(I HAVE the key) Decryption failed. Please provide a valid key and try again

ERPNext Support
1

I’m having trouble restoring a back up on a new server.

I’ve gone through this process before (worst case disaster recover), whereby I create a fresh AWS EC2 instance, fresh frappe/erpnext install, update config files etc, then restore my encrypted backups. Sadly, I’m getting this error now when trying to restore the backup:

Encrypted backup file detected. Decrypting using site config.
Decryption failed. Please provide a valid key and try again.
  • I have the encryption key, every time I do a manual backup I save a copy of the site_config.json.
  • My mariadb.cnf file is the same as the old server, pointing to the .enc .key files that I SCP’d to the new server.
  • My site is named the same as the original

Any suggestions would be really appreciated!

Shaun.

# The MariaDB configuration file
#
# The MariaDB/MySQL tools read configuration files in the following order:
# 0. "/etc/mysql/my.cnf" symlinks to this file, reason why all the rest is read.
# 1. "/etc/mysql/mariadb.cnf" (this file) to set global defaults,
# 2. "/etc/mysql/conf.d/*.cnf" to set global options.
# 3. "/etc/mysql/mariadb.conf.d/*.cnf" to set MariaDB-only options.
# 4. "~/.my.cnf" to set user-specific options.
#
# If the same option is defined multiple times, the last one will apply.
#
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
#
# If you are new to MariaDB, check out https://mariadb.com/kb/en/basic-mariadb-articles/

#
# This group is read both by the client and the server
# use it for options that affect everything
#
[client-server]
# Port or socket location where to connect
# port = 3306
socket = /run/mysqld/mysqld.sock

# Import all .cnf files from configuration directory
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/

[mysqld]
character-set-client-handshake = FALSE
character-set-server = utf8mb4
collation-server = utf8mb4_unicode_ci

[mysql]
default-character-set = utf8mb4

[mariadb]
# File Key Management
plugin_load_add = file_key_management
file_key_management_filename = /etc/mysql/encryption/keyfile.enc
file_key_management_filekey = FILE:/etc/mysql/encryption/keyfile.key
file_key_management_encryption_algorithm = AES_CTR

# InnoDB/XtraDB Encryption
innodb_encrypt_tables = FORCE
innodb_encrypt_tables = ON
innodb_encrypt_temporary_tables = ON
innodb_encrypt_log = ON
innodb_encryption_threads = 4
innodb_encryption_rotate_key_age = 0

{
 "backup_encryption_key": "xxxxx",
 "db_name": "xxxx",
 "db_password": "xxxxx",
 "db_type": "mariadb",
 "developer_mode": 1,
 "domains": [
  "mydomain"
 ],
 "enable_two_factor_auth": true,
 "encryption_key": "xxxxx",
 "maintenance_mode": 0,
 "pause_scheduler": 0,
 "ssl_certificate": "/etc/letsencrypt/live/mydomain/fullchain.pem",
 "ssl_certificate_key": "/etc/letsencrypt/live/mydomain/privkey.pem"
}
2

I just figured this out. Here was the solution for anyone facing the same issue.

I assumed that restore used the encryption_key variable, yet it creates the new variable backup_encryption_key, with a random key for some reason when I restore. I’ve never noticed this before. I simply copied the valid key to backup_encryption_key and was able to restore the backups.

{
 **"backup_encryption_key": "aaaaa",**
 "db_name": "xxx",
 "db_password": "xxxxx",
 "db_type": "mariadb",
 "developer_mode": 1,
 "domains": [
  "oscarmike.tech"
 ],
 "enable_two_factor_auth": true,
 **"encryption_key": "aaaaa",**
 "maintenance_mode": 0,
 "pause_scheduler": 0,
 "ssl_certificate": "/etc/letsencrypt/live/mydomain/fullchain.pem",
 "ssl_certificate_key": "/etc/letsencrypt/live/mydomain/privkey.pem"
}
3

Hi All,

I’m getting the same error. I’ve followed above solution but not working.