Secure secrets configuration properties
Secret storage
We introduced secured secrets by default in Confluence 9.1, which automatically secures your secrets. See Secured secrets by default.
After an upgrade, or during a zero-downtime upgrade (ZDU), we'll encrypt system secret values in confluence.cfg.xml replacing them with the placeholder: {ATL_SECURED}. You can expect the following logs to indicate that this process has occurred:
INFO [RMI TCP Connection(2)-127.0.0.1] [confluence.cluster.DefaultClusterConfigurationHelper] lambda$saveSetupConfigIntoSharedHome$9 Writing setup configuration into shared home...
INFO [RMI TCP Connection(2)-127.0.0.1] [confluence.cluster.DefaultClusterConfigurationHelper] lambda$saveSetupConfigIntoSharedHome$9 Finished writing setup configuration into shared home
INFO [RMI TCP Connection(2)-127.0.0.1] [secrets.service.DefaultSecretServiceManagement] reloadConfiguration Re-loading SecretService configuration
INFO [RMI TCP Connection(2)-127.0.0.1] [secrets.service.DefaultSecretService] reconfigure Re-configuring SecretService to use new default backend: ATL_SECRET_AES_256_2025-01-02-012345_12dcb123-cf1a-12ff-123a-1a2c3ddd1b12In case of a rollback, refer to Upgrading Confluence.
Information for customers using other methods
We introduced secured secrets by default in Confluence 9.1. If the database password has previously been encrypted with other methods, such as AES encryption, AWS Secrets Manager, HashiCorp Vault, or a custom implementation, Confluence will re-encrypt the encrypted password, store it using secured secrets by default, and replace the encrypted password in the confluence.cfg.xml file with {ATL_SECURED}.