Database password encryption failed in Confluence Data Center with error "libbc-probe.so: failed to map segment from shared object: Operation not permitted"

Summary

When attempting to encrypt the Confluence database password to add extra security (See: AES encryption), and attempting Step 1.2, "Run the following command to encrypt your password", it fails with an error in the command line.

Environment

Confluence Data Center 7.19+

Diagnosis

To confirm if you are hitting this specific issue, please follow these steps:

1. Go to <install-directory>/bin.

2. Run the command to begin the encryption process:

   java -cp "./*" com.atlassian.db.config.password.tools.CipherTool -c com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher

3. A version of the following error will be displayed:

   libbc-probe.so: failed to map segment from shared object: Operation not permitted

Cause

The root cause of the problem is that Java is unable to load the library libbc-probe.so from the /tmp directory.

The issue lies in the operating system's mount point(s), where the {{/tmp}} partition has been mounted asnoexec. Mounting a filesystem as noexec means it does not permit the execution of executable binaries in the mounted filesystem. (See: How do I check if "noexec" flag exists on a Linux OS?)

Solution

To address this situation, there are two approaches:

• Approach 1)

  • Remove the noexec flags in your mount point

• Approach 2)

  • If flag noexec must remain set on the mount point, run the following to change the directory to one with exec permission to allow Java to load the library:

    java -Djava.io.tmpdir=/path/to/tmpdir -cp "./*" com.atlassian.secrets.cli.db.DbCipherTool -c com.atlassian.secrets.store.algorithm.AlgorithmSecretStore

    ℹ️ Make sure you update /path/to/tmpdir in the above example.