[Koha] Issue logging into staff interface [Plack log complains about missing encryption key]

Martin Morris martinbmorris at gmail.com
Sat Nov 11 11:37:29 NZDT 2023

Hi David

That did it, thank you!  Switching from 2FA back to Password, and then reenabling 2FA in the interface works perfectly.  Thank you very much for this.

It does indeed look like an unintended consequence of that change – so I’ll file a bug.

Thanks again,


From: David Nind <david at davidnind.com>
Date: Friday, 10 November 2023 at 17:23
To: Martin Morris <martinbmorris at gmail.com>
Cc: koha at lists.katipo.co.nz <koha at lists.katipo.co.nz>
Subject: Re: [Koha] Issue logging into staff interface [Plack log complains about missing encryption key]
Hi Martin

This is what I tried, not sure whether this helps or not.... as it is not something I know a great deal about.

Using the koha-testing-docker (or KTD, the environment used for testing by many in the Koha Community), I set an encryption key, enabled the two-factor authentication system preference, then set up 2FA for a patron - could log in OK (used Aegis as my authenticator app).

If I changed the encryption key, then restarted everything, I can no longer log in - the code I enter from the App doesn't work, and I get an error trace:

Error decoding what should be base32 data: ��gHZxr �ZCP���*9i �� at /kohadevbox/koha/C4/Auth.pm line 886.

 at /usr/lib/x86_64-linux-gnu/perl-base/Carp.pm line 289
So, maybe changing the encryption key is a bad thing with 2FA already enabled is?

A relatively recent change in behavour (added in 23.05.01, 22.11.07) was made by bug 33934 (https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33934), which doesn't allow the use of __ENCRYPTION_KEY__ - it needs to be something else other than this.

Maybe this is an unintended consequence of that change? I'll let others comment on that if that is the case.

To resolve the issue, I changed the user in the database - I could then log in again (I'm not sure whether this is the right way, but it worked for me):
update borrowers set auth_method="password" where borrowernumber="XXXX";

I'm not really sure how this should be managed - that is, if you change your encryption key, then all your patrons with two-factor authentication set up won't be able to log in.

David Nind
New Zealand

More information about the Koha mailing list