高度な暗号化
In this method, you’ll use AlgorithmCipher
that allows you to choose the algorithm used to encrypt your password in Bitbucket Data Center and Server.
Before you begin: Prepare the JSON object
You’ll need to provide all arguments required to encrypt your password in a JSON object. Prepare beforehand by using the information and examples below.
フィールド | 説明 |
---|---|
plainTextPassword | プレーン テキストのパスワード。 |
algorithm | 以下のアルゴリズムから1つ選択します。
|
algorithmKey | アルゴリズム キーは上記で選択したアルゴリズムと一致している必要があります。
|
ステップ 1. パスワードを暗号化する
<Bitbucket-installation-directory>/tools/atlassian-password
に移動します。次のコマンドを実行してパスワードを暗号化します。
java -cp "./*" com.atlassian.db.config.password.tools.CipherTool -c com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher
After running the command, you'll be asked to provide the required arguments in a JSON object in a single line. Prepare it based on the information from Before you begin.
When encrypting your password, the encryption tool generates three files and prints the output JSON object that you'll later add to the bitbucket.properties
file. The next step discusses how to secure those files.
ステップ 2. 生成されたファイルを保護する
Move the files generated by the tool to a secure place. Change them to read-only and accessible only to the user running Bitbucket. Note that if a multi-node cluster is in use, then the files should be available on the same path for all nodes. Bitbucket needs to be able to access and read those files to decrypt your password and connect to the database.
次のファイルが生成されます。
javax.crypto.SealedObject_[timestamp]
暗号化されたパスワードを含むファイル。javax.crypto.spec.SecretKeySpec_[timestamp]
パスワードの暗号化に使用されたキー。このファイルは、パスワードを復号化するために必要です。java.security.AlgorithmParameters_[timestamp]
Algorithm parameters used to encrypt your password. You will need this file only if you want to recreate an encrypted password.
Step 3. (Optional) Store file paths as environment variables
This step is optional. You can store paths to the generated files as environment variables. If the paths aren't present in the bitbucket.properties
file and the jdbc.password
is an empty JSON object ({}
), AlgorithmCipher
will look for them in the environment. This way, file paths are not stored in the file, making it difficult to locate the files used for encryption.
Store the two generated files as environment variables. You don't need to add the file with algorithm parameters, because
AlgorithmCipher
does not use it to decrypt the password. You must set the following environment variables to the correct values in any of the scripts used for launching your Bitbucket instance:com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_spec_SecretKeySpec com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_SealedObject
Edit the output from the first step, Encrypt the password, and remove paths to the files. The decrypter class name and password should match the following:
jdbc.password.decrypter.classname=com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher jdbc.password={}
Step 4. Add the encrypted password to bitbucket.properties
Go to the Bitbucket home directory and back up the bitbucket.properties file. Move the backup to a safe place, ideally outside your instance.
In the
bitbucket.properties
file, replace thejdbc.password
property with the output JSON object. Depending on whether you’re using environment variables or not, adjust the JSON object to one of the following examples:If you’re storing file paths as environment variables, remove the paths from the output. The properties should look like the following:
jdbc.password.decrypter.classname=com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher jdbc.password={}
If you’re not using environment variables and want to stick to file paths in the
bitbucket.properties
file, make sure you update their paths after moving them to a secure place. The properties should look like the following:jdbc.password.decrypter.classname=com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher jdbc.password={"sealedObjectFilePath":"/home/bitbucket/javax.crypto.SealedObject_123456789","keyFilePath":"/home/bitbucket/javax.crypto.spec.SecretKeySpec_123456789"}
WINDOWS You shouldn’t use backslashes in the path to avoid JSON parsing errors. The paths should look like the following example:
jdbc.password.decrypter.classname=com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher jdbc.password={"sealedObjectFilePath":"C:/bitbucket/javax.crypto.SealedObject_123456789","keyFilePath":"C:/bitbucket/javax.crypto.spec.SecretKeySpec_123456789"}
Restart Bitbucket.
パスワードを復号化する
To decrypt an encrypted password, extend the command used earlier with the -m decrypt parameter:
java -cp "./*" com.atlassian.db.config.password.tools.CipherTool -c com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher -m decrypt
When asked for the password, provide the JSON object from your bitbucket.properties
file.
{"sealedObjectFilePath":"/home/bitbucket/javax.crypto.SealedObject_123456789","keyFilePath":"/home/bitbucket/javax.crypto.spec.SecretKeySpec_123456789"}
{}
暗号化されたパスワードを再作成する
If you lose an encrypted password and try to encrypt the plain text password once again, the new encrypted password will look different. This is not an issue, as it will still represent the same plain text password. However, in some cases, you might want to keep it consistent, for example by having the same encrypted password when a Bitbucket instance is migrated to another server.
以前とまったく同じ方法でパスワードを暗号化するには、元のパスワードの暗号化に使用したキーとアルゴリズム パラメータが必要です。いずれもも暗号化ツールによって生成され、以下のファイルに保存されています。
- Key:
javax.crypto.spec.SecretKeySpec_[timestamp]
- Algorithm parameters:
java.security.AlgorithmParameters_[timestamp]
これらのファイルを見つけたら、JSON オブジェクトにある 2 つの追加フィールドによって暗号化ツールにその場所を指し示せます。
フィールド | 説明 |
---|---|
keyFilePath | Path to a file that contains the key used to encrypt your original password, e.g. ファイル パスを環境変数として保存した場合、このパラメータを省略できます。 |
algorithmParametersFilePath | Path to a file that contains the algorithm parameters used to encrypt your original password, e.g. |
To encrypt the password, follow the steps in the first step, Encrypt the password, and use the JSON object with the key and algorithm parameters.