Advanced database password encryption in Bamboo

Securing a database password in Bamboo

このページの内容

関連コンテンツ

  • 関連コンテンツがありません

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

To add extra security to your Bamboo instance, you can encrypt the database password that is stored in the configuration file used by Bamboo to access your database. In this advanced method, you can use the Cipher algorithm that allows you to choose the algorithm used to encrypt your password. It provides more security as you don't have to store the encrypted password anywhere in the configuration file, which makes it difficult to find and decrypt.

This solution is an obfuscation, which doesn’t assure real security. Bamboo still needs to use the plain text password to connect to your database, so the configuration will contain all the information needed to decrypt the password. An attacker could act like Bamboo to obtain the password. We recommend that you secure the server where Bamboo and the database reside.

On this page:

はじめる前に

Back up the bamboo.cfg.xml file in a safe location away from your Bamboo server.

Prepare a JSON object which contains all arguments required to encrypt your password using the following information:

フィールド説明
plainTextPasswordプレーン テキストのパスワード。
algorithm以下のアルゴリズムから1つ選択します。
  • AES/CBC/PKCS5Padding
  • DES/CBC/PKCS5Padding
  • DESede/CBC/PKCS5Padding
algorithmKeyアルゴリズム キーは上記で選択したアルゴリズムと一致している必要があります。
  • AES
  • DES
  • DESede

{"plainTextPassword":"yourPassword","algorithm":"AES/CBC/PKCS5PADDING","algorithmKey":"AES"}

Encrypting the database password

To encrypt your database password, you'll need to:

パスワードを暗号化する

データベースのパスワードを暗号化するときは、以下のテーブルに示すように、いくつかのオプションの引数を指定できます。

引数

説明

-c,--class <arg>

暗号の正規クラス名。初期設定を使用するには空のままにします: com.atlassian.secrets.store.base64.Base64SecretStore

-h,--help

これらのオプションの引数を表示するヘルプ メッセージを出力します。

-m,--mode <arg>

設定したパスワードに対して encrypt (既定) または decrypt を使用します。

-p,--password <arg>

暗号化したいプレーンテキストのパスワード。このパラメーターを省略すると、コンソールからパスワードの入力を求められます。

-s,--silent

最低限の情報をログに出力します。

データベースのパスワードを暗号化するには、以下の手順に従います。

  1. <bamboo-installation-directory>/tools/atlassian-password に移動します。

  2. Run the following command to encrypt your database password. You can also use the optional parameters described above. 

    java -cp "./*" com.atlassian.secrets.cli.db.DbCipherTool -c com.atlassian.secrets.store.algorithm.AlgorithmSecretStore

  3. パスワードの入力を求められたら、始める前にの情報に基づいて事前に準備された JSON オブジェクトを入力します。
    JSON オブジェクトは 1 行で入力する必要があることにご注意ください。

    このコマンドが正常に実行されると、次のような出力が表示されます。 

    2023-10-13 00:30:49,016 main INFO [com.atlassian.secrets.DefaultSecretStoreProvider] Initiating secret store class: com.atlassian.secrets.store.algorithm.AlgorithmSecretStore
2023-10-13 00:30:50,811 main DEBUG [secrets.store.algorithm.AlgorithmSecretStore] Initiate AlgorithmCipher
2023-10-13 00:30:50,891 main DEBUG [secrets.store.algorithm.AlgorithmSecretStore] Encrypting data...
2023-10-13 00:30:50,950 main DEBUG [store.algorithm.serialization.EnvironmentVarBasedConfiguration] Will try to read file path from environment variable under: com_atlassian_db_config_password_ciphers_algorithm_java_security_AlgorithmParameters
2023-10-13 00:30:50,951 main DEBUG [store.algorithm.serialization.EnvironmentVarBasedConfiguration] Nothing found under environment variable.
2023-10-13 00:30:51,093 main DEBUG [store.algorithm.serialization.UniqueFilePathGenerator] Will use generated name: java.security.AlgorithmParameters_1234567890
2023-10-13 00:30:51,108 main DEBUG [secrets.store.algorithm.AlgorithmSecretStore] Name of generated file with algorithm params used for encryption: java.security.AlgorithmParameters_1234567890
2023-10-13 00:30:51,111 main DEBUG [store.algorithm.serialization.EnvironmentVarBasedConfiguration] Will try to read file path from environment variable under: com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_spec_SecretKeySpec
2023-10-13 00:30:51,111 main DEBUG [store.algorithm.serialization.EnvironmentVarBasedConfiguration] Nothing found under environment variable.
2023-10-13 00:30:51,220 main DEBUG [store.algorithm.serialization.UniqueFilePathGenerator] Will use generated name: javax.crypto.spec.SecretKeySpec_1234567890
2023-10-13 00:30:51,245 main DEBUG [store.algorithm.serialization.SerializationFile] Saved file: javax.crypto.spec.SecretKeySpec_1234567890
2023-10-13 00:30:51,353 main DEBUG [store.algorithm.serialization.UniqueFilePathGenerator] Will use generated name: javax.crypto.SealedObject_1234567890
2023-10-13 00:30:51,357 main DEBUG [store.algorithm.serialization.SerializationFile] Saved file: javax.crypto.SealedObject_1234567890
2023-10-13 00:30:51,369 main DEBUG [secrets.store.algorithm.AlgorithmSecretStore] Encryption done.
Success!
For Jira, set the following properties in dbconfig.xml:

<atlassian-password-cipher-provider>com.atlassian.secrets.store.algorithm.AlgorithmSecretStore</atlassian-password-cipher-provider>
<password>{"sealedObjectFilePath":"javax.crypto.SealedObject_1234567890","keyFilePath":"javax.crypto.spec.SecretKeySpec_1234567890"}</password>

For Bitbucket, set the following properties in bitbucket.properties:

jdbc.password.decrypter.classname=com.atlassian.secrets.store.algorithm.AlgorithmSecretStore
jdbc.password={"sealedObjectFilePath":"javax.crypto.SealedObject_1234567890","keyFilePath":"javax.crypto.spec.SecretKeySpec_1234567890"}

For Bamboo, set the following properties in bamboo.cfg.xml:

<property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.algorithm.AlgorithmSecretStore</property>
<property name="hibernate.connection.password">{"sealedObjectFilePath":"javax.crypto.SealedObject_1234567890","keyFilePath":"javax.crypto.spec.SecretKeySpec_1234567890"}</property>

For Confluence, set the following properties in confluence.cfg.xml:

<property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.algorithm.AlgorithmSecretStore</property>
<property name="hibernate.connection.password">{"sealedObjectFilePath":"javax.crypto.SealedObject_1234567890","keyFilePath":"javax.crypto.spec.SecretKeySpec_1234567890"}</property>



When encrypting your password, the encryption tool generates three files and prints the output JSON object that you'll later add to the bamboo.cfg.xml file. The next step discusses how to secure those files.

Secure the generated files

The cipher tool generates the following files:

  • javax.crypto.SealedObject_[timestamp] – file containing the encrypted password
  • javax.crypto.spec.SecretKeySpec_[timestamp] – key used to encrypt your password (also required to decrypt your password)
  • java.security.AlgorithmParameters_[timestamp] – algorithm parameters used to encrypt your password (also required to recreate an encrypted password)

Bamboo must be able to access and read those files to decrypt your password and connect to the database.

Change the permissions on the files generated by the tool so that they are read-only to the user running Bamboo.

Optionally, export the paths to generated files as environment variables

To secure the encrypted password and encryption key even further, you can store paths to the files in environment variables. If the paths aren't present in the bamboo.cfg.xml file, Bamboo will automatically look for them in the following environment variables:

  • com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_spec_SecretKeySpec
  • com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_SealedObject

To do this, export the paths to the encrypted password and encryption key files to the environment variables listed above. For example:

export com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_spec_SecretKeySpec=/home/bamboo/javax.crypto.spec.SecretKeySpec_123456789
export com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_SealedObject=/home/bamboo/javax.crypto.SealedObject_123456789

Add the encrypted password to bamboo.cfg.xml

To add the encrypted password to the bamboo.cfg.xml file:

  1. In the bamboo.cfg.xml file, replace the content of the <property name="hibernate.connection.password"> tag with the output JSON object according to your chosen method of storing the paths to files generated by the encryption tool:

    • If you stored the paths to the encrypted password and encryption key as environment variables, set the content of the tag to an empty JSON object as follows:

      <property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.algorithm.AlgorithmSecretStore</property>
<property name="hibernate.connection.password">{}</property>

    • If you didn’t use environment variables and want to save the file paths directly to bamboo.cfg.xml, set the content of the tag as follows:

      <property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.algorithm.AlgorithmSecretStore</property>
<property name="hibernate.connection.password">{"sealedObjectFilePath":"javax.crypto.SealedObject_1621327067811","keyFilePath":"javax.crypto.spec.SecretKeySpec_1621327067777"}</property>

      To avoid JSON parsing errors, escape backslashes and change double quotes (") surrounding the path to single quotes ('). For example:

      <property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.algorithm.AlgorithmSecretStore</property>
<property name="hibernate.connection.password">{"sealedObjectFilePath":'C:\\bamboo\\javax.crypto.SealedObject_123456789',"keyFilePath":"'C:\\bamboo\\javax.crypto.spec.SecretKeySpec_123456789'"}</property>
  2. Bamboo を再起動します。

Decrypting the database password

データベース パスワードを復号化する方法は以下のとおりです。

  1. Run the encryption tool with the -m decrypt parameter:

    java -jar atlassian-secrets-cli.jar -config=db -m decrypt
  2. When asked for the JSON object, provide the one from your bamboo.cfg.xml file.

暗号化されたパスワードの再作成

When you lose the encrypted password and encrypt the plain text password once again, the new encrypted password will look different. This isn’t an issue, as the newly encrypted password will still represent the same plain text password. However, in some cases, you might want to retain consistency. For example, by having the same encrypted password for all Bamboo Data Center nodes.

To encrypt the password in the exact same way as you did before, you’ll need the key used to encrypt the original password and the algorithm parameters. Both of these were generated by the encryption tool and saved in the following files:

  • Key: javax.crypto.spec.SecretKeySpec_[timestamp]
  • Algorithm parameters: java.security.AlgorithmParameters_[timestamp]

これらのファイルを見つけたら、JSON オブジェクトで 2 つの追加フィールドを使用して暗号化ツールでその場所を指すことができます。これらのフィールドの説明とサンプル JSON オブジェクトは次のとおりです。

フィールド説明
keyFilePath
Path to a file that contains the key used to encrypt your original password. For example:


javax.crypto.spec.SecretKeySpec_[timestamp]

ファイル パスを環境変数として保存した場合、このパラメータを省略できます。

algorithmParametersFilePath

Path to a file that contains the algorithm parameters used to encrypt your original password. For example:

java.security.AlgorithmParameters_[timestamp]

Example of a JSON object with all fields:

{"plainTextPassword":"yourPassword", "algorithm":"AES/CBC/PKCS5PADDING", "algorithmKey":"AES", "algorithmParametersFilePath":"java.security.AlgorithmParameters_123456789", "keyFilePath":"javax.crypto.spec.SecretKeySpec_123456789"}

To encrypt the password, follow the steps in the Encrypting the database password section, and use the JSON object with they key and algorithm parameters.


トラブルシューティング

Reverting the changes

To revert the changes, remove the <atlassian-password-cipher-provider> tag from the bamboo.cfg.xml file, and change the encrypted password to a plain text one.

502 Bad Gateway error after restarting Bamboo

To investigate this problem, go to <bamboo-home>/logs/atlassian-bamboo.log, and check the lines after HikariPool-1 - Starting.

以下のメッセージが表示される場合があります。

ERROR [main] [HikariPool] HikariPool-1 - Exception during pool initialization. org.postgresql.util.PSQLException: FATAL: password authentication failed for user [DB_USER]
FATAL [main] [BootstrapLoaderListener] Fatal error has occurred during startup. This node will now go down com.atlassian.bamboo.setup.FatalBootstrapException: Failed to acquire primary cluster lock

This means that Bamboo decrypted the password successfully, but the password itself is incorrect.

これを確認するには、次の手順に従います。

  1. bamboo.cfg.xml ファイルを開き、暗号化されたパスワードをコピーします。

  2. パスワードを復号化します

  3. 復号化されたパスワードがバックアップの bamboo.cfg.xml ファイルと同じかどうかを確認します。




最終更新日 2024 年 7 月 1 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する

関連コンテンツ

  • 関連コンテンツがありません
Powered by Confluence and Scroll Viewport.