dosubot[bot] commented on issue #37842: URL: https://github.com/apache/superset/issues/37842#issuecomment-3877623102
The "Invalid decryption key" error after running `superset re-encrypt-secrets` is almost always due to a mismatch or misconfiguration of the keys used for rotation. The re-encryption command tries to decrypt each secret with the previous key, and if that fails, with the current key. If neither works, you get the error; if the current key works, it silently skips re-encryption for that row, which can make the command appear to succeed even if nothing was actually re-encrypted ([source](https://github.com/apache/superset/discussions/23598), [source](https://github.com/apache/superset/issues/36139), [source](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/utils/encrypt.py#L92-L208)).

Here’s a checklist to help you troubleshoot:

1. **Double-check your keys**: Make sure `PREVIOUS_SECRET_KEY` is exactly the key that was used to encrypt your secrets, and `SECRET_KEY` (or `SUPERSET_SECRET_KEY` env var, which is now preferred) is your new key. Even a single character difference or whitespace will break decryption ([source](https://github.com/apache/superset/discussions/36340#discussioncomment-15122338)).
2. **Verify loaded values**: Use `superset shell` and run:
   ```python
   from flask import current_app
   print(current_app.config["SECRET_KEY"])
   print(current_app.config.get("PREVIOUS_SECRET_KEY"))
   ```
   Do this both in the environment where you run the re-encrypt command and after restart, to confirm the correct keys are loaded.
3. **Try the CLI option**: You can pass the previous key directly to the command:
   ```
   superset re-encrypt-secrets --previous_secret_key=your_previous_secret_key
   ```
   This can help if your config file isn’t being picked up as expected ([source](https://github.com/apache/superset/issues/32375)).
4. **Restart all processes**: After rotation, make sure all Superset processes/pods are restarted so they pick up the new key(s).
5. **Check for config issues**: If you’re using Helm or Kubernetes, ensure only one `configOverrides` block is present, and that your config is not mounted read-only if you need to update it ([source](https://github.com/apache/superset/discussions/23598)).
6. **If you can’t recover the previous key**: The only recovery is to clear encrypted fields (like `password` and `encrypted_extra` in the `dbs` table) and re-enter credentials ([source](https://github.com/apache/superset/discussions/36340#discussioncomment-15122338)).

If you follow these steps and still see the error, please share the output of the config check from `superset shell` and any relevant logs. That will help pinpoint where the key mismatch is happening.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
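
Added example (not part of the original comment and not Superset code): one way to carry out the key checks from steps 1 and 2 of the checklist without printing the secrets themselves, by comparing truncated SHA-256 fingerprints and flagging stray whitespace. The function names, the fingerprint length and the sample values are assumptions made for illustration; inside `superset shell` you would pass `current_app.config` as `config`.

```python
import hashlib

def key_report(value):
    """Summarise one key (length, fingerprint, whitespace) without revealing it."""
    if value is None:
        return None
    raw = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    return {
        "length": len(raw),
        "fingerprint": hashlib.sha256(raw).hexdigest()[:16],
        "edge_whitespace": raw != raw.strip(),
    }

def diagnose(config, expected_previous_fp=None):
    """Return (reports, findings) for the two rotation keys in `config`.

    expected_previous_fp is a fingerprint recorded earlier with key_report()
    in the environment that originally encrypted the secrets (hypothetical
    workflow, not a Superset feature).
    """
    reports = {name: key_report(config.get(name))
               for name in ("SECRET_KEY", "PREVIOUS_SECRET_KEY")}
    cur, prev = reports["SECRET_KEY"], reports["PREVIOUS_SECRET_KEY"]
    findings = []
    if cur is None:
        findings.append("SECRET_KEY is not set")
    if prev is None:
        findings.append("PREVIOUS_SECRET_KEY is not set")
    for name, rep in reports.items():
        if rep and rep["edge_whitespace"]:
            findings.append(f"{name} has leading or trailing whitespace")
    if cur and prev and cur["fingerprint"] == prev["fingerprint"]:
        findings.append("SECRET_KEY and PREVIOUS_SECRET_KEY are identical")
    if prev and expected_previous_fp and prev["fingerprint"] != expected_previous_fp:
        findings.append("PREVIOUS_SECRET_KEY differs from the recorded old key")
    return reports, findings

# Constructed sample values, not real keys: the old key was pasted with a newline.
OLD_FP = key_report("old-key-constructed")["fingerprint"]
SAMPLE = {"SECRET_KEY": "new-key-constructed",
          "PREVIOUS_SECRET_KEY": "old-key-constructed\n"}

if __name__ == "__main__":
    reports, findings = diagnose(SAMPLE, OLD_FP)
    for name, rep in reports.items():
        print(name, rep)
    for finding in findings:
        print("FINDING:", finding)
```

Fingerprints from the shell where `re-encrypt-secrets` runs and from the restarted web workers can be compared side by side; a difference means the two processes loaded different keys.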
