Backups ignore --no-encryption flag #7410

Open
paulgrainger85 opened this issue Feb 14, 2025 · 2 comments
Labels
area/backend Needs backend code changes bug Something isn't working kind/customer-request Requested by one or more customers

@paulgrainger85

paulgrainger85 commented Feb 14, 2025

Describe the issue

Set encryption key to something larger than 256 bits, e.g.
export ENCRYPTION_KEY=$(openssl rand -hex 33)

          encryption:
            secret-key: $ENCRYPTION_KEY

Try to create a backup with no encryption

root@d9c9d730c50e:/app# ./kestra backups create FULL --no-encryption
2025-02-14 13:36:08,853 INFO  main         org.flywaydb.core.FlywayExecutor Database: jdbc:postgresql://postgres:5432/kestra (PostgreSQL 17.2)
2025-02-14 13:36:08,888 INFO  main         o.f.core.internal.command.DbValidate Successfully validated 46 migrations (execution time 00:00.023s)
2025-02-14 13:36:08,895 INFO  main         o.f.core.internal.command.DbMigrate Current version of schema "public": 2.19
2025-02-14 13:36:08,896 INFO  main         o.f.core.internal.command.DbMigrate Schema "public" is up to date. No migration necessary.
2025-02-14 13:36:09,484 INFO  create       i.kestra.core.plugins.PluginScanner Registered 126 core plugins (scan done in 68ms)
2025-02-14 13:36:09,819 INFO  create       i.kestra.core.plugins.PluginScanner Registered 557 plugins from 111 groups (scan done in 333ms)
2025-02-14 13:36:09,853 INFO  create       i.k.ee.context.KestraBeansFactory Enabling per-tenant secret configuration with the default secret 'jdbc', you can disable it via 'kestra.ee.tenants.dedicated-secret=false'.
2025-02-14 13:36:09,878 INFO  create       i.k.ee.context.KestraBeansFactory Enabling per-tenant storage configuration with the default storage 'local', you can disable it via 'kestra.ee.tenants.dedicated-storage=false'.
java.security.InvalidKeyException: Invalid AES key length: 49 bytes
        at java.base/com.sun.crypto.provider.AESCrypt.makeSessionKey(Unknown Source)
        at java.base/com.sun.crypto.provider.AESCrypt.init(Unknown Source)
        at java.base/com.sun.crypto.provider.GaloisCounterMode.init(Unknown Source)
        at java.base/com.sun.crypto.provider.GaloisCounterMode.engineInit(Unknown Source)
        at java.base/javax.crypto.Cipher.implInit(Unknown Source)
        at java.base/javax.crypto.Cipher.chooseProvider(Unknown Source)
        at java.base/javax.crypto.Cipher.init(Unknown Source)
        at java.base/javax.crypto.Cipher.init(Unknown Source)
        at io.kestra.core.encryption.EncryptionService.encrypt(EncryptionService.java:56)
        at io.kestra.ee.backup.BackupService.backupResource(BackupService.java:432)
        at io.kestra.ee.backup.BackupService.backupFull(BackupService.java:241)
        at io.kestra.ee.cli.backups.CreateCommand.call(CreateCommand.java:65)
        at io.kestra.ee.cli.backups.CreateCommand.call(CreateCommand.java:17)
        at picocli.CommandLine.executeUserObject(CommandLine.java:2045)
        at picocli.CommandLine.access$1500(CommandLine.java:148)
        at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2465)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2457)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2419)
        at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2277)
        at picocli.CommandLine$RunLast.execute(CommandLine.java:2421)
        at picocli.CommandLine.execute(CommandLine.java:2174)
        at io.kestra.cli.App.execute(App.java:67)
        at io.kestra.ee.cli.App.main(App.java:23)

Environment

  • Kestra Version: 0.21.2
@github-project-automation github-project-automation bot moved this to Backlog in Issues Feb 14, 2025
@loicmathieu
Member

I'm not sure, but maybe options need to be passed before parameters, so can you try ./kestra backups create --no-encryption FULL

@paulgrainger85
Author

No, the argument still appears to be ignored.

root@38f8b618758a:/app# ./kestra backups create --no-encryption FULL
2025-02-17 12:03:42,259 INFO  main         org.flywaydb.core.FlywayExecutor Database: jdbc:postgresql://postgres:5432/kestra (PostgreSQL 17.2)
2025-02-17 12:03:42,299 INFO  main         o.f.core.internal.command.DbValidate Successfully validated 47 migrations (execution time 00:00.025s)
2025-02-17 12:03:42,307 INFO  main         o.f.core.internal.command.DbMigrate Current version of schema "public": 2.19
2025-02-17 12:03:42,309 INFO  main         o.f.core.internal.command.DbMigrate Schema "public" is up to date. No migration necessary.
2025-02-17 12:03:43,037 INFO  create       i.kestra.core.plugins.PluginScanner Registered 127 core plugins (scan done in 68ms)
2025-02-17 12:03:43,407 INFO  create       i.kestra.core.plugins.PluginScanner Registered 560 plugins from 111 groups (scan done in 368ms)
2025-02-17 12:03:43,449 INFO  create       i.k.ee.context.KestraBeansFactory Enabling per-tenant secret configuration with the default secret 'jdbc', you can disable it via 'kestra.ee.tenants.dedicated-secret=false'.
2025-02-17 12:03:43,473 INFO  create       i.k.ee.context.KestraBeansFactory Enabling per-tenant storage configuration with the default storage 'local', you can disable it via 'kestra.ee.tenants.dedicated-storage=false'.
java.security.InvalidKeyException: Invalid AES key length: 49 bytes
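
Added example, not part of the issue thread and not Kestra's code: a pre-flight check that reports how many bytes a configured secret yields as raw text, as hex and as Base64, and which of those are legal AES key sizes (16, 24 or 32 bytes). A 66-character string such as `openssl rand -hex 33` emits is 49 bytes when Base64-decoded, which matches the trace; that the key is decoded this way is an inference from that number, not something the thread states. Function names and sample keys are constructed for illustration.

```python
import base64
import binascii
import re

AES_KEY_SIZES = (16, 24, 32)  # bytes: AES-128, AES-192, AES-256
B64_ALPHABET = re.compile(r"[A-Za-z0-9+/]*={0,2}")


def decoded_lengths(secret: str) -> dict:
    """Byte length of `secret` as raw text, hex and Base64 (None = not valid)."""
    lengths = {"raw": len(secret.encode("utf-8")), "hex": None, "base64": None}
    try:
        lengths["hex"] = len(bytes.fromhex(secret))
    except ValueError:
        pass
    if B64_ALPHABET.fullmatch(secret):
        try:
            # Lenient decoders accept a missing "=" tail, so restore it first.
            padded = secret + "=" * (-len(secret) % 4)
            lengths["base64"] = len(base64.b64decode(padded))
        except binascii.Error:
            pass
    return lengths


def usable_as_aes_key(secret: str) -> list:
    """Interpretations under which `secret` has a legal AES key size."""
    return [name for name, size in decoded_lengths(secret).items()
            if size in AES_KEY_SIZES]


# Constructed sample keys, shaped like `openssl rand -hex N` output.
HEX_33 = "ab" * 33   # 66 characters, as in the issue's reproduction step
HEX_16 = "0f" * 16   # 32 characters

if __name__ == "__main__":
    for label, key in (("hex 33", HEX_33), ("hex 16", HEX_16)):
        print(label, decoded_lengths(key), usable_as_aes_key(key))
```

The 32-character sample is a legal key size under all three readings, so the length check alone cannot tell which encoding a consumer expects.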
