Provide an official CLI tool or procedure to decrypt {ATL_SECURED} properties back to plaintext

    • Type: Suggestion
    • Resolution: Unresolved
    • None
    • Component/s: Database Support
    • None

      Problem Statement

      When Bitbucket Data Center encrypts sensitive properties in bitbucket.properties using the secured secrets feature (introduced in 9.2), the original plaintext values are replaced with {ATL_SECURED} and stored as encrypted blobs in $SHARED_HOME/shared/secured/. There is currently no supported method for administrators to decrypt these values back to plaintext.

      This creates a significant operational gap: administrators who need direct database access for manual maintenance tasks (e.g., cluster state cleanup, data verification, emergency troubleshooting) are locked out if the jdbc.password was their only record of the database credentials.

      Provide one or more of the following:
      1. A CLI utility (e.g., bitbucket-decrypt.sh or a Java JAR) that, given the path to the shared home, can decrypt {ATL_SECURED} values and output the plaintext — requiring local filesystem access to the encryption keys as the authentication/authorization barrier
      2. A REST API endpoint (restricted to SYS_ADMIN) that returns decrypted property values on demand
      3. Documentation of the encryption format and key structure sufficient for administrators to perform manual decryption using standard tools (e.g., openssl)

      Workaround:

      Log in using the database admin password.

              Assignee:
              Unassigned
              Reporter:
              Victor Menes
              Votes:
              0
              Watchers:
              1

                Created:
                Updated: