Advanced database password encryption in Bamboo


To add extra security to your Bamboo instance, you can encrypt the database password that is stored in the configuration file Bamboo uses to access your database. In this advanced method, you use the algorithm-based cipher (AlgorithmSecretStore), which lets you choose the algorithm used to encrypt your password. It provides more protection because the encrypted password does not have to be stored anywhere in the configuration file, which makes it harder to find and decrypt.

This solution is obfuscation and does not provide real security. Bamboo still needs the plain text password to connect to your database, so the configuration contains all the information needed to decrypt the password. An attacker with the same access as Bamboo could recover the password the same way Bamboo does. We recommend that you secure the server where Bamboo and the database reside.


Before you begin

Back up the bamboo.cfg.xml file in a safe location away from your Bamboo server.

Prepare a JSON object that contains all the arguments required to encrypt your password, using the following information:

Field

Description

plainTextPassword

Password in plain text.

algorithm

You can choose one of the following algorithms:
  • AES/CBC/PKCS5Padding
  • DES/CBC/PKCS5Padding
  • DESede/CBC/PKCS5Padding

algorithmKey

The algorithm key must correspond with the algorithm chosen above:
  • AES
  • DES
  • DESede

Example

{"plainTextPassword":"yourPassword","algorithm":"AES/CBC/PKCS5PADDING","algorithmKey":"AES"}

Encrypting the database password

To encrypt your database password, you'll need to:

  1. Encrypt the password
  2. Secure the generated files
  3. Add the encrypted password to bamboo.cfg.xml

Encrypt the password

When you encrypt the database password, you can supply some optional arguments, as shown in the table below.

Argument

Description

-c,--class <arg>

Canonical class name of the cipher. Leave empty to use the default: com.atlassian.secrets.store.base64.Base64SecretStore

-h,--help

Output the help message, which displays these optional arguments

-m,--mode <arg>

Use encrypt (default) or decrypt on your provided password.

-p,--password <arg>

The plaintext password that you want to encrypt. If you omit this parameter, the console will ask you to type the password.

-s,--silent

Log minimum info.

To encrypt the database password, follow the steps below.

  1. Go to <bamboo-installation-directory>/tools/atlassian-password.
  2. Run the following command to encrypt your database password. You can also use the optional parameters described above. 

    java -cp "./*" com.atlassian.secrets.cli.db.DbCipherTool -c com.atlassian.secrets.store.algorithm.AlgorithmSecretStore
  3. When prompted for a password, enter the pre-prepared JSON object based on the information from Before you begin.
    Note: the JSON object must be entered as a single line.

    When this command runs successfully, you will see output similar to the output below: 

    2023-10-13 00:30:49,016 main INFO [com.atlassian.secrets.DefaultSecretStoreProvider] Initiating secret store class: com.atlassian.secrets.store.algorithm.AlgorithmSecretStore
    2023-10-13 00:30:50,811 main DEBUG [secrets.store.algorithm.AlgorithmSecretStore] Initiate AlgorithmCipher
    2023-10-13 00:30:50,891 main DEBUG [secrets.store.algorithm.AlgorithmSecretStore] Encrypting data...
    2023-10-13 00:30:50,950 main DEBUG [store.algorithm.serialization.EnvironmentVarBasedConfiguration] Will try to read file path from environment variable under: com_atlassian_db_config_password_ciphers_algorithm_java_security_AlgorithmParameters
    2023-10-13 00:30:50,951 main DEBUG [store.algorithm.serialization.EnvironmentVarBasedConfiguration] Nothing found under environment variable.
    2023-10-13 00:30:51,093 main DEBUG [store.algorithm.serialization.UniqueFilePathGenerator] Will use generated name: java.security.AlgorithmParameters_1234567890
    2023-10-13 00:30:51,108 main DEBUG [secrets.store.algorithm.AlgorithmSecretStore] Name of generated file with algorithm params used for encryption: java.security.AlgorithmParameters_1234567890
    2023-10-13 00:30:51,111 main DEBUG [store.algorithm.serialization.EnvironmentVarBasedConfiguration] Will try to read file path from environment variable under: com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_spec_SecretKeySpec
    2023-10-13 00:30:51,111 main DEBUG [store.algorithm.serialization.EnvironmentVarBasedConfiguration] Nothing found under environment variable.
    2023-10-13 00:30:51,220 main DEBUG [store.algorithm.serialization.UniqueFilePathGenerator] Will use generated name: javax.crypto.spec.SecretKeySpec_1234567890
    2023-10-13 00:30:51,245 main DEBUG [store.algorithm.serialization.SerializationFile] Saved file: javax.crypto.spec.SecretKeySpec_1234567890
    2023-10-13 00:30:51,353 main DEBUG [store.algorithm.serialization.UniqueFilePathGenerator] Will use generated name: javax.crypto.SealedObject_1234567890
    2023-10-13 00:30:51,357 main DEBUG [store.algorithm.serialization.SerializationFile] Saved file: javax.crypto.SealedObject_1234567890
    2023-10-13 00:30:51,369 main DEBUG [secrets.store.algorithm.AlgorithmSecretStore] Encryption done.
    Success!
    For Jira, set the following properties in dbconfig.xml:
    
    <atlassian-password-cipher-provider>com.atlassian.secrets.store.algorithm.AlgorithmSecretStore</atlassian-password-cipher-provider>
    <password>{"sealedObjectFilePath":"javax.crypto.SealedObject_1234567890","keyFilePath":"javax.crypto.spec.SecretKeySpec_1234567890"}</password>
    
    For Bitbucket, set the following properties in bitbucket.properties:
    
    jdbc.password.decrypter.classname=com.atlassian.secrets.store.algorithm.AlgorithmSecretStore
    jdbc.password={"sealedObjectFilePath":"javax.crypto.SealedObject_1234567890","keyFilePath":"javax.crypto.spec.SecretKeySpec_1234567890"}
    
    For Bamboo, set the following properties in bamboo.cfg.xml:
    
    <property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.algorithm.AlgorithmSecretStore</property>
    <property name="hibernate.connection.password">{"sealedObjectFilePath":"javax.crypto.SealedObject_1234567890","keyFilePath":"javax.crypto.spec.SecretKeySpec_1234567890"}</property>
    
    For Confluence, set the following properties in confluence.cfg.xml:
    
    <property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.algorithm.AlgorithmSecretStore</property>
    <property name="hibernate.connection.password">{"sealedObjectFilePath":"javax.crypto.SealedObject_1234567890","keyFilePath":"javax.crypto.spec.SecretKeySpec_1234567890"}</property>



When encrypting your password, the encryption tool generates three files and prints the output JSON object that you'll later add to the bamboo.cfg.xml file. The next step discusses how to secure those files.

Secure the generated files

The cipher tool generates the following files:

  • javax.crypto.SealedObject_[timestamp] – file containing the encrypted password
  • javax.crypto.spec.SecretKeySpec_[timestamp] – key used to encrypt your password (also required to decrypt your password)
  • java.security.AlgorithmParameters_[timestamp] – algorithm parameters used to encrypt your password (also required to recreate an encrypted password)

Bamboo must be able to access and read those files to decrypt your password and connect to the database.

Change the permissions on the files generated by the tool so that they are read-only to the user running Bamboo.

Optionally, export the paths to generated files as environment variables

To secure the encrypted password and encryption key even further, you can store paths to the files in environment variables. If the paths aren't present in the bamboo.cfg.xml file, Bamboo will automatically look for them in the following environment variables:

  • com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_spec_SecretKeySpec
  • com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_SealedObject

To do this, export the paths to the encrypted password and encryption key files to the environment variables listed above. For example:

export com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_spec_SecretKeySpec=/home/bamboo/javax.crypto.spec.SecretKeySpec_123456789
export com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_SealedObject=/home/bamboo/javax.crypto.SealedObject_123456789

Add the encrypted password to bamboo.cfg.xml

To add the encrypted password to the bamboo.cfg.xml file:

  1. In the bamboo.cfg.xml file, replace the content of the <property name="hibernate.connection.password"> tag with the output JSON object according to your chosen method of storing the paths to files generated by the encryption tool:
    • If you stored the paths to the encrypted password and encryption key as environment variables, set the content of the tag to an empty JSON object as follows:

      <property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.algorithm.AlgorithmSecretStore</property>
      <property name="hibernate.connection.password">{}</property>
    • If you didn’t use environment variables and want to save the file paths directly to bamboo.cfg.xml, set the content of the tag as follows:

      <property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.algorithm.AlgorithmSecretStore</property>
      <property name="hibernate.connection.password">{"sealedObjectFilePath":"javax.crypto.SealedObject_1621327067811","keyFilePath":"javax.crypto.spec.SecretKeySpec_1621327067777"}</property>

      To avoid JSON parsing errors, escape backslashes and change double quotes (") surrounding the path to single quotes ('). For example:

      <property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.algorithm.AlgorithmSecretStore</property>
      <property name="hibernate.connection.password">{"sealedObjectFilePath":'C:\\bamboo\\javax.crypto.SealedObject_123456789',"keyFilePath":"'C:\\bamboo\\javax.crypto.spec.SecretKeySpec_123456789'"}</property>
  2. Restart Bamboo.
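Before restarting, it is worth checking that the configuration and the generated files are consistent with each other. The check below is an added example (not Atlassian's code): it reads the two properties from bamboo.cfg.xml, resolves the sealed-object and key file paths from the JSON object or, when the object is empty, from the environment variables above, and reports anything Bamboo would fail on: a missing decrypter class, unparseable JSON, a missing file, or a file that is not read-only to its owner. It assumes the POSIX form of the configuration (standard double-quoted JSON); the sample configuration and file names are constructed.

```python
import json
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

DECRYPTER = "com.atlassian.secrets.store.algorithm.AlgorithmSecretStore"
ENV_KEY = "com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_spec_SecretKeySpec"
ENV_SEALED = "com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_SealedObject"

# Constructed bamboo.cfg.xml fragment using the "paths in environment variables" form.
SAMPLE_CFG = """<application-configuration><properties>
<property name="jdbc.password.decrypter.classname">%s</property>
<property name="hibernate.connection.password">{}</property>
</properties></application-configuration>""" % DECRYPTER


def check_config(cfg_xml, env):
    # Returns a list of findings; an empty list means Bamboo should be able to decrypt.
    findings = []
    props = {p.get("name"): (p.text or "") for p in ET.fromstring(cfg_xml).iter("property")}
    if props.get("jdbc.password.decrypter.classname") != DECRYPTER:
        findings.append("jdbc.password.decrypter.classname is not " + DECRYPTER)
    try:
        pw = json.loads(props.get("hibernate.connection.password", ""))
    except ValueError as e:
        return findings + ["hibernate.connection.password is not valid JSON: %s" % e]
    # The JSON object names the files; when it is {} Bamboo falls back to the env vars.
    paths = {"sealed object": pw.get("sealedObjectFilePath") or env.get(ENV_SEALED),
             "key": pw.get("keyFilePath") or env.get(ENV_KEY)}
    for label, path in paths.items():
        if not path:
            findings.append("no %s file path in bamboo.cfg.xml or environment" % label)
        elif not os.path.isfile(path):
            findings.append("%s file missing: %s" % (label, path))
        else:
            mode = stat.S_IMODE(os.stat(path).st_mode)
            # Read-only and limited to the Bamboo user means mode 0400.
            if mode != stat.S_IRUSR:
                findings.append("%s file should be mode 0400, is %o: %s" % (label, mode, path))
    return findings


def run_demo():
    # Constructed fixture: the two generated files, named as the tool names them, at mode 0400.
    d = tempfile.mkdtemp()
    env = {ENV_KEY: os.path.join(d, "javax.crypto.spec.SecretKeySpec_123456789"),
           ENV_SEALED: os.path.join(d, "javax.crypto.SealedObject_123456789")}
    for p in env.values():
        open(p, "wb").close()
        os.chmod(p, 0o400)
    before = check_config(SAMPLE_CFG, env)
    os.chmod(env[ENV_KEY], 0o644)  # simulate a careless chmod after generation
    return before, check_config(SAMPLE_CFG, env)
```

Run check_config against your real bamboo.cfg.xml contents and os.environ as the Bamboo user; a non-empty list is the cause of the authentication failure described under Troubleshooting more often than a wrong password is.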

Decrypting the database password

To decrypt the database password:

  1. Run the encryption tool with the -m decrypt parameter:

    java -jar atlassian-secrets-cli.jar -config=db -m decrypt
  2. When asked for the JSON object, provide the one from your bamboo.cfg.xml file.

Recreating an encrypted password

When you lose the encrypted password and encrypt the plain text password once again, the new encrypted password will look different. This isn’t an issue, as the newly encrypted password will still represent the same plain text password. However, in some cases, you might want to retain consistency. For example, by having the same encrypted password for all Bamboo Data Center nodes.

To encrypt the password in the exact same way as you did before, you’ll need the key used to encrypt the original password and the algorithm parameters. Both of these were generated by the encryption tool and saved in the following files:

  • Key: javax.crypto.spec.SecretKeySpec_[timestamp]
  • Algorithm parameters: java.security.AlgorithmParameters_[timestamp]

Once you've located these files, you can point the encryption tool to their location by using two extra fields in the JSON object. Below you can find the description of these fields and a sample JSON object.

Field

Description

keyFilePath

Path to a file that contains the key used to encrypt your original password. For example: javax.crypto.spec.SecretKeySpec_[timestamp]

If you stored the file path as an environment variable, you can omit this parameter.

algorithmParametersFilePath

Path to a file that contains the algorithm parameters used to encrypt your original password. For example: java.security.AlgorithmParameters_[timestamp]

Example of a JSON object with all fields:

{"plainTextPassword":"yourPassword", "algorithm":"AES/CBC/PKCS5PADDING", "algorithmKey":"AES", "algorithmParametersFilePath":"java.security.AlgorithmParameters_123456789", "keyFilePath":"javax.crypto.spec.SecretKeySpec_123456789"}

To encrypt the password, follow the steps in the Encrypting the database password section, and use the JSON object with the key and algorithm parameters.


Troubleshooting

Reverting the changes

To revert the changes, remove the <atlassian-password-cipher-provider> tag from the bamboo.cfg.xml file, and change the encrypted password to a plain text one.

502 Bad Gateway error after restarting Bamboo

To investigate this problem, go to <bamboo-home>/logs/atlassian-bamboo.log, and check the lines after HikariPool-1 - Starting.

You’ll probably see the following messages:

ERROR [main] [HikariPool] HikariPool-1 - Exception during pool initialization. org.postgresql.util.PSQLException: FATAL: password authentication failed for user [DB_USER]
FATAL [main] [BootstrapLoaderListener] Fatal error has occurred during startup. This node will now go down com.atlassian.bamboo.setup.FatalBootstrapException: Failed to acquire primary cluster lock

This means that Bamboo decrypted the password successfully, but the password itself is incorrect.

To verify this:

  1. Open the bamboo.cfg.xml file, and copy the encrypted password.

  2. Decrypt the password.

  3. Check if the decrypted password is the same as the one in your backup bamboo.cfg.xml file.




Last modified on Jul 1, 2024
