Encryption key is invalid, Please check site_config.json on restore

The issue I have with this is that it’s so arbitrary. I mean why does the current procedure NOT include the site directory? The procedure archives: database, private files and public files. So, that covers everything, obviously! Not so much.

It’s also bizarre that the site_config.json file and the private folder have rw-r--r-- permissions. Private directory is readable by anyone! Seriously?

@MartinHBramwell
Hello, you can easily solve the issue of Encryption_key, just by resetting the Email id and password in the Email Notifications.

2 Likes

I understand your frustration. Just keep in mind, this is an open source software. What you make of it is up to you… You cannot rely on someone else to make sure your backup works. If you are looking for that, check out the solution provider list https://erpnext.org/service-providers

1 Like

I am well aware that this is Open Source. I’ve been working with OSS for decades and understand all the risks and pressures that derive from its use. I invested a huge amount of time in the OpenERP (before Odoo) forums supporting other users, contributing fixes, tutorials and more. Then they started closing it up and sowing land mines to make it harder and harder to avoid paying them for hosting and support … despite being a nearly full-time contributor.

ErpNext looks like what I wanted from Odoo. But I have only been evaluating it for a few weeks and kind of freak out when I see the sorts of defects we are talking about here. I am particularly dismayed by the defects in the installation and getting started process. I want ErpNext to succeed, so a rocky installation sequence sends a very bad signal.

Btw. Thank you for stepping in and responding to my concerns. I see that both you and @clarkej are concerned about managing perceptions, which is a good thing … unless it’s lipstick on a pig. I’m not saying you are doing that! But, I have lost time on other OSS (and commercial products for that matter) that manage perceptions while ignoring fundamentals. In my evaluation I’m trying to see whether I am again going to be throwing months of my life at a dead end.

Are you saying that the encryption key is for one single email password and nothing else?

Hi @MartinHBramwell,

thanks for your feedback and explanation. I understand your concern and I know that getting started, as you say, involves a heavy learning curve. From what I can say, it is worth it. But you have to judge this for yourself. Would be happy to see you as part of this community.

As for the encryption key, this is used to encrypt/decrypt all password fields.

1 Like

You are not alone. @James_Robertson advocated for attention to that here: Files Handling Security Issue

Also on the security topic (that I know of) these may interest you -

Unfortunately this kind of stuff is a big reason why I moved away from ERPNext to another platform. The devs seem to be much more interested in cool new stuff and forget about core functionality and security. I can’t run a business off of a platform that is not secure and does not do the basics right. The issue I opened on this security issue 2 years ago is still open and looks to be in some kind of limbo. Sad really.

3 Likes

Out of curiosity, what did you move to?

We went with ERP5. Supports local installs (and cloud if you want), written in Python which we are good at and the modularity of the system makes our lives easier. The interface is a little old-school, but if my users are fine I am too.

1 Like

this really saved my day… I copied the key on the newly restored server and there are now two keys and working perfectly…
if you replace the key you get server internal error…

Thank you

I don’t really get it, am not a programmer, I wanted to apply for army form and am getting this
Encryption key is invalid, Please check site_config.json

With so few technical details from you, there is no way anyone can help you with that.

Are you the system manager?

@Khadija I do the same steps but the same error occurs. Any alternative solutions?

gulp could you link your security issue please?

I have to say I agree. So far there doesn’t seem to be a way to check if your development will be accepted before you write it. So you could propose something, ask for a review, which doesn’t happen, develop & submit it and it gets rejected because they thought of a different way of doing it or don’t like it.

Can you please explain this one. I’m not able to understand what is encryption key here?
I enable the developer mode on, now I’m not able to open my local host.

Some services in ERPNext need to store sensitive items such as access tokens for Google, Facebook, etc.

All such things are stored encrypted.

The internal encryption system is unlocked by a single key.

That key is kept in this file:

.
├── apps
├── config
├── env
├── logs
├── patches.txt
├── Procfile
└─── sites
    ├── apps.txt
    ├── assets
    ├── common_site_config.json
    ├── currentsite.txt
    └── dev.erpnext.host
       ├── error-snapshots
       ├── indexes
       ├── locks
       ├── logs
       ├── private
       ├── public
       └── site_config.json  <===  critical site start up data

The contents of site_config.json look like this:

{
  "db_name": "_bdf39badcdead42ec90",
  "db_password": "ILCnhgnrheCRzjvC",
  "db_type": "mariadb",
  "domains": [                         the key
    "dev.erpnext.host"               **** | ****
  ],                                      v
  "encryption_key": "ikK6v8vzXT-5BwqmBfakedHl6oH5ARzSEDUxfh6ufbns=",
  "developer_mode": 1
}

You will not see “encryption_key” appear in that file until you have created some encrypted material, such as setting up connection to a 3rd party email service.

You’ll have to provide further details here before anyone can help you.

However, if you altered site_config.json incorrectly, that would stop your site from starting. You can confirm that its structure is valid here: Validate and format JSON

1 Like
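An added example, not part of any post in this thread and not ERPNext's own code: a check to run before wiping the old server, covering the points raised above (site_config.json must parse, must carry an encryption_key, must not be world-readable, and the restored site must hold the same key as the source). It assumes the key is url-safe base64 of 32 bytes (the Fernet key format); the function names and sample files are hypothetical and constructed for the demo.

```python
import base64, hashlib, json, os, stat, tempfile

def audit_site_config(path):
    """Return (findings, fingerprint); fingerprint is a truncated SHA-256 of the key, or None."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"mode {mode:o} is readable by group/other; 600 keeps the key private")
    try:
        with open(path, encoding="utf-8") as fh:
            cfg = json.load(fh)
    except json.JSONDecodeError as exc:
        return findings + [f"invalid JSON: {exc.msg} (line {exc.lineno})"], None
    key = cfg.get("encryption_key") if isinstance(cfg, dict) else None
    if key is None:
        return findings + ["no encryption_key in file"], None
    try:
        raw = base64.urlsafe_b64decode(key)
    except (ValueError, TypeError):
        raw = b""
    if len(raw) != 32:  # assumption: key is url-safe base64 of 32 bytes (Fernet format)
        return findings + ["encryption_key is not url-safe base64 of 32 bytes"], None
    return findings, hashlib.sha256(raw).hexdigest()[:16]

def same_key(source_path, target_path):
    """True only when both files hold a well-formed key and the two keys are identical."""
    src, dst = audit_site_config(source_path)[1], audit_site_config(target_path)[1]
    return src is not None and src == dst

def _write(directory, name, text, mode):
    path = os.path.join(directory, name)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path

def demo():
    # Constructed sample data: random keys generated here, not taken from any real site.
    key_a, key_b = (base64.urlsafe_b64encode(os.urandom(32)).decode() for _ in range(2))
    cfg = lambda key: json.dumps({"db_name": "_constructed", "encryption_key": key})
    with tempfile.TemporaryDirectory() as d:
        source = _write(d, "source.json", cfg(key_a), 0o644)   # old server, loose mode
        fresh = _write(d, "fresh.json", cfg(key_b), 0o600)     # new site, new key
        fixed = _write(d, "fixed.json", cfg(key_a), 0o600)     # key copied across
        broken = _write(d, "broken.json", '{"db_name": "_constructed",}', 0o600)
        return (audit_site_config(source)[0], same_key(source, fresh),
                same_key(source, fixed), audit_site_config(broken)[0])

if __name__ == "__main__":
    print(demo())
```

Comparing fingerprints rather than the keys themselves means the output can be pasted into a ticket or forum post without disclosing the secret.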

Something like this needs to be surfaced somewhere better - an alert to the admin somewhere in the console besides the error console. This caused some serious issues for our company not realizing emails were not being sent out.

Suggestion would be to add the alert or follow up items/tasks for an admin user to see upon log in - such as on the version splash screen that shows there is an updated version available

I just got hit by this too, after moving ERPNext to another server.

Unfortunately for me, since the new server seems to be “just fine”, the previous server was wiped entirely.

Even https://docs.erpnext.com/docs/v13/user/manual/en/setting-up/data/download-backup did not mention a single “encryption” word.

Oh well, at least I’ve learned (even if too late).

1 Like