From 19350fbc3ebddd0c1812ccbc9271922777ef90f6 Mon Sep 17 00:00:00 2001 From: jubnl Date: Wed, 1 Apr 2026 08:43:10 +0200 Subject: [PATCH] fix: point upgraders to ./data/.jwt_secret in ENCRYPTION_KEY error and docs The startup error now tells operators exactly where to find the old key value (./data/.jwt_secret) rather than just saying "your old JWT_SECRET". docker-compose.yml and README updated to mark ENCRYPTION_KEY as required and remove the stale "auto-generated" comments. --- README.md | 4 ++-- docker-compose.yml | 2 +- server/src/config.ts | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 003afa4..566a503 100644 --- a/README.md +++ b/README.md @@ -136,7 +136,7 @@ services: environment: - NODE_ENV=production - PORT=3000 - - ENCRYPTION_KEY=${ENCRYPTION_KEY:-} # Auto-generated if not set. If upgrading, set to your old JWT_SECRET value to keep existing encrypted secrets readable. + - ENCRYPTION_KEY=${ENCRYPTION_KEY} # Required. Generate with: openssl rand -hex 32. Upgrading? Set this to the contents of ./data/.jwt_secret to keep existing encrypted secrets readable. - ALLOWED_ORIGINS=${ALLOWED_ORIGINS:-} # Comma-separated origins for CORS and email notification links - TZ=${TZ:-UTC} # Timezone for logs, reminders and scheduled tasks (e.g. Europe/Berlin) - LOG_LEVEL=${LOG_LEVEL:-info} # info = concise user actions; debug = verbose admin-level details @@ -246,7 +246,7 @@ trek.yourdomain.com { | **Core** | | | | `PORT` | Server port | `3000` | | `NODE_ENV` | Environment (`production` / `development`) | `production` | -| `ENCRYPTION_KEY` | At-rest encryption key for stored secrets (API keys, MFA, SMTP, OIDC); auto-generated and saved to `data/` if not set. **Upgrading:** set to your old `JWT_SECRET` value to keep existing encrypted data readable, then re-save credentials to migrate | Auto-generated | +| `ENCRYPTION_KEY` | **Required.** At-rest encryption key for stored secrets (API keys, MFA, SMTP, OIDC). Generate with `openssl rand -hex 32`. **Upgrading:** set to the contents of `./data/.jwt_secret` to keep existing encrypted data readable. | — | | `TZ` | Timezone for logs, reminders and cron jobs (e.g. `Europe/Berlin`) | `UTC` | | `LOG_LEVEL` | `info` = concise user actions, `debug` = verbose details | `info` | | `ALLOWED_ORIGINS` | Comma-separated origins for CORS and email links | same-origin | diff --git a/docker-compose.yml b/docker-compose.yml index 42979a1..edcdca2 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -18,7 +18,7 @@ services: environment: - NODE_ENV=production - PORT=3000 - - ENCRYPTION_KEY=${ENCRYPTION_KEY:-} # Auto-generated if not set. If upgrading, set to your old JWT_SECRET value to keep existing encrypted secrets readable. + - ENCRYPTION_KEY=${ENCRYPTION_KEY} # Required. Generate with: openssl rand -hex 32. Upgrading? Set this to the contents of ./data/.jwt_secret to keep existing encrypted secrets readable. - TZ=${TZ:-UTC} # Timezone for logs, reminders and scheduled tasks (e.g. Europe/Berlin) - LOG_LEVEL=${LOG_LEVEL:-info} # info = concise user actions; debug = verbose admin-level details - ALLOWED_ORIGINS=${ALLOWED_ORIGINS:-} # Comma-separated origins for CORS and email notification links diff --git a/server/src/config.ts b/server/src/config.ts index 1663478..a0fc620 100644 --- a/server/src/config.ts +++ b/server/src/config.ts @@ -48,8 +48,8 @@ const ENCRYPTION_KEY: string = process.env.ENCRYPTION_KEY || ''; if (!ENCRYPTION_KEY) { console.error('FATAL: ENCRYPTION_KEY is not set.'); - console.error('If this occurs after an update from a version that derived encryption from JWT_SECRET,'); - console.error('set ENCRYPTION_KEY to the value of your old JWT_SECRET to keep existing secrets readable.'); + console.error('If this occurs after an update, set ENCRYPTION_KEY to the value of your old JWT secret.'); + console.error('Your JWT secret is stored in data/.jwt_secret (host path: ./data/.jwt_secret).'); console.error('For a fresh install, generate a random key: openssl rand -hex 32'); process.exit(1); }