Invalid Keyseed Demystified

Invalid Keyseed Demystified

When starting paxata server, if you see invalid keyseed error such as:

com.paxata.encryption.PXEncryptionException: Invalid key seed for PES service

What does it mean? And how to resolve this?

Paxata relies on /usr/local/paxata/server/config/ as keyseed to encrypt/decrypt metadata in MongoDB. If this file is missing, then Paxata will not know how to decrypt the encrypted fields in MongoDB.

So the first step is to recover the Is it possible the locate the old when paxata-server was fresh installed? It should be under /usr/local/paxata/server/config/ by default.

If that is not possible, that means existing encrypted fields, such as user password, can no longer be recovered. If you are okay to not using these existing users and existing connector configuration with passwords, then you can remove the guardrail check to prevent server from starting up.

command to remove the guardrail.


use paxata

db.guardraillimits.remove({guardRailTypeName: “guardrail.encryption.pes.keyseed”}) 
0 Replies