System-wide encryption in Bamboo
Data encrypted at rest
The following data is encrypted:
- variables that include keywords such as "secret" and "password". These variables will also be obfuscated in the UI,
- shared credentials,
- credentials stored in the repository configuration (keys, passwords and passphrases).
This data is encrypted in the database and in the backups.
Encryption of data in transit
Bamboo relies on transport-level encryption for security of data in transit.
In the case of remote agents, this means that Bamboo must be configured with SSL for the JMS and web interfaces. In case of elastic agents, the encrypted tunnel (automatically set up by Bamboo) provides security out of the box.
Manual encryption
Bamboo 6.9 and later allows you to manually encrypt your sensitive data and later use it in repository-stored Bamboo Specs. For more information see Bamboo Specs encryption.
If you're a Bamboo administrator, you can enable/disable and configure the sensitive data encryption feature by going to > Security > Security settings and changing the System-wide encryption section.
Encryption algorithm
The data is encrypted with AES algorithm using a key length of 256 bits. Both the key and the initialization vector are automatically generated using a secure random source when first used.
Key storage
The encryption key is stored in the database and on the filesystem. Both the filesystem and the database key parts are required to perform successful decryption.
The key part stored on your filesystem is located under BAMBOO-HOME/shared/
configuration/cipher
.
Data recovery
In case a part of your key is lost, your credentials will no longer be available and nothing can be done to recover them.