Sonarqube version 9.9. Encryption Error: Invalid AES key length:

Must-share information (formatted with Markdown):

  • Sonarqube verion 9.9 CE in kubernetes cluster
  • helm
  • encrypt JDBC password. using the generated secret key
  • I followed the instruction from

and generated new secret which I added into my file, I restarted the pod and can see the page where I should be able to encrypt anything which I need to

However when I click on Encrypt, it say contact admin and print error message in the log as below

java.lang.IllegalStateException: Invalid AES key length: 6 bytes
I have tried passing various lengths for this field but still get the same error, so not sure what am I missing.

I created a secret and config map to create the file, which will point to the

$ cat

And I can see the base64 secret key

base64 -i /opt/sonar/sonar-secret.txt ab4iof70djuGCo--------CqWHxeq435FXSK5Ommg=

Do not share screenshots of logs – share the text itself (bonus points for being well-formatted)!

Hey there.

What does the content of /opt/sonar/sonar-secret.txt look like? It should look exactly like the content of the secret key you generated (nothing else).

Thanks Colin,

Yes it is the secret key which I copied from sonarqube UI and then added to the secret which is stored in this path

base64 -i /opt/sonar/sonar-secret.txt


To be clear:

ab4iof70djuGCoO3ZI0n6XgMCqWHxeq435FXSK5Ommg= is the output of base64 -i /opt/sonar/sonar-secret.txt, but you aren’t actually using ab4iof70djuGCoO3ZI0n6XgMCqWHxeq435FXSK5Ommg= anywhere, right?

No, I just copied it from sonarqube encrypt UI and added it to the secret and it not being used anywhere else as far as I am aware.

My understanding was that once this key is added to sonar-secret.txt, I will get the option to encrypt any property like jdbc password and I do get that option in the UI but the moment I enter anything in the UI and say encrypt it throws that error complaining about the length of the AES key, so not sure what wrong am I doing

I found the solution, so the secret key generated from sonarqube, looked like base64 so I did not base64 encoded it while adding into the secret. After I encoded the secret to base64, it worked and I dont get any error anymore… it was silly mistake on my part

I’m a bit perplexed because the raw secret from the SonarQube UI should be all you need to add to the file. No Base64 encoding.

Did you have to do something else than what was seen in my screenshot?

It may sound bit weird but, I tested it 2-3 times now and unless I do base64 conversion it does not work.

Here is my secret now, which is not what you get from sonrqube UI

base64 -i /opt/sonar/sonar-secret.txt (I replaced few characters)


Hi Colin

Is having encrypted password inside /opt/sonarqube/conf/ file enough like below?


or do I need to change my deployment to forcefully read it again from this file?


Yes, that should be enough.

Thanks, seems to work now.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.