To add extra security to your Bamboo instance, you can encrypt the database password that is stored in the configuration file used by Bamboo to access your database. In this advanced method, you can use the Cipher algorithm that allows you to choose the algorithm used to encrypt your password. It provides more security as you don't have to store the encrypted password anywhere in the configuration file, which makes it difficult to find and decrypt. 

Before you begin

Prepare a JSON object which contains all arguments required to encrypt your password using the following information:

To encrypt your database password:

Step 1: Encrypt the password:

1. Since the Bouncy Castle library is not bundled with Bamboo 9.4, you must ensure that it is included in the classpath when running the Java application. Visit the Bouncy Castle official website and download the latest version of the Bouncy Castle provider JAR file. Look for a file titled like bcprov-jdk15on-*.jar.

2. Place the downloaded JAR file in <Bamboo-installation-directory>/tools/atlassian-password.

3. Execute the following command to encrypt your password. You can also use optional parameters described below. 

   java -cp "./*:bcprov-jdk15on-*.jar" com.atlassian.db.config.password.tools.CipherTool -c com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher

4. If the JAR is located in a different directory, adjust the classpath accordingly: 

   java -cp "./*:path/to/bcprov-jdk15on-*.jar" com.atlassian.db.config.password.tools.CipherTool -c com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher

5. When prompted for "password," please provide the required arguments in a JSON object.

Step 2: Secure the generated files:

1. Secure the generated files:

   Change the permissions on the files generated by the tool so that they are read-only to the user running Bamboo. Bamboo needs to be able to access and read those files to decrypt your password and connect to the database.

   The following files have been generated:

   • javax.crypto.SealedObject_[timestamp] - file with the encrypted password.
   • javax.crypto.spec.SecretKeySpec_[timestamp] - key used to encrypt your password. You will need this file to decrypt your password.
   • java.security.AlgorithmParameters_[timestamp] - algorithm parameters used to encrypt your password. You will need this file only if you wanted to recreate an encrypted password. 

Step 3: (optional) Store file paths as environment variables:

You can store paths to the generated files as environment variables. If the paths aren't present in the bamboo.cfg.xml file, Bamboo will automatically look for them in the specific environment variables. This approach prevents file paths from being stored directly in the bamboo.cfg.xml file, making it more challenging to locate the files used for encryption.

1. Store the two of the generated files as environment variables:
   

   com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_spec_SecretKeySpec
   com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_SealedObject

   Example...

   export com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_spec_SecretKeySpec=/home/bamboo/javax.crypto.spec.SecretKeySpec_123456789
   export com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_SealedObject=/home/bamboo/javax.crypto.SealedObject_123456789

2. Edit the output from Step 1 and remove paths to the files. The final output should look similar to the following JSON object:
   

   <property name="jdbc.password.decrypter.classname">com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher</property>
   <property name="hibernate.connection.password">{}</property>

   
   

Step 4: Adding the encrypted password to bamboo.cfg.xml:

1. Go to Bamboo home directory and back up the bamboo.cfg.xml file. Move the backup to a safe place outside of your Bamboo server.

2. In the bamboo.cfg.xml file, replace the content of the <property name="hibernate.connection.password"> tag with the output JSON object. Depending on whether you used environment variables or not, adjust the JSON object to one of the following examples:

   • If you stored file paths as environment variables, remove the paths from the output. It should look like the following example:
     

     <property name="jdbc.password.decrypter.classname">com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher</property>
     <property name="hibernate.connection.password">{}</property>

   • If you didn't use environment variables and want to stick to file paths in the bamboo.cfg.xml file, make sure you updated them after moving the files to a secure place. The output should look similar to the following example:
     

     <property name="hibernate.connection.driver_class">org.postgresql.Driver</property>
     <property name="hibernate.connection.password">{"sealedObjectFilePath":"<bamboo-install-directory>/tools/atlassian-password/javax.crypto.SealedObject_1747138404053","keyFilePath":"<bamboo-install-directory>/tools/atlassian-password/javax.crypto.spec.SecretKeySpec_1747138404045"}</property>

3. Restart Bamboo.

To decrypt your database password:

1. Run the encryption command with the -m decrypt parameter:

   java -cp "./*" com.atlassian.db.config.password.tools.CipherTool -c com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher -m decrypt

2. When prompted for the JSON object (displayed as "Password" on the screen), enter the value found in your bamboo.cfg.xml file.
   Ensure that the indentation of the JSON object is correct; improper indentation will lead to errors. The correct format for the JSON object is as follows:

   {"sealedObjectFilePath":"/path/to/atlassian-password/javax.crypto.SealedObject_XXXXXXXXXXXX","keyFilePath":"/path/to/atlassian-password/javax.crypto.spec.SecretKeySpec_XXXXXXXXXXXX"}

   Possible error due to JSON indentation

   If you encounter error messages due to incorrect JSON object indentation, such as the following, please review your JSON object and ensure that the indentation matches the example provided above:

   Exception in thread "main" com.google.gson.JsonSyntaxException: com.google.gson.stream.MalformedJsonException: Expected value at line 1 column 25 path $.sealedObjectFilePath

Recreating an encrypted password

When you lose the encrypted password and encrypt the plain text password once again, the new encrypted password will look differently. This is not an issue, as it will still represent the same plain text password. However, in some cases, you might want to keep the consistency, for example by having the same encrypted password for all Bamboo Data Center nodes.

To encrypt the password in the exact same way as you did before, you will need the key used to encrypt the original password and the algorithm parameters. Both of these were generated by the encryption tool and saved in the following files:

• Key: javax.crypto.spec.SecretKeySpec_[timestamp]

• Algorithm parameters: java.security.AlgorithmParameters_[timestamp]

Once you've located these files, you can point the encryption tool to their location by using two extra fields in the JSON object. Below you can find the description of these fields and a sample JSON object.

Example of a JSON object with all fields:

{"plainTextPassword":"yourPassword", "algorithm":"AES/CBC/PKCS5PADDING", "algorithmKey":"AES", "algorithmParametersFilePath":"java.security.AlgorithmParameters_123456789", "keyFilePath":"javax.crypto.spec.SecretKeySpec_123456789"}

To encrypt the password, follow the steps in Step 1, and use the JSON object with they key and algorithm parameters.