Viewing or Updating the Bitbucket Server SSH Private Key

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

The content on this page relates to platforms which are supported; however, the content is out of scope of our Atlassian Support Offerings. Consequently, Atlassian cannot guarantee support. Please be aware that this material is provided for your information only and you may use it at your own risk.

Bitbucket Server runs its own SSH service to enable git over SSH. For this reason, Bitbucket Server generates and uses its own private key file. This article describes where to find the key and how it is used.

Solution

The SSH private key for Bitbucket Server is generated the very first time an SSH-based git request is made to the server. The SSH private key file is generated in the following location:

$BITBUCKET_HOME/shared/config/ssh-server-keys.pem

This key is a 2048-bit RSA key since Bitbucket version 6.7.x. Prior to that, it was a 1024-bit key. If necessary, you can replace this key with your own. Be aware, however, that if this key is changed, preexisting clients will most likely fail to connect when they recognise that the RSA host key for your server has changed.

To replace the key:

  1. Rename the existing key (if you delete this key you will not be able to retrieve it!)

  2. Place a new private key file here with the name ssh-server-keys.pem

    • Note: To have Bitbucket randomly generate a new key instead, you can skip this step and immediately move to step 5

  3. Set the owner to the Bitbucket user and group: chown atlbitbucket:atlbitbucket ssh-server-keys.pem

  4. Set the permissions to make the file readable only by the owner: chmod 400 ssh-server-keys.pem

  5. Restart Bitbucket Server. Note that if you have not replaced the key file, a new key file will be generated the first time that an SSH-based git request is made to the server.
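Steps 1 to 4 above as a shell function, added here as an example and not Atlassian's own script; the function name, its arguments and the backup file naming are assumptions. It checks that the new file looks like a PEM private key before renaming the old one, and copies under umask 077 so the key is never readable by other users.

```shell
#!/bin/sh
# Added example: steps 1-4 of the replacement procedure as one function.
# rotate_host_key, its arguments and the .bak.<timestamp> name are assumptions.
KEY_NAME=ssh-server-keys.pem

rotate_host_key() {
    config_dir=$1   # e.g. "$BITBUCKET_HOME/shared/config"
    new_key=$2      # replacement private key; "" lets Bitbucket generate one
    owner=$3        # e.g. atlbitbucket:atlbitbucket
    key="$config_dir/$KEY_NAME"

    [ -d "$config_dir" ] || { echo "no such directory: $config_dir" >&2; return 1; }
    if [ -n "$new_key" ]; then
        # Refuse anything that does not look like a PEM private key before touching the old one.
        grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$new_key" || {
            echo "not a PEM private key: $new_key" >&2; return 1; }
    fi

    # Step 1: rename, never delete, so the old host key can be restored.
    if [ -f "$key" ]; then
        backup="$key.bak.$(date +%Y%m%d%H%M%S)"
        [ ! -e "$backup" ] || { echo "backup already exists: $backup" >&2; return 1; }
        mv "$key" "$backup" || return 1
        echo "previous key kept as $backup"
    fi

    # Step 2 is skipped when no key is supplied; Bitbucket then generates one
    # on the first SSH-based git request after the restart.
    [ -n "$new_key" ] || return 0

    # Steps 2-4 in a subshell with umask 077: the copy is created owner-only.
    (
        umask 077
        cp "$new_key" "$key" &&
        chown "$owner" "$key" &&
        chmod 400 "$key"
    ) || return 1

    # Print the new fingerprint (if ssh-keygen is installed) to pass on to clients.
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -l -f "$key" </dev/null 2>/dev/null || true
    fi
    return 0
}

# Usage, followed by step 5 (restart Bitbucket Server):
#   rotate_host_key "$BITBUCKET_HOME/shared/config" /path/to/new-key.pem atlbitbucket:atlbitbucket
```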

Note: Data Center installations use a shared NFS mount of $BITBUCKET_HOME/shared, so all nodes of a Data Center instance use the same SSH key. This is the mechanism by which Bitbucket Data Center avoids DNS spoofing issues on the client side in a multi-node setup.

Updated on April 8, 2025
