bamboo cipher keys are seemingly not generated

This question is in reference to Atlassian Documentation: System-wide encryption

Got all Atlassian products on one vm and bamboo on another vm. Enabled inward access on all ports. They're all sharing postgre db.

Application links are fine, shared user directories are fine. Ssh is enabled with default base url. git executable is specified.
I try to create repository link to Bitbucket but get: Unable to read cipher data for 0


Log says:
Database part of instance key is unavailable
Cipher initialisation vector is unavailable

...\bamboo-home\xml-data\configuration\cipher\cipher.key_0 is empty


hulp.

5 answers

1 accepted

I had several things going wrong:

1) The cipher file didn't have write access for the user running the service, which for me, was local_system.
2) The cipher didn't get regenerated on start of service because the public key had been added to Bitbucket and apparently that's how it decides to make a new cipher pair or not. 

my solution:

1) I deleted the cipher file with 0 bytes, just because.  
2) sorted out the permissions properly
3) Removed all records that contained the value bamboo in table: authcode_SSH_PUBLIC_KEY which I found under our stash db.
4) stopped and started the service again. 


Christian advised looking for the records under a bandana table
"
The keys are stored in the BANDANA table, and the query to delete them is the following:

DELETE FROM BANDANA WHERE BANDANA_KEY='com.atlassian.restricted.instance.cipher.key_0' OR BANDANA_KEY='com.atlassian.restricted.instance.cipher.iv_0'

If there's any data in the database that already has been encrypted, then it won't be accessible anymore because you're missing the cipher already, so you may need to start with a brand new home directory and set up the database from scratch using the setup wizard.
"

Deleting these keys in the database will destroy the setup, as these keys are the keys used to encrypt the data in the database:

https://community.atlassian.com/t5/Bamboo-questions/Unable-to-read-cipher-data-for-0/qaq-p/584981/comment-id/14723#M14723

Would NOT recommend this!

....I had no problems with my database.
This was during initial install, there wouldn't have been much to encrypt - no plans had been configured, there had never been a public / private key combo at that point.

0 vote

Hi Natasha,

The cipher file should be generated at startup, but if the generation fails (for instance due to lack of permissions), then the cipher file won't be generated and you'll see errors like the one you're seeing.

It'll be best to open a ticket with Bamboo Support via support.atlassian.com so we can take a look. When you open the ticket, please create a support zip so we can get started right away.

Cheers,

Christian

Premier Support Engineer

Atlassian

Thank you Christian, I've submitted request, but just for my own learning:
1) What permissions are needed?
2) By "startup", do you mean during the setup wizard? or start of service?
3) Is there no way to get bamboo/any-Atlassian-product to generate the keys post startup? no genKeys.exe?

Hi Natasha,

  1. As long as the user you're running Bamboo as has write permission on the xml-data/configuration directory that should be sufficient (unless the xml-data/configuration/cipher directory already exists, in which case the user also needs write permission on that one)
  2. "Startup" refers to the start of the service. When Bamboo starts up it checks which upgrade tasks it has to perform to bring the Bamboo database up to a level that matches the version of Bamboo. As part of that it checks whether the encryptable data has been encrypted already, and if not it attempts to generate the cipher and it'll then proceed with encryption using that cipher. Bamboo will continue to attempt to do this every time you restart the application until the process was successful.
  3. There is no way to generate the keys without restarting Bamboo I'm afraid.
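
The permission requirements described in the reply above can be checked without changing anything on disk. This is an added example, not Atlassian tooling or code from any poster in this thread; `$BambooHome` and `$ServiceName` are placeholder assumptions to be set for the installation being checked.

```powershell
# Added example: read-only diagnostic, changes nothing on disk.
# $BambooHome and $ServiceName are placeholders (assumptions); set them for your install.
param(
    [string]$BambooHome  = 'C:\bamboo-home',   # placeholder path
    [string]$ServiceName = 'Bamboo'            # placeholder service name
)

$writeRight = [System.Security.AccessControl.FileSystemRights]::Write
$configDir  = Join-Path $BambooHome 'xml-data\configuration'
$cipherDir  = Join-Path $configDir 'cipher'
$keyFile    = Join-Path $cipherDir 'cipher.key_0'

# 1. Which account does the service run as? Compare it with the ACLs below.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($svc) { "Service '$ServiceName' runs as: $($svc.StartName)" }
else      { "Service '$ServiceName' not found; check the service name" }

# 2. Which identities have an explicit write entry on each directory?
foreach ($dir in $configDir, $cipherDir) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        "MISSING   $dir"
        continue
    }
    $item     = Get-Item -LiteralPath $dir
    $readOnly = $item.Attributes.HasFlag([System.IO.FileAttributes]::ReadOnly)
    "DIRECTORY $dir (read-only attribute: $readOnly)"
    (Get-Acl -LiteralPath $dir).Access |
        Where-Object { $_.FileSystemRights.HasFlag($writeRight) } |
        ForEach-Object { "  {0,-5} write: {1}" -f $_.AccessControlType, $_.IdentityReference }
}

# 3. A zero-byte key file is the symptom described in the question.
if (Test-Path -LiteralPath $keyFile -PathType Leaf) {
    $len = (Get-Item -LiteralPath $keyFile).Length
    if ($len -eq 0) { "EMPTY     $keyFile (0 bytes)" }
    else            { "PRESENT   $keyFile ($len bytes)" }
} else {
    "ABSENT    $keyFile"
}
```

A service running as Local System is reported as `LocalSystem` by the service query and appears as `NT AUTHORITY\SYSTEM` in the ACL listing. Access granted through group membership shows up under the group's name, so the service account may be covered without being listed itself.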

Scenario:

I had the same error. I was running Bamboo and Bitbucket (both configured to run as a windows service) and was able to configure the Application links between them. But when I was trying to create a new plan and link it to a Bitbucket repository it was failing with the below error.

My environment:

  1. Windows 10 x64
  2. atlassian-bitbucket-4.14.1-x64
  3. Git-2.12.0-64-bit
  4. atlassian-bamboo-5.15.0.1-windows-x64
  5. External DB - postgresql-9.5.6-2-windows-x64 for both Bamboo and Bitbucket

Stack Trace:

2017-03-05 12:50:38,815 FATAL [http-apr-8085-exec-23] [SecretEncryptionServiceImpl]
java.lang.RuntimeException: java.nio.file.AccessDeniedException: \bamboo-home\xml-data\configuration\cipher\cipher.key_0
at com.google.common.base.Throwables.propagate(Throwables.java:160)

2017-03-05 12:50:38,820 FATAL [http-apr-8085-exec-23] [InstanceSecretStorage] Database part of instance key is unavailable

2017-03-05 12:50:38,820 FATAL [http-apr-8085-exec-23] [InstanceSecretStorage] Cipher initialisation vector is unavailable
2017-03-05 12:50:38,821 ERROR [http-apr-8085-exec-23] [CreateChain]
java.lang.IllegalArgumentException: Unable to read cipher data for 0

Actions taken to resolve:

The Bamboo service was running as a Local System user (this happened by default when installing Bamboo using the .exe installer option, whereas with the Bitbucket installer the service was installed with a separate service account which had adequate permissions) which did not have access to bamboo-home\xml-data\configuration\cipher. To fix this I just created a separate account with Full Access permissions to the file-system and configured Bamboo service to run as this user.

I just happened to see this question. When I had a similar error, it was solved by accessing the xml-data\configuration\cipher directory; it asked whether I wanted to allow permissions to this directory, so I said yes. Then I was able to create a Bamboo plan, and cipher_key could be created under this directory.

I struggled with this issue today after trying to switch from the embedded database to an external one.

Installation would succeed, but after getting to the "Create Plan" page it would fail to create the cipher. My solution on Windows was to toggle off readonly for the cipher folder, and apply the changes.

Immediately following this, submit the "Create Plan" page. Cipher was created correctly and I was able to continue to "Configure Tasks".

If done quickly Bamboo won't have time to reset the folder to readonly before the file is created.

Hope this helps.
