Advanced database password encryption



アトラシアン コミュニティをご利用ください。


To add extra security to your Bamboo instance, you can encrypt the database password that is stored in the configuration file used by Bamboo to access your database. In this advanced method, you can use the Cipher algorithm that allows you to choose the algorithm used to encrypt your password. It provides more security as you don't have to store the encrypted password anywhere in the configuration file, which makes it difficult to find and decrypt.

This solution is an obfuscation, which doesn’t assure real security. Bamboo still needs to use the plain text password to connect to your database, so the configuration will contain all the information needed to decrypt the password. An attacker could act like Bamboo to obtain the password. We recommend that you secure the server where Bamboo and the database reside.

On this page:


Back up the bamboo.cfg.xml file in a safe location away from your Bamboo server.

Prepare a JSON object which contains all arguments required to encrypt your password using the following information:

plainTextPasswordプレーン テキストのパスワード。
  • AES/CBC/PKCS5Padding
  • DES/CBC/PKCS5Padding
  • DESede/CBC/PKCS5Padding
algorithmKeyアルゴリズム キーは上記で選択したアルゴリズムと一致している必要があります。
  • AES
  • DES
  • DESede


Encrypting the database password

To encrypt your database password, you'll need to:

Run the encryption tool

To run the encryption tool:

  1. Run the following command from <bamboo-installation-directory>/tools/atlassian-password:

    java -jar atlassian-secrets-cli.jar -config=db

    This command accepts the following optional arguments:

    • --silent -s – limits logging to a minimum
    • --help -h – prints a help message with all parameters
    • --mode -m – defines what to do with the password, either encrypt or decrypt. If omitted, encrypt will be used.
    • --password -p – JSON object with required arguments. If omitted, you'll be asked to enter it. We recommend that you omit this parameter so your password is not stored in the history.
  2. When prompted, provide the required arguments in a JSON object.

Secure the generated files

The cipher tool generates the following files:

  • javax.crypto.SealedObject_[timestamp] – file containing the encrypted password
  • javax.crypto.spec.SecretKeySpec_[timestamp] – key used to encrypt your password (also required to decrypt your password)
  •[timestamp] – algorithm parameters used to encrypt your password (also required to recreate an encrypted password)

Bamboo must be able to access and read those files to decrypt your password and connect to the database.

To secure the generated files, move them to a secure location and set their permissions to read-only.

Optionally, export the paths to generated files as environment variables

To secure the encrypted password and encryption key even further, you can store paths to the files in environment variables. If the paths aren't present in the bamboo.cfg.xml file, Bamboo will automatically look for them in the following environment variables:

  • com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_spec_SecretKeySpec
  • com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_SealedObject

To do this, export the paths to the encrypted password and encryption key files to the environment variables listed above. For example:

export com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_spec_SecretKeySpec=/home/bamboo/javax.crypto.spec.SecretKeySpec_123456789
export com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_SealedObject=/home/bamboo/javax.crypto.SealedObject_123456789

Add the encrypted password to bamboo.cfg.xml

To add the encrypted password to the bamboo.cfg.xml file:

  1. In the bamboo.cfg.xml file, replace the content of the <property name="hibernate.connection.password"> tag with the output JSON object according to your chosen method of storing the paths to files generated by the encryption tool:
    • If you stored the paths to the encrypted password and encryption key as environment variables, set the content of the tag to an empty JSON object as follows:

      <property name="jdbc.password.decrypter.classname"></property>
      <property name="hibernate.connection.password">{}</property>
    • If you didn’t use environment variables and want to save the file paths directly to bamboo.cfg.xml, set the content of the tag as follows:

      <property name="jdbc.password.decrypter.classname"></property>
      <property name="hibernate.connection.password">{"sealedObjectFilePath":"javax.crypto.SealedObject_1621327067811","keyFilePath":"javax.crypto.spec.SecretKeySpec_1621327067777"}</property>

      To avoid JSON parsing errors, escape backslashes and change double quotes (") surrounding the path to single quotes ('). For example:

      <property name="jdbc.password.decrypter.classname"></property>
      <property name="hibernate.connection.password">{"sealedObjectFilePath":'C:\\bamboo\\javax.crypto.SealedObject_123456789',"keyFilePath":"'C:\\bamboo\\javax.crypto.spec.SecretKeySpec_123456789'"}</property>
  2. Bamboo を再起動します。

Decrypting the database password

データベース パスワードを復号化する方法は以下のとおりです。

  1. Run the encryption tool with the -m decrypt parameter:

    java -jar atlassian-secrets-cli.jar -config=db -m decrypt
  2. When asked for the JSON object, provide the one from your bamboo.cfg.xml file.


When you lose the encrypted password and encrypt the plain text password once again, the new encrypted password will look different. This isn’t an issue, as the newly encrypted password will still represent the same plain text password. However, in some cases, you might want to retain consistency. For example, by having the same encrypted password for all Bamboo Data Center nodes.

To encrypt the password in the exact same way as you did before, you’ll need the key used to encrypt the original password and the algorithm parameters. Both of these were generated by the encryption tool and saved in the following files:

  • Key: javax.crypto.spec.SecretKeySpec_[timestamp]
  • Algorithm parameters:[timestamp]

これらのファイルを見つけたら、JSON オブジェクトで 2 つの追加フィールドを使用して暗号化ツールでその場所を指すことができます。これらのフィールドの説明とサンプル JSON オブジェクトは次のとおりです。

Path to a file that contains the key used to encrypt your original password. For example:


ファイル パスを環境変数として保存した場合、このパラメータを省略できます。


Path to a file that contains the algorithm parameters used to encrypt your original password. For example:[timestamp]

Example of a JSON object with all fields:

{"plainTextPassword":"yourPassword", "algorithm":"AES/CBC/PKCS5PADDING", "algorithmKey":"AES", "algorithmParametersFilePath":"", "keyFilePath":"javax.crypto.spec.SecretKeySpec_123456789"}

To encrypt the password, follow the steps in the Encrypting the database password section, and use the JSON object with they key and algorithm parameters.


Reverting the changes

To revert the changes, remove the <atlassian-password-cipher-provider> tag from the bamboo.cfg.xml file, and change the encrypted password to a plain text one.

502 Bad Gateway error after restarting Bamboo

To investigate this problem, go to <bamboo-home>/logs/atlassian-bamboo.log, and check the lines after HikariPool-1 - Starting.


ERROR [main] [HikariPool] HikariPool-1 - Exception during pool initialization. org.postgresql.util.PSQLException: FATAL: password authentication failed for user [DB_USER]
FATAL [main] [BootstrapLoaderListener] Fatal error has occurred during startup. This node will now go down com.atlassian.bamboo.setup.FatalBootstrapException: Failed to acquire primary cluster lock

This means that Bamboo decrypted the password successfully, but the password itself is incorrect.


  1. bamboo.cfg.xml ファイルを開き、暗号化されたパスワードをコピーします。

  2. パスワードを復号化します

  3. 復号化されたパスワードがバックアップの bamboo.cfg.xml ファイルと同じかどうかを確認します。

最終更新日: 2024 年 1 月 17 日


Powered by Confluence and Scroll Viewport.