[GH-ISSUE #6225] Angular Error : Invalid Encryption type #35324

Closed
opened 2026-07-13 20:08:00 -05:00 by GiteaMirror · 4 comments
Owner

Originally created by @Deytron on GitHub (Aug 25, 2025).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6225

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.1-6
  • Web-vault version: voidc_button-v2025.5.1-3
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Alpine)
  • Database type: PostgreSQL
  • Database version: PostgreSQL 17.5 on x86_64-pc-linux-musl, compiled by gcc (Alpine 14.2.0) 14.2.0, 64-bit
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • TZ environment: Europe/Paris
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, SENDS_ALLOWED, SIGNUPS_ALLOWED, SIGNUPS_VERIFY, ORG_CREATION_USERS, INVITATIONS_ALLOWED, EMERGENCY_ACCESS_ALLOWED, SHOW_PASSWORD_HINT, ORGANIZATION_INVITE_AUTO_ACCEPT, ADMIN_TOKEN, REQUIRE_DEVICE_EMAIL, SSO_ONLY, SSO_SIGNUPS_MATCH_EMAIL, SSO_AUTH_ONLY_NOT_SESSION, SMTP_HOST, SMTP_SECURITY, SMTP_FROM

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "**********://*****************************************************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://******************",
  "domain_origin": "*****://******************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": false,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "GBNA Santé DSIH",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "***",
  "org_events_enabled": false,
  "org_groups_enabled": true,
  "organization_invite_auto_accept": true,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_nonce": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*************************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "*********************",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_security": "off",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": true,
  "sso_authority": "https://auth.gbna-sante.fr/application/o/vaultwarden/",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "https://pass.gbna-sante.fr/identity/connect/oidc-signin",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "ZGQ3P2rH4Q9qBFZUdrSiBtKTOFMWOrBsStFNR0UC",
  "sso_client_secret": "***",
  "sso_debug_force_fail_auth_code": false,
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": true,
  "sso_organizations_all_collections": true,
  "sso_organizations_enabled": true,
  "sso_organizations_groups_enabled": true,
  "sso_organizations_id_mapping": "",
  "sso_organizations_invite": false,
  "sso_organizations_revocation": false,
  "sso_organizations_token_path": "/vw-groups",
  "sso_pkce": true,
  "sso_roles_default_to_user": true,
  "sso_roles_enabled": true,
  "sso_roles_token_path": "/roles",
  "sso_scopes": "openid email profile offline_access",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "/web-vault_button",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.34.1-6

Deployment method

Other method

Custom deployment method

Kubernetes, using timshel\OIDCWarden

Reverse Proxy

traefik 3.4.4

Host/Server Operating System

Linux

Operating System Version

Kubernetes 1.33.3

Clients

Web Vault

Client Version

Firefox 142 - Vaultwarden Web 2025.5.1

Steps To Reproduce

  1. Login to your account that's joined to an organization
  2. Items will load indefinitely, orgs settings as well

Expected Result

Items in orgs are displayed on the page

Actual Result

Items load indefinitely

Logs

Unhandled error in angular Error: Invalid encryption type.
    rsaDecrypt encrypt.service.implementation.ts:501
    Rn main.91b1d4d6d52bc118910f.js:436
    L zone.js:2702
    Rn main.91b1d4d6d52bc118910f.js:436
    rsaDecrypt main.91b1d4d6d52bc118910f.js:436
    decapsulateKeyUnsigned encrypt.service.implementation.ts:405
    Rn main.91b1d4d6d52bc118910f.js:436
    L zone.js:2702
    Rn main.91b1d4d6d52bc118910f.js:436
    decapsulateKeyUnsigned main.91b1d4d6d52bc118910f.js:436
    decrypt encrypted-organization-key.ts:34
    22848/$/< main.91b1d4d6d52bc118910f.js:206

Screenshots or Videos

Image

Additional Context

This happened after restoring a PostgreSQL backup. I tried creating new users, inviting them to the org etc... But it didn't seem to work. At this point I don't know if there's something wrong on the server side of things and the ciphers, or the users
If I had a way to simply export the org vault from somewhere, I would gladly do it
All 5000 entries are still present in the database

Originally created by @Deytron on GitHub (Aug 25, 2025). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6225 ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.34.1-6 * Web-vault version: voidc_button-v2025.5.1-3 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Alpine) * Database type: PostgreSQL * Database version: PostgreSQL 17.5 on x86_64-pc-linux-musl, compiled by gcc (Alpine 14.2.0) 14.2.0, 64-bit * Uses config.json: true * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * TZ environment: Europe/Paris * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, SENDS_ALLOWED, SIGNUPS_ALLOWED, SIGNUPS_VERIFY, ORG_CREATION_USERS, INVITATIONS_ALLOWED, EMERGENCY_ACCESS_ALLOWED, SHOW_PASSWORD_HINT, ORGANIZATION_INVITE_AUTO_ACCEPT, ADMIN_TOKEN, REQUIRE_DEVICE_EMAIL, SSO_ONLY, SSO_SIGNUPS_MATCH_EMAIL, SSO_AUTH_ONLY_NOT_SESSION, SMTP_HOST, SMTP_SECURITY, SMTP_FROM **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "**********://*****************************************************************************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://******************", "domain_origin": "*****://******************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": false, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "GBNA Santé DSIH", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "***", "org_events_enabled": false, "org_groups_enabled": true, "organization_invite_auto_accept": true, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_nonce": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": true, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "*************************", "smtp_from_name": "Vaultwarden", "smtp_host": "*********************", "smtp_password": null, "smtp_port": 25, "smtp_security": "off", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": null, "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": true, "sso_authority": "https://auth.gbna-sante.fr/application/o/vaultwarden/", "sso_authorize_extra_params": "", "sso_callback_path": "https://pass.gbna-sante.fr/identity/connect/oidc-signin", "sso_client_cache_expiration": 0, "sso_client_id": "ZGQ3P2rH4Q9qBFZUdrSiBtKTOFMWOrBsStFNR0UC", "sso_client_secret": "***", "sso_debug_force_fail_auth_code": false, "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": true, "sso_organizations_all_collections": true, "sso_organizations_enabled": true, "sso_organizations_groups_enabled": true, "sso_organizations_id_mapping": "", "sso_organizations_invite": false, "sso_organizations_revocation": false, "sso_organizations_token_path": "/vw-groups", "sso_pkce": true, "sso_roles_default_to_user": true, "sso_roles_enabled": true, "sso_roles_token_path": "/roles", "sso_scopes": "openid email profile offline_access", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "/web-vault_button", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version v1.34.1-6 ### Deployment method Other method ### Custom deployment method Kubernetes, using timshel\OIDCWarden ### Reverse Proxy traefik 3.4.4 ### Host/Server Operating System Linux ### Operating System Version Kubernetes 1.33.3 ### Clients Web Vault ### Client Version Firefox 142 - Vaultwarden Web 2025.5.1 ### Steps To Reproduce 1. Login to your account that's joined to an organization 2. Items will load indefinitely, orgs settings as well ### Expected Result Items in orgs are displayed on the page ### Actual Result Items load indefinitely ### Logs ```text Unhandled error in angular Error: Invalid encryption type. rsaDecrypt encrypt.service.implementation.ts:501 Rn main.91b1d4d6d52bc118910f.js:436 L zone.js:2702 Rn main.91b1d4d6d52bc118910f.js:436 rsaDecrypt main.91b1d4d6d52bc118910f.js:436 decapsulateKeyUnsigned encrypt.service.implementation.ts:405 Rn main.91b1d4d6d52bc118910f.js:436 L zone.js:2702 Rn main.91b1d4d6d52bc118910f.js:436 decapsulateKeyUnsigned main.91b1d4d6d52bc118910f.js:436 decrypt encrypted-organization-key.ts:34 22848/$/< main.91b1d4d6d52bc118910f.js:206 ``` ### Screenshots or Videos <img width="2310" height="1294" alt="Image" src="https://github.com/user-attachments/assets/6546f106-61f3-4f27-82f0-aa0fe4267a0c" /> ### Additional Context This happened after restoring a PostgreSQL backup. I tried creating new users, inviting them to the org etc... But it didn't seem to work. At this point I don't know if there's something wrong on the server side of things and the ciphers, or the users If I had a way to simply export the org vault from somewhere, I would gladly do it All 5000 entries are still present in the database
GiteaMirror added the bug label 2026-07-13 20:08:00 -05:00
Author
Owner

@dani-garcia commented on GitHub (Aug 25, 2025):

That's very strange, it looks like the user's copy of the organization key is invalid.

Can you check the entry in the users_organizations table? There should be a column called akey which should contain a string of the format NUMBER.BASE64, something like 4.a8b9h....., can you tell us what number you see before the period?

<!-- gh-comment-id:3220828995 --> @dani-garcia commented on GitHub (Aug 25, 2025): That's very strange, it looks like the user's copy of the organization key is invalid. Can you check the entry in the `users_organizations` table? There should be a column called `akey` which should contain a string of the format `NUMBER.BASE64`, something like `4.a8b9h.....`, can you tell us what number you see before the period?
Author
Owner

@Deytron commented on GitHub (Aug 26, 2025):

Hello, thanks for the quick answer!

There's a 2.Brn+... in the akey column. The exact same value is present in the users table.
Ciphers also start with a 2.
I tried changed the value to 4.Brn+y..., and I get a different error:

Unhandled error in angular TypeError: SubtleCrypto.decrypt: Argument 3 could not be converted to any of: ArrayBufferView, ArrayBuffer.
    rsaDecrypt web-crypto-function.service.ts:350
    o main.91b1d4d6d52bc118910f.js:436
    invoke zone.js:369
    onInvoke ng_zone.ts:470
    invoke zone.js:368
    run zone.js:111
    D zone.js:2538
    invokeTask zone.js:402
    onInvokeTask ng_zone.ts:447
    invokeTask zone.js:401
    runTask zone.js:159
    y zone.js:581

I believe there was another issue that mentioned this exact error, maybe https://github.com/dani-garcia/vaultwarden/discussions/5060 ?

Either way, I don't think changing the key like this is a good idea, but at least this gives some insight. One thing I did not try is downgrading the Vaultwarden instance to 1.32.0. I can do it if you believe this can help

<!-- gh-comment-id:3222162313 --> @Deytron commented on GitHub (Aug 26, 2025): Hello, thanks for the quick answer! There's a `2.Brn+...` in the `akey` column. The exact same value is present in the `users` table. Ciphers also start with a 2. I tried changed the value to `4.Brn+y...`, and I get a different error: ``` Unhandled error in angular TypeError: SubtleCrypto.decrypt: Argument 3 could not be converted to any of: ArrayBufferView, ArrayBuffer. rsaDecrypt web-crypto-function.service.ts:350 o main.91b1d4d6d52bc118910f.js:436 invoke zone.js:369 onInvoke ng_zone.ts:470 invoke zone.js:368 run zone.js:111 D zone.js:2538 invokeTask zone.js:402 onInvokeTask ng_zone.ts:447 invokeTask zone.js:401 runTask zone.js:159 y zone.js:581 ``` I believe there was another issue that mentioned this exact error, maybe https://github.com/dani-garcia/vaultwarden/discussions/5060 ? Either way, I don't think changing the key like this is a good idea, but at least this gives some insight. One thing I did not try is downgrading the Vaultwarden instance to 1.32.0. I can do it if you believe this can help
Author
Owner

@dani-garcia commented on GitHub (Aug 26, 2025):

Yeah just changing the number is not going to work, because the keys are different formats.

The user table's akey and private_key are simmetrically encrypted keys, and so should start with 2., but the users_organizations akey should start with 4., as it's using asymmetric encryption. Having a key starting with 2. on users_organizations means that something has gone wrong, I'm just not sure what.

Is the backup you restored particularly old? Maybe there is some data migration that is just not being applied correctly. If so, I'd try to restore it into an older Vaultwarden release, and seeing if that works.

<!-- gh-comment-id:3225615150 --> @dani-garcia commented on GitHub (Aug 26, 2025): Yeah just changing the number is not going to work, because the keys are different formats. The `user` table's `akey` and `private_key` are simmetrically encrypted keys, and so should start with `2.`, but the `users_organizations` `akey` should start with `4.`, as it's using asymmetric encryption. Having a key starting with `2.` on `users_organizations` means that something has gone wrong, I'm just not sure what. Is the backup you restored particularly old? Maybe there is some data migration that is just not being applied correctly. If so, I'd try to restore it into an older Vaultwarden release, and seeing if that works.
Author
Owner

@Deytron commented on GitHub (Sep 16, 2025):

Hello, sorry for taking so long to answer.

So some updates, after fiddling in the database by creating a new org and trying to copy an akey to the old org, I get the following result :

Image

My guess is that something must have gone severely wrong, and it would be better now to start from scratch with an old backup. You can close the issue if you want :)

<!-- gh-comment-id:3296800722 --> @Deytron commented on GitHub (Sep 16, 2025): Hello, sorry for taking so long to answer. So some updates, after fiddling in the database by creating a new org and trying to copy an akey to the old org, I get the following result : <img width="221" height="149" alt="Image" src="https://github.com/user-attachments/assets/aa6642f4-b56b-40e4-913b-7bfeed39aace" /> My guess is that something must have gone severely wrong, and it would be better now to start from scratch with an old backup. You can close the issue if you want :)
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#35324