🐛 Bug Report: "config error: ENCRYPTION_KEY must be at least 16 bytes long" - Docker Compose container restarts #635

Open
opened 2026-02-04 20:42:12 +03:00 by OVERLORD · 4 comments

Originally created by @Zydepoint on GitHub (Jan 29, 2026).

Hello, I seem to get issues whenever I try to run pocket-id via a Docker container. I didn't find this issue, so I suspect the issue might be on my side.

Reproduction steps

what my current docker compose config is:

```
services:

# auth.x.x
  pocket-id:
    image: ghcr.io/pocket-id/pocket-id:latest
    container_name: pocket-id
    security_opt:
      - no-new-privileges=true
    read_only: true
    user: 1000:1000
    cap_drop:
      - ALL
    ports:
      - "1411:1411"
    volumes:
      - "./data:/app/data"
      - ".key:/key:ro"
    healthcheck:
      test: [ "CMD", "/app/pocket-id", "healthcheck" ]
      interval: 1m30s
      timeout: 5s
      retries: 2
      start_period: 10s
    networks:
      POCKETID-NET:
    restart: unless-stopped

networks:
  POCKETID-NET:
    external: true
```

what i've tried:

  • use different methods to create the key: -base64 32 and -hex 32. also -base64 64
  • pinpointed the image to older version: v2.0.0 and i've tried latest v2.2.0

right now, the key is in a specified file and i define the path to the file in the .env file:

```
APP_URL="https://auth.x.x"
ENCRYPTION_KEY_FILE=/key
TRUST_PROXY="true"
#MAXMIND_LICENSE_KEY=
PUID="1000"
PGID="1000"
```

Expected behavior

I expected either -base64 32 or -hex 32 methods to work, at least after destroying the docker container and rebuilding it from the latest image.

Actual Behavior

The pocket-id Docker container restarts endlessly.

Pocket ID Version

v2.0.0 or latest. I run latest right now, but I've tried to pin to v2.0.0 and the issue persists.

Database

SQLite, I'd assume, since I don't run a Postgres container beside Pocket ID.

OS and Environment

Docker running on an Ubuntu VM, see versions below:

`sudo docker compose version`

```
Docker Compose version v5.0.0
```

`sudo docker version`

```
Client: Docker Engine - Community
Version: 29.1.3
API version: 1.52
Go version: go1.25.5
Git commit: f52814d
Built: Fri Dec 12 15:05:45 2025
OS/Arch: linux/amd64
Context: default
```

`lsb_release -a`

```
Distributor ID: Ubuntu
Description: Ubuntu 25.04
Release: 25.04
Codename: plucky
```

Log Output

```
pocket-id  | config error: ENCRYPTION_KEY must be at least 16 bytes long
pocket-id  | config error: ENCRYPTION_KEY must be at least 16 bytes long
pocket-id  | config error: ENCRYPTION_KEY must be at least 16 bytes long
pocket-id  | config error: ENCRYPTION_KEY must be at least 16 bytes long
pocket-id  | config error: ENCRYPTION_KEY must be at least 16 bytes long
pocket-id  | config error: ENCRYPTION_KEY must be at least 16 bytes long
pocket-id  | config error: ENCRYPTION_KEY must be at least 16 bytes long
pocket-id  | config error: ENCRYPTION_KEY must be at least 16 bytes long
pocket-id  | config error: ENCRYPTION_KEY must be at least 16 bytes long
[...]
pocket-id exited with code 1 (restarting)
```

@l-maciej commented on GitHub (Jan 30, 2026):

You have to regenerate the key with a fitting value in the .env file.


@Zydepoint commented on GitHub (Feb 2, 2026):

I have done that? The guide says "openssl rand -base64 32", but I've tried that and other methods, and none of them works, apparently.


@Zydepoint commented on GitHub (Feb 2, 2026):

I see now that the installation guide mentions: "The ENCRYPTION_KEY environment variable is now mandatory. You must set this variable to a at least 16 characters long random string. You can generate a secure random string using openssl rand -base64 32."

But the error suggests the issue is in the size of the encryption key? I have now tried using different lengths but none works; I tried 16, 32, 64, and a very long one.


@l-maciej commented on GitHub (Feb 2, 2026):

@Zydepoint Checked .env on my other machine

Image

I've just used some key, but it is not encrypted. Application started without any issues.
Latest version and env from documentation.

Reference: starred/pocket-id#635
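
Two things worth ruling out for this error, as an added example that is not part of the thread or of the Pocket ID code base: whether the file behind the `.key` bind mount is a readable regular file of at least 16 bytes, and whether the rendered compose file passes any `ENCRYPTION_KEY*` variable to the service at all (the compose file posted above has no `environment:` or `env_file:` entry). The function names are hypothetical, and counting the key without its trailing newline is an assumption chosen to be conservative.

```shell
#!/bin/sh
# Added example (not from the Pocket ID project): preflight checks for the
# key file and compose file shown in this issue. Function names are hypothetical.

MIN_KEY_BYTES=16   # minimum quoted in the "config error" line on this page

# Key length in bytes. $(...) strips trailing newlines, so the newline that
# `openssl rand` writes is not counted (a deliberately conservative choice).
key_bytes() {
    key=$(cat "$1") || return 1
    printf '%s' "$key" | wc -c | tr -d ' '
}

# check_key_file PATH: prints a verdict; exit status 0 only if the file is usable.
check_key_file() {
    path=$1
    if [ -d "$path" ]; then
        # With the short volume syntax Docker creates a missing bind-mount
        # source as an empty directory, so the target is then a directory too.
        echo "FAIL: $path is a directory, not a key file"; return 2
    fi
    [ -f "$path" ] || { echo "FAIL: $path does not exist"; return 3; }
    [ -r "$path" ] || { echo "FAIL: $path is not readable by uid $(id -u)"; return 4; }
    n=$(key_bytes "$path") || return 4
    if [ "$n" -lt "$MIN_KEY_BYTES" ]; then
        echo "FAIL: $path holds $n bytes, need at least $MIN_KEY_BYTES"; return 5
    fi
    echo "OK: $path holds $n bytes"
}

# Reads rendered compose YAML on stdin and succeeds only if a service gets
# ENCRYPTION_KEY or ENCRYPTION_KEY_FILE. Compose uses a project-level .env for
# ${VAR} interpolation; values reach the container only through
# `environment:` or `env_file:`.
compose_sets_key() {
    grep -Eq '^[[:space:]]+(- )?ENCRYPTION_KEY(_FILE)?[:=]'
}

# Usage, run as the uid from `user:` in the directory holding the compose file:
#   check_key_file ./.key
#   docker compose config | compose_sets_key || echo "key variable never reaches the container"
```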