Cannot decrypt encryption secret key

I’m getting an error with MB not being able to decrypt my key. I tried not quoting, single quoting, and double quoting my key, tried exporting the variable as well as including it when running the jar file like the link above shows. Any idea how to fix this error?

10-22 15:35:45 WARN util.encryption :: Cannot decrypt encrypted string. Have you changed o
r forgot to set MB_ENCRYPTION_SECRET_KEY? Message seems corrupt or manipulated. ["buddy.co
re.crypto$fn__27205.invokeStatic(crypto.clj:489)"                                         
 "buddy.core.crypto$fn__27205.invoke(crypto.clj:478)"
 "clojure.lang.MultiFn.invoke(MultiFn.java:229)"
 "buddy.core.crypto$decrypt.invokeStatic(crypto.clj:572)"
 "buddy.core.crypto$decrypt.invoke(crypto.clj:559)"
 "--> util.encryption$decrypt.invokeStatic(encryption.clj:65)"
 "util.encryption$decrypt.invoke(encryption.clj:57)"
 "util.encryption$maybe_decrypt.invokeStatic(encryption.clj:109)"
 "util.encryption$maybe_decrypt.doInvoke(encryption.clj:97)"
 "models.setting.cache$restore_cache_BANG_.invokeStatic(cache.clj:124)"
 "models.setting.cache$restore_cache_BANG_.invoke(cache.clj:120)"
 "models.setting$fn__22224$set_string_BANG___22229$fn__22230.invoke(setting.clj:313)"
 "models.setting$fn__22224$set_string_BANG___22229.invoke(setting.clj:297)"
 "models.setting$set_timestamp_BANG_.invokeStatic(setting.clj:374)"
 "models.setting$set_timestamp_BANG_.invoke(setting.clj:371)"
 "models.setting$set_BANG_.invokeStatic(setting.clj:420)"
 "models.setting$set_BANG_.invoke(setting.clj:405)"
 "models.setting$setting_fn$fn__22270.invoke(setting.clj:493)"
 "metabot.instance$update_last_checkin_BANG_.invokeStatic(instance.clj:62)"
 "metabot.instance$update_last_checkin_BANG_.invoke(instance.clj:59)"
 "metabot.instance$become_metabot_BANG_.invokeStatic(instance.clj:102)"
 "metabot.instance$become_metabot_BANG_.invoke(instance.clj:96)"
 "metabot.instance$check_and_update_instance_status_BANG_.invokeStatic(instance.clj:117)"
 "metabot.instance$check_and_update_instance_status_BANG_.invoke(instance.clj:105)"
 "metabot.instance$start_instance_monitor_BANG_$fn__58982.invoke(instance.clj:129)"]

Hi @madkap

Post “Diagnostic Info” from Admin > Troubleshooting.

Have you always had the encryption enabled, or did you enable it after some time?

It’s not an error, it’s a warning, but I cannot see if Metabase is not able to start or if it is just one of the values in setting or metabase_database.details that isn’t encrypted yet, since you enabled encryption at a later time.

Hi @flamber
I believe we had encryption enabled before, but we migrated backends from postgres to google cloud postgres and this is the first time I’ve noticed this warning.

Here is the diagnostic info

{
“browser-info”: {
“language”: “en-US”,
“platform”: “Linux x86_64”,
“userAgent”: “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36”,
“vendor”: “Google Inc.”
},
“system-info”: {
“file.encoding”: “UTF-8”,
“java.runtime.name”: “OpenJDK Runtime Environment”,
“java.runtime.version”: “11.0.7+10-jvmci-20.1-b02”,
“java.vendor”: “GraalVM Community”,
“java.vendor.url”: “https://www.graalvm.org/”,
“java.version”: “11.0.7”,
“java.vm.name”: “OpenJDK 64-Bit Server VM”,
“java.vm.version”: “11.0.7+10-jvmci-20.1-b02”,
“os.name”: “Linux”,
“os.version”: “5.3.0-1035-aws”,
“user.language”: “en”,
“user.timezone”: “America/Los_Angeles”
},
“metabase-info”: {
“databases”: [
“bigquery”,
“postgres”
],
“hosting-env”: “unknown”,
“application-database”: “postgres”,
“application-database-details”: {
“database”: {
“name”: “PostgreSQL”,
“version”: “11.8”
},
“jdbc-driver”: {
“name”: “PostgreSQL JDBC Driver”,
“version”: “42.2.8”
}
},
“run-mode”: “prod”,
“version”: {
“date”: “2020-10-09”,
“tag”: “v0.36.7”,
“branch”: “release-0.36.x-with-new-build-scripts”,
“hash”: “ec751f0”
},
“settings”: {
“report-timezone”: “US/Pacific”
}
}
}

@madkap Okay, then you probably didn’t have encryption from the beginning.
Check setting table for any not-encrypted values - reapplying the specific setting will save it with correct encryption.
And the same for metabase_database.details - just re-save the database connections.