Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Artifacts encryption

Mark Hegedus
Mark Hegedus October 8, 2021

Are Bitbucket Pipleines artifacts encrypted at rest? I can't find any information about this in the documentation. I wonder what the best practice is when dealing with potentially sensitive artifacts (for example Terraform plan files, which might contain sensitive data in plain text).

Answer
Watch
Like # people like this
800 views

1 answer

1 accepted

0 votes
Answer accepted
Caroline R
Caroline R
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 12, 2021

Hi, @Mark Hegedus! Welcome to the community! 

Bitbucket Cloud data at rest is currently not encrypted, however, we are in the progress of supporting this and the work is estimated to be completed by Q3 of 2021. This is referenced on our roadmap under the 'Security' section:

Bitbucket encryption at rest
Support for ensuring your repositories are encrypted when on disk

While this is not implemented yet, you can use the secured variables to store the sensitive data instead of directly writing it into the file. From the repository, you can manage repository variables in Repository settings > Pipelines > Repository variables

Secure variables are encrypted at rest using aes128 symmetric keys and stored in AWS DynamoDB tables in us-west-1. They're only ever sent over-the-wire via TLS (encrypted in transit). Bitbucket Pipelines is run in a SOC2 compliant environment, with the compliance report available via https://www.atlassian.com/trust/compliance

The variables are injected into the Docker containers environment variables list, making them available to all processes run from bitbucket pipelines.

Variables are masked in logs when uploaded, so log data never contains sensitive information; however anyone that can modify your build process could encode the value, for example using base64, and that base64 encoded value will not be detected and masked.

I hope this helps, but do let me know if you have any questions. 

Kind regards,
Caroline

View More Comments
Mark Hegedus
Mark Hegedus October 13, 2021

Thank you for your answer. Unfortunately this is not a solution for my use case - working with Terraform -, but I am glad a solution is on the way, and apparently will soon be ready.

Like
Mark Hegedus
Mark Hegedus January 3, 2022

@Caroline RCan you provide any update on this issue? The roadmap you linked still says Q4 2021.

Like
Andreas Steinwachs
Andreas Steinwachs
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
December 19, 2023

For anyone else reading this, encryption at rest was announced in March 2022.

See https://bitbucket.org/blog/bitbucket-cloud-is-encrypted-at-rest

Quote: "We are happy to announce that work has been completed and all source code and customer data stored on Bitbucket now resides on hosts with encryption at rest."

Like
Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
TAGS
AUG Leaders

Atlassian Community Events

    See all events