.EnvironmentVarBasedConfiguration] Nothing found under environment variable. 2023-10-13 00:30:51,093 main DEBUG [store.algorithm.serialization.UniqueFilePathGenerator] Will use generated name: java.security.AlgorithmParameters_1234567890 2023-10-13 00:30:51,108 main DEBUG [secrets.store.algorithm.AlgorithmSecretStore] Name of generated file with algorithm params used for encryption: java.security.AlgorithmParameters_1234567890 2023-10-13 00:30:51,111 main DEBUG [store.algorithm.serialization.EnvironmentVarBasedConfiguration] Will try to read file path from environment variable under: com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_spec_SecretKeySpec 2023-10-13 00:30:51,111 main DEBUG [store.algorithm.serialization.EnvironmentVarBasedConfiguration] Nothing found under environment variable. 2023-10-13 00:30:51,220 main DEBUG [store.algorithm.serialization.UniqueFilePathGenerator] Will use generated name: javax.crypto.spec.SecretKeySpec_1234567890 2023-10-13 00:30:51,245 main DEBUG [store.algorithm.serialization.SerializationFile] Saved file: javax.crypto.spec.SecretKeySpec_1234567890 2023-10-13 00:30:51,353 main DEBUG [store.algorithm.serialization.UniqueFilePathGenerator] Will use generated name: javax.crypto.SealedObject_1234567890 2023-10-13 00:30:51,357 main DEBUG [store.algorithm.serialization.SerializationFile] Saved file: javax.crypto.SealedObject_1234567890 2023-10-13 00:30:51,369 main DEBUG [secrets.store.algorithm.AlgorithmSecretStore] Encryption done. Success! For Jira, set the following properties in dbconfig.xml: <atlassian-password-cipher-provider>com.atlassian.secrets.store.algorithm.AlgorithmSecretStore</atlassian-password-cipher-provider> <password>{"sealedObjectFilePath":"javax.crypto.SealedObject_1234567890","keyFilePath":"javax.crypto.spec.SecretKeySpec_1234567890"}</password> For Bitbucket, set the following properties in bitbucket.properties: jdbc.password.decrypter.classname=com.atlassian.secrets.store.algorithm.AlgorithmSecretStore jdbc.password={"sealedObjectFilePath":"javax.crypto.SealedObject_1234567890","keyFilePath":"javax.crypto.spec.SecretKeySpec_1234567890"} For Bamboo, set the following properties in bamboo.cfg.xml: <property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.algorithm.AlgorithmSecretStore</property> <property name="hibernate.connection.password">{"sealedObjectFilePath":"javax.crypto.SealedObject_1234567890","keyFilePath":"javax.crypto.spec.SecretKeySpec_1234567890"}</property> For Confluence, set the following properties in confluence.cfg.xml: <property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.algorithm.AlgorithmSecretStore</property> <property name="hibernate.connection.password">{"sealedObjectFilePath":"javax.crypto.SealedObject_1234567890","keyFilePath":"javax.crypto.spec.SecretKeySpec_1234567890"}</property>
When encrypting your password, the encryption tool generates three files and prints the output JSON object that you'll later add to the bamboo.cfg.xml
file. The next step discusses how to secure those files.
Secure the generated files
The cipher tool generates the following files:
javax.crypto.SealedObject_[timestamp]
– file containing the encrypted passwordjavax.crypto.spec.SecretKeySpec_[timestamp]
– key used to encrypt your password (also required to decrypt your password)java.security.AlgorithmParameters_[timestamp]
– algorithm parameters used to encrypt your password (also required to recreate an encrypted password)
Bamboo must be able to access and read those files to decrypt your password and connect to the database.
Change the permissions on the files generated by the tool so that they are read-only
to the user running Bamboo.
Optionally, export the paths to generated files as environment variables
To secure the encrypted password and encryption key even further, you can store paths to the files in environment variables. If the paths aren't present in the bamboo.cfg.xml
file, Bamboo will automatically look for them in the following environment variables:
com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_spec_SecretKeySpec
com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_SealedObject
To do this, export the paths to the encrypted password and encryption key files to the environment variables listed above. For example:
export com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_spec_SecretKeySpec=/home/bamboo/javax.crypto.spec.SecretKeySpec_123456789
export com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_SealedObject=/home/bamboo/javax.crypto.SealedObject_123456789
Add the encrypted password to bamboo.cfg.xml
To add the encrypted password to the bamboo.cfg.xml
file:
- In the
bamboo.cfg.xml
file, replace the content of the<property name="hibernate.connection.password">
tag with the output JSON object according to your chosen method of storing the paths to files generated by the encryption tool:If you stored the paths to the encrypted password and encryption key as environment variables, set the content of the tag to an empty JSON object as follows:
<property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.algorithm.AlgorithmSecretStore</property> <property name="hibernate.connection.password">{}</property>
If you didn’t use environment variables and want to save the file paths directly to
bamboo.cfg.xml
, set the content of the tag as follows:<property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.algorithm.AlgorithmSecretStore</property> <property name="hibernate.connection.password">{"sealedObjectFilePath":"javax.crypto.SealedObject_1621327067811","keyFilePath":"javax.crypto.spec.SecretKeySpec_1621327067777"}</property>
To avoid JSON parsing errors, escape backslashes and change double quotes (") surrounding the path to single quotes ('). For example:
<property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.algorithm.AlgorithmSecretStore</property> <property name="hibernate.connection.password">{"sealedObjectFilePath":'C:\\bamboo\\javax.crypto.SealedObject_123456789',"keyFilePath":"'C:\\bamboo\\javax.crypto.spec.SecretKeySpec_123456789'"}</property>
- Restart Bamboo.
Decrypting the database password
To decrypt the database password:
Run the encryption tool with the -m decrypt parameter:
java -jar atlassian-secrets-cli.jar -config=db -m decrypt
- When asked for the JSON object, provide the one from your
bamboo.cfg.xml
file.
Recreating an encrypted password
When you lose the encrypted password and encrypt the plain text password once again, the new encrypted password will look different. This isn’t an issue, as the newly encrypted password will still represent the same plain text password. However, in some cases, you might want to retain consistency. For example, by having the same encrypted password for all Bamboo Data Center nodes.
To encrypt the password in the exact same way as you did before, you’ll need the key used to encrypt the original password and the algorithm parameters. Both of these were generated by the encryption tool and saved in the following files:
- Key:
javax.crypto.spec.SecretKeySpec_[timestamp]
- Algorithm parameters:
java.security.AlgorithmParameters_[timestamp]
Once you've located these files, you can point the encryption tool to their location by using two extra fields in the JSON object. Below you can find the description of these fields and a sample JSON object.
Field | Description |
---|---|
keyFilePath | Path to a file that contains the key used to encrypt your original password. For example:
If you stored the file path as environment variable, you can omit this parameter. |
algorithmParametersFilePath | Path to a file that contains the algorithm parameters used to encrypt your original password. For example:
|
Example of a JSON object with all fields:
{"plainTextPassword":"yourPassword", "algorithm":"AES/CBC/PKCS5PADDING", "algorithmKey":"AES", "algorithmParametersFilePath":"java.security.AlgorithmParameters_123456789", "keyFilePath":"javax.crypto.spec.SecretKeySpec_123456789"}
To encrypt the password, follow the steps in the Encrypting the database password section, and use the JSON object with they key and algorithm parameters.
Troubleshooting
Reverting the changes
To revert the changes, remove the <atlassian-password-cipher-provider>
tag from the bamboo.cfg.xml
file, and change the encrypted password to a plain text one.
502 Bad Gateway error after restarting Bamboo
To investigate this problem, go to <bamboo-home>/logs/atlassian-bamboo.log
, and check the lines after HikariPool-1 - Starting.
You’ll probably see the following messages:
ERROR [main] [HikariPool] HikariPool-1 - Exception during pool initialization. org.postgresql.util.PSQLException: FATAL: password authentication failed for user [DB_USER]
FATAL [main] [BootstrapLoaderListener] Fatal error has occurred during startup. This node will now go down com.atlassian.bamboo.setup.FatalBootstrapException: Failed to acquire primary cluster lock
This means that Bamboo decrypted the password successfully, but the password itself is incorrect.
To verify this:
Open the
bamboo.cfg.xml
file, and copy the encrypted password.Check if the decrypted password is the same as the one in your backup
bamboo.cfg.xml
file.