Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

bamboo cipher keys are seemingly not generated

This question is in reference to Atlassian Documentation: System-wide encryption

Got all Atlassian products on one vm and bamboo on another vm. Enabled inward access on all ports. They're all sharing postgre db.

Application links are fine, shared user directories are fine. Ssh is enabled with default base url. git executable is specified.
I try to create repository link to Bitbucket but

get Unable to read cipher data for 0

Log says:
Database part of instance key is unavailable
Cipher initialisation vector is unavailable

...\bamboo-home\xml-data\configuration\cipher\cipher.key_0 is empty


5 answers

1 accepted

1 vote
Answer accepted

I had several things going wrong:

1) The cipher file didn't have write access for the user running the service, which for me, was local_system.
2) The cipher didn't get regenerated on start of service because the public key had been added to Bitbucket and apparently that's how it decides to make a new cipher pair or not. 

my solution:

1) I deleted the cipher file with 0 bytes, just because.  
2) sorted out the permissions properly
3) Removed all records that contained the value bamboo in table: authcode_SSH_PUBLIC_KEY which i found under our stash db.
4) stopped and started the service again. 

Christian advised looking for the records under a bandana table
The keys are stored in the BANDANA table, and the query to delete them is the following:

DELETE FROM BANDANA WHERE BANDANA_KEY='com.atlassian.restricted.instance.cipher.key_0' OR BANDANA_KEY='com.atlassian.restricted.instance.cipher.iv_0'

If there's any data in the database that already has been encrypted, then it won't be accessible anymore because you're missing the cipher already, so you may need to start with a brand new home directory and set up the database from scratch using the setup wizard.


Deleting these keys in the database will destroy the setup, as these keys are the keys used to encrypt the data in the database:

Would NOT recommend this!

....I had no problems with my database.
This was during initial install, there wouldn't have much been much to encrypt - no plans had been configured, there had never been a public / private key combo at that point.


I had the same error. I was running Bamboo and Bitbucket (both configured to run as a windows service) and was able to configure the Application links between them. But when I was trying to create a new plan and link it to a Bitbucket repository it was failing with the below error.


My environment:

  1. Windows 10 x64
  2. atlassian-bitbucket-4.14.1-x64
  3. Git-2.12.0-64-bit
  4. atlassian-bamboo-
  5. External DB - postgresql-9.5.6-2-windows-x64 for both Bamboo and Bitbucket

Stack Trace:

2017-03-05 12:50:38,815 FATAL [http-apr-8085-exec-23] [SecretEncryptionServiceImpl]
java.lang.RuntimeException: java.nio.file.AccessDeniedException: \bamboo-home\xml-data\configuration\cipher\cipher.key_0


2017-03-05 12:50:38,820 FATAL [http-apr-8085-exec-23] [InstanceSecretStorage] Database part of instance key is unavailable

2017-03-05 12:50:38,820 FATAL [http-apr-8085-exec-23] [InstanceSecretStorage] Cipher initialisation vector is unavailable
2017-03-05 12:50:38,821 ERROR [http-apr-8085-exec-23] [CreateChain]
java.lang.IllegalArgumentException: Unable to read cipher data for 0


Actions taken to resolve:

The Bamboo service was running as a Local System user (This happened by default when installing Bamboo using the .exe installer option. Whereas with Bitbucket installer the service was installed with a separate service account which had adequate permissions) which did not have access to bamboo-home\xml-data\configuration\cipher. To fix this I just used created a seperate account with Full  Access permissions to the file-system and configured Bamboo service to run as this user.


I struggled with this issue today after trying to switch from the embedded database to an external one.

Installation would succeed, but after getting to the "Create Plan" page it would fail to create the cipher. My solution on windows was to toggle off readonly for the cipher folder, and apply the changes. 

Immediately following this, submit the "Create Plan" page. Cipher was created correctly and I was able to continue to "Configure Tasks".

If done quickly bamboo wont have time to reset the folder to readonly before the file is created.

Hope this helps.

I just happen to see this question, and found when I had the similar error, got solved by accessing to xml-data\configuration\cipher directory and it asked whether I want to allow permissions to this directory, so did yes. then I was able to create bamboo plan and cipher_key was able to create under this directory.

0 votes

Hi Natasha,

The cipher file should be generated at startup, but if the generation fails (for instance due to lack of permissions), then the cipher file won't be generated and you'll see errors like the one you're seeing.

It'll be best to open a ticket with Bamboo Support via so we can take a look. When you open the ticket, please create a support zip so we can get started right away.



Premier Support Engineer


Thank you Christian, I've submitted request, but just for my own learning:
1) What permissions are needed?
2) By "startup", do you mean during the setup wizard? or start of service?
3) Is there no way to get bamboo/any-Atlassian-product to generate the keys post startup? no genKeys.exe?

Hi Natasha,

  1. As long as the user you're running Bamboo as has write permission on the xml-data/configuration directory that should be sufficient (unless the xml-data/configuration/cipher directory already exists, in which case the user also needs write permission on that one)
  2. "Startup" refers to the start of the service. When Bamboo starts up it checks which upgrade tasks it has to perform to bring the Bamboo database up to a level that matches the version of Bamboo. As part of that it checks whether the encryptable data has been encrypted already, and if not it attempts to generate the cipher and it'll then proceed with encryption using that cipher. Bamboo will continue to attempt to do this every time you restart the application until the process was successful.
  3. There i no way to generate the keys without restarting Bamboo I'm afraid.
Like Paul Winstone likes this

Suggest an answer

Log in or Sign up to answer
Community showcase
Published in Bamboo

Bamboo Data Center is here!

G’day Bamboo customers, The wait is over! Bamboo Data Center edition you have been asking for is finally here! This self-managed enterprise offering of Bamboo has the resilience, reliability, and s...

518 views 1 17
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you