AES 暗号化

このページの内容

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

This method provides more security as you don't have to store the encrypted password anywhere in the configuration file, which makes it difficult for unauthorized parties to find and decrypt it.

パスワードを暗号化する

In this method, you’ll use AlgorithmCipher that allows you to choose the algorithm used to encrypt the sensitive information in the bitbucket.properties file.

Before you begin: Prepare the JSON object

You’ll need to provide all arguments required to encrypt the sensitive data in a JSON object. Prepare beforehand by using the information and examples below.

フィールド説明
plainTextPasswordプレーン テキストのパスワード。
algorithm

以下のアルゴリズムから1つ選択します。

  • AES/CBC/PKCS5Padding
  • DES/CBC/PKCS5Padding
  • DESede/CBC/PKCS5Padding
algorithmKey

アルゴリズム キーは上記で選択したアルゴリズムと一致している必要があります。

  • AES
  • DES
  • DESede

Using this information, prepare the appropriate JSON for the sensitive data to be encrypted, for example:

{"plainTextPassword":"secret","algorithm":"AES/CBC/PKCS5PADDING",
"algorithmKey":"AES"}

以下の手順を実行するときは、この JSON を使用できるようにしておいてください。

Step 1. Encrypt the sensitive data

データベースのパスワードを暗号化するときは、以下のテーブルに示すように、いくつかのオプションの引数を指定できます。

引数

説明

-c,--class <arg>

Canonical class name of the encoder provider. Leave empty to use the default: com.atlassian.secrets.store.base64.Base64SecretStore

-h,--help

これらのオプションの引数を表示するヘルプ メッセージを出力します。

-m,--mode <arg>

Use 'encrypt' to encode (default) or 'decrypt' to decode your provided password.

-p,--password <arg>

暗号化したいプレーンテキストのパスワード。このパラメーターを省略すると、コンソールからパスワードの入力を求められます。

-s,--silent

最低限の情報をログに出力します。

To encrypt the database password, follow the steps below.

  1. <Bitbucket-installation-directory>/tools/atlassian-password に移動します。

  2. 次のコマンドを実行して、データベース パスワードを暗号化します。上記のオプション パラメーターも使用できます。

    java -cp "./*" com.atlassian.secrets.cli.db.DbCipherTool -c com.atlassian.secrets.store.algorithm.AlgorithmSecretStore

    When prompted for a password enter the prepared JSON object based on the information from Before you begin.
    Note: the JSON object must be entered as a single line.
    When this command runs successfully, you will see output similar to the output below:

    2023-10-13 00:30:49,016 main INFO [com.atlassian.secrets.DefaultSecretStoreProvider] Initiating secret store class: com.atlassian.secrets.store.algorithm.AlgorithmSecretStore
    2023-10-13 00:30:50,811 main DEBUG [secrets.store.algorithm.AlgorithmSecretStore] Initiate AlgorithmCipher
    2023-10-13 00:30:50,891 main DEBUG [secrets.store.algorithm.AlgorithmSecretStore] Encrypting data...
    2023-10-13 00:30:50,950 main DEBUG [store.algorithm.serialization.EnvironmentVarBasedConfiguration] Will try to read file path from environment variable under: com_atlassian_db_config_password_ciphers_algorithm_java_security_AlgorithmParameters
    2023-10-13 00:30:50,951 main DEBUG [store.algorithm.serialization.EnvironmentVarBasedConfiguration] Nothing found under environment variable.
    2023-10-13 00:30:51,093 main DEBUG [store.algorithm.serialization.UniqueFilePathGenerator] Will use generated name: java.security.AlgorithmParameters_1234567890
    2023-10-13 00:30:51,108 main DEBUG [secrets.store.algorithm.AlgorithmSecretStore] Name of generated file with algorithm params used for encryption: java.security.AlgorithmParameters_1234567890
    2023-10-13 00:30:51,111 main DEBUG [store.algorithm.serialization.EnvironmentVarBasedConfiguration] Will try to read file path from environment variable under: com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_spec_SecretKeySpec
    2023-10-13 00:30:51,111 main DEBUG [store.algorithm.serialization.EnvironmentVarBasedConfiguration] Nothing found under environment variable.
    2023-10-13 00:30:51,220 main DEBUG [store.algorithm.serialization.UniqueFilePathGenerator] Will use generated name: javax.crypto.spec.SecretKeySpec_1234567890
    2023-10-13 00:30:51,245 main DEBUG [store.algorithm.serialization.SerializationFile] Saved file: javax.crypto.spec.SecretKeySpec_1234567890
    2023-10-13 00:30:51,353 main DEBUG [store.algorithm.serialization.UniqueFilePathGenerator] Will use generated name: javax.crypto.SealedObject_1234567890
    2023-10-13 00:30:51,357 main DEBUG [store.algorithm.serialization.SerializationFile] Saved file: javax.crypto.SealedObject_1234567890
    2023-10-13 00:30:51,369 main DEBUG [secrets.store.algorithm.AlgorithmSecretStore] Encryption done.
    Success!
    For Jira, set the following properties in dbconfig.xml:
    
    <atlassian-password-cipher-provider>com.atlassian.secrets.store.algorithm.AlgorithmSecretStore</atlassian-password-cipher-provider>
    <password>{"sealedObjectFilePath":"javax.crypto.SealedObject_1234567890","keyFilePath":"javax.crypto.spec.SecretKeySpec_1234567890"}</password>
    
    For Bitbucket, set the following properties in bitbucket.properties:
    
    jdbc.password.decrypter.classname=com.atlassian.secrets.store.algorithm.AlgorithmSecretStore
    jdbc.password={"sealedObjectFilePath":"javax.crypto.SealedObject_1234567890","keyFilePath":"javax.crypto.spec.SecretKeySpec_1234567890"}
    
    For Bamboo, set the following properties in bamboo.cfg.xml:
    
    <property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.algorithm.AlgorithmSecretStore</property>
    <property name="hibernate.connection.password">{"sealedObjectFilePath":"javax.crypto.SealedObject_1234567890","keyFilePath":"javax.crypto.spec.SecretKeySpec_1234567890"}</property>
    
    For Confluence, set the following properties in confluence.cfg.xml:
    
    <property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.algorithm.AlgorithmSecretStore</property>
    <property name="hibernate.connection.password">{"sealedObjectFilePath":"javax.crypto.SealedObject_1234567890","keyFilePath":"javax.crypto.spec.SecretKeySpec_1234567890"}</property>

When encrypting your data, the encryption tool generates three files and prints the output JSON object that you'll later add to the bitbucket.properties file. The next step discusses how to secure those files. 

ステップ 2. 生成されたファイルを保護する

パスワードを暗号化すると、3 つのファイルが生成されます。

  • javax.crypto.SealedObject_[timestamp]
    暗号化されたパスワードを含むファイル。

  • javax.crypto.spec.SecretKeySpec_[timestamp] 
    パスワードの暗号化に使用されたキー。このファイルは、パスワードを復号化するために必要です。

  • java.security.AlgorithmParameters_[timestamp]
    The algorithm parameters used to encrypt your password. You will need this file only if you want to recreate an encrypted password

If you're running Bitbucket in a cluster, the files should be available to all nodes via the same path. Bitbucket needs to be able to access and read those files to decrypt your password and connect to the database. Change the permissions on the files generated by the tool so that they are read-only to the user running Bitbucket.

Step 3. Add the encrypted data to bitbucket.properties

To add the encrypted data:

  1. <home-directory>/shared/bitbucket.properties ファイルをバックアップします。バックアップをインスタンスの外部の安全な場所に移動します。

  2. In the bitbucket.properties file, add or modify the encrypted-property.cipher.classname property to contain:

    com.atlassian.secrets.store.algorithm.AlgorithmSecretStore
  3. In the bitbucket.properties file, add or modify the jdbc.password property to contain the fully qualified path to the two files prefixed with {ENC}:

    {ENC}{"sealedObjectFilePath":"/home/bitbucket/javax.crypto.SealedObject_1234567890","keyFilePath":"/home/bitbucket/javax.crypto.spec.SecretKeySpec_1234567890"}
  4. Once updated, check that the bitbucket.properties contains:

    encrypted-property.cipher.classname=com.atlassian.secrets.store.algorithm.AlgorithmSecretStore
    jdbc.password={ENC}{"sealedObjectFilePath":"/home/bitbucket/javax.crypto.SealedObject_1234567890","keyFilePath":"/home/bitbucket/javax.crypto.spec.SecretKeySpec_1234567890"}
  5. Restart Bitbucket.

Decrypt the sensitive data

機密データを復号化する方法。

  1. Extend the command used earlier with the -m decrypt parameter:

    java -cp "./*" com.atlass ian.secrets.cli.db.DbCipherTool -c com.atlassian.secrets.store.algorithm.AlgorithmSecretStore -m decrypt
  2. When asked for a password, provide the JSON object from your bitbucket.properties file without the {ENC} prefix. 

    {"sealedObjectFilePath":"/home/bitbucket/javax.crypto.SealedObject_1234567890","keyFilePath":"/home/bitbucket/javax.crypto.spec.SecretKeySpec_1234567890"}

コマンドを実行すると、シークレットが復号化されて次のように出力されます。

2023-10-13 05:01:14,203 main INFO [com.atlassian.secrets.DefaultSecretStoreProvider] Initiating secret store class: com.atlassian.secrets.store.algorithm.AlgorithmSecretStore
2023-10-13 05:01:15,991 main DEBUG [secrets.store.algorithm.AlgorithmSecretStore] Initiate AlgorithmCipher
2023-10-13 05:01:16,068 main DEBUG [secrets.store.algorithm.AlgorithmSecretStore] Decrypting data...
2023-10-13 05:01:16,250 main DEBUG [secrets.store.algorithm.AlgorithmSecretStore] Decryption done.
Success! Decrypted password using cipher provider: com.atlassian.secrets.store.algorithm.AlgorithmSecretStore decrypted password: secret


Recreate encrypted data

If you lose an encrypted password and try to encrypt the plaintext password once again, the new encrypted password will look different. This is not an issue, as it will still represent the same plaintext password. However, in some cases, you might want to keep it consistent, for example by having the same encrypted password when a Bitbucket instance is migrated to another server.

以前とまったく同じ方法でパスワードを暗号化するには、元のパスワードの暗号化に使用したキーとアルゴリズム パラメータが必要です。いずれもも暗号化ツールによって生成され、以下のファイルに保存されています。

  • Key: javax.crypto.spec.SecretKeySpec_[timestamp]
  • Algorithm parameters: java.security.AlgorithmParameters_[timestamp]

これらのファイルを見つけたら、JSON オブジェクトにある 2 つの追加フィールドによって暗号化ツールにその場所を指し示せます。 

フィールド説明
keyFilePath

Path to a file that contains the key used to encrypt your original password, e.g. javax.crypto.spec.SecretKeySpec_[timestamp].

ファイル パスを環境変数として保存した場合、このパラメータを省略できます。

algorithmParametersFilePath

Path to a file that contains the algorithm parameters used to encrypt your original password, e.g. java.security.AlgorithmParameters_[timestamp].

{"plainTextPassword":"secret","algorithm":"AES/CBC/PKCS5PADDING","algorithmKey":"AES","algorithmParametersFilePath":"/home/bitbucket/java.security.AlgorithmParameters_1234567890","keyFilePath":"/home/bitbucket/javax.crypto.spec.SecretKeySpec_1234567890"}

To encrypt the password, follow the steps in the first step, Encrypt the password, and use the JSON object with the key and algorithm parameters.

トラブルシューティング

Bitbucket fails to start after enabling database password encryption...

This means that Bitbucket couldn't connect to the database to access your configuration, most probably because of an error with decrypting your password.

To solve this problem, examine the log files:

  • <Bitbucket_home_directory>/log/atlassian-bitbucket.log

  • <Bitbucket_home_directory>/log/atlassian-launcher.log

and look for the cause preventing startup, namely DataSourcePasswordDecryptionException.

例:

com.atlassian.stash.internal.jdbc.DatasourcePasswordDecryptionException: java.lang.IllegalArgumentException: <>

This exception contains details about the error. If the error is java.lang.IllegalArgumentException, you will need to encrypt the password again. 

  • If the error is related to missing files, there might be a problem with your environment variables. They could have been deleted, or have not been set correctly. To verify that, try adding file paths to the JSON object in the bitbucket.properties file.

  • If you’re seeing some Bouncy Castle errors, you will need to encrypt the password again.

'A fatal error has occurred' message displayed after restarting Bitbucket...

To investigate this problem, open <Bitbucket_home_directory>/log/atlassian-bitbucket.log, and check for JdbcSQLExceptions. The messages should be pretty clear as to what went wrong.

You’ll likely see the following message:

 Wrong user name or password [28000-176]

This means that Bitbucket decrypted the password successfully, but the password itself is incorrect. You can verify that by completing these steps:

  1. Open the bitbucket.properties file, and copy the encrypted password.

  2. パスワードを復号化します

  3. Check if the decrypted password is the same as the one in your backup bitbucket.properties file.

Disable database password encryption and revert changes...

To disable database password encryption, remove the encrypted-property.cipher.classname property from the bitbucket.properties file, and change the encrypted password to the plaintext one.

最終更新日 2024 年 9 月 24 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.