On-Prem install gets "This Looker instance must be migrated to GCM encryption" message after successful migration/encryption

  • 13 October 2022
  • 0 replies

For On-Prem installations of Looker that want to use version 22.8 or higher, migration to AES-256 GCM encryption is needed.


Summary of that process is:

  1. Create backups
  2. Create Customer Master Key (CMK)
    1. We need to store this key value in a safe place, it’s recommended that this is stored on a file, if this key is lost, the internal database will be lost as well.
  3. Set environment variables 
    1. export LKR_MASTER_KEY_FILE=<path_to_key_file>
  4. Encrypt the internal database

For this last step, we might be using a command like this one:

$ java -jar looker.jar migrate_encryption


Which should return the following message:


Encryption migration succeeded


That command works as intended when we are using the local HyperSQL database that is created by Looker, to use as the internal database, if we use that HyperSQL database, and we get the new jar files, Looker should start with no problem afterwards.


However, if our internal database is not the local HyperSQL database (most of the time it’s an external MySQL database), then, after we get the new jar files and we try to start Looker again like this:


$ ./looker start


We get the following message:


This Looker instance must be migrated to GCM encryption using 'migrate_encryption'


That is because we need to provide the external database credentials on the migrate_encrytpion command, as described here: https://cloud.google.com/looker/docs/migrating-to-aes-256-gcm-encryption#:~:text=If%20your%20Looker%20instance%20starts%20with%20either%20the


The Encryption migration succeeded message is a false positive in this case, as it executed on the local HyperSQL database, not the external database, so, the correct command we need to use for this kind of setup is similar to this:

$ java -jar looker.jar migrate_encryption -d /path/file

0 replies

Be the first to reply!