
ZPA App Connector : Cannot decrypt data from instance_id.crypt

In normal day-to-day operations, a ZPA App Connector will sometimes show as disconnected in the ZPA Admin Portal, for a variety of reasons.

To understand what has actually happened, log in to the ZPA App Connector and run "sudo systemctl status zpa-connector". This command shows the status of the ZPA App Connector service and, if there is an error, reports its nature. In the screenshot below, the error reads "Cannot decrypt data from instance_id.crypt". This is one of the common issues seen when a ZPA App Connector disconnects from the ZPA Admin Portal.

[Screenshot: output of "sudo systemctl status zpa-connector" showing the error "Cannot decrypt data from instance_id.crypt"]

This error normally means that the fingerprint (hardware) ID has changed, so the ZPA App Connector can no longer identify itself. The process is therefore terminated as a security measure.

The fingerprint ID is how the connector identifies itself. It is calculated at the initialization stage as a combination of the system's MAC addresses, VM information, and disk information. If any of these change, the hardware ID changes as well.

To fix this issue, follow the steps below:

  1. Create a new provisioning key, or reuse an existing provisioning key, in the ZPA Admin Portal.

    Note: If you plan to reuse a key, make sure you have not exceeded the maximum App Connector count shown in the ZPA portal for that provisioning key.

  2. Stop the zpa-connector service using the following command:

    [admin@zpa-connector ~]$ sudo systemctl stop zpa-connector

  3. Use one of the following options to remove the old provisioning key file:

    • Enter a command to get full root access, and then enter the remove command.

      [admin@zpa-connector ~]$ sudo su
      [admin@zpa-connector /home/admin]# rm -f /opt/zscaler/var/*

    • Enter the remove command in a subshell.

      [admin@zpa-connector ~]$ sudo bash -c "rm -f /opt/zscaler/var/*"

  4. Create a new provisioning key file with 644 permissions, at /opt/zscaler/var/provision_key. For example:

    [admin@zpa-connector ~]$ sudo touch /opt/zscaler/var/provision_key
    [admin@zpa-connector ~]$ sudo chmod 644 /opt/zscaler/var/provision_key

  5. Copy the provisioning key from the ZPA Admin Portal, paste it into the file, and save. Use an editor, such as nano.

    [admin@zpa-connector ~]$ sudo nano /opt/zscaler/var/provision_key

    If you are unfamiliar with the nano editor, you can also use the following echo and tee commands to paste in the provisioning key:

    echo "<App Connector Provisioning Key>" | sudo tee /opt/zscaler/var/provision_key

    Make sure that the key is within double quotes (").

  6. Enter the following command to verify the file's content:

    [admin@zpa-connector ~]$ sudo cat /opt/zscaler/var/provision_key

  7. Enter the following command to start the zpa-connector service:

    [admin@zpa-connector ~]$ sudo systemctl start zpa-connector
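    The following script, added here as an example and not part of Zscaler's own tooling, wraps steps 2 to 7 above so the re-provisioning can be repeated consistently. It takes the directory /opt/zscaler/var and the unit name zpa-connector from this article; the variable ZPA_VAR_DIR (an assumption of this script) lets you point it at a scratch directory for a dry run, and the key is read from standard input rather than placed on the command line.

```bash
#!/usr/bin/env bash
# Added example, not Zscaler's own tooling: automates steps 2-7 of the article.
# Assumed knobs: ZPA_VAR_DIR (state dir, defaults to the page's /opt/zscaler/var).
set -u

VAR_DIR="${ZPA_VAR_DIR:-/opt/zscaler/var}"
SERVICE="zpa-connector"
ERR_TEXT="Cannot decrypt data from instance_id.crypt"

# Returns 0 when the supplied "systemctl status" output shows the error this
# article describes, so a wrapper can decide whether re-provisioning applies.
status_has_decrypt_error() {
  printf '%s\n' "$1" | grep -qF "$ERR_TEXT"
}

# Replaces the connector state in DIR with a fresh provisioning key file
# (mode 644, as in step 4). Refuses an empty or missing DIR so a mis-set
# variable can never expand "rm -f $dir/*" into "rm -f /*".
write_provision_key() {
  local dir="$1" key="$2"
  [ -n "$dir" ] && [ -d "$dir" ] || { echo "bad state dir: '$dir'" >&2; return 1; }
  [ -n "$key" ] || { echo "empty provisioning key" >&2; return 1; }
  rm -f -- "$dir"/*                       # step 3: drop old key and instance_id.crypt
  printf '%s\n' "$key" > "$dir/provision_key"
  chmod 644 "$dir/provision_key"          # step 4
  # step 6: verify mode and content before the service reads the file
  [ -n "$(find "$dir/provision_key" -perm 644)" ] || return 1
  [ "$(cat "$dir/provision_key")" = "$key" ]
}

# Full procedure on a real connector (run as root): steps 2, 3-6, 7.
reprovision() {
  local key="$1"
  systemctl stop "$SERVICE"
  write_provision_key "$VAR_DIR" "$key" || return 1
  systemctl start "$SERVICE"
  systemctl status "$SERVICE" --no-pager
}

# Only act when invoked with "run"; the key is read from stdin, e.g.
#   sudo bash reprovision.sh run < provision_key.txt
if [ "${1:-}" = "run" ]; then
  IFS= read -r provision_key
  reprovision "$provision_key"
fi
```

Run it with ZPA_VAR_DIR set to a temporary directory first to confirm the file is written with the expected mode and content before touching a live connector.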

Once the steps above are completed, you should see a new App Connector appearing in the ZPA Admin Portal. This would mean that the issue has been successfully fixed.