Two Factor Authentication: error 500: ArgumentError OpenSSL::Cipher::CipherError (bad decrypt):

Hello everyone,

I’ve already searched but I didn’t find a solution yet.

Each time I’m trying to enable 2FA on my profile I get an error 500.

Here is the log :

Started GET "/profile/two_factor_auth" for *.*.*.* at 2019-04-16 17:15:59 +0200
Processing by Profiles::TwoFactorAuthsController#show as HTML
Completed 500 Internal Server Error in 23ms (ActiveRecord: 1.6ms)

OpenSSL::Cipher::CipherError (bad decrypt):

app/controllers/profiles/two_factor_auths_controller.rb:7:in `show'
lib/gitlab/i18n.rb:55:in `with_locale'
lib/gitlab/i18n.rb:61:in `with_user_locale'
app/controllers/application_controller.rb:434:in `set_locale'
lib/gitlab/middleware/multipart.rb:103:in `call'
lib/gitlab/request_profiler/middleware.rb:16:in `call'
lib/gitlab/middleware/go.rb:20:in `call'
lib/gitlab/etag_caching/middleware.rb:13:in `call'
lib/gitlab/middleware/correlation_id.rb:16:in `block in call'
lib/gitlab/correlation_id.rb:15:in `use_id'
lib/gitlab/middleware/correlation_id.rb:15:in `call'
lib/gitlab/middleware/read_only/controller.rb:40:in `call'
lib/gitlab/middleware/read_only.rb:18:in `call'
lib/gitlab/middleware/basic_health_check.rb:25:in `call'
lib/gitlab/request_context.rb:26:in `call'
lib/gitlab/metrics/requests_rack_middleware.rb:29:in `call'
lib/gitlab/middleware/release_env.rb:13:in `call'

I’m running latest version of gitlab-ce 11.9.8 (48528bc) on Debian 9

Has anyone experienced the same issue ?

Thanks in advance,



1 Like

Hello Jeremy,

Could you please open a support ticket about that over at We’d love to help you out.


Is there a fix or workaround for this? I have the same problem for just one user (that I know of so far). I also opened a ticket, fwiw…


The solution for us, based on information here:, was to set encrypted_otp_secret to null for that user.

It repopulated when I impersonated the user, who was sent directly to the 2fa setup page upon login because a group he was in required it. So I don’t know for sure whether it was the login or the 2fa setup page that did the repopulation.