JIRA Security and MYSQL DB encryption

Eduardo Marques April 24, 2017

Hi everybody,

We are currently analysing possibilities of encrypting sensitive information inserted in the JIRA tickets (text and attachments).

We are already using an HTTPS access and an external authentication tool but we would like to improve the security of the information.

We were considering either the acquisition of a specific plugin like Encrypted Field or encryption directly in the JIRA DB (MYSQL). Does JIRA support encrypted databases?

We are currently running JIRA version 6.2.7 but we are thinking of migrating to JIRA 7.0.11 in the near future.

Can anyone share your experiences in making JIRA more secure?

Thank you all for your help.

 

1 answer

1 vote
Daniel Eads _unmonitored account_
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
April 24, 2017

Hi Eduardo,

JIRA doesn't officially support encrypted databases - that is, Atlassian Support can't help if you experience configuration issues with encrypted fields. Some folks are definitely doing it.

A couple items came to mind:

  • Since you're on 6.2, see https://jira.atlassian.com/browse/JRASERVER-23255 for a description of "everyone" filters being accessible to non-logged-in users - something to keep in mind when you upgrade
  • Prevent Anonymous Access is a free plugin intended to fix the above (on versions below the fix version listed in that ticket) as well as keeping people from accessing other pages without being authenticated.

I saw Encrypted Field mentioned in a few other questions, so it looks like you are doing your research. Good luck and let us know how your encyption efforts turn out!

 

Eduardo Marques April 25, 2017

Thanks Daniel.

I will check your links.

Any tips for the database encryption or that's a question more for the DB experts?

 

Best regards.

Daniel Eads _unmonitored account_
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
April 25, 2017

Yes, that sounds right. After reading up a little about MySQL encryption, it seems like you would want to enlist the help of a DBA who has used it before. A few posts noted that you'll take a performance hit encrypting the whole database and it might be worth scoping out to what you mentioned (text in tickets).

Note that attachments are stored on disk, so you can take permissions and encryption steps for those on the filesystem without having to do things to your database.

Suggest an answer

Log in or Sign up to answer