Anyone know how to encrypt the dbconfig.xml password?

You can do it as follows for AES key which falls in FIPS 140.2

- Typing json argument in terminal is not a good idea (as it won't be visible to you). You can open any text editor and prepare json in that, (replace <PASSWORD> with your original password)

{"plainTextPassword":"<PASSWORD>", "algorithm":"AES/CBC/PKCS5PADDING", "algorithmKey":"AES"}

- Move to Jira Installation directory

$ cd /<jira_installation_directory>/bin

- Write this java command,

java -cp "./*" com.atlassian.db.config.password.tools.CipherTool -c com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher

- If everything works fine in above command it will prompt you with text "Enter Password:", now copy whole text from your editor (json) that you created and paste it in terminal. It is will not show you anything in terminal but content is there. You just need to hit <return> key and your password related files will be generated

- You can use following command to confirm, it will show you recently generated files directory in the end

$ ls -lrt

- If you are not comfortable with pasting content in terminal and not seeing it, you can pass your json as parameter to above command also.

java -cp "./*" com.atlassian.db.config.password.tools.CipherTool -c com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher -p <YOUR_FULL_JSON_HERE>

- But if you are using this method make sure you remove this command from your terminal/shell history

I hope this helps. Also note that this feature was made available after Jira 8.0. This won't work if you are using earlier version of Jira.

I forgot to add the password cipher line to the dbconfig.  Now it no longer gives me errors but it acts as if it's a new install and wants me to set up a new DB

@Christopher Gronde 

There is dbconfig.xml file inside you Jira Home directory. And it contains

<password>your_plan_text_password</password>

You need to replace this with JSON Object that points to your encrypted files location. Something like this

<password>{"sealedObjectFilePath":"<safe_location>/javax.crypto.SealedObject_....", "keyFilePath":"<safe_location>/javax.crypto.spec.SecretKeySpec_...."}</password>

This will tell Jira where to look for encrypted password and what spec you used to encrypt your password.

Yes, I get "enter password" which I then add the json object which gives me the three output files.  I put those files in a "safe place" and then make them read only.  I don't understand step 4 in https://confluence.atlassian.com/jiracore/advanced-encryption-975040999.html where I have to then add the encrypted password to dbconfig.xml.  I don't understand Replace the <password> tag with the output JSON object.  What output are they talking about?  How do I get that ouput?

What we did,

- Created password related files at mentioned in STEP-1

- Moved all generated to filed to JIRA_USER home directory, and changed its mode to read only.

$ mv javax.crypto.SealedObject* /home/<jira_user>/.config/jira/.
$ mv javax.crypto.spec.SecretKeySpec /home/<jira_user>/.config/jira/.
$ chmod -R 0444 /home/<jira_user>/.config/jira/

- You can also keep java.security.AlgorithmParameters in this directory but it is not essential and only useful during password decryption, or other maintenance activities.

- Now we added path of these file to environment variable as mentioned in STEP-3

$ echo 'export com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_spec_SecretKeySpec=/home/<jira_user>/.config/jira/javax.crypto.spec.SecretKeySpec_123456789' >> /home/<jira_user>/.bash_profile
$ echo 'export com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_SealedObject=/home/<jira_user>/.config/jira/javax.crypto.SealedObject_123456789' >> /home/<jira_user>/.bash_profile

- Sourced these variable in Jira user account, and updated dbconfig.xml file in Jira home directory.

<atlassian-password-cipher-provider>com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher</atlassian-password-cipher-provider>
<password>{}</password>

- And restarted Jira.

In case you get error connecting to DB after restart make use environment variable exists.

Hi guys,

I tried  to insert the encrypted psw in my dbconfig.xml, but jira return in error .

I tried  both method , after to be created the psw encrypted (it is gone OK)
first I tried to add the instruction below in DBCONFIG.XML:
<password>{"sealedObjectFilePath":"/data_mount/atlassian/application-data/jira/javax.crypto.SealedObject_161728585xxxx", "keyFilePath":"/data_mount/atlassian/application-data/jira/javax.crypto.spec.SecretKeySpec_161728585xxxx"}</password> 

But jira's log return in error :
2021-04-02 12:42:31,453+0200 JIRA-Bootstrap INFO [c.a.j.config.database.SystemDatabaseConfigurationLoader] Reading database configuration from /data_mount/atlas
sian/application-data/jira/dbconfig.xml
2021-04-02 12:42:31,493+0200 JIRA-Bootstrap INFO [c.a.j.config.database.DatabaseConfigHandler] Trying to get encrypted password from xml and decrypt it
2021-04-02 12:42:31,494+0200 JIRA-Bootstrap INFO [c.a.j.config.database.DatabaseConfigHandler] Database password decryption not performed.

The second method I tried to add the file javax.crypto.spec.SecretKeySpec_161728585xxxx javax.crypto.SealedObject_161728585xxxx , in enviroment variables
But jira's log return in error : 

2021-04-02 13:15:22,770+0200 JIRA-Bootstrap INFO [c.a.j.config.database.SystemDatabaseConfigurationLoader] Reading database configuration from /data_mount/atlas
sian/application-data/jira/dbconfig.xml
2021-04-02 13:15:22,773+0200 JIRA-Bootstrap INFO [c.a.j.config.database.DatabaseConfigHandler] Trying to get encrypted password from xml and decrypt it
2021-04-02 13:15:22,776+0200 JIRA-Bootstrap ERROR [c.a.d.c.p.ciphers.algorithm.AlgorithmCipher] Runtime Exception thrown when decrypting: DecryptionParameters{s
ealedObjectFilePath='null', keyFilePath='null'}
java.lang.IllegalArgumentException: Missing file path for: javax.crypto.SealedObject

please help me to understand what's  wrong

Hi ,

  I am asked to implement advanced encryption method with AES-GCM. I wanted to clarify is it possible using AES-GCM , since the documentation shows me only AESCBC.

Can anyone clarify if AES-GCM is possible for implementation?

@Christopher GrondeIf you have Java installed, you need to path of JAVA_HOME/bin to your PATH environment variable. You can look into this guide for help.

https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Portal/5.1/html/Installation_Guide/Pre_Requisites-Configuring_Your_Java_Environment.html

RHEL 7 Linux

This implies that you don't have JAVA executable set in your terminal environment.

If you need help setting this value, do let me know what OS you are on (Windows or Linux).

Hello?  Can anyone answer this for me?

What happens if when I try to run the java command in the /bin directory that it tells me:

bash: java: command not found

@Christopher GrondeI was getting the EXACT same error where it was asking for a brand new DB install. It was totally weird. But I too finally figured it out. I just had to enter in the file path of the 2 files that it generated in the BIN folder. By placing C:\\Program Files\\Jira\\bin\\PATH OF FILES.

ok it looks like I fat fingered the file location.  Everything is working now!  Thanks for the help!

Can please share log files and also what you added in dbconfig.xml file.

Also try reverse encryption process to verify that your files contains correct data.

oh!  Got it!  I added that and the cypher line, but now when I start Jira it is acting as if it's a new installation and wants me to set up a new DB.

@Christopher GrondeAfter you enter in

java -cp "./*" com.atlassian.db.config.password.tools.CipherTool -c com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher

 Do you immediately get a "Enter Password" prompt? This is how you know that it worked correctly.

I have step 1 and 2 done but steps 3 and 4 don't make any sense to me.  how do I get the output that goes into dbconfig

@S_ Toyo 

It seems Jira is not able to find file path mentioned in dbconfig.xml files.

{sealedObjectFilePath='javax.crypto.SealedObject_1565824481015', keyFilePath='javax.crypto.spec.SecretKeySpec_1565824480983'}

Where are these files in your system?

Please add full file path to these file, like I mentioned earlier.

{sealedObjectFilePath='/home/jira/javax.crypto.SealedObject_1565824481015', keyFilePath='/home/jira/javax.crypto.spec.SecretKeySpec_1565824480983'}

Like above if files exists in `/home/jira` directory. Also check if they readable to user who is assigned to run Jira. In your case `jira`.

@DPKJI pulled this from my jira log file.

2019-08-14 13:19:34,919 JIRA-Bootstrap INFO [c.a.j.c.cache.pauser.NonClusteredReplicationPauserManager] Non-clustered mode: ReplicationPauserManager implemented by NonClusteredReplicationPauserManager
2019-08-14 13:19:35,950 JIRA-Bootstrap INFO [c.a.j.config.database.SystemDatabaseConfigurationLoader] Reading database configuration from C:\Program Files\Atlassian\Application Data\JIRA\dbconfig.xml
2019-08-14 13:19:35,950 JIRA-Bootstrap INFO [c.a.j.config.database.DatabaseConfigHandler] Trying to get encrypted password from xml and decrypt it
2019-08-14 13:19:35,950 JIRA-Bootstrap DEBUG [c.a.d.config.password.DefaultCipherProvider] Initiate cipher provider class: com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher
2019-08-14 13:19:35,950 JIRA-Bootstrap DEBUG [c.a.d.c.p.ciphers.algorithm.AlgorithmCipher] Initiate AlgorithmCipher
2019-08-14 13:19:35,950 JIRA-Bootstrap DEBUG [c.a.d.c.p.ciphers.algorithm.AlgorithmCipher] Decrypting data...
2019-08-14 13:19:35,950 JIRA-Bootstrap ERROR [c.a.d.c.p.c.algorithm.serialization.SerializationFile] Couldn't read file needed for encryption/decryption. Tried to read file under: javax.crypto.SealedObject_1565824481015
java.io.FileNotFoundException: javax.crypto.SealedObject_1565824481015 (The system cannot find the file specified)
at java.io.FileInputStream.open0(Native Method)
at java.io.FileInputStream.open(FileInputStream.java:195)
at java.io.FileInputStream.<init>(FileInputStream.java:138)
at java.io.FileInputStream.<init>(FileInputStream.java:93)
at com.atlassian.db.config.password.ciphers.algorithm.serialization.SerializationFile.read(SerializationFile.java:31)
at com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher.decrypt(AlgorithmCipher.java:141)
at com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher.decrypt(AlgorithmCipher.java:133)
at com.atlassian.jira.config.database.JdbcDatasource.lambda$parse$0(JdbcDatasource.java:389)
at java.util.Optional.map(Optional.java:215)
at com.atlassian.jira.config.database.JdbcDatasource.parse(JdbcDatasource.java:389)
at com.atlassian.jira.config.database.DatabaseConfigHandler.parseDatasource(DatabaseConfigHandler.java:62)
at com.atlassian.jira.config.database.DatabaseConfigHandler.parse(DatabaseConfigHandler.java:33)
at com.atlassian.jira.config.database.AbstractJiraHomeDatabaseConfigurationLoader.loadDatabaseConfiguration(AbstractJiraHomeDatabaseConfigurationLoader.java:51)
at com.atlassian.jira.config.database.DatabaseConfigurationManagerImpl.getDatabaseConfiguration(DatabaseConfigurationManagerImpl.java:180)
at com.atlassian.jira.startup.BootstrapContainerLauncher.bootstrapJIRAWhenDBIsNotSetup(BootstrapContainerLauncher.java:69)
at com.atlassian.jira.startup.BootstrapContainerLauncher.start(BootstrapContainerLauncher.java:43)
at com.atlassian.jira.startup.DefaultJiraLauncher.preDbLaunch(DefaultJiraLauncher.java:117)
at com.atlassian.jira.startup.DefaultJiraLauncher.lambda$start$0(DefaultJiraLauncher.java:103)
at com.atlassian.jira.util.devspeed.JiraDevSpeedTimer.run(JiraDevSpeedTimer.java:31)
at com.atlassian.jira.startup.DefaultJiraLauncher.start(DefaultJiraLauncher.java:102)
at com.atlassian.jira.startup.LauncherContextListener.initSlowStuff(LauncherContextListener.java:154)
at java.lang.Thread.run(Thread.java:748)
2019-08-14 13:19:35,981 JIRA-Bootstrap ERROR [c.a.d.c.p.ciphers.algorithm.AlgorithmCipher] Runtime Exception thrown when decrypting: DecryptionParameters{sealedObjectFilePath='javax.crypto.SealedObject_1565824481015', keyFilePath='javax.crypto.spec.SecretKeySpec_1565824480983'}
java.lang.RuntimeException: java.io.FileNotFoundException: javax.crypto.SealedObject_1565824481015 (The system cannot find the file specified)
at com.atlassian.db.config.password.ciphers.algorithm.serialization.SerializationFile.read(SerializationFile.java:39)
at com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher.decrypt(AlgorithmCipher.java:141)
at com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher.decrypt(AlgorithmCipher.java:133)
at com.atlassian.jira.config.database.JdbcDatasource.lambda$parse$0(JdbcDatasource.java:389)
at java.util.Optional.map(Optional.java:215)
at com.atlassian.jira.config.database.JdbcDatasource.parse(JdbcDatasource.java:389)
at com.atlassian.jira.config.database.DatabaseConfigHandler.parseDatasource(DatabaseConfigHandler.java:62)
at com.atlassian.jira.config.database.DatabaseConfigHandler.parse(DatabaseConfigHandler.java:33)
at com.atlassian.jira.config.database.AbstractJiraHomeDatabaseConfigurationLoader.loadDatabaseConfiguration(AbstractJiraHomeDatabaseConfigurationLoader.java:51)
at com.atlassian.jira.config.database.DatabaseConfigurationManagerImpl.getDatabaseConfiguration(DatabaseConfigurationManagerImpl.java:180)
at com.atlassian.jira.startup.BootstrapContainerLauncher.bootstrapJIRAWhenDBIsNotSetup(BootstrapContainerLauncher.java:69)
at com.atlassian.jira.startup.BootstrapContainerLauncher.start(BootstrapContainerLauncher.java:43)
at com.atlassian.jira.startup.DefaultJiraLauncher.preDbLaunch(DefaultJiraLauncher.java:117)
at com.atlassian.jira.startup.DefaultJiraLauncher.lambda$start$0(DefaultJiraLauncher.java:103)
at com.atlassian.jira.util.devspeed.JiraDevSpeedTimer.run(JiraDevSpeedTimer.java:31)
at com.atlassian.jira.startup.DefaultJiraLauncher.start(DefaultJiraLauncher.java:102)
at com.atlassian.jira.startup.LauncherContextListener.initSlowStuff(LauncherContextListener.java:154)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.FileNotFoundException: javax.crypto.SealedObject_1565824481015 (The system cannot find the file specified)
at java.io.FileInputStream.open0(Native Method)
at java.io.FileInputStream.open(FileInputStream.java:195)
at java.io.FileInputStream.<init>(FileInputStream.java:138)
at java.io.FileInputStream.<init>(FileInputStream.java:93)

@DPKJ thanks so much! I tried everything and it’s not working. :( it keeps thinking I have Jira CORE for some odd reason.... please let me know if I missed something. We need advanced encryption to meet our fedramp compliance. 

oh! @S_ Toyo I was using basic auth, but I will see in staging what happen when I go with Advance, give me day or two (I got busy in confluence update, lots of security issues in Atlassian updates these days).

@DPKJAny possible response to my previous reply? :(

@DPKJOkay so I tried to place the "Advanced encryption" into my dbconfig.xml file and just place a empty database to see if that would work. And I figure I would just load my data back in when I get to the dashboard.

I got a new page that I never seen before and somehow it things I hava JIRA CORE. When we have JIRA SOFTWARE. Does the Advanced Encryption not working with Jira SOFTWARE? When we revert back again to the BASIC ENCRYPTION we don't get this issue. We are taken straight to our JIRA SOFTWARE dashboard.

@DPKJ we upgraded the jira 8.3. Encryption of the password works fine using the BASIC ENCRYPTION method. But since we need to meet FIPS 140.2 we need the ADVANCED ENCRYPTION a method. :(