GitHub user dosubot[bot] added a comment to the discussion: Superset 5.0.0 Upgrade — Invalid Decryption Key Error After psycopg2 Fix
<!-- Answer --> The `superset re-encrypt-secrets` command is designed for situations where you rotate or change your SECRET_KEY—it scans the database for encrypted fields, decrypts them with the previous key, and re-encrypts them with the new key, all inside a transaction for safety [details](https://github.com/apache/superset/blob/master/superset/utils/encrypt.py). If your SECRET_KEY hasn't changed, running this command is unnecessary and won't fix decryption errors [docs](https://github.com/apache/superset/issues/36107). Re-encryption itself does not cause data loss or corruption if the correct keys are provided and the process completes successfully [implementation](https://github.com/apache/superset/blob/master/superset/utils/encrypt.py). The only risk of data loss is if you manually clear encrypted fields in the database as a last resort. To resolve your decryption error, focus on confirming that Superset is actually loading the correct SECRET_KEY everywhere: 1. Check your Helm `values.yaml` for any `SUPERSET_SECRET_KEY` or `SECRET_KEY` values in `extraEnv`, `extraSecretEnv`, and `configOverrides`. The environment variable always takes precedence. 2. Inspect the rendered `superset_config.py` in your Kubernetes secret/configmap or Helm manifest to confirm the key value. 3. Make sure there are no typos, whitespace, or accidental changes in the key. 4. Ensure only one configOverrides block is present. 5. After confirming the correct key is set everywhere, restart all Superset pods. If you still see the error and are sure the key is correct, it's possible the database contains data encrypted with a different key. If you can't recover the previous key, you can clear encrypted fields (like `password` and `encrypted_extra` in the `dbs` table) and re-enter credentials [thread](https://github.com/apache/superset/issues/33595). Let me know if you want a step-by-step for any of these checks. <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/e763a010-82e6-48f5-9467-fb92a23fa6b9?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/e763a010-82e6-48f5-9467-fb92a23fa6b9?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/e763a010-82e6-48f5-9467-fb92a23fa6b9?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/e763a010-82e6-48f5-9467-fb92a23fa6b9?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/e763a010-82e6-48f5-9467-fb92a23fa6b9?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/e763a010-82e6-48f5-9467-fb92a23fa6b9?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/e763a010-82e6-48f5-9467-fb92a23fa6b9?feedback_type=other)</sup> [](https://app.dosu.dev/a28d3c7e-a9d3-459e-9fb6-3a6f9ff4f357/ask?utm_source=github) [](https://cursor.com/link/prompt?text=The%20%60superset%20re-encrypt-secrets%60%20command%20is%20designed%20for%20situations%20where%20you%20rotate%20or%20change%20your%20SECRET_KEY%E2%80%94it%20scans%20the%20database%20for%20encrypted%20fields%2C%20decrypts%20them%20with%20the%20previous%20key%2C%20and%20re-encrypts%20them%20with%20the%20new%20key%2C%20all%20inside%20a%20transaction%20for%20safety%C2%A0%5Bdetails%5D%28https%3A//github.com/apache/superset/blob/master/superset/utils/encrypt.py%29.%20If%20your%20SECRET_KEY%20hasn%27t%20changed%2C%20running%20this%20command%20is%20unnecessary%20and%20won%27t%20fix%20decryption%20errors%C2%A0%5Bdocs%5D%28https%3A//github.com/apache/superset/issues/36107%29.%0A%0ARe-encryption%20itself%20does%20not%20cause%20data%20loss%20or%20corruption%20if% 20the%20correct%20keys%20are%20provided%20and%20the%20process%20completes%20successfully%C2%A0%5Bimplementation%5D%28https%3A//github.com/apache/superset/blob/master/superset/utils/encrypt.py%29.%20The%20only%20risk%20of%20data%20loss%20is%20if%20you%20manually%20clear%20encrypted%20fields%20in%20the%20database%20as%20a%20last%20resort.%0A%0ATo%20resolve%20your%20decryption%20error%2C%20focus%20on%20confirming%20that%20Superset%20is%20actually%20loading%20the%20correct%20SECRET_KEY%20everywhere%3A%0A%0A1.%20Check%20your%20Helm%20%60values.yaml%60%20for%20any%20%60SUPERSET_SECRET_KEY%60%20or%20%60SECRET_KEY%60%20values%20in%20%60extraEnv%60%2C%20%60extraSecretEnv%60%2C%20and%20%60configOverrides%60.%20The%20environment%20variable%20always%20takes%20precedence.%0A2.%20Inspect%20the%20rendered%20%60superset_config.py%60%20in%20your%20Kubernetes%20secret/configmap%20or%20Helm%20manifest%20to%20confirm%20the%20key%20value.%0A3.%20Make%20sure%20there%20are%20no%20typos%2C%20whitespace%2C% 20or%20accidental%20changes%20in%20the%20key.%0A4.%20Ensure%20only%20one%20configOverrides%20block%20is%20present.%0A5.%20After%20confirming%20the%20correct%20key%20is%20set%20everywhere%2C%20restart%20all%20Superset%20pods.%0A%0AIf%20you%20still%20see%20the%20error%20and%20are%20sure%20the%20key%20is%20correct%2C%20it%27s%20possible%20the%20database%20contains%20data%20encrypted%20with%20a%20different%20key.%20If%20you%20can%27t%20recover%20the%20previous%20key%2C%20you%20can%20clear%20encrypted%20fields%20%28like%20%60password%60%20and%20%60encrypted_extra%60%20in%20the%20%60dbs%60%20table%29%20and%20re-enter%20credentials%C2%A0%5Bthread%5D%28https%3A//github.com/apache/superset/issues/33595%29.%0A%0ALet%20me%20know%20if%20you%20want%20a%20step-by-step%20for%20any%20of%20these%20checks.) [](https://go.dosu.dev/discord-bot) [](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/apache/superset/discussions/36340) GitHub link: https://github.com/apache/superset/discussions/36340#discussioncomment-15122338 ---- This is an automatically sent email for [email protected]. To unsubscribe, please send an email to: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
