Fix second node startup failure due to encryption key issue on Jira DC

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Jira fails to start on the second node due to a database secret encryption error, specifically indicating that the secret can't be decrypted with the configured encryption key. The first node starts without issues using the same configuration.

Environment

Jira Data Center version 9 and higher

Diagnosis

When attempting to start the second node, the startup fails, and an error similar to the example below is seen in the atlassian-jira.log file:

2025-06-11 10:34:37,708+0000 main ERROR [c.a.jira.startup.ComponentContainerLauncher] A fatal error occurred during initialisation. JIRA has been locked. net.sf.ehcache.CacheException: java.util.concurrent.CompletionException: com.google.common.util.concurrent.UncheckedExecutionException: com.atlassian.secrets.api.SecretServiceException: This secret cannot be decrypted with the configured encryption key at net.sf.ehcache.CacheManager.init(CacheManager.java:426) at net.sf.ehcache.CacheManager.<init>(CacheManager.java:270) at net.sf.ehcache.CacheManager.newInstance(CacheManager.java:1116) at net.sf.ehcache.CacheManager.newInstance(CacheManager.java:1092) Caused by: java.util.concurrent.CompletionException: com.google.common.util.concurrent.UncheckedExecutionException: com.atlassian.secrets.api.SecretServiceException: This secret cannot be decrypted with the configured encryption key

Cause

The issue is related to the encryption used for cluster cache and index replication. As the node is unable to decrypt the necessary secrets, it can't join the cluster or communicate with other nodes via RMI. For more information, please refer to Jira Data Center cluster authentication | Atlassian Support | Atlassian Documentation.

Solution

Regenerate the authentication key

  1. Execute the following SQL statement in your Jira database and commit the changes:

    delete from securityproperty where property_key = 'rmi.socket.cluster.auth.secret.key';

  2. You don't need to restart Jira. The new key will be generated within a minute.

  3. During this transition, communication will temporarily continue to use the old key, then seamlessly switch to the new key to ensure uninterrupted and secure communication.

This process ensures that there will be no unauthenticated communication between nodes.

Updated on June 19, 2025
Platform
Data Center only
Products
Jira Core Data Center
Jira Software Data Center
Jira Service Management Data Center
On this pageSummaryDiagnosisCauseSolution

Still need help?

The Atlassian Community is here for you.
Ask the Community