"Secret cannot be decrypted" error starting Confluence version 9.2.x

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

When you upgrade from Confluence 8.x.x to 9.2.x, you may encounter a startup issue where Confluence bootstrapping gets blocked due to decryption errors. Usually the error encountered is:

2025-04-24 03:24:58,164 INFO [Catalina-utility-1] [atlassian.confluence.cluster.DefaultClusterConfigurationHelper] lambda$populateExistingClusterSetupConfig$5 Populating setup configuration if running with Cluster mode...
2025-04-24 03:24:58,589 ERROR [Catalina-utility-1] [atlassian.confluence.setup.ConfluenceConfigurationListener] contextInitialized An error was encountered while bootstrapping Confluence (see below): \nThis secret cannot be decrypted with the configured encryption key
com.atlassian.secrets.api.SecretServiceException: This secret cannot be decrypted with the configured encryption key
    at com.atlassian.secrets.service.aes.AESEncryptionBackend.unseal(AESEncryptionBackend.java:122)
    at com.atlassian.secrets.service.DefaultSecretService.get(DefaultSecretService.java:75)
    at com.atlassian.confluence.impl.security.ConfluenceSecretService.get(ConfluenceSecretService.java:121)
    at com.atlassian.confluence.impl.setup.ConfluenceApplicationConfig

Environment

Confluence Data Center 9.2.x and above

Diagnosis

  1. Upgrade Confluence from version 8.5.x to 9.2.3

  2. Check if the database username and password are present as plain text under home/confluence.cfg.xml

  3. Start the upgraded Confluence
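
Step 2 can be checked without opening the file in an editor or echoing the password to a terminal. The script below is an added example, not part of the original article or of Atlassian's tooling; it reads the hibernate.connection.username and hibernate.connection.password properties, and both the {ATL_SECURED} placeholder for a secured value and the sample file contents are assumptions.

```python
"""Classify the database credentials in confluence.cfg.xml without printing them."""
import sys
import xml.etree.ElementTree as ET

# Property names used for the database connection in confluence.cfg.xml.
CREDENTIAL_PROPERTIES = (
    "hibernate.connection.username",
    "hibernate.connection.password",
)
# Assumption: a secured value is stored as this placeholder instead of the secret.
SECURED_MARKERS = ("{ATL_SECURED}",)


def classify_db_credentials(xml_text):
    """Return {property name: 'missing' | 'empty' | 'secured' | 'plaintext'}."""
    root = ET.fromstring(xml_text)
    values = {p.get("name"): (p.text or "").strip() for p in root.iter("property")}
    result = {}
    for name in CREDENTIAL_PROPERTIES:
        if name not in values:
            result[name] = "missing"
        elif not values[name]:
            result[name] = "empty"
        elif values[name].startswith(SECURED_MARKERS):
            result[name] = "secured"
        else:
            result[name] = "plaintext"
    return result


# Constructed sample, not a real configuration file.
SAMPLE_CFG = """<confluence-configuration>
  <properties>
    <property name="hibernate.connection.url">jdbc:postgresql://db.example.internal:5432/confluence</property>
    <property name="hibernate.connection.username">confluence_user</property>
    <property name="hibernate.connection.password">constructed-sample-password</property>
  </properties>
</confluence-configuration>"""

if __name__ == "__main__":
    # Pass the path to <home>/confluence.cfg.xml, or run with no argument for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CFG
    for prop, state in classify_db_credentials(text).items():
        print(f"{prop}: {state}")  # the value itself is never printed
```

A result of "plaintext" for the password on an upgraded 9.2.x node matches the condition described under Cause.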

Cause

Newer versions of Confluence use an encryption/decryption file to parse the encrypted password. If the password is still present in plain text after the upgrade, the bootstrap process fails.

Solution

Edit setenv.sh and restart Confluence

Add the following property into the setenv.sh file and restart Confluence:

CATALINA_OPTS="-Datlassian.secret.service.state=disabled ${CATALINA_OPTS}"

Updated on May 19, 2025
