"This secret cannot be decrypted" error in Bitbucket Data Center

Platform Notice: Data Center Only - This article only applies to Atlassian apps on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

The application link, mail notification, and search features fail in Bitbucket Data Center. The error message that appears is:

"com.atlassian.secrets.api.SecretServiceException: This secret cannot be decrypted with the configured encryption key."

Concurrently, the error 'LDAP: error code 49 - Invalid Credentials' is also present, leading to failures in external user logins and directory synchronization.

Environment

Bitbucket Data Center 9.4.9, but may apply to other versions.

Diagnosis

There are four common scenarios that will point to this error. They are detailed below.

Scenario 1

The atlassian-bitbucket.log will display the following error when an external directory user attempts to log in to Bitbucket or when the user clicks the synchronization button for the external directory. This may also occur if the <Bitbucket-Home-Directory>/shared/keys/javax.crypto.spec.SecretKeySpec_<unixtimestamp> file is deleted from the file server.

2025-08-27 16:42:05,744 ERROR [http-nio-7991-exec-5] @TSEX42x1002x194x0 10.255.11.2 "POST /rest/tsv/1.0/authenticate HTTP/1.1" c.a.c.d.LdapContextSourceFactory$CrowdPooledContextSource Error when creating ContextSource
org.springframework.dao.DataAccessResourceFailureException: Failed to borrow DirContext from pool.; nested exception is org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
    at org.springframework.ldap.pool2.factory.MutablePooledContextSource.getContext(MutablePooledContextSource.java:53)
    at com.atlassian.crowd.directory.LdapContextSourceFactory$CrowdPooledContextSource.getContext(LdapContextSourceFactory.java:119)
    at org.springframework.ldap.pool2.factory.PooledContextSource.getReadWriteContext(PooledContextSource.java:246)
    at org.springframework.ldap.transaction.compensating.manager.TransactionAwareContextSourceProxy.getReadWriteContext(TransactionAwareContextSourceProxy.java:88)
    . .
    at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:73)
    at com.atlassian.stash.internal.request.DefaultRequestManager.doAsRequest(DefaultRequestManager.java:85)
    at com.atlassian.stash.internal.hazelcast.ConfigurableWebFilter.doFilter(ConfigurableWebFilter.java:38)
    at java.base/java.lang.Thread.run(Thread.java:840)
    ... 271 frames trimmed
Caused by: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
    at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:191)
    . .
    at org.apache.commons.pool2.impl.GenericKeyedObjectPool.borrowObject(GenericKeyedObjectPool.java:349)
    at org.springframework.ldap.pool2.factory.MutablePooledContextSource.getContext(MutablePooledContextSource.java:50)
    ... 130 common frames omitted
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
    at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3260)
    at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3206)
    . .
    at java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
    at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:42)
    at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:351)
    ... 138 common frames omitted
2025-08-27 16:42:05,749 ERROR [http-nio-7991-exec-5] @TSEX42x1002x194x0 10.255.11.2 "POST /rest/tsv/1.0/authenticate HTTP/1.1" c.a.c.m.a.ApplicationServiceGeneric Directory 'LDAP server (32770)' is not functional during authentication of 'user1'. Skipped.

Scenario 2

The atlassian-bitbucket.log will show the following error when Bitbucket attempts to connect to the Search process.

2025-08-27 16:38:11,070 INFO [spring-startup] c.a.b.i.s.c.c.DefaultClusterJobManager Registering job for SearchSynchronizeJob
2025-08-27 16:38:11,097 ERROR [spring-startup] c.a.b.i.s.c.s.DefaultSearchSettingsService Failed to get property PASSWORD from secure storage
com.atlassian.secrets.api.SecretServiceException: This secret cannot be decrypted with the configured encryption key
    at com.atlassian.secrets.service.aes.AESEncryptionBackend.unseal(AESEncryptionBackend.java:122)
    at com.atlassian.secrets.service.DefaultSecretService.get(DefaultSecretService.java:75)
    . .
    at org.springframework.context.support.DefaultLifecycleProcessor.startBeans(DefaultLifecycleProcessor.java:160)
    at org.springframework.context.support.DefaultLifecycleProcessor.onRefresh(DefaultLifecycleProcessor.java:128)
    at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:949)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:594)
    at javax.servlet.GenericServlet.init(GenericServlet.java:143)
    at java.base/java.lang.Thread.run(Thread.java:840)
    ... 38 frames trimmed

Scenario 3

The atlassian-bitbucket.log will show the following error when Bitbucket tries to send an email to the mail server. Upon reviewing the Settings > Mail server page, the password field is blank, despite the mail server configuration containing a password before this issue occurred.

2025-08-27 20:40:01,086 ERROR [http-nio-7991-exec-2] user1 @HBK1E0x1240x64x0 u6stkt 10.255.11.2 "POST /admin/mail-server HTTP/1.1" c.a.s.i.s.ApplicationPropertiesServiceImpl Failed to get property MAIL_HOST_PASSWORD from secure storage
com.atlassian.secrets.api.SecretServiceException: This secret cannot be decrypted with the configured encryption key
    at com.atlassian.secrets.service.aes.AESEncryptionBackend.unseal(AESEncryptionBackend.java:122)
    at com.atlassian.secrets.service.DefaultSecretService.get(DefaultSecretService.java:75)
    at com.atlassian.stash.internal.secrets.BitbucketSecretService$1.load(BitbucketSecretService.java:54)
    . .
    at com.atlassian.stash.internal.request.DefaultRequestManager.doAsRequest(DefaultRequestManager.java:85)
    at com.atlassian.stash.internal.hazelcast.ConfigurableWebFilter.doFilter(ConfigurableWebFilter.java:38)
    at java.base/java.lang.Thread.run(Thread.java:840)
    ... 323 frames trimmed
2025-08-27 20:40:01,107 WARN [http-nio-7991-exec-2] user1 @HBK1E0x1240x64x0 u6stkt 10.255.11.2 "POST /admin/mail-server HTTP/1.1" c.a.s.i.w.a.MailServerConfigurationController Failed to send a test email message to user1@gmail.com
com.atlassian.bitbucket.mail.MailAuthenticationException: Authentication with the mail server failed. Please verify the mail server configuration and check the logs for details.
    at com.atlassian.stash.internal.mail.MailServiceImpl.sendMessageSynchronously(MailServiceImpl.java:331)
    at com.atlassian.stash.internal.mail.MailServiceImpl.sendTest(MailServiceImpl.java:297)
    . .
    at com.atlassian.stash.internal.request.DefaultRequestManager.doAsRequest(DefaultRequestManager.java:85)
    at com.atlassian.stash.internal.hazelcast.ConfigurableWebFilter.doFilter(ConfigurableWebFilter.java:38)
    at java.base/java.lang.Thread.run(Thread.java:840)
    ... 313 frames trimmed
Caused by: org.springframework.mail.MailAuthenticationException: Authentication failed; nested exception is javax.mail.AuthenticationFailedException: failed to connect, no password specified?
    at org.springframework.mail.javamail.JavaMailSenderImpl.doSend(JavaMailSenderImpl.java:440)
    at org.springframework.mail.javamail.JavaMailSenderImpl.send(JavaMailSenderImpl.java:361)
    at org.springframework.mail.javamail.JavaMailSenderImpl.send(JavaMailSenderImpl.java:378)
    at org.springframework.mail.javamail.JavaMailSenderImpl.send(JavaMailSenderImpl.java:366)
    at com.atlassian.stash.internal.mail.MailServiceImpl.sendMessageSynchronously(MailServiceImpl.java:325)
    ... 50 common frames omitted
Caused by: javax.mail.AuthenticationFailedException: failed to connect, no password specified?
    at javax.mail.Service.connect(Service.java:376)
    at org.springframework.mail.javamail.JavaMailSenderImpl.connectTransport(JavaMailSenderImpl.java:518)
    at com.atlassian.stash.internal.mail.OAuthJavaMailSenderImpl.connectTransport(OAuthJavaMailSenderImpl.java:28)
    at org.springframework.mail.javamail.JavaMailSenderImpl.doSend(JavaMailSenderImpl.java:437)
    ... 54 common frames omitted

Scenario 4

Existing application links will show a 'Network error' from the Bitbucket side while appearing connected from the Jira/Bamboo side, and the atlassian-bitbucket.log will show the following error:

2025-08-27 18:21:50,657 WARN [http-nio-7991-exec-1] user1 @1BMZ4F4x1101x296x1 1nwezlp 10.255.11.2 "GET /rest/applinks/3.0/status/dc68790a-eb4e-3e11-ae25-7550d5420928 HTTP/1.1" c.a.a.c.DefaultApplinkStatusService Unrecognized error while attempting to retrieve status of Application Link 'dc68790a-eb4e-3e11-ae25-7550d5420928'

If you attempt to recreate the application links, a "Config Error" will be displayed. When editing the same application link in Bitbucket, an error message states, "The local outgoing connection uses Auth, however it's disabled on <app-link-name>." Changing the status from disabled to OAuth on the Jira/Bamboo side and saving the app link is not permitted and fails with the error message: "We can't enable the incoming authentication because <Bitbucket-app-link-name> is not reachable". The atlassian-bitbucket.log will also contain the following error.

2025-08-27 17:04:57,269 DEBUG [http-nio-7991-exec-4] @TSEX42x1024x1588x0 10.255.11.7 "GET /mvc/error500 HTTP/1.1" c.a.s.i.i18n.PluginI18nService No values found in any valid locale for key ProviderManager.providerNotFound and locales [en_US, en]
2025-08-27 17:04:57,271 ERROR [http-nio-7991-exec-4] @TSEX42x1024x1588x0 10.255.11.7 "GET /mvc/error500 HTTP/1.1" c.a.s.i.web.ErrorPageController There was an unhandled exception loading [/plugins/servlet/oauth/consumer-info]
com.atlassian.secrets.api.SecretServiceException: This secret cannot be decrypted with the configured encryption key
    at com.atlassian.secrets.service.aes.AESEncryptionBackend.unseal(AESEncryptionBackend.java:122)
    at com.atlassian.secrets.service.DefaultSecretService.get(DefaultSecretService.java:75)
    at com.atlassian.stash.internal.secrets.BitbucketSecretService$1.load(BitbucketSecretService.java:54)
    . .
    at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doBeforeBeforeLoginFilters(BeforeLoginPluginAuthenticationFilter.java:90)
    at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:73)
    at com.atlassian.stash.internal.request.DefaultRequestManager.doAsRequest(DefaultRequestManager.java:85)
    at com.atlassian.stash.internal.hazelcast.ConfigurableWebFilter.doFilter(ConfigurableWebFilter.java:38)
    at java.base/java.lang.Thread.run(Thread.java:840)
    ... 275 frames trimmed
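To see which of the four scenarios are present in an atlassian-bitbucket.log, the markers from the excerpts above can be matched per log entry. This is an added example, not Atlassian's code; the function names, scenario labels and the abridged sample log are this example's own.

```python
import re

# Each log entry starts with a timestamp; stack-trace lines that follow do not.
ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
DECRYPT_ERR = "This secret cannot be decrypted with the configured encryption key"

# Markers from this page's excerpts; LDAP 49 alone only means a rejected bind.
SCENARIOS = [
    ("1: user directory", lambda e: "LDAP: error code 49" in e),
    ("2: search server", lambda e: DECRYPT_ERR in e and "property PASSWORD " in e),
    ("3: mail server", lambda e: DECRYPT_ERR in e and "MAIL_HOST_PASSWORD" in e),
    ("4: application link", lambda e: DECRYPT_ERR in e
        and "/plugins/servlet/oauth/consumer-info" in e),
]

def split_entries(text):
    """Attach stack-trace lines to the timestamped line that precedes them."""
    entries = []
    for line in text.splitlines():
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += "\n" + line
    return entries

def classify(text):
    """Map each scenario found to the timestamp of its first occurrence."""
    hits = {}
    for entry in split_entries(text):
        labels = [name for name, matches in SCENARIOS if matches(entry)]
        if not labels and DECRYPT_ERR in entry:
            labels = ["other sealed secret"]  # decrypt failure outside the four
        for name in labels:
            hits.setdefault(name, entry[:23])
    return hits

# Constructed sample, abridged from the excerpts above (not a real log file).
SAMPLE = """\
2025-08-27 16:38:11,097 ERROR [spring-startup] c.a.b.i.s.c.s.DefaultSearchSettingsService Failed to get property PASSWORD from secure storage
com.atlassian.secrets.api.SecretServiceException: This secret cannot be decrypted with the configured encryption key
2025-08-27 16:42:05,744 ERROR [http-nio-7991-exec-5] c.a.c.d.LdapContextSourceFactory$CrowdPooledContextSource Error when creating ContextSource
org.springframework.dao.DataAccessResourceFailureException: Failed to borrow DirContext from pool.; nested exception is org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
2025-08-27 17:04:57,271 ERROR [http-nio-7991-exec-4] c.a.s.i.web.ErrorPageController There was an unhandled exception loading [/plugins/servlet/oauth/consumer-info]
com.atlassian.secrets.api.SecretServiceException: This secret cannot be decrypted with the configured encryption key
"""

if __name__ == "__main__":
    for name, first_seen in sorted(classify(SAMPLE).items()):
        print(first_seen, name)
```

Pass the contents of the real log file to classify() in place of SAMPLE; an "other sealed secret" hit means a secret outside the four scenarios also fails to decrypt.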

Cause

These errors usually arise when Bitbucket's database is overwritten, while the data in the shared home directory on the filesystem is not up-to-date.

Bitbucket securely stores the user directory, mail, search server passwords, and OAuth consumer secrets in the database, while the corresponding encryption keys are kept in the filesystem. If the database is overwritten with one from another Bitbucket instance or from an older backup, which does not share the same key, and the shared home directory data is not updated accordingly, the errors may appear.

Solution

For Test instance:

If this is a test instance, the easiest and most straightforward approach is to refresh the entire staging data from production by following the article How to setup staging or test server environments for Bitbucket Data Center. Doing so will not only resolve all these issues but also ensure you have an exact replica of the production environment, allowing you to accurately assess how changes will perform in a production-like setting.

For Production instance:

If it's a production environment, roll back the instance using the backup taken prior to the activity, as these issues are not the only ones that may arise. If a rollback isn't feasible, or if these errors are due to a different issue, attempt the resolution specific to the scenario. Note that this does not mean it will fix other errors and issues in the Bitbucket instance.

  • Scenario 1 Resolution: Log in with a local user account that has sysadmin privileges, navigate to Settings > User Directories, edit the user directory, enter the correct password in the Password field, and save it. This will generate a new file named <Bitbucket-Home-Directory>/shared/keys/javax.crypto.spec.SecretKeySpec_<unixtimestamp>, which will re-encrypt the directory password. As a result, directory synchronization and external user login will begin functioning again.

  • Scenario 2 Resolution: Log in with a user account that has sysadmin privileges (if external users are not working, log in with a local user), go to Settings > Server settings, enter the correct password in the 'Search server password' field, test it, and save it. If you are using a bundled search and the password is unknown, refer to "Access Denied" when testing connection to search server in Bitbucket Data Center for all the necessary steps.

  • Scenario 3 Resolution: Log in with a user account that has sysadmin privileges (if external users are not working, log in with a local user), navigate to Settings > Mail server, enter the correct password in the Password field, and save it. Test the feature by sending a test email.

  • Scenario 4 Resolution: Take a complete backup of the Bitbucket instance. Please refer to the Data recovery and backups article. Do not proceed without taking a backup. Additionally, make a separate backup of the bb_sealed_secret table from the Bitbucket database.

  1. Shut down all Bitbucket applications in the cluster.

  2. Delete the row with identifier 'bitbucket.secrets.external.com.atlassian.oauth.consumer.ConsumerService:host.__HOST_SERVICE__' from the bb_sealed_secret table:

     delete from bb_sealed_secret where bb_sealed_secret.identifier like 'bitbucket.secrets.external.com.atlassian.oauth.consumer.ConsumerService:host.__HOST_SERVICE__';

  3. Start a Bitbucket application and recreate the application link.

  4. Verify that the application link is functioning properly and that other Bitbucket functionalities work as expected. Start the Bitbucket applications on the remaining nodes.

Updated on November 10, 2025
