Encryption_key Bug - Error 500 - Cannot be set using env variables, or with cake CLI.

[MartinHeim]

I get a similar error to (#346) . Setting Security.encryption_key in MISP v2.5.32 causes the application to crash with EncryptedValue conversion errors (same as error.log from Bratox). This occurs with Kubernetes Secret, or cake Admin setSetting CLI. The configuration worked in v2.5.10. If I set the secret beforehand, in code, like was done by Bratox, it works. However, I want to avoid having it be hardcoded and so visible. When the encryption key is set via cake Admin setSetting on a running instance, the web interface immediately becomes inaccessible with a 500 error.

Steps to reproduce
Method 1: Via environment variable

Deploy MISP v2.5.32
Set ENCRYPTION_KEY environment variable to any string ≥ 32 characters
Set ADMIN_PASSWORD environment variable
Start the container
Observe EncryptedValue errors in logs during init_user phase
Web interface returns "Internal Server Error"

Method 2: Via CLI on running instance

Deploy MISP v2.5.32 without ENCRYPTION_KEY (works normally)
Log in and confirm the web interface works
Run: cake Admin setSetting "Security.encryption_key" "any-alphanumeric-string-at-least-32-chars"
Immediately try to access the web interface
Browser reports "Unable to connect"
Removing the key does not restore functionality; a pod restart is required.

[UFOSmuggler]

I am guessing you are using the cake cli application as root. If I do what you're doing as root I get the same issue as the file permissions change and the application can no longer read the config.php file. Restarting the container causes the entrypoint to fix the permissions.

However it works fine if I call the cake application like this:

sudo -u www-data app/Console/cake admin setsetting Security.encryption_key 4cbd040533a2f43fc6691d773d510cda70f4126a

[UFOSmuggler]

The envar works fine for me otherwise in 2.5.32, can you paste the logs for method 1?

[MartinHeim]

Even if I use cake with the "www-data" user, it still causes the application to enter Error 500. Functionality is restored after the container is restarted, but this resets the encryption_key as well—meaning it remains empty. I've tried various workarounds, but I've yet to find one which seems to work.

For the logs, which ones do you want? error.log / debug.log?

[ostefano]

Whichever as long as it contains some error at the time of the 500

[UFOSmuggler]

complete stderr/stdout from the misp-core container would also be good. as would the permissions and content of the config.php file after the issue occurs.

feel free to redact secrets.

php and nginx logs can also be quite helpful to diagnose this kind of issue.

[UFOSmuggler]

just trying to get your method 1 error to occur, i can't seem to do so. i'm using the latest MISP/misp-docker commit, but setting CORE_RUNNING_TAG to v2.5.32 and using that version of the image. if you tell me what commit you're using, and perhaps anything else you're doing differently from me (perhaps you're not using docker compose or something else like that?), maybe i can encounter the problem.

.env file:

davidz@ocp:~/stuff/misp-docker$ grep -vP '(^#|^$)' .env
CORE_TAG=v2.5.34
MODULES_TAG=v3.0.6
GUARD_TAG=v1.2
PHP_VER=20240924
PYPI_SETUPTOOLS_VERSION="==80.3.1"
PYPI_SUPERVISOR_VERSION="==4.2.5"
CORE_RUNNING_TAG=v2.5.32
ADMIN_EMAIL=
ADMIN_ORG=
ADMIN_ORG_UUID=
ADMIN_KEY=
ADMIN_PASSWORD=4cbd040533a2f43fc6691d773d510cda70f4126a
GPG_PASSPHRASE=
CRON_USER_ID=
BASE_URL=
ENABLE_DB_SETTINGS=
ENCRYPTION_KEY=4cbd040533a2f43fc6691d773d510cda70f4126a
SALT=
UUID=
ENABLE_BACKGROUND_UPDATES=
ATTACHMENTS_DIR=
SMARTHOST_ADDRESS=
SMARTHOST_PORT=
SMARTHOST_USER=
SMARTHOST_PASSWORD=
SMARTHOST_ALIASES=
SYNCSERVERS=
SYNCSERVERS_1_URL=
SYNCSERVERS_1_NAME=
SYNCSERVERS_1_UUID=
SYNCSERVERS_1_KEY=
SYNCSERVERS_1_PULL_RULES=

full container log, no preexisting volumes or binds, everything fresh (edited, accidentally left gnupg bind first time):

misp-core-1  | 2026-03-11 21:53:39,570 WARN For [program:nginx], redirect_stderr=true but stderr_logfile has also been set to a filename, the filename has been ignored
misp-core-1  | 2026-03-11 21:53:39,570 WARN For [program:php-fpm], redirect_stderr=true but stderr_logfile has also been set to a filename, the filename has been ignored
misp-core-1  | 2026-03-11 21:53:39,570 WARN For [program:rsyslog], redirect_stderr=true but stderr_logfile has also been set to a filename, the filename has been ignored
misp-core-1  | 2026-03-11 21:53:39,570 INFO Included extra file "/etc/supervisor/conf.d/10-supervisor.conf" during parsing
misp-core-1  | 2026-03-11 21:53:39,570 INFO Included extra file "/etc/supervisor/conf.d/40-stunnel.conf" during parsing
misp-core-1  | 2026-03-11 21:53:39,570 INFO Included extra file "/etc/supervisor/conf.d/50-workers.conf" during parsing
misp-core-1  | 2026-03-11 21:53:39,570 INFO Set uid to user 0 succeeded
misp-core-1  | 2026-03-11 21:53:39,573 INFO RPC interface 'supervisor' initialized
misp-core-1  | 2026-03-11 21:53:39,578 INFO RPC interface 'supervisor' initialized
misp-core-1  | 2026-03-11 21:53:39,578 INFO supervisord started with pid 7
misp-core-1  | 2026-03-11 21:53:40,581 INFO spawned: 'nginx' with pid 8
misp-core-1  | 2026-03-11 21:53:40,582 INFO spawned: 'php-fpm' with pid 9
misp-core-1  | 2026-03-11 21:53:40,583 INFO spawned: 'rsyslog' with pid 10
misp-core-1  | INIT | Initialize MySQL ...
misp-core-1  | Configure PHP | Change PHP values ...
misp-core-1  | Configure PHP | Setting 'memory_limit = 2048M'
misp-core-1  | --------------
misp-core-1  | DESCRIBE attributes
misp-core-1  | --------------
misp-core-1  | 
misp-core-1  | ERROR 1146 (42S02) at line 1: Table 'misp.attributes' doesn't exist
misp-core-1  | ... database has not been initialized, importing MySQL scheme...
misp-core-1  | Configure PHP | Setting 'max_execution_time = 300'
misp-core-1  | Configure PHP | Setting 'upload_max_filesize = 50M'
misp-core-1  | Configure PHP | Setting 'max_file_uploads = 50'
misp-core-1  | Configure PHP | Setting 'post_max_size = 50M'
misp-core-1  | Configure PHP | Setting 'max_input_time = 300'
misp-core-1  | Configure PHP | Setting 'session.save_path = 'tcp://redis:6379?auth=redispassword'
misp-core-1  | Configure PHP | Setting 'date.timezone = UTC'
misp-core-1  | Configure PHP | Setting 'pm.max_children = 5'
misp-core-1  | Configure PHP | Setting 'pm.start_servers = 2'
misp-core-1  | Configure PHP | Setting 'pm.(min|max)_spare_servers = 2'
misp-core-1  | Configure PHP | Setting 'pm.max_requests = 0'
misp-core-1  | Configure PHP | Disabling 'pm.status_path'
misp-core-1  | Configure PHP | Disabling 'pm.status_listen'
misp-core-1  | Configure PHP | Starting PHP FPM
misp-core-1  | 2026-03-11 21:53:41,655 INFO success: nginx entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp-core-1  | 2026-03-11 21:53:41,655 INFO success: php-fpm entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp-core-1  | 2026-03-11 21:53:41,655 INFO success: rsyslog entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp-core-1  | INIT | Initialize NGINX ...
misp-core-1  | ... adjusting 'fastcgi_read_timeout' to 300s
misp-core-1  | ... adjusting 'fastcgi_send_timeout' to 300s
misp-core-1  | ... adjusting 'fastcgi_connect_timeout' to 300s
misp-core-1  | ... adjusting 'client_max_body_size' to 50M
misp-core-1  | ... adjusting Content-Security-Policy
misp-core-1  | ... no Content-Security-Policy header will be set as CONTENT_SECURITY_POLICY is not defined
misp-core-1  | ... adjusting X-Frame-Options
misp-core-1  | ... setting 'X-Frame-Options SAMEORIGIN'
misp-core-1  | ... adjusting HTTP Strict Transport Security (HSTS)
misp-core-1  | ... no HSTS header will be set as HSTS_MAX_AGE is not defined
misp-core-1  | ... enabling port 80 redirect
misp-core-1  | ... enabling IPv6 on port 80
misp-core-1  | ... enabling SSL redirect
misp-core-1  | ... enabling port 443
misp-core-1  | ... enabling IPv6 on port 443
misp-core-1  | ... generating new self-signed TLS certificate
misp-core-1  | ....+.....+.+.........+.....+.+...+..+...+.+...+..+......+.......+..+....+.....+++++++++++++++++++++++++++++++++++++++++++++*....+...+.+..+...+......+.+.....+....+...+++++++++++++++++++++++++++++++++++++++++++++*...........+....................................+......+......+....+...+...........+.........+.+..+....+...+...+..+......+.........+.............+..+.......+..........................+....+...........+.............+......+..............+......+.+..+.+..+.......+..+.+.....+.......+..+.....................+.......+...........+....+.....+.+.....+....+..................+........+.+...+..+.........+....+...........+....+..+...+...+...............+..........+...+......+..........................+.........+...+...+...+.......+............+..+...+.......+...+..+....+.....+....+...+..+............+...+.+......+......+...+......+........+..........+...+.................+.+...........+....+..............+...+............+.+............+............+...+............+..+....+..+.......+..+.+....................+...+.........+............+.+.........+.....+......+....+.....+..........+...........+........................+..........+......+..................+.....+.......+...+.........+.................+.+.....+.......+.....+...............+......+....+...........+......+...............................+.....+....+....................+.............+......+.....+.+......+...+..+....+......+...+......+..............+.........+......+.......+...+.........+..+.+.........+..............+.......+.....+..................+.........+......+......+...+.......+.....+...............+....+......+...+...........+...................+.....+.+............+..+...............+..........+...+.....+.......+...+...+.........+..+.............+.....+.+.....+..........+...........+....+..+..........+.....+.............+.........+.....+............+...................+..+...+......+...+................+.....+......+.+.....+.............+.................+....+........+.+......+........+...+...+.........+.......+...........+.........+................+...+.........+........+.............+.........+...+............+...+...+.....+.........+.+........................+...........+....+..+++++
misp-core-1  | .............+...+....+...............+...+..............+++++++++++++++++++++++++++++++++++++++++++++*...+...+..+.......+.....+.+.....+...............+.......+..+...+.+.....+.+..............+........................+...+...+......+.+..+..................+............+.+++++++++++++++++++++++++++++++++++++++++++++*.+..+.+..............+...+......+...............+................+......+..+..........+..+...+.............+...+..............+.......+...+........+....+......+...+.....+..........+......+.....+.+...+.........+.....+.............+..............+.+..+..........+......+.....................+...+..+.+........+.+.....+.+..+............................+...+.....+......+....+..+.........+.........+.......+..+.+......+...+..+.........+.+.........+......+...........+....+...+...........+.........+.+..+...................+......+..+......+.+...+..+++++
misp-core-1  | -----
misp-core-1  | ... nginx docroot set to /var/www/html/
misp-core-1  | INIT | Initialize MISP files and configurations ...
misp-core-1  | ... initialize configuration files
misp-core-1  | 14+1 records in
misp-core-1  | 14+1 records out
misp-core-1  | 7321 bytes (7.3 kB, 7.1 KiB) copied, 4.671e-05 s, 157 MB/s
misp-core-1  | 3+1 records in
misp-core-1  | 3+1 records out
misp-core-1  | 1811 bytes (1.8 kB, 1.8 KiB) copied, 3.6611e-05 s, 49.5 MB/s
misp-core-1  | 21+1 records in
misp-core-1  | 21+1 records out
misp-core-1  | 10814 bytes (11 kB, 11 KiB) copied, 5.746e-05 s, 188 MB/s
misp-core-1  | 31+1 records in
misp-core-1  | 31+1 records out
misp-core-1  | 16064 bytes (16 kB, 16 KiB) copied, 7.774e-05 s, 207 MB/s
misp-core-1  | 5+1 records in
misp-core-1  | 5+1 records out
misp-core-1  | 3002 bytes (3.0 kB, 2.9 KiB) copied, 2.8941e-05 s, 104 MB/s
misp-core-1  | 5+1 records in
misp-core-1  | 5+1 records out
misp-core-1  | 2618 bytes (2.6 kB, 2.6 KiB) copied, 2.798e-05 s, 93.6 MB/s
misp-core-1  | ... patch bootstrap.php settings not required
misp-core-1  | ... initialize database.php settings
misp-core-1  | ... initialize email.php settings
misp-core-1  | ... initialize app files
misp-core-1  | INIT | Update MISP app/files directory ...
misp-core-1  | ... rsync -azh --delete "/var/www/MISP/app/files.dist/browscap" "/var/www/MISP/app/files/"
misp-core-1  | ... rsync -azh "/var/www/MISP/app/files.dist/certs" "/var/www/MISP/app/files/"
misp-core-1  | ... rsync -azh --delete "/var/www/MISP/app/files.dist/community-metadata" "/var/www/MISP/app/files/"
misp-core-1  | ... rsync -azh --delete "/var/www/MISP/app/files.dist/empty" "/var/www/MISP/app/files/"
misp-core-1  | ... rsync -azh --delete "/var/www/MISP/app/files.dist/feed-metadata" "/var/www/MISP/app/files/"
misp-core-1  | ... rsync -azh --delete "/var/www/MISP/app/files.dist/geo-open" "/var/www/MISP/app/files/"
misp-core-1  | ... rsync -azh "/var/www/MISP/app/files.dist/img" "/var/www/MISP/app/files/"
misp-core-1  | ... rsync -azh --delete "/var/www/MISP/app/files.dist/misp-decaying-models" "/var/www/MISP/app/files/"
misp-core-1  | ... rsync -azh --delete "/var/www/MISP/app/files.dist/misp-galaxy" "/var/www/MISP/app/files/"
misp-core-1  | ... rsync -azh "/var/www/MISP/app/files.dist/misp-objects" "/var/www/MISP/app/files/"
misp-core-1  | ... rsync -azh --delete "/var/www/MISP/app/files.dist/misp-workflow-blueprints" "/var/www/MISP/app/files/"
misp-core-1  | ... rsync -azh --delete "/var/www/MISP/app/files.dist/noticelists" "/var/www/MISP/app/files/"
misp-core-1  | ... rsync -azh --delete "/var/www/MISP/app/files.dist/scripts" "/var/www/MISP/app/files/"
misp-core-1  | ... rsync -azh "/var/www/MISP/app/files.dist/taxonomies" "/var/www/MISP/app/files/"
misp-core-1  | ... rsync -azh "/var/www/MISP/app/files.dist/terms" "/var/www/MISP/app/files/"
misp-core-1  | ... rsync -azh --delete "/var/www/MISP/app/files.dist/warninglists" "/var/www/MISP/app/files/"
misp-core-1  | INIT | Enforce MISP permissions ...
misp-core-1  | ... chown -R www-data:www-data /var/www/MISP/app/tmp
misp-core-1  | ... chmod -R 0550 files /var/www/MISP/app/tmp
misp-core-1  | ... chmod -R 0770 directories /var/www/MISP/app/tmp
misp-core-1  | ... chmod -R u+w,g+w /var/www/MISP/app/tmp
misp-core-1  | ... chown -R www-data:www-data /var/www/MISP/app/files
misp-core-1  | ... chmod -R 0550 files /var/www/MISP/app/files
misp-core-1  | ... chmod -R 0770 directories /var/www/MISP/app/files
misp-core-1  | ... chmod -R u+w,g+w /var/www/MISP/app/files
misp-core-1  | ... chown -R www-data:www-data /var/www/MISP/app/Config
misp-core-1  | ... chmod -R 0550 files /var/www/MISP/app/Config ...
misp-core-1  | ... chmod -R 0770 directories /var/www/MISP/app/Config
misp-core-1  | ... chmod 600 /var/www/MISP/app/Config/{config,database,email}.php
misp-core-1  | INIT | Flip NGINX live ...
misp-core-1  | ... nginx docroot set to /var/www/MISP/app/webroot
misp-core-1  | ... nginx reloaded
misp-core-1  | 2026/03/11 21:53:46 [notice] 211#211: signal process started
misp-core-1  | INIT | Configure MISP installation ...
misp-core-1  | MISP | Update CA certificates ...
misp-core-1  | Updating certificates in /etc/ssl/certs...
misp-core-1  | 0 added, 0 removed; done.
misp-core-1  | Running hooks in /etc/ca-certificates/update.d...
misp-core-1  | done.
misp-core-1  | Updating /var/www/MISP/app/Lib/cakephp/lib/Cake/Config/cacert.pem using curl data...
misp-core-1  | MISP | Apply minimum configuration directives ...
misp-core-1  | ... enforcing env var settings
misp-core-1  | Enforcing minimum_config setting 'GnuPG.binary' to env var or default value '/usr/bin/gpg'...
misp-core-1  | Enforcing minimum_config setting 'MISP.python_bin' to env var or default value '/usr/local/bin/python3'...
misp-core-1  | Enforcing minimum_config setting 'MISP.redis_host' to env var or default value 'redis'...
misp-core-1  | Enforcing minimum_config setting 'MISP.redis_password' to env var or default value 'redispassword'...
misp-core-1  | Enforcing minimum_config setting 'MISP.redis_port' to env var or default value '6379'...
misp-core-1  | Enforcing minimum_config setting 'Plugin.ZeroMQ_redis_host' to env var or default value 'redis'...
misp-core-1  | Enforcing minimum_config setting 'Plugin.ZeroMQ_redis_password' to env var or default value 'redispassword'...
misp-core-1  | Enforcing minimum_config setting 'Plugin.ZeroMQ_redis_port' to env var or default value '6379'...
misp-core-1  | Enforcing minimum_config setting 'SimpleBackgroundJobs.redis_host' to env var or default value 'redis'...
misp-core-1  | Enforcing minimum_config setting 'SimpleBackgroundJobs.redis_password' to env var or default value 'redispassword'...
misp-core-1  | Enforcing minimum_config setting 'SimpleBackgroundJobs.redis_port' to env var or default value '6379'...
misp-core-1  | Enforcing minimum_config setting 'SimpleBackgroundJobs.supervisor_host' to env var or default value '127.0.0.1'...
misp-core-1  | Enforcing minimum_config setting 'SimpleBackgroundJobs.supervisor_password' to env var or default value 'supervisor'...
misp-core-1  | Enforcing minimum_config setting 'SimpleBackgroundJobs.supervisor_user' to env var or default value 'supervisor'...
misp-core-1  | ... checking for unset default settings
misp-core-1  | Updating unset minimum_config setting 'MISP.attachments_dir' to '/var/www/MISP/app/files'...
misp-core-1  | Updating unset minimum_config setting 'MISP.background_jobs' to 'true'...
misp-core-1  | Updating unset minimum_config setting 'MISP.ca_path' to '/etc/ssl/certs/ca-certificates.crt'...
misp-core-1  | Updating unset minimum_config setting 'MISP.download_gpg_from_homedir' to 'false'...
misp-core-1  | Updating unset minimum_config setting 'MISP.menu_custom_right_link' to ''...
misp-core-1  | Updating unset minimum_config setting 'MISP.menu_custom_right_link_html' to ''...
misp-core-1  | Updating unset minimum_config setting 'MISP.online_version_check' to 'true'...
misp-core-1  | Updating unset minimum_config setting 'MISP.osuser' to 'www-data'...
misp-core-1  | Updating unset minimum_config setting 'MISP.redis_database' to '13'...
misp-core-1  | Updating unset minimum_config setting 'MISP.self_update' to 'false'...
misp-core-1  | Updating unset minimum_config setting 'MISP.tmpdir' to '/var/www/MISP/app/tmp'...
misp-core-1  | Updating unset minimum_config setting 'Plugin.ZeroMQ_enable' to 'false'...
misp-core-1  | Updating unset minimum_config setting 'Security.disable_instance_file_uploads' to 'false'...
misp-core-1  | Updating unset minimum_config setting 'Security.disable_local_feed_access' to 'false'...
misp-core-1  | Updating unset minimum_config setting 'Security.rest_client_enable_arbitrary_urls' to 'false'...
misp-core-1  | Updating unset minimum_config setting 'Security.salt' to ''...
misp-core-1  | Updating unset minimum_config setting 'SimpleBackgroundJobs.enabled' to 'true'...
misp-core-1  | Updating unset minimum_config setting 'SimpleBackgroundJobs.max_job_history_ttl' to '86400'...
misp-core-1  | Updating unset minimum_config setting 'SimpleBackgroundJobs.redis_database' to '1'...
misp-core-1  | Updating unset minimum_config setting 'SimpleBackgroundJobs.redis_namespace' to 'background_jobs'...
misp-core-1  | Updating unset minimum_config setting 'SimpleBackgroundJobs.supervisor_port' to '9001'...
misp-core-1  | MISP | Initialize configuration ...
misp-core-1  | ... enforcing env var settings
misp-core-1  | Enforcing db_enable setting 'MISP.system_setting_db' to env var or default value 'false'...
misp-core-1  | ... enforcing env var settings
misp-core-1  | Enforcing initialisation setting 'MISP.attachments_dir' to env var or default value '/var/www/MISP/app/files'...
misp-core-1  | Enforcing initialisation setting 'MISP.baseurl' to env var or default value 'https://localhost'...
misp-core-1  | Enforcing initialisation setting 'MISP.contact' to env var or default value 'admin@admin.test'...
misp-core-1  | Enforcing initialisation setting 'MISP.email' to env var or default value 'admin@admin.test'...
misp-core-1  | Enforcing initialisation setting 'Security.encryption_key' to env var or default value '4cbd040533a2f43fc6691d773d510cda70f4126a'...
misp-core-1  | Enforcing initialisation setting 'debug' to env var or default value '0'...
misp-core-1  | ... checking for unset default settings
misp-core-1  | Updating unset initialisation setting 'MISP.default_attribute_distribution' to 'event'...
misp-core-1  | Updating unset initialisation setting 'MISP.default_event_distribution' to '1'...
misp-core-1  | Updating unset initialisation setting 'MISP.default_event_tag_collection' to '0'...
misp-core-1  | Updating unset initialisation setting 'MISP.delegation' to 'true'...
misp-core-1  | Updating unset initialisation setting 'MISP.disable_user_login_change' to 'false'...
misp-core-1  | Updating unset initialisation setting 'MISP.enableEventBlocklisting' to 'true'...
misp-core-1  | Updating unset initialisation setting 'MISP.enableOrgBlocklisting' to 'true'...
misp-core-1  | Updating unset initialisation setting 'MISP.event_alert_republish_ban' to 'true'...
misp-core-1  | Updating unset initialisation setting 'MISP.event_alert_republish_ban_refresh_on_retry' to 'true'...
misp-core-1  | Updating unset initialisation setting 'MISP.event_alert_republish_ban_threshold' to '120'...
misp-core-1  | Updating unset initialisation setting 'MISP.full_tags_on_event_index' to '1'...
misp-core-1  | Updating unset initialisation setting 'MISP.incoming_tags_disabled_by_default' to 'false'...
misp-core-1  | Updating unset initialisation setting 'MISP.language' to 'eng'...
misp-core-1  | Updating unset initialisation setting 'MISP.log_auth' to 'true'...
misp-core-1  | Updating unset initialisation setting 'MISP.log_new_audit' to 'true'...
misp-core-1  | Updating unset initialisation setting 'MISP.proposals_block_attributes' to 'false'...
misp-core-1  | Updating unset initialisation setting 'MISP.server_settings_skip_backup_rotate' to 'false'...
misp-core-1  | Updating unset initialisation setting 'MISP.showCorrelationsOnIndex' to 'true'...
misp-core-1  | Updating unset initialisation setting 'MISP.showorg' to 'true'...
misp-core-1  | Updating unset initialisation setting 'MISP.showorgalternate' to 'false'...
misp-core-1  | Updating unset initialisation setting 'MISP.store_api_access_time' to 'false'...
misp-core-1  | Updating unset initialisation setting 'MISP.tagging' to 'true'...
misp-core-1  | Updating unset initialisation setting 'MISP.take_ownership_xml_import' to 'false'...
misp-core-1  | Updating unset initialisation setting 'MISP.terms_download' to 'false'...
misp-core-1  | Updating unset initialisation setting 'MISP.unpublishedprivate' to 'false'...
misp-core-1  | Updating unset initialisation setting 'MISP.user_email_notification_ban' to 'true'...
misp-core-1  | Updating unset initialisation setting 'SecureAuth.amount' to '5'...
misp-core-1  | Updating unset initialisation setting 'SecureAuth.expire' to '300'...
misp-core-1  | Updating unset initialisation setting 'Security.advanced_authkeys' to 'true'...
misp-core-1  | Updating unset initialisation setting 'Security.alert_on_suspicious_logins' to 'true'...
misp-core-1  | Updating unset initialisation setting 'Security.check_sec_fetch_site_header' to 'true'...
misp-core-1  | Updating unset initialisation setting 'Security.disable_browser_cache' to 'true'...
misp-core-1  | Updating unset initialisation setting 'Security.do_not_log_authkeys' to 'true'...
misp-core-1  | Updating unset initialisation setting 'Security.log_each_individual_auth_fail' to 'true'...
misp-core-1  | Updating unset initialisation setting 'Security.require_password_confirmation' to 'true'...
misp-core-1  | Updating unset initialisation setting 'Security.username_in_response_header' to 'true'...
misp-core-1  | MISP | Initialize workers ...
misp-core-1  | ... starting background workers
misp-core-1  | 2026-03-11 21:53:57,941 INFO spawned: 'default_00' with pid 2578
misp-core-1  | 2026-03-11 21:53:57,943 INFO spawned: 'default_01' with pid 2579
misp-core-1  | 2026-03-11 21:53:57,944 INFO spawned: 'default_02' with pid 2580
misp-core-1  | 2026-03-11 21:53:57,946 INFO spawned: 'default_03' with pid 2581
misp-core-1  | 2026-03-11 21:53:57,947 INFO spawned: 'default_04' with pid 2584
misp-core-1  | 2026-03-11 21:53:57,948 INFO spawned: 'email_00' with pid 2587
misp-core-1  | 2026-03-11 21:53:57,949 INFO spawned: 'email_01' with pid 2590
misp-core-1  | 2026-03-11 21:53:57,950 INFO spawned: 'email_02' with pid 2595
misp-core-1  | 2026-03-11 21:53:57,952 INFO spawned: 'email_03' with pid 2607
misp-core-1  | 2026-03-11 21:53:57,953 INFO spawned: 'email_04' with pid 2611
misp-core-1  | 2026-03-11 21:53:57,955 INFO spawned: 'cache_00' with pid 2622
misp-core-1  | 2026-03-11 21:53:57,956 INFO spawned: 'cache_01' with pid 2631
misp-core-1  | 2026-03-11 21:53:57,957 INFO spawned: 'cache_02' with pid 2638
misp-core-1  | 2026-03-11 21:53:57,959 INFO spawned: 'cache_03' with pid 2651
misp-core-1  | 2026-03-11 21:53:57,961 INFO spawned: 'cache_04' with pid 2657
misp-core-1  | 2026-03-11 21:53:57,962 INFO spawned: 'prio_00' with pid 2665
misp-core-1  | 2026-03-11 21:53:57,964 INFO spawned: 'prio_01' with pid 2672
misp-core-1  | 2026-03-11 21:53:57,965 INFO spawned: 'prio_02' with pid 2677
misp-core-1  | 2026-03-11 21:53:57,966 INFO spawned: 'prio_03' with pid 2685
misp-core-1  | 2026-03-11 21:53:57,968 INFO spawned: 'prio_04' with pid 2696
misp-core-1  | 2026-03-11 21:53:57,970 INFO spawned: 'update_00' with pid 2699
misp-core-1  | 2026-03-11 21:53:57,972 INFO spawned: 'scheduler_00' with pid 2710
misp-core-1  | 2026-03-11 21:53:59,061 INFO success: default_00 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp-core-1  | 2026-03-11 21:53:59,062 INFO success: default_01 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp-core-1  | 2026-03-11 21:53:59,062 INFO success: default_02 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp-core-1  | 2026-03-11 21:53:59,062 INFO success: default_03 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp-core-1  | 2026-03-11 21:53:59,062 INFO success: default_04 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp-core-1  | 2026-03-11 21:53:59,062 INFO success: email_00 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp-core-1  | 2026-03-11 21:53:59,062 INFO success: email_01 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp-core-1  | 2026-03-11 21:53:59,062 INFO success: email_02 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp-core-1  | 2026-03-11 21:53:59,062 INFO success: email_03 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp-core-1  | 2026-03-11 21:53:59,062 INFO success: email_04 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp-core-1  | 2026-03-11 21:53:59,062 INFO success: cache_00 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp-core-1  | 2026-03-11 21:53:59,062 INFO success: cache_01 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp-core-1  | 2026-03-11 21:53:59,062 INFO success: cache_02 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp-core-1  | 2026-03-11 21:53:59,062 INFO success: cache_03 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp-core-1  | 2026-03-11 21:53:59,062 INFO success: cache_04 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp-core-1  | 2026-03-11 21:53:59,062 INFO success: prio_00 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp-core-1  | 2026-03-11 21:53:59,062 INFO success: prio_01 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp-core-1  | 2026-03-11 21:53:59,062 INFO success: prio_02 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp-core-1  | 2026-03-11 21:53:59,062 INFO success: prio_03 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp-core-1  | 2026-03-11 21:53:59,062 INFO success: prio_04 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp-core-1  | 2026-03-11 21:53:59,062 INFO success: update_00 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp-core-1  | 2026-03-11 21:53:59,062 INFO success: scheduler_00 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp-core-1  | misp-workers:default_00: started
misp-core-1  | misp-workers:default_01: started
misp-core-1  | misp-workers:default_02: started
misp-core-1  | misp-workers:default_03: started
misp-core-1  | misp-workers:default_04: started
misp-core-1  | misp-workers:email_00: started
misp-core-1  | misp-workers:email_01: started
misp-core-1  | misp-workers:email_02: started
misp-core-1  | misp-workers:email_03: started
misp-core-1  | misp-workers:email_04: started
misp-core-1  | misp-workers:cache_00: started
misp-core-1  | misp-workers:cache_01: started
misp-core-1  | misp-workers:cache_02: started
misp-core-1  | misp-workers:cache_03: started
misp-core-1  | misp-workers:cache_04: started
misp-core-1  | misp-workers:prio_00: started
misp-core-1  | misp-workers:prio_01: started
misp-core-1  | misp-workers:prio_02: started
misp-core-1  | misp-workers:prio_03: started
misp-core-1  | misp-workers:prio_04: started
misp-core-1  | misp-workers:update_00: started
misp-core-1  | misp-workers:scheduler_00: started
misp-core-1  | MISP | Apply DB updates ...
misp-core-1  | Executing all updates to bring the database up to date with the current version.
misp-core-1  | Executing 127.................Done
misp-core-1  | Executing 128.................Done
misp-core-1  | Executing 129.................Done
misp-core-1  | Executing 130.................Done
misp-core-1  | Executing 131.................Done
misp-core-1  | Executing 132.................Done
misp-core-1  | Executing 133.................Done
misp-core-1  | Executing 134.................Done
misp-core-1  | Executing 135.................Done
misp-core-1  | Executing 136.................Done
misp-core-1  | Executing 137.................Done
misp-core-1  | Executing 138.................Done
misp-core-1  | Executing 139.................Done
misp-core-1  | Executing 140.................Done
misp-core-1  | Executing 141.................Done
misp-core-1  | Executing 142.................Done
misp-core-1  | Executing 143.................Done
misp-core-1  | Executing 144.................Done
misp-core-1  | Executing 145.................Done
misp-core-1  | Executing 146.................Done
misp-core-1  | All updates completed.
misp-core-1  | MISP | Configure GPG key ...
misp-core-1  | ... generating new GPG key in /var/www/MISP/.gnupg
misp-core-1  | gpg: WARNING: unsafe permissions on homedir '/var/www/MISP/.gnupg'
misp-core-1  | gpg: keybox '/var/www/MISP/.gnupg/pubring.kbx' created
misp-core-1  | gpg: Generating a basic OpenPGP key
misp-core-1  | gpg: /var/www/MISP/.gnupg/trustdb.gpg: trustdb created
misp-core-1  | gpg: directory '/var/www/MISP/.gnupg/openpgp-revocs.d' created
misp-core-1  | gpg: revocation certificate stored as '/var/www/MISP/.gnupg/openpgp-revocs.d/FFF49EBF6F1A751E701D1034945B50A209BA2B94.rev'
misp-core-1  | gpg: Done
misp-core-1  | ... exporting GPG key
misp-core-1  | ... enforcing env var settings
misp-core-1  | Enforcing gpg setting 'GnuPG.email' to env var or default value 'admin@admin.test'...
misp-core-1  | Enforcing gpg setting 'GnuPG.homedir' to env var or default value '/var/www/MISP/.gnupg'...
misp-core-1  | Enforcing gpg setting 'GnuPG.password' to env var or default value 'passphrase'...
misp-core-1  | ... checking for unset default settings
misp-core-1  | Updating unset gpg setting 'GnuPG.onlyencrypted' to 'false'...
misp-core-1  | Updating unset gpg setting 'SMIME.enabled' to 'false'...
misp-core-1  | MISP | Init default user and organization ...
misp-core-1  | ... valid admin key for admin user found, not changing
misp-core-1  | ... setting admin password to '4cbd040533a2f43fc6691d773d510cda70f4126a'
misp-core-1  | Password for admin@admin.test changed.
misp-core-1  | MISP | Resolve critical issues ...
misp-core-1  | ... enforcing env var settings
misp-core-1  | Enforcing critical setting 'MISP.external_baseurl' to env var or default value 'https://localhost'...
misp-core-1  | Enforcing critical setting 'Security.rest_client_baseurl' to env var or default value 'https://localhost'...
misp-core-1  | ... checking for unset default settings
misp-core-1  | Updating unset critical setting 'MISP.host_org_id' to '1'...
misp-core-1  | Updating unset critical setting 'Plugin.Enrichment_hover_enable' to 'false'...
misp-core-1  | Updating unset critical setting 'Plugin.Enrichment_hover_popover_only' to 'false'...
misp-core-1  | Updating unset critical setting 'Security.csp_enforce' to 'true'...
misp-core-1  | Updating unset critical setting 'Security.auth' to 'Array()'...
misp-core-1  | MISP | Start component updates ...
misp-core-1  | Galaxies updated
misp-core-1  | Successfully updated 162 taxonomies.
misp-core-1  | 119 warninglists updated, 0 fails
misp-core-1  | Notice lists updated
misp-core-1  | Successfully updated 373 object templates.
misp-core-1  | MISP | Resolve non-critical issues ...
misp-core-1  | ... enforcing env var settings
misp-core-1  | Enforcing optional setting 'Plugin.Action_services_url' to env var or default value 'http://misp-modules'...
misp-core-1  | Enforcing optional setting 'Plugin.Enrichment_services_url' to env var or default value 'http://misp-modules'...
misp-core-1  | Enforcing optional setting 'Plugin.Export_services_url' to env var or default value 'http://misp-modules'...
misp-core-1  | Enforcing optional setting 'Plugin.Import_services_url' to env var or default value 'http://misp-modules'...
misp-core-1  | ... checking for unset default settings
misp-core-1  | Updating unset optional setting 'MISP.log_client_ip' to 'true'...
misp-core-1  | Updating unset optional setting 'MISP.log_user_ips' to 'true'...
misp-core-1  | Updating unset optional setting 'MISP.log_user_ips_authkeys' to 'true'...
misp-core-1  | Updating unset optional setting 'MISP.welcome_text_bottom' to ''...
misp-core-1  | Updating unset optional setting 'MISP.welcome_text_top' to ''...
misp-core-1  | Updating unset optional setting 'Plugin.Action_services_enable' to 'true'...
misp-core-1  | Updating unset optional setting 'Plugin.Cortex_services_enable' to 'false'...
misp-core-1  | Updating unset optional setting 'Plugin.Enrichment_hover_timeout' to '5'...
misp-core-1  | Updating unset optional setting 'Plugin.Enrichment_services_enable' to 'true'...
misp-core-1  | Updating unset optional setting 'Plugin.Enrichment_timeout' to '30'...
misp-core-1  | Updating unset optional setting 'Plugin.Export_services_enable' to 'true'...
misp-core-1  | Updating unset optional setting 'Plugin.Import_services_enable' to 'true'...
misp-core-1  | Updating unset optional setting 'Plugin.Workflow_enable' to 'true'...
misp-core-1  | MISP | Configure storage ...
misp-core-1  | MISP | Create sync servers ...
misp-core-1  | ... admin key auto configuration is required to configure sync servers
misp-core-1  | MISP | Set Up OIDC ...
misp-core-1  | ... OIDC authentication disabled
misp-core-1  | MISP | Set Up apachesecureauth ...
misp-core-1  | ... LDAP APACHESECUREAUTH authentication disabled
misp-core-1  | MISP | Set Up LDAP ...
misp-core-1  | ... LDAPAUTH authentication disabled
misp-core-1  | MISP | Set Up AAD ...
misp-core-1  | ... Entra (AzureAD) authentication disabled
misp-core-1  | MISP | Set Up Session ...
misp-core-1  | ... Session configured
misp-core-1  | MISP | Set Up Proxy ...
misp-core-1  | ... Proxy disabled
misp-core-1  | MISP | Create default Scheduled Tasks ...
misp-core-1  | MISP | Configure misp-guard CA certificate ...
misp-core-1  | MISP | Mark instance live
misp-core-1  | MISP | Version: 2.5.32
misp-core-1  | Set live status to True in Redis.
misp-core-1  | Set live status in PHP config file.
misp-core-1  | MISP is now live. Users can now log in.
misp-core-1  | INIT | Configure PHP ...
misp-core-1  | 2026-03-11 21:55:03,419 INFO waiting for php-fpm to stop
misp-core-1  | Entrypoint FPM caught SIGTERM signal!
misp-core-1  | Killing process 47
misp-core-1  | 2026-03-11 21:55:03,420 WARN stopped: php-fpm (exit status 143)
misp-core-1  | 2026-03-11 21:55:03,422 INFO spawned: 'php-fpm' with pid 3749
misp-core-1  | Configure PHP | Change PHP values ...
misp-core-1  | Configure PHP | Setting 'memory_limit = 2048M'
misp-core-1  | Configure PHP | Setting 'max_execution_time = 300'
misp-core-1  | Configure PHP | Setting 'upload_max_filesize = 50M'
misp-core-1  | Configure PHP | Setting 'max_file_uploads = 50'
misp-core-1  | Configure PHP | Setting 'post_max_size = 50M'
misp-core-1  | Configure PHP | Setting 'max_input_time = 300'
misp-core-1  | Configure PHP | Setting 'session.save_path = 'tcp://redis:6379?auth=redispassword'
misp-core-1  | Configure PHP | Setting 'date.timezone = UTC'
misp-core-1  | Configure PHP | Setting 'pm.max_children = 5'
misp-core-1  | Configure PHP | Setting 'pm.start_servers = 2'
misp-core-1  | Configure PHP | Setting 'pm.(min|max)_spare_servers = 2'
misp-core-1  | Configure PHP | Setting 'pm.max_requests = 0'
misp-core-1  | Configure PHP | Disabling 'pm.status_path'
misp-core-1  | Configure PHP | Disabling 'pm.status_listen'
misp-core-1  | Configure PHP | Starting PHP FPM
misp-core-1  | 2026-03-11 21:55:04,464 INFO success: php-fpm entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp-core-1  | php-fpm: stopped
misp-core-1  | php-fpm: started
misp-core-1  | INIT | Done ...

container works:

davidz@ocp:~/stuff/misp-docker$ curl -kw "\nrescode: %{http_code}\n" https://localhost/users/heartbeat
{
    "message": "Additional supply depots required."
}
rescode: 200

[UFOSmuggler]

also regarding method 2:

root@8bf5ad9fa0e9:/var/www/MISP# sudo -u www-data app/Console/cake Admin setSetting "Security.encryption_key" "any-alphanumeric-string-at-least-32-chars"
Setting "Security.encryption_key" changed to "any-alphanumeric-string-at-least-32-chars"
root@8bf5ad9fa0e9:/var/www/MISP# curl -kw "\nrescode: %{http_code}\n" https://localhost/users/heartbeat
{
    "message": "We require more minerals."
}
rescode: 200
root@8bf5ad9fa0e9:/var/www/MISP# grep encryption_key app/Config/config.php
    'encryption_key' => 'any-alphanumeric-string-at-least-32-chars',

if you can help me encounter the issue here as well, it will be very helpful

[UFOSmuggler]

Just realised you're using kubernetes. Stood up a k3s stack using 2.5.32:

davidz@trash:~/misp-docker/kubernetes$ cat instance-secrets.env 
REDIS_PASSWORD=replacemewithsomethingelse
ADMIN_KEY=REPLACEMEWITHANACTUALKEYTHATWILLWORKFORU
ADMIN_PASSWORD=sometimespasswordsarelongsometimespasswordsareshort
ENCRYPTION_KEY=4cbd040533a2f43fc6691d773d510cda70f4126a
BASE_URL=https://localhost:9002

logs:

Enforcing initialisation setting 'Security.encryption_key' to env var or default value '<hidden>'...
...
... setting admin password from environment variable
Password for admin@admin.test changed.

config seems fine

davidz@trash:~/misp-docker/kubernetes$ kubectl exec -n misp -it misp-779488877-99p8v misp -c misp -- grep encryption_key app/Config/config.php
    'encryption_key' => '4cbd040533a2f43fc6691d773d510cda70f4126a',

application seems fine

davidz@trash:~/misp-docker/kubernetes/manifests$curl -kw "\nrescode: %{http_code}\n" https://localhost:31521/users/heartbeat
{
    "message": "You've not enough minerals."
}
rescode: 200

cake cli as www-data vs root:

davidz@trash:~/misp-docker/kubernetes/manifests$ kubectl exec -n misp -it misp-779488877-99p8v misp -c misp -- runuser -u www-data -- app/Console/cake admin setsetting Security.encryption_key a530b3c812dd27d972c709c15744c7ccb3f062eb

Setting "Security.encryption_key" changed to "a530b3c812dd27d972c709c15744c7ccb3f062eb"

davidz@trash:~/misp-docker/kubernetes/manifests$ curl -kw "\nrescode: %{http_code}\n" https://localhost:31521/users/heartbeat
{
    "message": "We require more minerals."
}
rescode: 200

davidz@trash:~/misp-docker/kubernetes/manifests$ kubectl exec -n misp -it misp-779488877-99p8v misp -c misp -- ls -lha app/Config/config.php
-rw------- 1 www-data www-data 5.0K Mar 12 01:59 app/Config/config.php

davidz@trash:~/misp-docker/kubernetes/manifests$ kubectl exec -n misp -it misp-779488877-99p8v misp -c misp -- app/Console/cake admin setsetting Security.encryption_key b530b3c812dd27d972c709c15744c7ccb3f062eb

Setting "Security.encryption_key" changed to "b530b3c812dd27d972c709c15744c7ccb3f062eb"

davidz@trash:~/misp-docker/kubernetes/manifests$ curl -kw "\nrescode: %{http_code}\n" https://localhost:31521/users/heartbeat

rescode: 302

davidz@trash:~/misp-docker/kubernetes/manifests$ kubectl exec -n misp -it misp-779488877-99p8v misp -c misp -- ls -lha app/Config/config.php
-rw------- 1 root root 5.0K Mar 12 02:00 app/Config/config.php

i am wondering if EncryptedValue errors are an issue with your sealed secrets, etcd, kms, or whatever it is you're using.

definitely going to need to see the logs.

[MartinHeim]

Just to clarify, setting the key explicitly in the code ENCRYPTION_KEY=4cbd040533a2f43fc6691d773d510cda70f4126a works for me too. However, I want to set it as a Kubernetes secret so that it does not get committed to Git. It might be due to the way kubernetes secrets operates, but I've looked at the stored key in the container, and it does indeed conform to the one set as a secret. Also, just to be clear, I've created the secret before the pods start, so timing should not be an issue.

MISP | Init default user and organization ...
... valid admin key for admin user found, not changing
... setting admin password from environment variable
Notice Error: Object of class EncryptedValue could not be converted to int in [/var/www/MISP/app/Model/User.php, line 451]
 
2026-03-12 13:29:28 Notice: Object of class EncryptedValue could not be converted to int in [/var/www/MISP/app/Model/User.php, line 451]
Notice Error: Object of class EncryptedValue could not be converted to int in [/var/www/MISP/app/Model/User.php, line 456]
 
2026-03-12 13:29:28 Notice: Object of class EncryptedValue could not be converted to int in [/var/www/MISP/app/Model/User.php, line 456]
Error: It is not possible convert to string encrypted JSON value.
#0 [internal function]: EncryptedValue->__toString()
#1 /var/www/MISP/app/Model/User.php(484): preg_match()
#2 /var/www/MISP/app/Lib/cakephp/lib/Cake/Model/Validator/CakeValidationRule.php(275): User->complexPassword()
#3 /var/www/MISP/app/Lib/cakephp/lib/Cake/Model/Validator/CakeValidationSet.php(135): CakeValidationRule->process()
#4 /var/www/MISP/app/Lib/cakephp/lib/Cake/Model/ModelValidator.php(269): CakeValidationSet->validate()
#5 /var/www/MISP/app/Lib/cakephp/lib/Cake/Model/ModelValidator.php(100): ModelValidator->errors()
#6 /var/www/MISP/app/Lib/cakephp/lib/Cake/Model/Model.php(3503): ModelValidator->validates()
#7 /var/www/MISP/app/Lib/cakephp/lib/Cake/Model/Model.php(1839): Model->validates()
#8 /var/www/MISP/app/Lib/cakephp/lib/Cake/Model/Model.php(1761): Model->_doSave()
#9 /var/www/MISP/app/Console/Command/UserShell.php(466): Model->save()
#10 /var/www/MISP/app/Lib/cakephp/lib/Cake/Console/Shell.php(459): UserShell->change_pw()
#11 /var/www/MISP/app/Lib/cakephp/lib/Cake/Console/ShellDispatcher.php(222): Shell->runCommand()
#12 /var/www/MISP/app/Lib/cakephp/lib/Cake/Console/ShellDispatcher.php(66): ShellDispatcher->dispatch()
#13 /var/www/MISP/app/Console/cake.php(47): ShellDispatcher::run()
#14 {main}
MISP | Resolve critical issues ...
... enforcing env var settings
```

[UFOSmuggler]

you'll notice my last example was using the secrets file in a k3s misp deployment, but i assume you're using k8s.

anyway, the log has helped me enormously so thanks for that. i don't think this issue has anything to do with secret handling.

i am assuming you are using ENABLE_DB_SETTINGS=true in the container environment. this problem only seems to occur when that is set, ENCRYPTION_KEY contains a value, and you attempt to use the cake console tool to change a user's password (either by envar or cli):

root@e338c4bbac8f:/var/www/MISP/app# sudo -u www-data /var/www/MISP/app/Console/cake User change_pw "admin@admin.test" admin
Notice Error: Object of class EncryptedValue could not be converted to int in [/var/www/MISP/app/Model/User.php, line 451]

2026-03-12 23:23:24 Notice: Object of class EncryptedValue could not be converted to int in [/var/www/MISP/app/Model/User.php, line 451]
Notice Error: Object of class EncryptedValue could not be converted to int in [/var/www/MISP/app/Model/User.php, line 456]

2026-03-12 23:23:24 Notice: Object of class EncryptedValue could not be converted to int in [/var/www/MISP/app/Model/User.php, line 456]
Error: It is not possible convert to string encrypted JSON value.
#0 [internal function]: EncryptedValue->__toString()
#1 /var/www/MISP/app/Model/User.php(484): preg_match()
#2 /var/www/MISP/app/Lib/cakephp/lib/Cake/Model/Validator/CakeValidationRule.php(275): User->complexPassword()
#3 /var/www/MISP/app/Lib/cakephp/lib/Cake/Model/Validator/CakeValidationSet.php(135): CakeValidationRule->process()
#4 /var/www/MISP/app/Lib/cakephp/lib/Cake/Model/ModelValidator.php(269): CakeValidationSet->validate()
#5 /var/www/MISP/app/Lib/cakephp/lib/Cake/Model/ModelValidator.php(100): ModelValidator->errors()
#6 /var/www/MISP/app/Lib/cakephp/lib/Cake/Model/Model.php(3503): ModelValidator->validates()
#7 /var/www/MISP/app/Lib/cakephp/lib/Cake/Model/Model.php(1839): Model->validates()
#8 /var/www/MISP/app/Lib/cakephp/lib/Cake/Model/Model.php(1761): Model->_doSave()
#9 /var/www/MISP/app/Console/Command/UserShell.php(466): Model->save()
#10 /var/www/MISP/app/Lib/cakephp/lib/Cake/Console/Shell.php(459): UserShell->change_pw()
#11 /var/www/MISP/app/Lib/cakephp/lib/Cake/Console/ShellDispatcher.php(222): Shell->runCommand()
#12 /var/www/MISP/app/Lib/cakephp/lib/Cake/Console/ShellDispatcher.php(66): ShellDispatcher->dispatch()
#13 /var/www/MISP/app/Console/cake.php(47): ShellDispatcher::run()
#14 {main}

it seems that if i don't set those in the environment, but make equivalent changes once the container init finishes, it works:

root@0be63232c636:/var/www/MISP# sudo -u www-data /var/www/MISP/app/Console/cake admin setSetting Security.encryption_key 4cbd040533a2f43fc6691d773d510cda70f4126a
Setting "Security.encryption_key" changed to "4cbd040533a2f43fc6691d773d510cda70f4126a"
root@0be63232c636:/var/www/MISP# sudo -u www-data /var/www/MISP/app/Console/cake admin setSetting MISP.system_setting_db true
Setting "MISP.system_setting_db" changed to true
root@0be63232c636:/var/www/MISP# sudo -u www-data /var/www/MISP/app/Console/cake User change_pw "admin@admin.test" 'oc*HX0vq$^UHQM0kQ&&huAayy1rZSZ6a'
Password for admin@admin.test changed.

or other order:

root@7c0213621507:/var/www/MISP# sudo -u www-data /var/www/MISP/app/Console/cake admin setSetting MISP.system_setting_db true
Setting "MISP.system_setting_db" changed to true
root@7c0213621507:/var/www/MISP# sudo -u www-data /var/www/MISP/app/Console/cake admin setSetting Security.encryption_key 4cbd040533a2f43fc6691d773d510cda70f4126a
Setting "Security.encryption_key" changed to "4cbd040533a2f43fc6691d773d510cda70f4126a"
root@7c0213621507:/var/www/MISP# sudo -u www-data /var/www/MISP/app/Console/cake User change_pw "admin@admin.test" "oc*HX0vq$^UHQM0kQ&&huAayy1rZSZ6a"
Password for admin@admin.test changed.

this suggests we could rejig the init sequence to avoid this, but also a misp bug that there is an order in which this can happen. i will investigate further and raise a PR.

[UFOSmuggler]

The admin password change functionality in the container init changes the values of the password_policy settings, which will store in the db and not the config file when db settings is enabled as a result, so we kind of have to wait for the application to fix this bug unless we want to do a whole heap of ugly temporary kludges, which i don't feel like doing.

for now i recommend you just leave ENCRYPTION_KEY blank in the environment, leave Security.encryption_key blank in the config file, and delete it from the DB system_settings table.