dm(encrypt): refine error message for secret key not initialized #12476

bimakw · 2025-12-24T04:46:36Z

Summary

Improve the error message when dmctl encrypt/decrypt is called without initializing the secret key.

Before:

Error: secret key is not initialized

After:

Error: secret key not initialized. To enable encryption:
1. Create a file containing a 32-byte (64-character) hexadecimal AES-256 secret key.
2. Set 'secret-key-path' in DM-master's configuration file to point to this key file.
3. Restart DM-master to apply the configuration.
For details, see: https://docs.pingcap.com/tidb/stable/dm-customized-secret-key

Changes

dm/pkg/encrypt/encrypt.go: Updated error message with actionable steps
dm/tests/dmctl_basic/run.sh: Updated test to match new error message

Issue Number: close #12046

Release Note

DM: improve error message for "secret key not initialized" to include actionable resolution steps

Improve the error message when dmctl encrypt/decrypt is called without initializing the secret key. The new message provides actionable steps to resolve the issue: 1. Create a 32-byte hexadecimal AES-256 secret key file 2. Set 'secret-key-path' in DM-master configuration 3. Restart DM-master to apply the configuration 4. Link to documentation for details This helps users quickly understand how to fix the issue instead of just seeing "secret key is not initialized". Fixes pingcap#12046 Signed-off-by: Gregorius Bima Kharisma Wicaksana <[email protected]>

ti-chi-bot · 2025-12-24T04:46:46Z

Hi @bimakw. Thanks for your PR.

I'm waiting for a pingcap member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

ti-chi-bot · 2025-12-24T04:46:46Z

Welcome @bimakw!

It looks like this is your first PR to pingcap/tiflow 🎉.

I'm the bot to help you request reviewers, add labels and more, See available commands.

We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to pingcap/tiflow. 😃

gemini-code-assist · 2025-12-24T04:46:47Z

Summary of Changes

Hello @bimakw, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on improving the user experience by refining an unhelpful error message related to uninitialized secret keys for encryption. The change provides clear, actionable guidance directly within the error output, helping users quickly resolve configuration issues and align with best practices for command-line interface feedback. This enhancement ensures that users are not left guessing when encountering encryption-related setup problems.

Highlights

Improved Error Message: The error message displayed when dmctl encrypt/decrypt is called without an initialized secret key has been significantly enhanced to provide actionable steps and a documentation link.
Configuration Guidance: The new error message now guides users on how to enable encryption by detailing steps to create a secret key file, configure secret-key-path, and restart DM-master.
Test Update: The dmctl_basic test suite has been updated to reflect the new, more descriptive error message, ensuring test compatibility with the change.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	`/gemini review`	Performs a code review for the current pull request in its current state.
Pull Request Summary	`/gemini summary`	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	`/gemini help`	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

pingcap-cla-assistant · 2025-12-24T04:46:48Z

All committers have signed the CLA.

gemini-code-assist

Code Review

This pull request significantly improves the user experience by providing a much more helpful and actionable error message when the secret key for encryption is not initialized. The change is clear, and the corresponding test update is correct. I have one suggestion to make the Go code more idiomatic and slightly more performant.

gemini-code-assist · 2025-12-24T04:54:45Z

dm/pkg/encrypt/encrypt.go

+const secretKeyNotInitializedError = `secret key not initialized. To enable encryption:
+1. Create a file containing a 32-byte (64-character) hexadecimal AES-256 secret key.
+2. Set 'secret-key-path' in DM-master's configuration file to point to this key file.
+3. Restart DM-master to apply the configuration.
+For details, see: https://docs.pingcap.com/tidb/stable/dm-customized-secret-key`
+
 func (n *notInitializedCipher) Encrypt([]byte) ([]byte, error) {
-	return nil, errors.New("secret key is not initialized")
+	return nil, errors.New(secretKeyNotInitializedError)
 }

 func (n *notInitializedCipher) Decrypt([]byte) ([]byte, error) {
-	return nil, errors.New("secret key is not initialized")
+	return nil, errors.New(secretKeyNotInitializedError)
 }


While the new error message is a great improvement, the implementation can be made more idiomatic and performant. Instead of defining a const string and creating a new error with errors.New() on each call, it's better to define a package-level error variable. This avoids repeated memory allocations and allows for error identity checking with errors.Is, which is a common Go practice.

Suggested change

const secretKeyNotInitializedError = `secret key not initialized. To enable encryption:

1. Create a file containing a 32-byte (64-character) hexadecimal AES-256 secret key.

2. Set 'secret-key-path' in DM-master's configuration file to point to this key file.

3. Restart DM-master to apply the configuration.

For details, see: https://docs.pingcap.com/tidb/stable/dm-customized-secret-key`

func (n *notInitializedCipher) Encrypt([]byte) ([]byte, error) {

return nil, errors.New("secret key is not initialized")

return nil, errors.New(secretKeyNotInitializedError)

}

func (n *notInitializedCipher) Decrypt([]byte) ([]byte, error) {

return nil, errors.New("secret key is not initialized")

return nil, errors.New(secretKeyNotInitializedError)

}

var errSecretKeyNotInitialized = errors.New(`secret key not initialized. To enable encryption:

1. Create a file containing a 32-byte (64-character) hexadecimal AES-256 secret key.

2. Set 'secret-key-path' in DM-master's configuration file to point to this key file.

3. Restart DM-master to apply the configuration.

For details, see: https://docs.pingcap.com/tidb/stable/dm-customized-secret-key`)

func (n *notInitializedCipher) Encrypt([]byte) ([]byte, error) {

return nil, errSecretKeyNotInitialized

}

func (n *notInitializedCipher) Decrypt([]byte) ([]byte, error) {

return nil, errSecretKeyNotInitialized

}

lance6716 · 2025-12-29T13:42:44Z

/ok-to-test

lance6716 · 2025-12-29T13:43:01Z

/cc @OliverS929 @GMHDBJD @D3Hunter

bimakw · 2025-12-29T14:34:50Z

tbh this error just gets converted to string via err.Error() for the user message, nothing checks its identity. but happy to change if you prefer the var style

lance6716 · 2025-12-29T14:43:19Z

/retest

bimakw · 2025-12-29T14:44:36Z

/retest pull-dm-integration-test

ti-chi-bot · 2025-12-29T14:44:53Z

@bimakw: The /retest command does not accept any targets.
The following commands are available to trigger required jobs:

/test pull-cdc-integration-kafka-test

/test pull-cdc-integration-mysql-test

/test pull-cdc-integration-pulsar-test

/test pull-cdc-integration-storage-test

/test pull-dm-compatibility-test

/test pull-dm-integration-test

/test pull-error-log-review

/test pull-syncdiff-integration-test

/test pull-verify

/test wip-pull-build

/test wip-pull-check

/test wip-pull-unit-test-cdc

/test wip-pull-unit-test-dm

/test wip-pull-unit-test-engine

Use /test all to run the following jobs that were automatically triggered:

pingcap/tiflow/ghpr_verify

pingcap/tiflow/pull_cdc_integration_kafka_test

pingcap/tiflow/pull_cdc_integration_pulsar_test

pingcap/tiflow/pull_cdc_integration_storage_test

pingcap/tiflow/pull_cdc_integration_test

pingcap/tiflow/pull_dm_compatibility_test

pingcap/tiflow/pull_dm_integration_test

pingcap/tiflow/pull_syncdiff_integration_test

pull-error-log-review

Details

In response to this:

/retest pull-dm-integration-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

lance6716 · 2025-12-30T01:45:09Z

/lgtm

ti-chi-bot · 2026-01-04T02:18:28Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: D3Hunter, lance6716

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~dm/OWNERS~~ [D3Hunter,lance6716]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

ti-chi-bot · 2026-01-04T02:18:35Z

[LGTM Timeline notifier]

Timeline:

2025-12-30 01:45:37.745847686 +0000 UTC m=+61893.564156118: ☑️ agreed by lance6716.
2026-01-04 02:18:34.118147436 +0000 UTC m=+495869.936455868: ☑️ agreed by D3Hunter.

gemini-code-assist bot reviewed Dec 24, 2025

View reviewed changes

ti-chi-bot bot added ok-to-test Indicates a PR is ready to be tested. and removed needs-ok-to-test Indicates a PR created by contributors and need ORG member send '/ok-to-test' to start testing. labels Dec 29, 2025

ti-chi-bot bot requested review from D3Hunter, GMHDBJD and OliverS929 December 29, 2025 13:43

ti-chi-bot bot added needs-1-more-lgtm Indicates a PR needs 1 more LGTM. approved labels Dec 30, 2025

D3Hunter approved these changes Jan 4, 2026

View reviewed changes

ti-chi-bot bot added lgtm and removed needs-1-more-lgtm Indicates a PR needs 1 more LGTM. labels Jan 4, 2026

ti-chi-bot bot merged commit 45426b8 into pingcap:master Jan 4, 2026
24 checks passed

dm(encrypt): refine error message for secret key not initialized #12476

dm(encrypt): refine error message for secret key not initialized #12476

Uh oh!

Conversation

bimakw commented Dec 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Changes

Release Note

Uh oh!

ti-chi-bot bot commented Dec 24, 2025

Uh oh!

ti-chi-bot bot commented Dec 24, 2025

Uh oh!

gemini-code-assist bot commented Dec 24, 2025

Summary of Changes

Highlights

Footnotes

Uh oh!

pingcap-cla-assistant bot commented Dec 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

gemini-code-assist bot left a comment

Choose a reason for hiding this comment

Code Review

Uh oh!

gemini-code-assist bot Dec 24, 2025

Choose a reason for hiding this comment

Uh oh!

lance6716 commented Dec 29, 2025

Uh oh!

lance6716 commented Dec 29, 2025

Uh oh!

bimakw commented Dec 29, 2025

Uh oh!

lance6716 commented Dec 29, 2025

Uh oh!

bimakw commented Dec 29, 2025

Uh oh!

ti-chi-bot bot commented Dec 29, 2025

Uh oh!

lance6716 commented Dec 30, 2025

Uh oh!

ti-chi-bot bot commented Jan 4, 2026

Uh oh!

ti-chi-bot bot commented Jan 4, 2026

[LGTM Timeline notifier]

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

bimakw commented Dec 24, 2025 •

edited

Loading

pingcap-cla-assistant bot commented Dec 24, 2025 •

edited

Loading