dosubot[bot] commented on issue #33595: URL: https://github.com/apache/superset/issues/33595#issuecomment-2913696751
The error you encountered during `superset init` is critical—it prevents Superset from initializing and operating correctly. The root cause is the "Invalid decryption key" error, which happens when Superset tries to decrypt data in the database using a SECRET_KEY that doesn't match the one originally used to encrypt it. This often occurs after changing the SECRET_KEY or migrating environments without properly rotating secrets.

**How to resolve the "Invalid decryption key" error:**

1. **Restore the Previous SECRET_KEY**
   If you changed your SECRET_KEY, you need to provide the previous one so Superset can decrypt existing secrets and re-encrypt them with the new key.
   - Set the previous key in your config (e.g., `superset_config.py`):
     ```python
     PREVIOUS_SECRET_KEY = "your_previous_secret_key"
     ```
   - Or, run the re-encryption command directly:
     ```
     superset re_encrypt_secrets --previous_secret_key=your_previous_secret_key
     ```
   This will rotate your secrets and resolve the decryption error. [Reference](https://github.com/apache/superset/issues/32375)

2. **Set a Strong SECRET_KEY**
   Using the default SECRET_KEY is insecure and not recommended for production. Generate a strong key with:
   ```
   openssl rand -base64 42
   ```
   Then set it in your environment or `superset_config.py` as `SECRET_KEY`. [Reference](https://github.com/apache/superset/blob/master/superset/config.py)

3. **Address the Rate Limiter Warning**
   The warning about in-memory storage for rate limits means your rate limiting is not persistent and is not suitable for production. For production, configure a persistent backend (like Redis) as described in the [Flask-Limiter docs](https://flask-limiter.readthedocs.io#configuring-a-storage-backend).

**Summary:**
- The error is critical and must be fixed for Superset to work.
- You must use the correct previous SECRET_KEY to re-encrypt secrets.
- Always use a strong, unique SECRET_KEY in production.
- For production, configure persistent storage for rate limiting.

If you don't know your previous SECRET_KEY, you may need to restore it from backups or re-create affected connections/secrets.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org

For queries about this service, please contact Infrastructure at: us...@infra.apache.org
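The following is an added example, not part of the comment above and not Superset's own code: a helper for `superset_config.py` that builds `SECRET_KEY` and `PREVIOUS_SECRET_KEY` from the environment and fails closed on a missing, placeholder or short key. The environment variable names, the 32-byte floor, the base64 requirement and the placeholder list are assumptions of this example.

```python
import base64
import binascii
import os
import secrets

# Placeholder strings that must never reach production (constructed list;
# the last entry is the placeholder text used in the comment above).
PLACEHOLDERS = {"", "changeme", "your_previous_secret_key"}
MIN_KEY_BYTES = 32  # assumed floor; `openssl rand -base64 42` yields 42 bytes


def generate_secret_key(nbytes: int = 42) -> str:
    """Python equivalent of `openssl rand -base64 42`."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def decoded_length(key: str) -> int:
    """Number of bytes encoded in a base64 key, or 0 if it is not base64."""
    try:
        return len(base64.b64decode(key, validate=True))
    except (binascii.Error, ValueError):
        return 0


def load_secret_keys(env) -> dict:
    """Build the SECRET_KEY / PREVIOUS_SECRET_KEY settings, failing closed."""
    # Hypothetical variable names; use whatever your deployment injects.
    current = env.get("SUPERSET_SECRET_KEY", "").strip()
    previous = env.get("SUPERSET_PREVIOUS_SECRET_KEY", "").strip()
    if current.lower() in PLACEHOLDERS:
        raise RuntimeError("SECRET_KEY is missing or a placeholder")
    if decoded_length(current) < MIN_KEY_BYTES:
        raise RuntimeError("SECRET_KEY must be base64 of at least 32 bytes")
    settings = {"SECRET_KEY": current}
    if previous:
        if previous == current:
            raise RuntimeError("PREVIOUS_SECRET_KEY equals SECRET_KEY")
        # The old key is not validated: it only has to match what encrypted
        # the existing rows. Remove it once re-encryption has completed.
        settings["PREVIOUS_SECRET_KEY"] = previous
    return settings


# In superset_config.py: globals().update(load_secret_keys(os.environ))
if __name__ == "__main__":
    demo_env = {"SUPERSET_SECRET_KEY": generate_secret_key()}  # constructed input
    print(sorted(load_secret_keys(demo_env)))
```

Keeping both keys out of the config file itself means the file can be committed without leaking them, and the previous key is present only for the duration of the rotation.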