AES encryption


In this method, you'll use AlgorithmCipher, which lets you choose the algorithm used to encrypt sensitive information in the bitbucket.properties file.

Before you begin: Prepare the JSON object

You’ll need to provide all arguments required to encrypt the sensitive data in a JSON object. Prepare beforehand by using the information and examples below.

Field descriptions:

  • plainTextPassword: the plain text password.

  • algorithm: choose one of the following algorithms:
    • AES/CBC/PKCS5Padding
    • DES/CBC/PKCS5Padding
    • DESede/CBC/PKCS5Padding

  • algorithmKey: the algorithm key must match the algorithm chosen above:
    • AES
    • DES
    • DESede

Sample JSON object:

    {"plainTextPassword":"yourPassword","algorithm":"AES/CBC/PKCS5PADDING","algorithmKey":"AES"}

Step 1. Encrypt the sensitive data

Let's look at an example of encrypting your database password.

  1. Go to <Bitbucket-installation-directory>/tools/atlassian-password.

  2. Run the following command to encrypt the password:

    java -cp "./*" com.atlassian.db.config.password.tools.CipherTool -c com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher

    Optional arguments:

    • --silent, -s: limits logging to a minimum.

    • --help, -h: prints a help message with all parameters.

    • --mode, -m: defines how the password is processed, either encrypt or decrypt. If omitted, "encrypt" is used.

    • --password, -p: the JSON object with the required arguments. If omitted, you'll be prompted for the password. We recommend omitting this parameter so that the password is not stored in your terminal history.

  3. After running the command, you'll be asked to provide the required arguments in a JSON object in a single line. Prepare it based on the information from Before you begin.

When encrypting your data, the encryption tool generates three files and prints the output JSON object that you'll later add to the bitbucket.properties file. The next step discusses how to secure those files. 

Step 2. Secure the generated files

Change the permissions on the files generated by the tool so that they are read-only to the user running Bitbucket. Note that if a multi-node cluster is in use, then the files should be available on the same path for all nodes. Bitbucket needs the encrypted property to configure cluster-wide settings such as the database password.

The following files are generated:

  • javax.crypto.SealedObject_[timestamp]
    The file containing the encrypted password.

  • javax.crypto.spec.SecretKeySpec_[timestamp]
    The key used to encrypt the password. This file is required to decrypt the password.

  • java.security.AlgorithmParameters_[timestamp]
    The algorithm parameters used to encrypt your password. You will need this file only if you want to recreate an encrypted password.
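
The lock-down described in this step, as an added example (this is not an Atlassian script): it moves the three generated files into a directory of their own, makes each one readable only by its owner, and reports anything in that directory that is not owner-read-only, which is the check to repeat on every node of a cluster. It assumes the files are in the current directory and that the caller passes the destination directory and the Bitbucket service account name (empty to leave ownership unchanged).

```shell
#!/bin/sh
# Added example, not Atlassian's own tooling: secure the files that CipherTool
# writes (SealedObject, SecretKeySpec, AlgorithmParameters). Assumptions: the
# files are in the current directory; DEST and OWNER come from the caller.

# True when the file's permission bits are exactly 0400 (owner read-only).
# find's -perm with a plain octal mode means "exactly", on GNU and BSD alike.
is_owner_readonly() {
    [ -n "$(find "$1" -perm 0400 2>/dev/null)" ]
}

# secure_cipher_files DEST OWNER FILE...
# Moves each FILE into DEST (created with mode 0700), sets the file to 0400
# and, when OWNER is not empty, chowns directory and file to OWNER. Prints
# the new path of every file; returns 1 if any file could not be secured.
secure_cipher_files() {
    dest="$1"; owner="$2"; shift 2
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    [ -n "$owner" ] && chown "$owner" "$dest"
    status=0
    for f in "$@"; do
        target="$dest/$(basename "$f")"
        mv "$f" "$target" || { status=1; continue; }
        chmod 400 "$target"
        [ -n "$owner" ] && chown "$owner" "$target"
        if is_owner_readonly "$target"; then
            printf '%s\n' "$target"
        else
            echo "could not secure $target" >&2
            status=1
        fi
    done
    return $status
}

# List files under DIR that are not owner-read-only; empty output means clean.
# Run this on every node of a multi-node cluster, since the page requires the
# files to sit at the same path on each node.
insecure_files_in() {
    find "$1" -type f ! -perm 0400
}

# Typical use (constructed): run as root in tools/atlassian-password after
# Step 1, with "bitbucket" as the account that runs the service.
#   secure_cipher_files /var/atlassian/cipher bitbucket \
#       javax.crypto.SealedObject_* javax.crypto.spec.SecretKeySpec_* \
#       java.security.AlgorithmParameters_*
#   insecure_files_in /var/atlassian/cipher
```

The paths printed by secure_cipher_files are the ones to put in the JSON object in Step 4 (or in the environment variables of Step 3); the AlgorithmParameters file is secured in the same way even though Bitbucket does not read it, because it is the input needed to recreate the encrypted value later.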

Step 3. (Optional) Store file paths as environment variables

This step is optional and only applies if you're on a version below 8.11.

You can store the paths to the generated files as environment variables. If the paths aren't present in the bitbucket.properties file and jdbc.password is an empty JSON object ({}), AlgorithmCipher looks for them in the environment. That way the file paths are not stored in bitbucket.properties, which makes the files used for encryption harder to locate.

  1. Store the paths to the two generated files in environment variables. You don't need to add the file with the algorithm parameters, because AlgorithmCipher does not use it to decrypt the password. Set the following environment variables to the correct values in every script used to launch your Bitbucket instance:

    com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_spec_SecretKeySpec
    com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_SealedObject
  2. Edit the output from Step 1, Encrypt the sensitive data, and remove the paths to the files. The decrypter class name and password should match the following:

    jdbc.password.decrypter.classname=com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher
    jdbc.password={}

Step 4. Add the encrypted data to bitbucket.properties

  1. Go to the Bitbucket home directory and back up the bitbucket.properties file. Move the backup to a safe place, ideally outside your instance.

  2. Based on your Bitbucket version, do one of the following:
    1. For versions on 8.11+, in the bitbucket.properties file, replace the application property with the output JSON object with {ENC} prefixed to the value. The properties should look like the following:  

      encrypted-property.cipher.classname=com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher
      jdbc.password={ENC}{"sealedObjectFilePath":"/home/bitbucket/javax.crypto.SealedObject_123456789","keyFilePath":"/home/bitbucket/javax.crypto.spec.SecretKeySpec_123456789"}


    2. For versions below 8.11, in the bitbucket.properties file, replace the jdbc.password property with the output JSON object. Depending on whether you're using environment variables or not, adjust the JSON object to one of the following examples:

      1. If you're storing file paths as environment variables, remove the paths from the output. The properties should look like the following:

        jdbc.password.decrypter.classname=com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher
        jdbc.password={}
      2. If you're not using environment variables and want to keep file paths in the bitbucket.properties file, make sure you update the paths after moving the files to a secure place. The properties should look like the following:

        jdbc.password.decrypter.classname=com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher
        jdbc.password={"sealedObjectFilePath":"/home/bitbucket/javax.crypto.SealedObject_123456789","keyFilePath":"/home/bitbucket/javax.crypto.spec.SecretKeySpec_123456789"}
  3. Restart Bitbucket.
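
Before restarting, it is worth confirming that the properties file and the environment agree with what Steps 3 and 4 describe, since a missing file or an unset variable only shows up as a failed start. The following check is an added example, not part of Atlassian's tooling: it reads jdbc.password together with the two class-name properties documented above, works out which of the documented layouts is in use (8.11+ {ENC} prefix, pre-8.11 file paths, or pre-8.11 environment variables), and verifies that the SealedObject and SecretKeySpec files it resolves actually exist and are readable. The property names, JSON field names and environment variable names are the ones from this page; the sample properties content in the usage comment is constructed.

```shell
#!/bin/sh
# Added example (not Atlassian's own script): pre-restart consistency check of
# an encrypted jdbc.password in bitbucket.properties.

# Print the value of KEY (a "key=value" line) from a properties file.
prop_value() {
    # $1 = properties file, $2 = key; dots in the key are escaped for sed.
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^$key=//p" "$1" | head -n 1
}

# Extract a string field from a single-line JSON object; prints nothing if the
# field is absent. Sufficient for the flat objects CipherTool emits.
json_field() {
    # $1 = JSON text, $2 = field name
    printf '%s\n' "$1" | sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p"
}

# Classify the configuration. Prints one of:
#   enc-prefixed  8.11+: {ENC}-prefixed JSON plus encrypted-property.cipher.classname
#   file-paths    below 8.11: JSON with paths plus jdbc.password.decrypter.classname
#   env-vars      below 8.11: jdbc.password={} and paths in the environment
#   plain         no encryption configured
#   invalid       cipher class and password value do not belong together
classify_config() {
    props="$1"
    pw=$(prop_value "$props" jdbc.password)
    new_cls=$(prop_value "$props" encrypted-property.cipher.classname)
    old_cls=$(prop_value "$props" jdbc.password.decrypter.classname)
    case "$pw" in
        "{ENC}"*) [ -n "$new_cls" ] && echo enc-prefixed || echo invalid ;;
        "{}")     [ -n "$old_cls" ] && echo env-vars || echo invalid ;;
        "{"*)     [ -n "$old_cls" ] && echo file-paths || echo invalid ;;
        *)        if [ -n "$new_cls" ] || [ -n "$old_cls" ]; then echo invalid; else echo plain; fi ;;
    esac
}

# Resolve the SealedObject and SecretKeySpec paths the way AlgorithmCipher
# would (JSON fields, or the environment when the object is {}) and confirm
# both files are readable. Returns 0 when consistent, 1 otherwise.
check_config() {
    props="$1"
    mode=$(classify_config "$props")
    pw=$(prop_value "$props" jdbc.password)
    case "$mode" in
        enc-prefixed|file-paths)
            json=${pw#"{ENC}"}
            sealed=$(json_field "$json" sealedObjectFilePath)
            key=$(json_field "$json" keyFilePath)
            ;;
        env-vars)
            sealed=${com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_SealedObject:-}
            key=${com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_spec_SecretKeySpec:-}
            ;;
        plain)  return 0 ;;
        *)      echo "jdbc.password and cipher class properties are inconsistent" >&2; return 1 ;;
    esac
    for f in "$sealed" "$key"; do
        if [ -z "$f" ] || [ ! -r "$f" ]; then
            echo "missing or unreadable cipher file: ${f:-<unset>}" >&2
            return 1
        fi
    done
    return 0
}

# Usage (constructed): run as the Bitbucket service account so that the
# readability test reflects the permissions set in Step 2.
#   check_config /var/atlassian/application-data/bitbucket/bitbucket.properties \
#       && echo "cipher configuration consistent"
```

Running the check as the service account rather than as root matters: root can read a file whose permissions would stop Bitbucket from reading it, and that is exactly the case the troubleshooting section describes as a missing-file decryption error.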

Decrypt the sensitive data

To decrypt the sensitive data, extend the command used earlier with the -m decrypt parameter:

java -cp "./*" com.atlassian.db.config.password.tools.CipherTool -c com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher -m decrypt

When asked for a password, based on your Bitbucket version, do one of the following:

  • For versions on 8.11+, provide the JSON object from your bitbucket.properties file without the {ENC} prefix.

    {"sealedObjectFilePath":"/home/bitbucket/javax.crypto.SealedObject_123456789","keyFilePath":"/home/bitbucket/javax.crypto.spec.SecretKeySpec_123456789"}


  • For versions below 8.11, provide the JSON object from your bitbucket.properties file.

    Sample JSON object when using file paths:
    {"sealedObjectFilePath":"/home/bitbucket/javax.crypto.SealedObject_123456789","keyFilePath":"/home/bitbucket/javax.crypto.spec.SecretKeySpec_123456789"}

Recreate encrypted data

Let's look at an example of recreating an encrypted database password.

If you lose an encrypted password and try to encrypt the plain text password once again, the new encrypted password will look different. This is not an issue, as it will still represent the same plain text password. However, in some cases, you might want to keep it consistent, for example by having the same encrypted password when a Bitbucket instance is migrated to another server.

To encrypt a password in exactly the same way as before, you need the key and the algorithm parameters that were used to encrypt the original password. Both are generated by the encryption tool and stored in the following files:

  • Key: javax.crypto.spec.SecretKeySpec_[timestamp]
  • Algorithm parameters: java.security.AlgorithmParameters_[timestamp]

Once you've located these files, you can point the encryption tool at them with two additional fields in the JSON object.

Field descriptions:

  • keyFilePath: path to the file that contains the key used to encrypt your original password, e.g. javax.crypto.spec.SecretKeySpec_[timestamp]. If you stored the file paths as environment variables, you can omit this parameter.

  • algorithmParametersFilePath: path to the file that contains the algorithm parameters used to encrypt your original password, e.g. java.security.AlgorithmParameters_[timestamp].

Sample JSON object with all fields:

    {"plainTextPassword":"yourPassword", "algorithm":"AES/CBC/PKCS5PADDING", "algorithmKey":"AES", "algorithmParametersFilePath":"java.security.AlgorithmParameters_123456789", "keyFilePath":"javax.crypto.spec.SecretKeySpec_123456789"}

To encrypt the password, follow Step 1, Encrypt the sensitive data, and use the JSON object that includes the key and algorithm parameters.
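
The JSON object for both cases on this page, the first-time encryption from Before you begin and the recreation described just above, has a few rules that are easy to get wrong at the prompt: the algorithm must be one of the three listed, algorithmKey must match it, and recreating a value needs the parameters file plus either keyFilePath or the SecretKeySpec environment variable. The following helper is an added example, not Atlassian's tooling: it validates those rules, reads the password from standard input so that it never lands in a command line or shell history (the same concern the page raises about --password), and prints the single-line object to paste at CipherTool's prompt. Function names and the legacy-cipher warning are this example's own; the field names, algorithms and environment variable name are the page's.

```shell
#!/bin/sh
# Added example, not Atlassian's own tooling: build and validate the JSON
# object that CipherTool asks for. The plain text password is read from stdin.

# Print the algorithmKey that an algorithm string requires, or fail when the
# algorithm is not one of the three the page lists. Java treats the
# transformation name case-insensitively, so the comparison does too.
algorithm_key_for() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        AES/CBC/PKCS5PADDING)    echo AES ;;
        DES/CBC/PKCS5PADDING)    echo DES ;;
        DESEDE/CBC/PKCS5PADDING) echo DESede ;;
        *)                       return 1 ;;
    esac
}

# Escape a value for use inside a JSON string (backslash and double quote).
json_escape() {
    printf '%s\n' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# build_cipher_json ALGORITHM ALGORITHM_KEY [KEY_FILE] [PARAMS_FILE]
# Validates the field rules and prints the single-line JSON object. Give
# PARAMS_FILE (and KEY_FILE, unless the SecretKeySpec environment variable is
# set) to recreate a previously encrypted value. Returns 1 on any violation.
build_cipher_json() {
    alg="$1"; key="$2"; key_file="${3:-}"; params_file="${4:-}"
    expected=$(algorithm_key_for "$alg") || { echo "unsupported algorithm: $alg" >&2; return 1; }
    if [ "$key" != "$expected" ]; then
        echo "algorithmKey $key does not match $alg (expected $expected)" >&2
        return 1
    fi
    # DES and DESede are legacy ciphers; AES is the choice to make today.
    case "$expected" in
        DES|DESede) echo "warning: $alg is a legacy cipher; prefer AES/CBC/PKCS5Padding" >&2 ;;
    esac
    if [ -n "$params_file" ]; then
        [ -r "$params_file" ] || { echo "algorithmParametersFilePath not readable: $params_file" >&2; return 1; }
        if [ -n "$key_file" ]; then
            [ -r "$key_file" ] || { echo "keyFilePath not readable: $key_file" >&2; return 1; }
        elif [ -z "${com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_spec_SecretKeySpec:-}" ]; then
            echo "keyFilePath omitted but the SecretKeySpec environment variable is not set" >&2
            return 1
        fi
    elif [ -n "$key_file" ]; then
        echo "keyFilePath given without algorithmParametersFilePath" >&2
        return 1
    fi
    IFS= read -r password
    [ -n "$password" ] || { echo "empty password" >&2; return 1; }
    out="{\"plainTextPassword\":\"$(json_escape "$password")\",\"algorithm\":\"$alg\",\"algorithmKey\":\"$key\""
    [ -n "$key_file" ] && out="$out,\"keyFilePath\":\"$key_file\""
    [ -n "$params_file" ] && out="$out,\"algorithmParametersFilePath\":\"$params_file\""
    printf '%s\n' "$out}"
}

# Usage (constructed): the password comes from a file readable only by you,
# never from a command-line argument.
#   build_cipher_json AES/CBC/PKCS5Padding AES < ~/.db-password
#   build_cipher_json AES/CBC/PKCS5Padding AES \
#       /var/atlassian/cipher/javax.crypto.spec.SecretKeySpec_123456789 \
#       /var/atlassian/cipher/java.security.AlgorithmParameters_123456789 < ~/.db-password
```

The printed line is what you paste when CipherTool prompts for the JSON object; the key-file rule is the one the page states, since AlgorithmCipher can take the key from the environment variable but has no such fallback for the algorithm parameters.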

Troubleshooting

Bitbucket fails to start after enabling database password encryption...

This means that Bitbucket couldn't connect to the database to access your configuration, most probably because of an error decrypting your password.

To solve this problem, open <Bitbucket_home_directory>/log/atlassian-bitbucket.log and check for DataSourcePasswordDecryptionException.

Example:

com.atlassian.stash.internal.jdbc.DatasourcePasswordDecryptionException: java.lang.IllegalArgumentException: <>

This exception contains details about the error. If the error is java.lang.IllegalArgumentException, you will need to encrypt the password again. 

  • If the error is related to missing files, there might be a problem with your environment variables. They could have been deleted, or have not been set correctly. To verify that, try adding file paths to the JSON object in the bitbucket.properties file.

  • If you’re seeing some Bouncy Castle errors, you will need to encrypt the password again.

'A fatal error has occurred' message displayed after restarting Bitbucket...

To investigate this problem, open <Bitbucket_home_directory>/log/atlassian-bitbucket.log, and check for JdbcSQLExceptions. The messages should be pretty clear as to what went wrong.

You’ll likely see the following message:

 Wrong user name or password [28000-176]

This means that Bitbucket decrypted the password successfully, but the password itself is incorrect. You can verify that by completing these steps:

  1. Open the bitbucket.properties file, and copy the encrypted password.

  2. Decrypt the password.

  3. Check if the decrypted password is the same as the one in your backup bitbucket.properties file.

Disable database password encryption and revert changes...

To disable database password encryption, remove the jdbc.password.decrypter.classname property from the bitbucket.properties file, and change the encrypted password to the plain text one.

Last updated: July 11, 2024
