dm(encrypt): refine error message for secret key not initialized (#12476)

bimakw · web-flow · commit 45426b87a012 · 2026-01-04T02:22:53.000Z
close #12046
diff --git a/dm/pkg/encrypt/encrypt.go b/dm/pkg/encrypt/encrypt.go
@@ -59,12 +59,18 @@ func IsInitialized() bool {
 // we use a notInitializedCipher to always return error.
 type notInitializedCipher struct{}
 
+const secretKeyNotInitializedError = `secret key not initialized. To enable encryption:
+1. Create a file containing a 32-byte (64-character) hexadecimal AES-256 secret key.
+2. Set 'secret-key-path' in DM-master's configuration file to point to this key file.
+3. Restart DM-master to apply the configuration.
+For details, see: https://docs.pingcap.com/tidb/stable/dm-customized-secret-key`
+
 func (n *notInitializedCipher) Encrypt([]byte) ([]byte, error) {
-	return nil, errors.New("secret key is not initialized")
+	return nil, errors.New(secretKeyNotInitializedError)
 }
 
 func (n *notInitializedCipher) Decrypt([]byte) ([]byte, error) {
-	return nil, errors.New("secret key is not initialized")
+	return nil, errors.New(secretKeyNotInitializedError)
 }
 
 type aesCipher struct {
diff --git a/dm/tests/dmctl_basic/run.sh b/dm/tests/dmctl_basic/run.sh
@@ -503,7 +503,7 @@ function run() {
 	check_rpc_alive $cur/../bin/check_master_online 127.0.0.1:$MASTER_PORT
 	run_dm_ctl_cmd_mode $WORK_DIR "127.0.0.1:$MASTER_PORT" \
 		"encrypt a" \
-		"secret key is not initialized" 1
+		"secret key not initialized" 1
 }
 
 cleanup_data dmctl

Original file line number	Diff line number	Diff line change
`@@ -503,7 +503,7 @@ function run() {`
`503`	`503`	`check_rpc_alive $cur/../bin/check_master_online 127.0.0.1:$MASTER_PORT`
`504`	`504`	`run_dm_ctl_cmd_mode $WORK_DIR "127.0.0.1:$MASTER_PORT" \`
`505`	`505`	`"encrypt a" \`
`506`		`- "secret key is not initialized" 1`
	`506`	`+ "secret key not initialized" 1`
`507`	`507`	`}`
`508`	`508`
`509`	`509`	`cleanup_data dmctl`