catch invalid token exception, add error message for restoring encryp…

…ted server state (#2797)

Co-authored-by: Chris Lenk <clenk@users.noreply.github.com>

app/service/file_svc.py

@@ -5,10 +5,11 @@
 import json
 import os
 import subprocess
+import sys
 
 from aiohttp import web
 from multidict import CIMultiDict
-from cryptography.fernet import Fernet
+from cryptography.fernet import Fernet, InvalidToken
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
@@ -239,7 +240,17 @@ def _read(self, filename):
         with open(filename, 'rb') as f:
             buf = f.read()
         if self.encryptor and buf.startswith(bytes(FILE_ENCRYPTION_FLAG, encoding='utf-8')):
-            buf = self.encryptor.decrypt(buf[len(FILE_ENCRYPTION_FLAG):])
+            try:
+                buf = self.encryptor.decrypt(buf[len(FILE_ENCRYPTION_FLAG):])
+            except InvalidToken:
+                self.log.error('Failed to decrypt saved CALDERA state due to incorrect encryption key.\n'
+                               ' - If attempting to restore secure backup, verify that conf/local.yml exists with '
+                               'correct encryption_key value, and that the server is being run without --insecure.\n'
+                               ' - If attempting to restore insecure backup, verify that conf/default.yml exists '
+                               'with correct encryption_key value, and that the server is being run with --insecure.\n'
+                               ' - If correct encryption_key value cannot be recovered, rerun the server with --fresh '
+                               'to disregard stored server state.')
+                sys.exit(1)
         return buf
 
     def _get_encryptor(self):