How to recover the master.key

Patrick Russell
2019-01-23 00:15

Subject 

How to recover a lost or corrupted master.key.

Affected Versions

5.7.0 – Latest

Description

Artifactory High Availability generates and uses a master.key file for encrypted database communications. The system allows users to specify their own key if desired. However, using a user-generated key may cause problems. Artifactory may also experience a key mismatch error after upgrading, or the original master.key file can be lost. It is important to back up master.key in a secure location.

For all of these problems, the solution is to reset the master.key file. Because this requires deleting several table entries from the Artifactory database, these steps should only be considered once other options have been exhausted. Please consult the Support Team to confirm that this is the case.

Resolution

If you encounter a “Bad padding exception”, a bad master.key file may be the cause. If you do not have a "master.key" file in the $ARTIFACTORY_HOME/etc/security folder and are running a version above Artifactory 5.6, you will need to cycle the master.key to recover the database.

These are the steps required to recover from a lost master.key. This process requires direct manipulation of the database and the db.properties file. Please keep in mind that this process removes every stored reference to the master.key and may have unintended side effects.

The steps will delete any encrypted configuration setting in the database. This includes any encrypted passwords such as the database password in the db.properties file.

These steps should only be taken in emergencies:

0. Make a backup of the database
[MySQL – Example]
mysqldump -u root -p artdb > backup.dump

1. Change the db.properties password from its encrypted form to clear-text.

2. Open the db.properties file for reference:

cat $ARTIFACTORY_HOME/etc/db.properties

3. Log in to the external database (you can use the credentials from the db.properties file)

[example]

mysql -u artifactory -p

Password: <PASSWORD>

4. Switch to the Artifactory database

use artdb;

5. Remove all encrypted passwords from the configuration tables:

delete from access_configs where data LIKE 'JE%';

delete from configs where data LIKE 'JE%' or data LIKE 'AM%';

delete from access_master_key_status where status = 'on';

Note: There may also be a table master_key_status that contains a row similar to access_master_key_status. Remove this row using a similar command to the three above.

6. (Optional) If you are rotating (not resetting) the master.key, remove the master.key from all nodes.

7. Restart the primary node.
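
Before running the DELETE statements in step 5, it is worth confirming that the backup from step 0 is complete and that step 1 was actually applied. The script below is an added example, not part of the original article or of Artifactory. It assumes the dump was written by mysqldump with its default trailer comment, that db.properties uses a "password=" key, and that an encrypted password carries the same JE/AM prefixes the article matches in the config tables.

```shell
#!/bin/sh
# Added example: pre-flight checks for steps 0 and 1 of the procedure above.
# Function names are hypothetical; sample inputs belong in your own test files.

# Return 0 if the dump is non-empty and ends with the "-- Dump completed"
# trailer that mysqldump writes by default (absent if the dump was cut short).
backup_is_complete() {
    [ -s "$1" ] || return 1
    tail -n 5 "$1" | grep -q '^-- Dump completed'
}

# Print the password value from a db.properties file (last definition wins).
db_password_value() {
    sed -n 's/^[[:space:]]*password[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Return 0 if the password still looks encrypted.
# Assumption: encrypted values start with JE or AM, as in the article's
# LIKE patterns. A clear-text password with that prefix is a false positive.
password_looks_encrypted() {
    case "$(db_password_value "$1")" in
        JE*|AM*) return 0 ;;
        *)       return 1 ;;
    esac
}

# usage: preflight backup.dump "$ARTIFACTORY_HOME/etc/db.properties"
preflight() {
    backup_is_complete "$1" || {
        echo "backup missing or truncated: $1" >&2
        return 1
    }
    [ -r "$2" ] || { echo "cannot read: $2" >&2; return 1; }
    if password_looks_encrypted "$2"; then
        echo "db.properties password still looks encrypted (see step 1)" >&2
        return 1
    fi
    echo "pre-flight OK"
}

# Run the checks only when both paths are supplied on the command line.
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Store the dump and the clear-text db.properties with restrictive permissions, since both now contain credentials in readable form.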