Magento – Changing encryption key on Magento 2.3 | secret key size should be SODIUM_CRYPTO_AEAD_CHACHA20POLY1305_IETF_KEYBYTES bytes


Magento 2.3 has introduced a new encryption method and requires the encryption key to be 32 characters long / 32 bytes in size.

If you run a setup:upgrade with a wrongly sized encryption key you will get the below error:

secret key size should be SODIUM_CRYPTO_AEAD_CHACHA20POLY1305_IETF_KEYBYTES bytes

You can regenerate the encryption key before the upgrade using the admin panel, but it seems to append the new encryption key to the old one. I believe this is an intended feature for archiving purposes / decrypting old data?

The problem I am facing is: I can update my encryption key on Magento 2.2.x and it will append the new (correctly sized) encryption key to the old one in app/etc/env.php. Everything still works.

But when you upgrade to 2.3, you will still get the error message from above when doing a setup:upgrade. It must look at the field in app/etc/env.php as a whole, and figure out it isn't 32 characters long (because the old encryption key is on the line above the new one).

Does anyone know if appending the new encryption key to the old one is intended behaviour? And if it is safe to remove the old encryption key so we can proceed with the 2.3 upgrade?

Thanks

Best Answer

This can be fixed by adding a 32-character key on a new line to the key. (This is not ideal but does work.) For example, before:
app/etc/config.php

'crypt' => [
        'key' => 'akeythatisnolongenough',
    ],

after:
app/etc/config.php

'crypt' => [
        'key' => 'akeythatisnolongenough
    0000athirtytwocharacterstring000',
    ],

This allows Magento to try the first key, but then use the new key in future. We hit this issue whilst automatically upgrading instances on Mdoq.
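A pre-upgrade check for the situation discussed in this thread, as an added example that is not part of the original posts or Magento's own code: it reads `crypt/key` from the config file passed as an argument and reports the byte length of each stored key without printing the keys themselves. It assumes the stored value holds one key per whitespace-separated token with the last token being the key used for new encryption; `auditCryptKey` and `requiredKeyBytes` are hypothetical helper names.

```php
<?php
declare(strict_types=1);

// Added example, not Magento code.
// Assumption: the config file returns an array containing ['crypt']['key'].

/** Key size the error message refers to (32 on every libsodium build). */
function requiredKeyBytes(): int
{
    return defined('SODIUM_CRYPTO_AEAD_CHACHA20POLY1305_IETF_KEYBYTES')
        ? SODIUM_CRYPTO_AEAD_CHACHA20POLY1305_IETF_KEYBYTES
        : 32; // fallback when ext-sodium is not loaded
}

/**
 * Split the stored value into key versions and check each one's length.
 * Assumption: whitespace (including newlines) separates key versions.
 */
function auditCryptKey(string $stored): array
{
    $report = [];
    $keys = preg_split('/\s+/', trim($stored), -1, PREG_SPLIT_NO_EMPTY);
    foreach ($keys as $version => $key) {
        $report[] = [
            'version' => $version,
            'bytes'   => strlen($key), // bytes, not characters
            'ok'      => strlen($key) === requiredKeyBytes(),
        ];
    }
    return $report;
}

// Usage: php audit_crypt_key.php /path/to/config-file.php
// With no argument, a constructed value is audited instead: the short key
// from the answer followed by a random 32-character hex key.
$path = $argv[1] ?? null;
$stored = $path !== null
    ? (string)((require $path)['crypt']['key'] ?? '')
    : "akeythatisnolongenough\n" . bin2hex(random_bytes(16));

$report = auditCryptKey($stored);
foreach ($report as $row) {
    // Only the index and length are printed; never log the key material.
    printf("key #%d: %d bytes %s\n", $row['version'], $row['bytes'],
        $row['ok'] ? 'OK' : 'WRONG SIZE');
}

// Exit non-zero when the newest key (assumed active) has the wrong size.
$last = end($report);
exit($last !== false && $last['ok'] ? 0 : 1);
```

Running it before `setup:upgrade` shows which stored key has the wrong length without exposing any key in terminal history or CI logs.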
