Re: [D] Superset 5.0.0 Upgrade — Invalid Decryption Key Error After psycopg2 Fix [superset]

via GitHub Sun, 30 Nov 2025 06:29:14 -0800


GitHub user dosubot[bot] added a comment to the discussion: Superset 5.0.0 
Upgrade — Invalid Decryption Key Error After psycopg2 Fix


<!-- Greeting -->
Hi @inesh25! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the 
superset team.

<!-- Answer -->
There are no changes to encryption/decryption logic or SECRET_KEY handling in 
Superset 5.0.0 that would cause this error—your issue is almost certainly due 
to a mismatch or misconfiguration of the SECRET_KEY, even if it appears 
unchanged. Superset uses SECRET_KEY to encrypt sensitive data, and if the key 
changes or is not set exactly as before, you’ll get decryption errors like the 
one you’re seeing. This can happen if the key is accidentally regenerated, 
whitespace is introduced, or the config is mounted differently after the 
upgrade 
[[source]](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/config.py#L191-L2008)
 [[source]](https://github.com/apache/superset/issues/36107).

To resolve this:

1. **Double-check your SECRET_KEY** in both values.yaml and superset_config.py 
for typos, whitespace, or accidental changes. The value must be identical to 
what was used before the upgrade.
2. If you need to rotate or have changed the key, set both 
`PREVIOUS_SECRET_KEY` (to the old value) and `SECRET_KEY` (to the new value) in 
your Helm `configOverrides`, then run `superset re-encrypt-secrets` during 
initialization. Example Helm config:
   ```yaml
   configOverrides:
     secret: |
       PREVIOUS_SECRET_KEY = 'your_old_key'
       SECRET_KEY = 'your_new_key'
   init:
     command:
       - /bin/sh
       - -c
       - |
         . {{ .Values.configMountPath }}/superset_bootstrap.sh
         superset re-encrypt-secrets
         . {{ .Values.configMountPath }}/superset_init.sh
   ```
   
[[source]](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/docs/docs/installation/kubernetes.mdx#L113-L188)
3. If you can’t recover the previous key, you can clear encrypted fields in the 
database (e.g., set `password` and `encrypted_extra` to NULL in the `dbs` 
table), but you’ll need to re-enter database credentials after 
[[source]](https://github.com/apache/superset/issues/33595).

For best practices: always use a strong, random SECRET_KEY, set it via Helm 
`configOverrides` or environment variable, and never leave it as the default 
[[source]](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/docs/docs/installation/kubernetes.mdx#L113-L188).

Let me know if you need a step-by-step for any of these actions!


<!-- Dosu Comment Footer -->
*To reply, just mention [@dosu](https://go.dosu.dev/dosubot).*

---
<sup>How did I do? 
[Good](https://app.dosu.dev/response-feedback/928237c9-a564-4e56-b321-5325dc2e476e?feedback_type=great_response)
 | 
[Irrelevant](https://app.dosu.dev/response-feedback/928237c9-a564-4e56-b321-5325dc2e476e?feedback_type=irrelevant_answer)
 | 
[Incorrect](https://app.dosu.dev/response-feedback/928237c9-a564-4e56-b321-5325dc2e476e?feedback_type=incorrect_sources)
 | 
[Verbose](https://app.dosu.dev/response-feedback/928237c9-a564-4e56-b321-5325dc2e476e?feedback_type=too_verbose)
 | 
[Hallucination](https://app.dosu.dev/response-feedback/928237c9-a564-4e56-b321-5325dc2e476e?feedback_type=hallucination)
 | [Report 
🐛](https://app.dosu.dev/response-feedback/928237c9-a564-4e56-b321-5325dc2e476e?feedback_type=bug_report)
 | 
[Other](https://app.dosu.dev/response-feedback/928237c9-a564-4e56-b321-5325dc2e476e?feedback_type=other)</sup>

[![Chat with 
Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/a28d3c7e-a9d3-459e-9fb6-3a6f9ff4f357/ask?utm_source=github)&nbsp;[![Open
 in 
Cursor](https://dosu.dev/dosu-in-cursor.svg)](https://cursor.com/link/prompt?text=There%20are%20no%20changes%20to%20encryption/decryption%20logic%20or%20SECRET_KEY%20handling%20in%20Superset%205.0.0%20that%20would%20cause%20this%20error%E2%80%94your%20issue%20is%20almost%20certainly%20due%20to%20a%20mismatch%20or%20misconfiguration%20of%20the%20SECRET_KEY%2C%20even%20if%20it%20appears%20unchanged.%20Superset%20uses%20SECRET_KEY%20to%20encrypt%20sensitive%20data%2C%20and%20if%20the%20key%20changes%20or%20is%20not%20set%20exactly%20as%20before%2C%20you%E2%80%99ll%20get%20decryption%20errors%20like%20the%20one%20you%E2%80%99re%20seeing.%20This%20can%20happen%20if%20the%20key%20is%20accidentally%20regenerated%2C%20whitespace%20is%20introduced%2C%20or%20the%20config%20is%20mounted%20differently%20after%20the%20upgrade%20%5B%5Bsource%5D%
 
5D%28https%3A//github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/config.py%23L191-L2008%29%20%5B%5Bsource%5D%5D%28https%3A//github.com/apache/superset/issues/36107%29.%0A%0ATo%20resolve%20this%3A%0A%0A1.%20%2A%2ADouble-check%20your%20SECRET_KEY%2A%2A%20in%20both%20values.yaml%20and%20superset_config.py%20for%20typos%2C%20whitespace%2C%20or%20accidental%20changes.%20The%20value%20must%20be%20identical%20to%20what%20was%20used%20before%20the%20upgrade.%0A2.%20If%20you%20need%20to%20rotate%20or%20have%20changed%20the%20key%2C%20set%20both%20%60PREVIOUS_SECRET_KEY%60%20%28to%20the%20old%20value%29%20and%20%60SECRET_KEY%60%20%28to%20the%20new%20value%29%20in%20your%20Helm%20%60configOverrides%60%2C%20then%20run%20%60superset%20re-encrypt-secrets%60%20during%20initialization.%20Example%20Helm%20config%3A%0A%20%20%20%60%60%60yaml%0A%20%20%20configOverrides%3A%0A%20%20%20%20%20secret%3A%20%7C%0A%20%20%20%20%20%20%20PREVIOUS_SECRET_KEY%20%3D%20%27your_old_key%
 
27%0A%20%20%20%20%20%20%20SECRET_KEY%20%3D%20%27your_new_key%27%0A%20%20%20init%3A%0A%20%20%20%20%20command%3A%0A%20%20%20%20%20%20%20-%20/bin/sh%0A%20%20%20%20%20%20%20-%20-c%0A%20%20%20%20%20%20%20-%20%7C%0A%20%20%20%20%20%20%20%20%20.%20%7B%7B%20.Values.configMountPath%20%7D%7D/superset_bootstrap.sh%0A%20%20%20%20%20%20%20%20%20superset%20re-encrypt-secrets%0A%20%20%20%20%20%20%20%20%20.%20%7B%7B%20.Values.configMountPath%20%7D%7D/superset_init.sh%0A%20%20%20%60%60%60%0A%20%20%20%5B%5Bsource%5D%5D%28https%3A//github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/docs/docs/installation/kubernetes.mdx%23L113-L188%29%0A3.%20If%20you%20can%E2%80%99t%20recover%20the%20previous%20key%2C%20you%20can%20clear%20encrypted%20fields%20in%20the%20database%20%28e.g.%2C%20set%20%60password%60%20and%20%60encrypted_extra%60%20to%20NULL%20in%20the%20%60dbs%60%20table%29%2C%20but%20you%E2%80%99ll%20need%20to%20re-enter%20database%20credentials%20after%20%5B%5Bsource%5D%5D%28https
 
%3A//github.com/apache/superset/issues/33595%29.%0A%0AFor%20best%20practices%3A%20always%20use%20a%20strong%2C%20random%20SECRET_KEY%2C%20set%20it%20via%20Helm%20%60configOverrides%60%20or%20environment%20variable%2C%20and%20never%20leave%20it%20as%20the%20default%20%5B%5Bsource%5D%5D%28https%3A//github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/docs/docs/installation/kubernetes.mdx%23L113-L188%29.%0A%0ALet%20me%20know%20if%20you%20need%20a%20step-by-step%20for%20any%20of%20these%20actions%21)&nbsp;[![Join
 
Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot)&nbsp;[![Share
 on 
X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/apache/superset/discussions/36340)

GitHub link: 
https://github.com/apache/superset/discussions/36340#discussioncomment-15116974

----
This is an automatically sent email for [email protected].
To unsubscribe, please send an email to: 
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Re: [D] Superset 5.0.0 Upgrade — Invalid Decryption Key Error After psycopg2 Fix [superset]

Reply via email to