How to retrieve the PGP Encryption Key from a backup

Summary

When migrating the instance to another server, the existing Secure macros may fail to be decrypted due to a PGP Encryption key mismatch. When this happens, you will see an error similar to the image below.

To solve this, you need to migrate the data of the AO_DCA036_GLOBAL_KEY_PAIR table from the old database to the newly migrated instance's database.

Environment

Confluence Server or Data Center

Diagnostics Steps

When decrypting a Secure macro after migration, an "Error" box appears (shown above).

Cause

PGP Encryption key mismatch after migration.

Resolution

Before proceeding with the steps below, we strongly suggest creating the necessary backups or testing the steps first in a staging instance. The steps result in direct database changes. By doing a test run, you can ensure steps are followed correctly and are making the necessary changes.

restore the old backup into a new instance with a separate database

After restoring the backup into the new instance (let's name this instance Server A)

check the PASS_PHRASE, PRIVATE_KEY, and PUBLIC_KEY from AO_DCA036_GLOBAL_KEY_PAIR database table of Server A

with the data, move to the new instance and update AO_DCA036_GLOBAL_KEY_PAIR table with the copied keys from Server A
UPDATE public."AO_DCA036_GLOBAL_KEY_PAIR" SET"PASS_PHRASE" = Server A PASS_PHRASE, "PRIVATE_KEY" = Server A PRIVATE_KEY, "PUBLIC_KEY" = Server A PUBLIC_KEY;

After this

clear the plugin cache (as recommended by Atlassian)

check if the migrated secure macros can be decrypted

On updating AO_DCA036_GLOBAL_KEY_PAIR with the new keys, any secure macros which were created previously in the instance will not be decryptable.