bamboo cipher keys are seemingly not generated

Natasha Moffat February 20, 2017

This question is in reference to Atlassian Documentation: System-wide encryption

Got all Atlassian products on one vm and bamboo on another vm. Enabled inward access on all ports. They're all sharing postgre db.

Application links are fine, shared user directories are fine. Ssh is enabled with default base url. git executable is specified.
I try to create repository link to Bitbucket but

get Unable to read cipher data for 0


Log says:
Database part of instance key is unavailable
Cipher initialisation vector is unavailable

...\bamboo-home\xml-data\configuration\cipher\cipher.key_0 is empty


hulp.

5 answers

1 accepted

1 vote
Answer accepted
Natasha Moffat February 20, 2017

I had several things going wrong:

1) The cipher file didn't have write access for the user running the service, which for me, was local_system.
2) The cipher didn't get regenerated on start of service because the public key had been added to Bitbucket and apparently that's how it decides to make a new cipher pair or not. 

my solution:

1) I deleted the cipher file with 0 bytes, just because.  
2) sorted out the permissions properly
3) Removed all records that contained the value bamboo in table: authcode_SSH_PUBLIC_KEY which i found under our stash db.
4) stopped and started the service again. 


Christian advised looking for the records under a bandana table
"
The keys are stored in the BANDANA table, and the query to delete them is the following:

DELETE FROM BANDANA WHERE BANDANA_KEY='com.atlassian.restricted.instance.cipher.key_0' OR BANDANA_KEY='com.atlassian.restricted.instance.cipher.iv_0'

If there's any data in the database that already has been encrypted, then it won't be accessible anymore because you're missing the cipher already, so you may need to start with a brand new home directory and set up the database from scratch using the setup wizard.
"

 

Jonas Andersson
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
May 10, 2017

Deleting these keys in the database will destroy the setup, as these keys are the keys used to encrypt the data in the database:

https://community.atlassian.com/t5/Bamboo-questions/Unable-to-read-cipher-data-for-0/qaq-p/584981/comment-id/14723#M14723

Would NOT recommend this!

Natasha Moffat June 11, 2017

....I had no problems with my database.
This was during initial install, there wouldn't have much been much to encrypt - no plans had been configured, there had never been a public / private key combo at that point.

1 vote
Kiran01BM March 4, 2017

Scenario:

I had the same error. I was running Bamboo and Bitbucket (both configured to run as a windows service) and was able to configure the Application links between them. But when I was trying to create a new plan and link it to a Bitbucket repository it was failing with the below error.

 

My environment:

  1. Windows 10 x64
  2. atlassian-bitbucket-4.14.1-x64
  3. Git-2.12.0-64-bit
  4. atlassian-bamboo-5.15.0.1-windows-x64
  5. External DB - postgresql-9.5.6-2-windows-x64 for both Bamboo and Bitbucket

Stack Trace:

2017-03-05 12:50:38,815 FATAL [http-apr-8085-exec-23] [SecretEncryptionServiceImpl]
java.lang.RuntimeException: java.nio.file.AccessDeniedException: \bamboo-home\xml-data\configuration\cipher\cipher.key_0
at com.google.common.base.Throwables.propagate(Throwables.java:160)

 

2017-03-05 12:50:38,820 FATAL [http-apr-8085-exec-23] [InstanceSecretStorage] Database part of instance key is unavailable

2017-03-05 12:50:38,820 FATAL [http-apr-8085-exec-23] [InstanceSecretStorage] Cipher initialisation vector is unavailable
2017-03-05 12:50:38,821 ERROR [http-apr-8085-exec-23] [CreateChain]
java.lang.IllegalArgumentException: Unable to read cipher data for 0

 

Actions taken to resolve:

The Bamboo service was running as a Local System user (This happened by default when installing Bamboo using the .exe installer option. Whereas with Bitbucket installer the service was installed with a separate service account which had adequate permissions) which did not have access to bamboo-home\xml-data\configuration\cipher. To fix this I just used created a seperate account with Full  Access permissions to the file-system and configured Bamboo service to run as this user.

 

0 votes
Matt Campbell October 12, 2017

I struggled with this issue today after trying to switch from the embedded database to an external one.

Installation would succeed, but after getting to the "Create Plan" page it would fail to create the cipher. My solution on windows was to toggle off readonly for the cipher folder, and apply the changes. 

Immediately following this, submit the "Create Plan" page. Cipher was created correctly and I was able to continue to "Configure Tasks".

If done quickly bamboo wont have time to reset the folder to readonly before the file is created.

Hope this helps.

0 votes
Jyothsna October 10, 2017

I just happen to see this question, and found when I had the similar error, got solved by accessing to xml-data\configuration\cipher directory and it asked whether I want to allow permissions to this directory, so did yes. then I was able to create bamboo plan and cipher_key was able to create under this directory.

0 votes
Christian Glockner
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
February 20, 2017

Hi Natasha,

The cipher file should be generated at startup, but if the generation fails (for instance due to lack of permissions), then the cipher file won't be generated and you'll see errors like the one you're seeing.

It'll be best to open a ticket with Bamboo Support via support.atlassian.com so we can take a look. When you open the ticket, please create a support zip so we can get started right away.

Cheers,

Christian

Premier Support Engineer

Atlassian

Natasha Moffat February 20, 2017

Thank you Christian, I've submitted request, but just for my own learning:
1) What permissions are needed?
2) By "startup", do you mean during the setup wizard? or start of service?
3) Is there no way to get bamboo/any-Atlassian-product to generate the keys post startup? no genKeys.exe?

Christian Glockner
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
February 20, 2017

Hi Natasha,

  1. As long as the user you're running Bamboo as has write permission on the xml-data/configuration directory that should be sufficient (unless the xml-data/configuration/cipher directory already exists, in which case the user also needs write permission on that one)
  2. "Startup" refers to the start of the service. When Bamboo starts up it checks which upgrade tasks it has to perform to bring the Bamboo database up to a level that matches the version of Bamboo. As part of that it checks whether the encryptable data has been encrypted already, and if not it attempts to generate the cipher and it'll then proceed with encryption using that cipher. Bamboo will continue to attempt to do this every time you restart the application until the process was successful.
  3. There i no way to generate the keys without restarting Bamboo I'm afraid.
Like Paul Winstone likes this

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events