Encrypting passwords in server.xml
To add extra security to your Bamboo instance, you can encrypt passwords that you use to configure Connectors in the Tomcat’s server.xml file.
Before you begin
This solution is an obfuscation, which doesn’t assure real security. Bamboo still needs to use the plain text password to connect to your database, so the configuration will contain all the information needed to decrypt the password. An attacker could act like Bamboo to obtain the password. We recommend that you secure the server where Bamboo and the database reside.
Bamboo provides the following protocols that extend Tomcat protocols with support for password encryption.
Encrypting a single password
Go to <Bamboo-installation-directory>/lib and run the following command:
java -jar atlassian-bamboo-tomcat-utils-<your bamboo version>.jar
Enter your password when prompted.
The encryption tool will generate two files: encryptedPassword and encryptionKey.
Move those files to a safe location. You can also rename the files if you want.
Encrypting multiple passwords for one Connector
If you want to encrypt more than one password for a single Connector, you must use the same encryption key for all of them. After you encrypt your first password, use the generated encryptionKey to encrypt each subsequent password by passing the path to the key to the encryption tool:
java -jar atlassian-bamboo-tomcat-utils-*.jar /path/to/encryptionKey
In this case the encryption tool generates only the encryptedPassword file.
Using encrypted passwords in Connector configuration
To use encrypted passwords in Connector configuration, you need to set up the following properties:
protocol - use one of the Bamboo protocols described above
bambooEncryptionKey - specify the path to the encryptionKey file
Then you can use the path to the appropriate encryptedPassword file in place of the plain text password in the Connector configuration.
For example, the configuration of an Http11Nio2 Connector with encrypted keystore and key passwords might look similar to this:
<Connector
    protocol="com.atlassian.bamboo.tomcat.utils.Http11Nio2ProtocolWithPasswordEncryption"
    port="8443"
    (...)
    keystoreFile="/var/secrets/keystore/keystore"
    keystorePass="/var/secrets/keystore/encryptedKeystorePass"
    keyPass="/var/secrets/keystore/encryptedKeyPass"
    bambooEncryptionKey="/var/secrets/encryptionKey"
/>
Note that only one bambooEncryptionKey is specified, and both keystorePass and keyPass had to be encrypted with the same key.
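The Connector configuration above has two failure modes that are easy to miss during review: a Connector that switches to an encrypting protocol but does not set bambooEncryptionKey, and a keystorePass or keyPass value that is still the password itself rather than the path to an encryptedPassword file. The following script is an added example, not Atlassian's code, that parses a server.xml and reports both, and optionally checks that the referenced key and password files exist and are not readable by group or others. It assumes (not stated on the page) that every Bamboo encrypting protocol class name ends with "WithPasswordEncryption"; the attribute names and the protocol class in the sample come from the page, and the sample XML itself is constructed for this example.

```python
"""Added example (not Atlassian's code): sanity-check Connector entries in a
Tomcat server.xml that use Bamboo's password-encryption protocols.

Assumptions (not from the page): a Connector whose protocol name ends with
"WithPasswordEncryption" is treated as an encrypting protocol. The attribute
names keystorePass, keyPass and bambooEncryptionKey and the protocol class in
the sample are taken from the page; the sample XML is constructed here.
"""
import os
import stat
import xml.etree.ElementTree as ET

PASSWORD_ATTRS = ("keystorePass", "keyPass")

# Constructed sample: the first Connector follows the page's example, the
# second omits bambooEncryptionKey and still carries a plain text password.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector
        protocol="com.atlassian.bamboo.tomcat.utils.Http11Nio2ProtocolWithPasswordEncryption"
        port="8443"
        keystoreFile="/var/secrets/keystore/keystore"
        keystorePass="/var/secrets/keystore/encryptedKeystorePass"
        keyPass="/var/secrets/keystore/encryptedKeyPass"
        bambooEncryptionKey="/var/secrets/encryptionKey"/>
    <Connector
        protocol="com.atlassian.bamboo.tomcat.utils.Http11Nio2ProtocolWithPasswordEncryption"
        port="8444"
        keystoreFile="/var/secrets/keystore/keystore"
        keystorePass="changeit"/>
  </Service>
</Server>
"""


def uses_encrypting_protocol(connector):
    """Assumed naming convention for Bamboo's encrypting protocol classes."""
    return connector.get("protocol", "").endswith("WithPasswordEncryption")


def check_secret_file(path):
    """Return findings for one encryptionKey / encryptedPassword file on disk."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s: file does not exist" % path]
    findings = []
    # Both files let anyone who reads them recover the password, so they
    # should be readable by the Bamboo service account only.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("%s: accessible by group or others (mode %o)"
                        % (path, stat.S_IMODE(st.st_mode)))
    return findings


def validate_connectors(server_xml, check_files=False):
    """Return {port: [findings]} for every Connector using an encrypting protocol."""
    root = ET.fromstring(server_xml)
    report = {}
    for conn in root.iter("Connector"):
        if not uses_encrypting_protocol(conn):
            continue
        port = conn.get("port", "?")
        findings = []
        key_path = conn.get("bambooEncryptionKey")
        if key_path is None:
            findings.append("bambooEncryptionKey is not set")
        elif check_files:
            findings.extend(check_secret_file(key_path))
        for attr in PASSWORD_ATTRS:
            value = conn.get(attr)
            if value is None:
                continue
            # With an encrypting protocol the value must be a path to an
            # encryptedPassword file, never the password itself.
            if not os.path.isabs(value):
                findings.append("%s=%r is not an absolute path to an "
                                "encryptedPassword file" % (attr, value))
            elif check_files:
                findings.extend(check_secret_file(value))
        report[port] = findings
    return report


if __name__ == "__main__":
    for port, findings in validate_connectors(SAMPLE_SERVER_XML).items():
        print("Connector %s: %s" % (port, "OK" if not findings else "; ".join(findings)))
```

Run it against a real file with `validate_connectors(open("server.xml").read(), check_files=True)` on the Bamboo host itself, since the file checks only make sense where the key and password files actually live.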