Recreate default secured secrets in Confluence
Platform Notice: Data Center Only - This article only applies to Atlassian apps on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
When running a Confluence instance with secure secrets, you might not be able to start up the instance if there's any problem reading or validating the encrypted secrets.
Diagnosis
Confirm whether a secured property is missing
Check the application or Catalina logs for errors indicating that one or more secrets could not be validated, for example:
2025-07-23 13:38:54,097 ERROR [Catalina-utility-1] [atlassian.confluence.setup.ConfluenceConfigurationListener] contextInitialized An error was encountered while bootstrapping Confluence (see below): \nSecured property not found in SecretService confluence.property.synchrony.service.authtoken
java.lang.IllegalStateException: Secured property not found in SecretService confluence.property.synchrony.service.authtoken
at com.atlassian.confluence.impl.setup.ConfluenceApplicationConfig.lambda$load$0(ConfluenceApplicationConfig.java:95)
at java.base/java.lang.Iterable.forEach(Unknown Source)
Cause
There are many possible reasons why these secrets might need to be recreated, such as:
The absence of any of the three following files that should be present in the shared-home:
secrets-config.yaml
keys (folder)
secured (folder)
If the cluster nodes became out of sync and these files were overwritten (for example, while re-mapping the shared home).
It’s important to note that you must take the files above with the instance whenever you migrate to a different server or shared home folder.
Solution
Recreating the secrets
Locate all encrypted secrets in use and convert them to plain text: The list of encrypted secrets will depend on exactly how your Confluence has been deployed. Here’s a table of possible encrypted secrets and how to revert to plain text:
Secret | How to revert to plaintext |
| Located in Replace with a 40-character-long string containing random characters between '0'-'9' and 'a'-'f'. |
| Located in Replace with a 32-character-long string containing random characters between '0'-'9' and 'a'-'f' |
| Located in Replace with Confluence’s database user password |
| Located in Replace with OpenSearch plaintext password (absent if OpenSearch is not configured) |
| Located in Replace with the respective passwords from your AWS environment (absent if the deployment is not in AWS) |
| Located in the Database. Find the correct row in the
Replace the
You can alternatively DELETE the whole |
Back up and delete the three related files in the shared-home:
secrets-config.yaml
keys (folder)
secured (folder)
You can either:
Add -Datlassian.secret.service.state=disabled to the system properties to disable the encryption completely, or
Restart Confluence for it to automatically re-encrypt all the plain text and re-create everything.
The mail server password must be forcibly re-encrypted. To do so:
Head to <confluence-base-url>/admin/force-upgrade.action
Select secureMailServerSecretUpgradeTask and click Force upgrade
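The diagnosis and the random hex replacement values described above, as an added shell example that is not Atlassian's code: it reports which of the three shared-home artifacts are missing, extracts the property names from "Secured property not found" log errors, and generates a random hex string of a requested length. The function names, the temporary directory and the log file name are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not Atlassian code). Paths passed in are assumptions.

# Print each of the three secret-store artifacts missing from a shared home.
missing_secret_artifacts() {
    [ -f "$1/secrets-config.yaml" ] || echo "secrets-config.yaml"
    [ -d "$1/keys" ] || echo "keys"
    [ -d "$1/secured" ] || echo "secured"
}

# Print the unique property names a log reports as missing from SecretService.
missing_secured_properties() {
    sed -n 's/.*Secured property not found in SecretService \([A-Za-z0-9._-]*\).*/\1/p' "$1" | sort -u
}

# Print $1 random lowercase hex characters (40 or 32 per the table on this page).
random_hex() {
    od -An -N "$(( ($1 + 1) / 2 ))" -tx1 /dev/urandom | tr -d ' \n' | cut -c "1-$1"
}

# Demo on a constructed shared home and the log lines quoted on this page.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/keys"    # constructed: secured/ and secrets-config.yaml absent
    cat > "$tmp/confluence.log" <<'EOF'
2025-07-23 13:38:54,097 ERROR [Catalina-utility-1] [atlassian.confluence.setup.ConfluenceConfigurationListener] contextInitialized An error was encountered while bootstrapping Confluence (see below): \nSecured property not found in SecretService confluence.property.synchrony.service.authtoken
java.lang.IllegalStateException: Secured property not found in SecretService confluence.property.synchrony.service.authtoken
EOF
    echo "Missing artifacts:";   missing_secret_artifacts "$tmp"
    echo "Missing properties:";  missing_secured_properties "$tmp/confluence.log"
    echo "40-char replacement:"; random_hex 40
    rm -rf "$tmp"
}
demo
```

Run the two check functions against the real shared home and log before deleting anything, so the backup step covers whatever is still present.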