As a CI/CD system, Bamboo stores sensitive data used to authenticate to external systems, such as VCS's, issue trackers and deployment targets. To protect this data, Bamboo uses a central encryption service.
Data encrypted at rest
The following data is encrypted:
- variables that include keywords such as "secret" and "password". These variables will also be obfuscated in the UI,
- shared credentials,
- credentials stored in the repository configuration (keys, passwords and passphrases).
This data is encrypted in the database and in the backups.
Encryption of data in transit
Bamboo relies on transport-level encryption for security of data in transit.
In the case of remote agents, this means that Bamboo must be configured with SSL for the JMS and web interfaces. In case of elastic agents, the encrypted tunnel (automatically set up by Bamboo) provides security out of the box.
Bamboo 6.9 and later allows you to manually encrypt your sensitive data and later use it in repository-stored Bamboo Specs. For more information see Bamboo Specs encryption.
If you're a Bamboo administrator, you can enable/disable and configure the sensitive data encryption feature by going to > Security > Security settings and changing the System-wide encryption section.
The data is encrypted with AES algorithm using a key length of 256 bits. Both the key and the initialization vector are automatically generated using a secure random source when first used.
The encryption key is stored in the database and on the filesystem. Both the filesystem and the database key parts are required to perform successful decryption.
The key part stored on your filesystem is located under
In case a part of your key is lost, your credentials will no longer be available and nothing can be done to recover them.