  1. Confluence Data Center
  2. CONFSERVER-99590

Unable to log into Confluence (via Crowd) after importing an XML backup generated on Confluence Windows into a Confluence running on Linux


      Issue Summary

      After importing an XML backup created on Confluence for Windows into a Confluence instance running on Linux, logging in via Crowd is not possible.

      Steps to Reproduce

      1. Install Confluence on a Windows environment
      2. Set up Crowd
      3. Add Crowd as a user directory in Confluence
      4. Verify you're able to log in as a user from the Crowd directory
      5. Generate a site XML backup
      6. Set up a new Confluence instance on Linux
      7. Restore the site XML backup from step 4 to the new instance (Linux)

      Expected Results

      Confluence can find the encryption/decryption keys file successfully and the user can log into Confluence (via Crowd).

      Actual Results

      Confluence couldn't find the encryption/decryption keys file, and the authentication attempt (via Crowd) fails with the exception below, logged in atlassian-confluence.log:

      2025-04-10 14:48:36,249 ERROR [lighthouse-cache-invalidation-timer] [ciphers.algorithm.serialization.SerializationFile] read Couldn't read file needed for encryption/decryption. Tried to read file under: /var/atlassian/application-data/confluence/shared/keys\\javax.crypto.spec.SecretKeySpec_1744293320897
       -- url: /confluence/setup/setupdbtype.action | userName: anonymous | action: setupdbtype | referer: https://linux-97576.prod.atl-cd.net/confluence/setup/setupcluster-start.action | traceId: 00a7bc6b1ed6f718
      java.io.FileNotFoundException: /var/atlassian/application-data/confluence/shared/keys\javax.crypto.spec.SecretKeySpec_1744293320897 (No such file or directory)
      	at java.base/java.io.FileInputStream.open0(Native Method)
      	at java.base/java.io.FileInputStream.open(FileInputStream.java:213)
      	at java.base/java.io.FileInputStream.<init>(FileInputStream.java:152)
      	at java.base/java.io.FileInputStream.<init>(FileInputStream.java:106)
      	at com.atlassian.db.config.password.ciphers.algorithm.serialization.SerializationFile.read(SerializationFile.java:44)
      	at com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher.tryFromParamsThenEnvThenThrow(AlgorithmCipher.java:338)
      	at com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher.decrypt(AlgorithmCipher.java:164)
      	at com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher.decrypt(AlgorithmCipher.java:156)
      	at com.atlassian.crowd.crypto.ClusterAwareCipherWrapper.decrypt(ClusterAwareCipherWrapper.java:68)
      	at com.atlassian.crowd.crypto.DbConfigPasswordCipherEncryptor.decrypt(DbConfigPasswordCipherEncryptor.java:62)
      	at com.atlassian.crowd.crypto.CachedEncryptor.lambda$new$1(CachedEncryptor.java:42)
      	at com.atlassian.crowd.crypto.CachedEncryptor$1.load(CachedEncryptor.java:57)
      	at com.atlassian.crowd.crypto.CachedEncryptor$1.load(CachedEncryptor.java:53)
      

      Inspecting the tables BANDANA and cwd_directory_attribute shows backslashes in the stored key paths:

      BANDANA
      BANDANAID | BANDANACONTEXT | BANDANAKEY | BANDANAVALUE
      32908 | _GLOBAL | crowd.encryption.encryptor.AES.keyPath | <string>KEY_DIR\javax.crypto.spec.SecretKeySpec_1744293320897</string>

      cwd_directory_attribute
      DIRECTORYID | ATTRIBUTE_NAME | ATTRIBUTE_VALUE
      1048577 | application.password | {AES_CBC_PKCS5Padding}{"keyFilePath":"KEY_DIR\\javax.crypto.spec.SecretKeySpec_1744293320897","serializedSealedObject":"<truncated>"}

      Workaround

      1. Stop Confluence after the import
      2. Run the SQL queries below:
        • Workaround for Postgres, Oracle, MySQL
          update BANDANA set BANDANAVALUE = replace(BANDANAVALUE, 'KEY_DIR\javax.crypto.spec.SecretKeySpec_', 'KEY_DIR/javax.crypto.spec.SecretKeySpec_') where BANDANAKEY = 'crowd.encryption.encryptor.AES.keyPath';
          
          update cwd_directory_attribute set attribute_value = replace(attribute_value, 'KEY_DIR\\javax.crypto.spec.SecretKeySpec_', 'KEY_DIR/javax.crypto.spec.SecretKeySpec_') where attribute_name = 'application.password';
          
        • Workaround for MSSQL
          update BANDANA set BANDANAVALUE = replace(cast(BANDANAVALUE as nvarchar(max)), 'KEY_DIR\javax.crypto.spec.SecretKeySpec_', 'KEY_DIR/javax.crypto.spec.SecretKeySpec_') where BANDANAKEY = 'crowd.encryption.encryptor.AES.keyPath';
          
          update cwd_directory_attribute set attribute_value = replace(attribute_value, 'KEY_DIR\\javax.crypto.spec.SecretKeySpec_', 'KEY_DIR/javax.crypto.spec.SecretKeySpec_') where attribute_name = 'application.password';
          
      3. Copy the content from <confluence-windows-shared-home>\keys to <confluence-linux-shared-home>/keys
      4. Start Confluence and confirm you're able to log in via Crowd
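
A check to run against the two stored values before restarting, added here as an example and not part of the original issue or of Atlassian's code: it extracts the key file reference from both formats shown above, reports whether the value still carries a Windows separator, and confirms the key file is present in the Linux keys directory. The sample values are constructed from the rows on this page; `stored_key_path`, `check` and the `keys_dir` argument are hypothetical names.

```python
import json
import re
from pathlib import Path, PurePosixPath, PureWindowsPath

# Constructed samples mirroring the BANDANA and cwd_directory_attribute rows.
BANDANA_SAMPLE = r"<string>KEY_DIR\javax.crypto.spec.SecretKeySpec_1744293320897</string>"
ATTR_SAMPLE = (
    r'{AES_CBC_PKCS5Padding}{"keyFilePath":"KEY_DIR\\javax.crypto.spec.'
    r'SecretKeySpec_1744293320897","serializedSealedObject":"<truncated>"}'
)

def stored_key_path(value: str) -> str:
    """Return the key path held in either stored format."""
    m = re.fullmatch(r"\s*<string>(.*)</string>\s*", value, re.S)
    if m:                                   # BANDANAVALUE: XML-wrapped string
        return m.group(1)
    m = re.fullmatch(r"\s*\{[^{}]+\}(\{.*\})\s*", value, re.S)
    if m:                                   # ATTRIBUTE_VALUE: {ALGORITHM}{json}
        return json.loads(m.group(1))["keyFilePath"]
    raise ValueError("unrecognised stored value")

def check(value: str, keys_dir: Path) -> dict:
    raw = stored_key_path(value)
    # PureWindowsPath splits on both '\' and '/', so it recovers the file
    # name whichever platform wrote the value.
    name = PureWindowsPath(raw).name
    return {
        "key_file": name,
        # On POSIX '\' is an ordinary file-name character, so an unfixed
        # value resolves to one long name that does not exist under keys/.
        "needs_sql_fix": PurePosixPath(raw).name != name,
        "key_present": (keys_dir / name).is_file(),
    }

if __name__ == "__main__":
    # Assumed location: the shared-home keys directory from the log above.
    keys = Path("/var/atlassian/application-data/confluence/shared/keys")
    for label, value in (("BANDANA", BANDANA_SAMPLE),
                         ("cwd_directory_attribute", ATTR_SAMPLE)):
        print(label, check(value, keys))
```

Both rows should report `needs_sql_fix: False` and `key_present: True` before Confluence is started in step 4.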

              a9c75a56733b Manonmani Muthukrishnan
              c84ad05f80fa Puventhira Mannen Pragasam Selladurai (Inactive)