/
Move the Security and Encryption app to a new Confluence Data Center instance

Move the Security and Encryption app to a new Confluence Data Center instance

This guide will help you ensure the Security and Encryption for Confluence app works error-free after moving from one Data Center to another. It outlines the steps to avoid the most common issues with the Secure macro after the transition.

Ensure the Secure macro works after moving to a new Data Center

Secure macro contents are decrypted using a special PGP (Pretty Good Privacy) encryption key. Without this key, the macro will display an error when you try to open it on the new Data Center instance. Each Confluence instance has a unique PGP encryption key, so the key from your new instance will not match the old Secure macros. Because the PGP key is not automatically transferred during migration, you need to back it up and later move it manually to ensure the Secure macro works on the new Confluence Data Center instance.

Create a backup of your database’s PGP encryption key

When moving the Security and Encryption app to a new Confluence Data Center instance, a new PGP encryption key is generated in the database tables. This prevents access to the old Secure macros since they were encrypted with a different key.

To open Secure macros created on the previous Data Center instance, it’s important to back up the source Confluence PGP encryption key and restore it to the new instance. This will replace the newly created PGP encryption key on the new instance.

To create a backup of your source database’s PGP encryption key:

  1. Find the AO_DCA036_GLOBAL_KEY_PAIR table in the database of your source Confluence instance where the PGP encryption key is stored.

  2. Back up the entire table.

  3. Import the table into the database of your new Confluence instance.

Note that the encrypted content is already embedded within the body content, so you don't need to back up that data separately.

To avoid unnecessary database table backups, don’t use an instance that contains the following deprecated macros:

  • secure-pass (Legacy)

  • secure-data (Legacy)

Restore PGP encryption key from backup

After moving your Confluence Data Center instance to a new one, you need to restore the PGP encryption key from the backup and update the database of the new Confluence instance. This key is necessary to decrypt the old Secure macros on the new Confluence instance.

Test in a staging instance first

The following procedure involves making direct changes to the database. Before proceeding, we strongly recommend creating the necessary backups and testing these steps in a staging instance first. This test run will help ensure that the steps are followed correctly and that the necessary changes are made accurately without disrupting your currently active Confluence instance.

To retrieve the PGP encryption key, follow these steps:

  1. Restore the backup: Restore the backup of your original Confluence instance into a new instance with a separate database. For this example, we'll call this instance Data Center A.

  2. Access the PGP key: In Data Center A, access the AO_DCA036_GLOBAL_KEY_PAIR database table. Note the values for PASS_PHRASE, PRIVATE_KEY, and PUBLIC_KEY.

  3. Update the new instance: Go to your new Confluence instance and open its AO_DCA036_GLOBAL_KEY_PAIR database table. Update this table with the keys from Data Center A using the following command:

UPDATE AO_DCA036_GLOBAL_KEY_PAIR SET PASS_PHRASE=‘DATA Center A PASSPHRASE’, PRIVATE_KEY='DATA Center A PRIVATE_KEY', PUBLIC_KEY='DATA Center A PUBLIC_KEY' WHERE NAME ='_GLOBAL_SECURE_MACRO_';

  1. Clear the plugin cache: Clear the plugin cache as recommended by Atlassian to ensure the changes take effect.

Now, you can use the restored PGP key to decrypt both the Secure macros moved from the old Confluence Data Center instance and any new Secure macros created on the new instance.

Verify the PGP encryption key is moved successfully

To confirm the PGP encryption key was moved successfully, follow these steps:

  1. Navigate to a Secure macro you’ve moved from the old Confluence Data Center instance.

  2. Try to open the Secure macro.

If the Secure macro opens without issues, the PGP encryption key has been moved successfully. If you see an error message like the one below, double-check the steps above or contact our support team for assistance.

An image showing an empty error box with the title Error that appears when the Secure macro doesn't work with the PGP encryption key.

Access additional resources and support

 

 

Need support? Create a request with our support team.

Copyright © 2005 - 2025 Appfire | All rights reserved.