
Is data on Bitbucket encrypted?

Chrisitian Weilguny July 13, 2015

I'm asking about the file storage itself: If somebody steals the hard disks of the Bitbucket servers, will he be able to just read all the data off of the disks or is the data encrypted and he has to crack the encryption?

3 answers

6 votes
djneades July 20, 2015

Dennis, thank you for your comments. Since Bitbucket is not using whole-disk encryption or any other at-rest encryption for repositories, how do you ensure that data can never be recovered by an unauthorized party from decommissioned disks? A concern here would be disks that are returned to a manufacturer for warranty replacement, for example, or disks that are retired due to a capacity upgrade or non-warrantied fault.

Incidentally, Amazon’s new CodeCommit service makes a feature of encrypting data at rest: ‘our repositories are also automatically encrypted at rest through AWS Key Management Service using customer-specific keys’. It is disappointing that Atlassian doesn’t think this is an important feature. I would argue that at-rest encryption is a near-essential requirement for any repository used to store certificates, private keys, access ids, etc.

jhaggerty
Atlassian Team
August 19, 2015

If you are storing secrets in a repository, I think it's worthwhile encrypting them yourself.

djneades August 20, 2015

I take your point. There is, however, a trade-off between security and convenience. Whole-disk encryption for the repository is a convenient improvement in security. There’s another use case, though, and that’s one that applies to us. That’s where the repository is storing proprietary, company-confidential source code. The entire repository then needs to be treated carefully, with reasonable precautions used to protect it. I may decide to trust Bitbucket, but that doesn’t mean I want to have to trust their hard disk vendors or the refuse collectors handling their decommissioned disks.

2 votes
Chrisitian Weilguny July 20, 2015

Thanks for the comment. I understand that Atlassian has to prioritize their users' needs. As nearly all the products are aimed at business users, I'm wondering why at-rest data encryption does not seem to be a high priority feature. In our case the at-rest encryption of data is a requirement of one of our customers. So this probably means that we have to replace Bitbucket with another solution.

1 vote
Dennis Kromhout van der Meer
Rising Star
July 13, 2015

As with most cloud code management products, Bitbucket’s hard disks are not encrypted at rest. This is due to performance and infrastructure implications, such as recovery of data in the case of catastrophic failure. However, all passwords are hashed and salted. Repositories are kept on disk, but the details on repository ownership and access are kept on separate disks.

We focus on keeping our networks and machines as secure as possible. This includes limited network access and keeping our machines and software up to date against the latest security vulnerabilities. All private data to clients is encrypted in transit via SSL. We update our customers on the latest security updates via our blog. Here are a few examples from the past:

In addition, the event of our hard disks being stolen from the data center is unlikely. Our data center has IC card and biometric authentication with limited access for approved Bitbucket and data center technicians. It’s also equipped with CCTV monitoring and 24/7 on-site security presence against unauthorized entry.

If you have any additional questions, please email security@atlassian.com

Cheers,

Dennis
Bitbucket Product Manager
