On-prem installations of Looker that want to use version 22.8 or higher need to migrate to AES-256 GCM encryption.
In summary, the process is:
- Create backups
- Create Customer Master Key (CMK)
  - Store this key value in a safe place; storing it in a file is recommended. If this key is lost, the internal database will be lost as well.
- Set environment variables
- Encrypt the internal database
For this last step, we might use a command like this one:
$ java -jar looker.jar migrate_encryption
Which should return the following message:
Encryption migration succeeded
That command works as intended when the internal database is the local HyperSQL database that Looker creates. In that case, once we get the new jar files, Looker should start with no problem.
However, if our internal database is not the local HyperSQL database (most of the time it’s an external MySQL database), then, after we get the new jar files and we try to start Looker again like this:
$ ./looker start
We get the following message:
This Looker instance must be migrated to GCM encryption using 'migrate_encryption'
That is because we need to provide the external database credentials on the migrate_encryption command, as described here: https://cloud.google.com/looker/docs/migrating-to-aes-256-gcm-encryption#:~:text=If%20your%20Looker%20instance%20starts%20with%20either%20the
The Encryption migration succeeded message is a false positive in this case, because the command ran against the local HyperSQL database, not the external database. The correct command for this kind of setup is similar to this:
$ java -jar looker.jar migrate_encryption -d /path/file
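A guard around that last step, as an added example that is not part of the original page or of Looker itself: it builds the migrate_encryption command from the same startup options the instance uses, and recognizes the startup message that reveals a false-positive migration. The argument string and all function names are assumptions; only the -d option and the quoted messages come from the text above.

```shell
# Assumption: the caller passes the options this instance is started with
# as one string (for example "-d /path/file"); names here are hypothetical.

# Print the file given after -d in an argument string; fail if there is none.
db_creds_from_args() {
  prev=""
  for arg in $1; do            # unquoted on purpose: split into words
    if [ "$prev" = "-d" ]; then
      printf '%s\n' "$arg"
      return 0
    fi
    prev="$arg"
  done
  return 1
}

# Print the migrate_encryption command that targets the same internal
# database the instance starts with. Exit status 2 means -d names a
# file that cannot be read, so nothing should be run.
migrate_cmd_for() {
  if creds=$(db_creds_from_args "$1"); then
    [ -r "$creds" ] || { echo "cannot read $creds" >&2; return 2; }
    printf 'java -jar looker.jar migrate_encryption -d %s\n' "$creds"
  else
    # No -d at startup: the local HyperSQL database is the internal database.
    printf 'java -jar looker.jar migrate_encryption\n'
  fi
}

# Read startup output on stdin; succeed if Looker still asks for migration,
# i.e. an earlier "Encryption migration succeeded" hit the wrong database.
migration_still_pending() {
  grep -q "must be migrated to GCM encryption using 'migrate_encryption'"
}
```

Running the printed command and then piping the output of ./looker start through migration_still_pending confirms whether the external database was actually migrated.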