refactor: remove pre1 migration path (#4356)

This removes pre1 migrations and improves a lot of tooling.
2022-11-25 23:44:55 +11:00 · 2022-11-25 23:44:55 +11:00 · 3e4ac7821d
parent 3c291b5685
commit 3e4ac7821d
31 changed files with 871 additions and 1216 deletions
--- a/config.template.yml
+++ b/config.template.yml
@ -863,7 +863,8 @@ regulation:
 ## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
 # storage:
  ## The encryption key that is used to encrypt sensitive information in the database. Must be a string with a minimum
-  ## length of 20. Please see the docs if you configure this with an undesirable key and need to change it.
+  ## length of 20. Please see the docs if you configure this with an undesirable key and need to change it, you MUST use
  ## the CLI to change this in the database if you want to change it from a previously configured value.
  # encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
  ##
--- a/docs/content/en/contributing/guidelines/database-schema.md
+++ b/docs/content/en/contributing/guidelines/database-schema.md
@ -2,7 +2,7 @@
 title: "Database Schema"
 description: "Authelia Development Database Schema Guidelines"
 lead: "This section covers the database schema guidelines we use for development."
-date: 2022-11-09T09:20:18+11:00
+date: 2022-11-19T16:47:09+11:00
 draft: false
 images: []
 menu:
--- a/docs/content/en/reference/cli/authelia/authelia_storage_migrate_down.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_migrate_down.md
@ -40,7 +40,6 @@ authelia storage migrate down --target 20 --encryption-key b3453fde-ecc2-4a1f-94
 ```
      --destroy-data   confirms you want to destroy data with this migration
  -h, --help           help for down
      --pre1           sets pre1 as the version to migrate to
  -t, --target int     sets the version to migrate to
 ```
--- a/docs/content/en/reference/integrations/database-integrations.md
+++ b/docs/content/en/reference/integrations/database-integrations.md
@ -2,7 +2,7 @@
 title: "Database Integrations"
 description: "A database integration reference guide"
 lead: "This section contains a database integration reference guide for Authelia."
-date: 2022-11-10T11:03:47+11:00
+date: 2022-11-19T16:47:09+11:00
 draft: false
 images: []
 menu:
--- a/docs/content/en/reference/integrations/introduction.md
+++ b/docs/content/en/reference/integrations/introduction.md
@ -2,7 +2,7 @@
 title: "Integrations"
 description: "A collection of integration reference guides"
 lead: "This section contains integration reference guides for Authelia."
-date: 2022-11-10T11:03:47+11:00
+date: 2022-11-19T16:47:09+11:00
 draft: false
 images: []
 menu:
--- a/internal/commands/const.go
+++ b/internal/commands/const.go
@ -554,6 +554,45 @@ const (
 	cmdFlagUsageCharacters = "sets the explicit characters for the random string"
 	cmdFlagNameLength      = "length"
 	cmdFlagUsageLength     = "sets the character length for the random string"
 	cmdFlagNameNewEncryptionKey = "new-encryption-key"
 	cmdFlagNameFile        = "file"
 	cmdFlagNameUsers       = "users"
 	cmdFlagNameServices    = "services"
 	cmdFlagNameSectors     = "sectors"
 	cmdFlagNameIdentifier  = "identifier"
 	cmdFlagNameService     = "service"
 	cmdFlagNameSector      = "sector"
 	cmdFlagNameDescription = "description"
 	cmdFlagNameAll         = "all"
 	cmdFlagNameKeyID       = "kid"
 	cmdFlagNameVerbose     = "verbose"
 	cmdFlagNameSecret      = "secret"
 	cmdFlagNameSecretSize  = "secret-size"
 	cmdFlagNamePeriod      = "period"
 	cmdFlagNameDigits      = "digits"
 	cmdFlagNameAlgorithm   = "algorithm"
 	cmdFlagNameIssuer      = "issuer"
 	cmdFlagNameForce       = "force"
 	cmdFlagNameFormat      = "format"
 	cmdFlagNamePath        = "path"
 	cmdFlagNameTarget      = "target"
 	cmdFlagNameDestroyData = "destroy-data"
 	cmdFlagNameEncryptionKey      = "encryption-key"
 	cmdFlagNameSQLite3Path        = "sqlite.path"
 	cmdFlagNameMySQLHost          = "mysql.host"
 	cmdFlagNameMySQLPort          = "mysql.port"
 	cmdFlagNameMySQLDatabase      = "mysql.database"
 	cmdFlagNameMySQLUsername      = "mysql.username"
 	cmdFlagNameMySQLPassword      = "mysql.password"
 	cmdFlagNamePostgreSQLHost     = "postgres.host"
 	cmdFlagNamePostgreSQLPort     = "postgres.port"
 	cmdFlagNamePostgreSQLDatabase = "postgres.database"
 	cmdFlagNamePostgreSQLSchema   = "postgres.schema"
 	cmdFlagNamePostgreSQLUsername = "postgres.username"
 	cmdFlagNamePostgreSQLPassword = "postgres.password"
 )
 const (
@ -591,6 +630,7 @@ var (
 const (
 	identifierServiceOpenIDConnect = "openid"
 	invalid                        = "invalid"
 )
 var (
--- a/internal/commands/crypto_hash.go
+++ b/internal/commands/crypto_hash.go
@ -3,12 +3,10 @@ package commands
 import (
 	"fmt"
 	"strings"
 	"syscall"
 	"github.com/go-crypt/crypt"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	"golang.org/x/term"
 	"github.com/authelia/authelia/v4/internal/authentication"
 	"github.com/authelia/authelia/v4/internal/configuration"
@ -433,7 +431,7 @@ func cmdCryptoHashGetPassword(cmd *cobra.Command, args []string, useArgs, useRan
 		noConfirm bool
 	)
-	if data, err = hashReadPasswordWithPrompt("Enter Password: "); err != nil {
+	if data, err = termReadPasswordWithPrompt("Enter Password: ", "password"); err != nil {
 		err = fmt.Errorf("failed to read the password from the terminal: %w", err)
 		return
@ -448,8 +446,7 @@ func cmdCryptoHashGetPassword(cmd *cobra.Command, args []string, useArgs, useRan
 	}
 	if noConfirm, err = cmd.Flags().GetBool(cmdFlagNameNoConfirm); err == nil && !noConfirm {
-		if data, err = hashReadPasswordWithPrompt("Confirm Password: "); err != nil {
+		if data, err = termReadPasswordWithPrompt("Confirm Password: ", ""); err != nil {
 			err = fmt.Errorf("failed to read the password from the terminal: %w", err)
 			return
 		}
@ -467,22 +464,6 @@ func cmdCryptoHashGetPassword(cmd *cobra.Command, args []string, useArgs, useRan
 	return
 }
 func hashReadPasswordWithPrompt(prompt string) (data []byte, err error) {
 	fmt.Print(prompt)
 	if data, err = term.ReadPassword(int(syscall.Stdin)); err != nil { //nolint:unconvert,nolintlint
 		if err.Error() == "inappropriate ioctl for device" {
 			return nil, fmt.Errorf("the terminal doesn't appear to be interactive either use the '--password' flag or use an interactive terminal: %w", err)
 		}
 		return nil, err
 	}
 	fmt.Println("")
 	return data, nil
 }
 func cmdFlagConfig(cmd *cobra.Command) {
 	cmd.PersistentFlags().StringSliceP(cmdFlagNameConfig, "c", []string{"configuration.yml"}, "configuration files to load")
 }
--- a/internal/commands/errors.go
+++ b/internal/commands/errors.go
@ -0,0 +1,8 @@
 package commands
 import (
 	"errors"
 )
 // ErrStdinIsNotTerminal is returned when Stdin is not an interactive terminal.
 var ErrStdinIsNotTerminal = errors.New("stdin is not a terminal")
--- a/internal/commands/storage.go
+++ b/internal/commands/storage.go
@ -23,22 +23,22 @@ func newStorageCmd() (cmd *cobra.Command) {
 	cmdWithConfigFlags(cmd, true, []string{"configuration.yml"})
-	cmd.PersistentFlags().String("encryption-key", "", "the storage encryption key to use")
+	cmd.PersistentFlags().String(cmdFlagNameEncryptionKey, "", "the storage encryption key to use")
-	cmd.PersistentFlags().String("sqlite.path", "", "the SQLite database path")
+	cmd.PersistentFlags().String(cmdFlagNameSQLite3Path, "", "the SQLite database path")
-	cmd.PersistentFlags().String("mysql.host", "", "the MySQL hostname")
+	cmd.PersistentFlags().String(cmdFlagNameMySQLHost, "", "the MySQL hostname")
-	cmd.PersistentFlags().Int("mysql.port", 3306, "the MySQL port")
+	cmd.PersistentFlags().Int(cmdFlagNameMySQLPort, 3306, "the MySQL port")
-	cmd.PersistentFlags().String("mysql.database", "authelia", "the MySQL database name")
+	cmd.PersistentFlags().String(cmdFlagNameMySQLDatabase, "authelia", "the MySQL database name")
-	cmd.PersistentFlags().String("mysql.username", "authelia", "the MySQL username")
+	cmd.PersistentFlags().String(cmdFlagNameMySQLUsername, "authelia", "the MySQL username")
-	cmd.PersistentFlags().String("mysql.password", "", "the MySQL password")
+	cmd.PersistentFlags().String(cmdFlagNameMySQLPassword, "", "the MySQL password")
-	cmd.PersistentFlags().String("postgres.host", "", "the PostgreSQL hostname")
+	cmd.PersistentFlags().String(cmdFlagNamePostgreSQLHost, "", "the PostgreSQL hostname")
-	cmd.PersistentFlags().Int("postgres.port", 5432, "the PostgreSQL port")
+	cmd.PersistentFlags().Int(cmdFlagNamePostgreSQLPort, 5432, "the PostgreSQL port")
-	cmd.PersistentFlags().String("postgres.database", "authelia", "the PostgreSQL database name")
+	cmd.PersistentFlags().String(cmdFlagNamePostgreSQLDatabase, "authelia", "the PostgreSQL database name")
-	cmd.PersistentFlags().String("postgres.schema", "public", "the PostgreSQL schema name")
+	cmd.PersistentFlags().String(cmdFlagNamePostgreSQLSchema, "public", "the PostgreSQL schema name")
-	cmd.PersistentFlags().String("postgres.username", "authelia", "the PostgreSQL username")
+	cmd.PersistentFlags().String(cmdFlagNamePostgreSQLUsername, "authelia", "the PostgreSQL username")
-	cmd.PersistentFlags().String("postgres.password", "", "the PostgreSQL password")
+	cmd.PersistentFlags().String(cmdFlagNamePostgreSQLPassword, "", "the PostgreSQL password")
 	cmd.PersistentFlags().String("postgres.ssl.mode", "disable", "the PostgreSQL ssl mode")
 	cmd.PersistentFlags().String("postgres.ssl.root_certificate", "", "the PostgreSQL ssl root certificate file location")
 	cmd.PersistentFlags().String("postgres.ssl.certificate", "", "the PostgreSQL ssl certificate file location")
@ -83,7 +83,7 @@ func newStorageEncryptionCheckCmd() (cmd *cobra.Command) {
 		DisableAutoGenTag: true,
 	}
-	cmd.Flags().Bool("verbose", false, "enables verbose checking of every row of encrypted data")
+	cmd.Flags().Bool(cmdFlagNameVerbose, false, "enables verbose checking of every row of encrypted data")
 	return cmd
 }
@ -99,7 +99,7 @@ func newStorageEncryptionChangeKeyCmd() (cmd *cobra.Command) {
 		DisableAutoGenTag: true,
 	}
-	cmd.Flags().String("new-encryption-key", "", "the new key to encrypt the data with")
+	cmd.Flags().String(cmdFlagNameNewEncryptionKey, "", "the new key to encrypt the data with")
 	return cmd
 }
@ -154,7 +154,7 @@ func newStorageUserIdentifiersExportCmd() (cmd *cobra.Command) {
 		DisableAutoGenTag: true,
 	}
-	cmd.Flags().StringP("file", "f", "user-opaque-identifiers.yml", "The file name for the YAML export")
+	cmd.Flags().StringP(cmdFlagNameFile, "f", "user-opaque-identifiers.yml", "The file name for the YAML export")
 	return cmd
 }
@ -170,7 +170,7 @@ func newStorageUserIdentifiersImportCmd() (cmd *cobra.Command) {
 		DisableAutoGenTag: true,
 	}
-	cmd.Flags().StringP("file", "f", "user-opaque-identifiers.yml", "The file name for the YAML import")
+	cmd.Flags().StringP(cmdFlagNameFile, "f", "user-opaque-identifiers.yml", "The file name for the YAML import")
 	return cmd
 }
@ -186,9 +186,9 @@ func newStorageUserIdentifiersGenerateCmd() (cmd *cobra.Command) {
 		DisableAutoGenTag: true,
 	}
-	cmd.Flags().StringSlice("users", nil, "The list of users to generate the opaque identifiers for")
+	cmd.Flags().StringSlice(cmdFlagNameUsers, nil, "The list of users to generate the opaque identifiers for")
-	cmd.Flags().StringSlice("services", []string{identifierServiceOpenIDConnect}, fmt.Sprintf("The list of services to generate the opaque identifiers for, valid values are: %s", strings.Join(validIdentifierServices, ", ")))
+	cmd.Flags().StringSlice(cmdFlagNameServices, []string{identifierServiceOpenIDConnect}, fmt.Sprintf("The list of services to generate the opaque identifiers for, valid values are: %s", strings.Join(validIdentifierServices, ", ")))
-	cmd.Flags().StringSlice("sectors", []string{""}, "The list of sectors to generate identifiers for")
+	cmd.Flags().StringSlice(cmdFlagNameSectors, []string{""}, "The list of sectors to generate identifiers for")
 	return cmd
 }
@ -205,9 +205,9 @@ func newStorageUserIdentifiersAddCmd() (cmd *cobra.Command) {
 		DisableAutoGenTag: true,
 	}
-	cmd.Flags().String("identifier", "", "The optional version 4 UUID to use, if not set a random one will be used")
+	cmd.Flags().String(cmdFlagNameIdentifier, "", "The optional version 4 UUID to use, if not set a random one will be used")
-	cmd.Flags().String("service", identifierServiceOpenIDConnect, fmt.Sprintf("The service to add the identifier for, valid values are: %s", strings.Join(validIdentifierServices, ", ")))
+	cmd.Flags().String(cmdFlagNameService, identifierServiceOpenIDConnect, fmt.Sprintf("The service to add the identifier for, valid values are: %s", strings.Join(validIdentifierServices, ", ")))
-	cmd.Flags().String("sector", "", "The sector identifier to use (should usually be blank)")
+	cmd.Flags().String(cmdFlagNameSector, "", "The sector identifier to use (should usually be blank)")
 	return cmd
 }
@ -257,9 +257,9 @@ func newStorageUserWebAuthnDeleteCmd() (cmd *cobra.Command) {
 		DisableAutoGenTag: true,
 	}
-	cmd.Flags().Bool("all", false, "delete all of the users webauthn devices")
+	cmd.Flags().Bool(cmdFlagNameAll, false, "delete all of the users webauthn devices")
-	cmd.Flags().String("description", "", "delete a users webauthn device by description")
+	cmd.Flags().String(cmdFlagNameDescription, "", "delete a users webauthn device by description")
-	cmd.Flags().String("kid", "", "delete a users webauthn device by key id")
+	cmd.Flags().String(cmdFlagNameKeyID, "", "delete a users webauthn device by key id")
 	return cmd
 }
@ -295,14 +295,14 @@ func newStorageUserTOTPGenerateCmd() (cmd *cobra.Command) {
 		DisableAutoGenTag: true,
 	}
-	cmd.Flags().String("secret", "", "Optionally set the TOTP shared secret as base32 encoded bytes (no padding), it's recommended to not set this option unless you're restoring an TOTP config")
+	cmd.Flags().String(cmdFlagNameSecret, "", "set the shared secret as base32 encoded bytes (no padding), it's recommended that you do not use this option unless you're restoring a configuration")
-	cmd.Flags().Uint("secret-size", schema.TOTPSecretSizeDefault, "set the TOTP secret size")
+	cmd.Flags().Uint(cmdFlagNameSecretSize, schema.TOTPSecretSizeDefault, "set the secret size")
-	cmd.Flags().Uint("period", 30, "set the TOTP period")
+	cmd.Flags().Uint(cmdFlagNamePeriod, 30, "set the period between rotations")
-	cmd.Flags().Uint("digits", 6, "set the TOTP digits")
+	cmd.Flags().Uint(cmdFlagNameDigits, 6, "set the number of digits")
-	cmd.Flags().String("algorithm", "SHA1", "set the TOTP algorithm")
+	cmd.Flags().String(cmdFlagNameAlgorithm, "SHA1", "set the algorithm to either SHA1 (supported by most applications), SHA256, or SHA512")
-	cmd.Flags().String("issuer", "Authelia", "set the TOTP issuer")
+	cmd.Flags().String(cmdFlagNameIssuer, "Authelia", "set the issuer description")
-	cmd.Flags().BoolP("force", "f", false, "forces the TOTP configuration to be generated regardless if it exists or not")
+	cmd.Flags().BoolP(cmdFlagNameForce, "f", false, "forces the configuration to be generated regardless if it exists or not")
-	cmd.Flags().StringP("path", "p", "", "path to a file to create a PNG file with the QR code (optional)")
+	cmd.Flags().StringP(cmdFlagNamePath, "p", "", "path to a file to create a PNG file with the QR code (optional)")
 	return cmd
 }
@ -333,7 +333,7 @@ func newStorageUserTOTPExportCmd() (cmd *cobra.Command) {
 		DisableAutoGenTag: true,
 	}
-	cmd.Flags().String("format", storageTOTPExportFormatURI, fmt.Sprintf("sets the output format, valid values are: %s", strings.Join(validStorageTOTPExportFormats, ", ")))
+	cmd.Flags().String(cmdFlagNameFormat, storageTOTPExportFormatURI, fmt.Sprintf("sets the output format, valid values are: %s", strings.Join(validStorageTOTPExportFormats, ", ")))
 	cmd.Flags().String("dir", "", "used with the png output format to specify which new directory to save the files in")
 	return cmd
@ -431,7 +431,7 @@ func newStorageMigrateUpCmd() (cmd *cobra.Command) {
 		DisableAutoGenTag: true,
 	}
-	cmd.Flags().IntP("target", "t", 0, "sets the version to migrate to, by default this is the latest version")
+	cmd.Flags().IntP(cmdFlagNameTarget, "t", 0, "sets the version to migrate to, by default this is the latest version")
 	return cmd
 }
@ -448,9 +448,8 @@ func newStorageMigrateDownCmd() (cmd *cobra.Command) {
 		DisableAutoGenTag: true,
 	}
-	cmd.Flags().IntP("target", "t", 0, "sets the version to migrate to")
+	cmd.Flags().IntP(cmdFlagNameTarget, "t", 0, "sets the version to migrate to")
-	cmd.Flags().Bool("pre1", false, "sets pre1 as the version to migrate to")
+	cmd.Flags().Bool(cmdFlagNameDestroyData, false, "confirms you want to destroy data with this migration")
 	cmd.Flags().Bool("destroy-data", false, "confirms you want to destroy data with this migration")
 	return cmd
 }
--- a/internal/commands/storage_run.go
+++ b/internal/commands/storage_run.go
@ -10,6 +10,7 @@ import (
 	"image/png"
 	"os"
 	"path/filepath"
 	"sort"
 	"strings"
 	"github.com/google/uuid"
@ -48,31 +49,32 @@ func storagePersistentPreRunE(cmd *cobra.Command, _ []string) (err error) {
 	}
 	mapping := map[string]string{
-		"encryption-key": "storage.encryption_key",
+		cmdFlagNameEncryptionKey: "storage.encryption_key",
 		"sqlite.path":    "storage.local.path",
-		"mysql.host":     "storage.mysql.host",
+		cmdFlagNameSQLite3Path: "storage.local.path",
 		"mysql.port":     "storage.mysql.port",
 		"mysql.database": "storage.mysql.database",
 		"mysql.username": "storage.mysql.username",
 		"mysql.password": "storage.mysql.password",
-		"postgres.host":                 "storage.postgres.host",
+		cmdFlagNameMySQLHost:     "storage.mysql.host",
-		"postgres.port":                 "storage.postgres.port",
+		cmdFlagNameMySQLPort:     "storage.mysql.port",
-		"postgres.database":             "storage.postgres.database",
+		cmdFlagNameMySQLDatabase: "storage.mysql.database",
-		"postgres.schema":               "storage.postgres.schema",
+		cmdFlagNameMySQLUsername: "storage.mysql.username",
-		"postgres.username":             "storage.postgres.username",
+		cmdFlagNameMySQLPassword: "storage.mysql.password",
-		"postgres.password":             "storage.postgres.password",
+
 		cmdFlagNamePostgreSQLHost:       "storage.postgres.host",
 		cmdFlagNamePostgreSQLPort:       "storage.postgres.port",
 		cmdFlagNamePostgreSQLDatabase:   "storage.postgres.database",
 		cmdFlagNamePostgreSQLSchema:     "storage.postgres.schema",
 		cmdFlagNamePostgreSQLUsername:   "storage.postgres.username",
 		cmdFlagNamePostgreSQLPassword:   "storage.postgres.password",
 		"postgres.ssl.mode":             "storage.postgres.ssl.mode",
 		"postgres.ssl.root_certificate": "storage.postgres.ssl.root_certificate",
 		"postgres.ssl.certificate":      "storage.postgres.ssl.certificate",
 		"postgres.ssl.key":              "storage.postgres.ssl.key",
-		"period":      "totp.period",
+		cmdFlagNamePeriod:     "totp.period",
-		"digits":      "totp.digits",
+		cmdFlagNameDigits:     "totp.digits",
-		"algorithm":   "totp.algorithm",
+		cmdFlagNameAlgorithm:  "totp.algorithm",
-		"issuer":      "totp.issuer",
+		cmdFlagNameIssuer:     "totp.issuer",
-		"secret-size": "totp.secret_size",
+		cmdFlagNameSecretSize: "totp.secret_size",
 	}
 	sources = append(sources, configuration.NewEnvironmentSource(configuration.DefaultEnvPrefix, configuration.DefaultEnvDelimiter))
@ -128,6 +130,7 @@ func storageSchemaEncryptionCheckRunE(cmd *cobra.Command, args []string) (err er
 	var (
 		provider storage.Provider
 		verbose  bool
 		result   storage.EncryptionValidationResult
 		ctx = context.Background()
 	)
@ -138,21 +141,43 @@ func storageSchemaEncryptionCheckRunE(cmd *cobra.Command, args []string) (err er
 		_ = provider.Close()
 	}()
-	if verbose, err = cmd.Flags().GetBool("verbose"); err != nil {
+	if verbose, err = cmd.Flags().GetBool(cmdFlagNameVerbose); err != nil {
 		return err
 	}
-	if err = provider.SchemaEncryptionCheckKey(ctx, verbose); err != nil {
+	if result, err = provider.SchemaEncryptionCheckKey(ctx, verbose); err != nil {
 		switch {
 		case errors.Is(err, storage.ErrSchemaEncryptionVersionUnsupported):
-			fmt.Printf("Could not check encryption key for validity. The schema version doesn't support encryption.\n")
+			fmt.Printf("Storage Encryption Key Validation: FAILURE\n\n\tCause: The schema version doesn't support encryption.\n")
 		case errors.Is(err, storage.ErrSchemaEncryptionInvalidKey):
 			fmt.Printf("Encryption key validation: failed.\n\nError: %v.\n", err)
 		default:
-			fmt.Printf("Could not check encryption key for validity.\n\nError: %v.\n", err)
+			fmt.Printf("Storage Encryption Key Validation: UNKNOWN\n\n\tCause: %v.\n", err)
 		}
 	} else {
-		fmt.Println("Encryption key validation: success.")
+		if result.Success() {
 			fmt.Println("Storage Encryption Key Validation: SUCCESS")
 		} else {
 			fmt.Printf("Storage Encryption Key Validation: FAILURE\n\n\tCause: %v.\n", storage.ErrSchemaEncryptionInvalidKey)
 		}
 		if verbose {
 			fmt.Printf("\nTables:")
 			tables := make([]string, 0, len(result.Tables))
 			for name := range result.Tables {
 				tables = append(tables, name)
 			}
 			sort.Strings(tables)
 			for _, name := range tables {
 				table := result.Tables[name]
 				fmt.Printf("\n\n\tTable (%s): %s\n\t\tInvalid Rows: %d\n\t\tTotal Rows: %d", name, table.ResultDescriptor(), table.Invalid, table.Total)
 			}
 			fmt.Printf("\n")
 		}
 	}
 	return nil
@ -185,13 +210,22 @@ func storageSchemaEncryptionChangeKeyRunE(cmd *cobra.Command, args []string) (er
 		return errors.New("schema version must be at least version 1 to change the encryption key")
 	}
-	key, err = cmd.Flags().GetString("new-encryption-key")
+	useFlag := cmd.Flags().Changed(cmdFlagNameNewEncryptionKey)
 	if useFlag {
 		if key, err = cmd.Flags().GetString(cmdFlagNameNewEncryptionKey); err != nil {
 			return err
 		}
 	}
 	if !useFlag || key == "" {
 		if key, err = termReadPasswordStrWithPrompt("Enter New Storage Encryption Key: ", cmdFlagNameNewEncryptionKey); err != nil {
 			return err
 		}
 	}
 	switch {
 	case err != nil:
 		return err
 	case key == "":
-		return errors.New("you must set the --new-encryption-key flag")
+		return errors.New("the new encryption key must not be blank")
 	case len(key) < 20:
 		return errors.New("the new encryption key must be at least 20 characters")
 	}
@ -341,24 +375,24 @@ func storageWebAuthnDeleteGetAndValidateConfig(cmd *cobra.Command, args []string
 	flags := 0
-	if cmd.Flags().Changed("all") {
+	if cmd.Flags().Changed(cmdFlagNameAll) {
-		if all, err = cmd.Flags().GetBool("all"); err != nil {
+		if all, err = cmd.Flags().GetBool(cmdFlagNameAll); err != nil {
 			return
 		}
 		flags++
 	}
-	if cmd.Flags().Changed("description") {
+	if cmd.Flags().Changed(cmdFlagNameDescription) {
-		if description, err = cmd.Flags().GetString("description"); err != nil {
+		if description, err = cmd.Flags().GetString(cmdFlagNameDescription); err != nil {
 			return
 		}
 		flags++
 	}
-	if byKID = cmd.Flags().Changed("kid"); byKID {
+	if byKID = cmd.Flags().Changed(cmdFlagNameKeyID); byKID {
-		if kid, err = cmd.Flags().GetString("kid"); err != nil {
+		if kid, err = cmd.Flags().GetString(cmdFlagNameKeyID); err != nil {
 			return
 		}
@ -574,7 +608,7 @@ func storageTOTPExportRunE(cmd *cobra.Command, args []string) (err error) {
 }
 func storageTOTPExportGetConfigFromFlags(cmd *cobra.Command) (format, dir string, err error) {
-	if format, err = cmd.Flags().GetString("format"); err != nil {
+	if format, err = cmd.Flags().GetString(cmdFlagNameFormat); err != nil {
 		return "", "", err
 	}
@ -694,7 +728,6 @@ func newStorageMigrationRunE(up bool) func(cmd *cobra.Command, args []string) (e
 		var (
 			provider storage.Provider
 			target   int
 			pre1     bool
 			ctx = context.Background()
 		)
@ -705,37 +738,28 @@ func newStorageMigrationRunE(up bool) func(cmd *cobra.Command, args []string) (e
 			_ = provider.Close()
 		}()
-		if target, err = cmd.Flags().GetInt("target"); err != nil {
+		if target, err = cmd.Flags().GetInt(cmdFlagNameTarget); err != nil {
 			return err
 		}
 		switch {
 		case up:
-			switch cmd.Flags().Changed("target") {
+			switch cmd.Flags().Changed(cmdFlagNameTarget) {
 			case true:
 				return provider.SchemaMigrate(ctx, true, target)
 			default:
 				return provider.SchemaMigrate(ctx, true, storage.SchemaLatest)
 			}
 		default:
-			if pre1, err = cmd.Flags().GetBool("pre1"); err != nil {
+			if !cmd.Flags().Changed(cmdFlagNameTarget) {
-				return err
+				return errors.New("you must set a target version")
 			}
 			if !cmd.Flags().Changed("target") && !pre1 {
 				return errors.New("must set target")
 			}
 			if err = storageMigrateDownConfirmDestroy(cmd); err != nil {
 				return err
 			}
-			switch {
+			return provider.SchemaMigrate(ctx, false, target)
 			case pre1:
 				return provider.SchemaMigrate(ctx, false, -1)
 			default:
 				return provider.SchemaMigrate(ctx, false, target)
 			}
 		}
 	}
 }
@ -743,7 +767,7 @@ func newStorageMigrationRunE(up bool) func(cmd *cobra.Command, args []string) (e
 func storageMigrateDownConfirmDestroy(cmd *cobra.Command) (err error) {
 	var destroy bool
-	if destroy, err = cmd.Flags().GetBool("destroy-data"); err != nil {
+	if destroy, err = cmd.Flags().GetBool(cmdFlagNameDestroyData); err != nil {
 		return err
 	}
@ -803,15 +827,21 @@ func storageSchemaInfoRunE(_ *cobra.Command, _ []string) (err error) {
 		upgradeStr = "no"
 	}
-	var encryption string
+	var (
 		encryption string
 		result     storage.EncryptionValidationResult
 	)
-	if err = provider.SchemaEncryptionCheckKey(ctx, false); err != nil {
+	switch result, err = provider.SchemaEncryptionCheckKey(ctx, false); {
 	case err != nil:
 		if errors.Is(err, storage.ErrSchemaEncryptionVersionUnsupported) {
 			encryption = "unsupported (schema version)"
 		} else {
-			encryption = "invalid"
+			encryption = invalid
 		}
-	} else {
+	case !result.Success():
 		encryption = invalid
 	default:
 		encryption = "valid"
 	}
@ -847,7 +877,7 @@ func storageUserIdentifiersExport(cmd *cobra.Command, _ []string) (err error) {
 		file string
 	)
-	if file, err = cmd.Flags().GetString("file"); err != nil {
+	if file, err = cmd.Flags().GetString(cmdFlagNameFile); err != nil {
 		return err
 	}
@ -899,7 +929,7 @@ func storageUserIdentifiersImport(cmd *cobra.Command, _ []string) (err error) {
 		stat os.FileInfo
 	)
-	if file, err = cmd.Flags().GetString("file"); err != nil {
+	if file, err = cmd.Flags().GetString(cmdFlagNameFile); err != nil {
 		return err
 	}
@ -967,15 +997,15 @@ func storageUserIdentifiersGenerate(cmd *cobra.Command, _ []string) (err error)
 		return fmt.Errorf("can't load the existing identifiers: %w", err)
 	}
-	if users, err = cmd.Flags().GetStringSlice("users"); err != nil {
+	if users, err = cmd.Flags().GetStringSlice(cmdFlagNameUsers); err != nil {
 		return err
 	}
-	if services, err = cmd.Flags().GetStringSlice("services"); err != nil {
+	if services, err = cmd.Flags().GetStringSlice(cmdFlagNameServices); err != nil {
 		return err
 	}
-	if sectors, err = cmd.Flags().GetStringSlice("sectors"); err != nil {
+	if sectors, err = cmd.Flags().GetStringSlice(cmdFlagNameSectors); err != nil {
 		return err
 	}
@ -1036,7 +1066,7 @@ func storageUserIdentifiersAdd(cmd *cobra.Command, args []string) (err error) {
 		service, sector string
 	)
-	if service, err = cmd.Flags().GetString("service"); err != nil {
+	if service, err = cmd.Flags().GetString(cmdFlagNameService); err != nil {
 		return err
 	}
@ -1046,7 +1076,7 @@ func storageUserIdentifiersAdd(cmd *cobra.Command, args []string) (err error) {
 		return fmt.Errorf("the service name '%s' is invalid, the valid values are: '%s'", service, strings.Join(validIdentifierServices, "', '"))
 	}
-	if sector, err = cmd.Flags().GetString("sector"); err != nil {
+	if sector, err = cmd.Flags().GetString(cmdFlagNameSector); err != nil {
 		return err
 	}
@ -1056,10 +1086,10 @@ func storageUserIdentifiersAdd(cmd *cobra.Command, args []string) (err error) {
 		SectorID: sector,
 	}
-	if cmd.Flags().Changed("identifier") {
+	if cmd.Flags().Changed(cmdFlagNameIdentifier) {
 		var identifierStr string
-		if identifierStr, err = cmd.Flags().GetString("identifier"); err != nil {
+		if identifierStr, err = cmd.Flags().GetString(cmdFlagNameIdentifier); err != nil {
 			return err
 		}
--- a/internal/commands/util.go
+++ b/internal/commands/util.go
@ -3,8 +3,10 @@ package commands
 import (
 	"fmt"
 	"os"
 	"syscall"
 	"github.com/spf13/pflag"
 	"golang.org/x/term"
 	"github.com/authelia/authelia/v4/internal/utils"
 )
@ -99,3 +101,38 @@ func flagsGetRandomCharacters(flags *pflag.FlagSet, flagNameLength, flagNameChar
 	return utils.RandomString(n, charset, true), nil
 }
 func termReadPasswordStrWithPrompt(prompt, flag string) (data string, err error) {
 	var d []byte
 	if d, err = termReadPasswordWithPrompt(prompt, flag); err != nil {
 		return "", err
 	}
 	return string(d), nil
 }
 func termReadPasswordWithPrompt(prompt, flag string) (data []byte, err error) {
 	fd := int(syscall.Stdin) //nolint:unconvert,nolintlint
 	if isTerm := term.IsTerminal(fd); !isTerm {
 		switch len(flag) {
 		case 0:
 			return nil, ErrStdinIsNotTerminal
 		case 1:
 			return nil, fmt.Errorf("you must either use an interactive terminal or use the -%s flag", flag)
 		default:
 			return nil, fmt.Errorf("you must either use an interactive terminal or use the --%s flag", flag)
 		}
 	}
 	fmt.Print(prompt)
 	if data, err = term.ReadPassword(fd); err != nil {
 		return nil, fmt.Errorf("failed to read the input from the terminal: %w", err)
 	}
 	fmt.Println("")
 	return data, nil
 }
--- a/internal/configuration/config.template.yml
+++ b/internal/configuration/config.template.yml
@ -863,7 +863,8 @@ regulation:
 ## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
 # storage:
  ## The encryption key that is used to encrypt sensitive information in the database. Must be a string with a minimum
-  ## length of 20. Please see the docs if you configure this with an undesirable key and need to change it.
+  ## length of 20. Please see the docs if you configure this with an undesirable key and need to change it, you MUST use
  ## the CLI to change this in the database if you want to change it from a previously configured value.
  # encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
  ##
--- a/internal/mocks/storage.go
+++ b/internal/mocks/storage.go
@ -675,11 +675,12 @@ func (mr *MockStorageMockRecorder) SchemaEncryptionChangeKey(arg0, arg1 interfac
 }
 // SchemaEncryptionCheckKey mocks base method.
-func (m *MockStorage) SchemaEncryptionCheckKey(arg0 context.Context, arg1 bool) error {
+func (m *MockStorage) SchemaEncryptionCheckKey(arg0 context.Context, arg1 bool) (storage.EncryptionValidationResult, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "SchemaEncryptionCheckKey", arg0, arg1)
-	ret0, _ := ret[0].(error)
+	ret0, _ := ret[0].(storage.EncryptionValidationResult)
-	return ret0
+	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }
 // SchemaEncryptionCheckKey indicates an expected call of SchemaEncryptionCheckKey.
--- a/internal/storage/const.go
+++ b/internal/storage/const.go
@ -15,17 +15,16 @@ const (
 	tableOAuth2ConsentSession          = "oauth2_consent_session"
 	tableOAuth2ConsentPreConfiguration = "oauth2_consent_preconfiguration"
-	tableOAuth2AuthorizeCodeSession    = "oauth2_authorization_code_session"
+
-	tableOAuth2AccessTokenSession      = "oauth2_access_token_session"  //nolint:gosec // This is not a hardcoded credential.
+	tableOAuth2AuthorizeCodeSession = "oauth2_authorization_code_session"
-	tableOAuth2RefreshTokenSession     = "oauth2_refresh_token_session" //nolint:gosec // This is not a hardcoded credential.
+	tableOAuth2AccessTokenSession   = "oauth2_access_token_session"  //nolint:gosec // This is not a hardcoded credential.
-	tableOAuth2PKCERequestSession      = "oauth2_pkce_request_session"
+	tableOAuth2RefreshTokenSession  = "oauth2_refresh_token_session" //nolint:gosec // This is not a hardcoded credential.
-	tableOAuth2OpenIDConnectSession    = "oauth2_openid_connect_session"
+	tableOAuth2PKCERequestSession   = "oauth2_pkce_request_session"
-	tableOAuth2BlacklistedJTI          = "oauth2_blacklisted_jti"
+	tableOAuth2OpenIDConnectSession = "oauth2_openid_connect_session"
 	tableOAuth2BlacklistedJTI       = "oauth2_blacklisted_jti"
 	tableMigrations = "migrations"
 	tableEncryption = "encryption"
 	tablePrefixBackup = "_bkp_"
 )
 // OAuth2SessionType represents the potential OAuth 2.0 session types.
@ -58,6 +57,24 @@ func (s OAuth2SessionType) String() string {
 	}
 }
 // Table returns the table name for this session type.
 func (s OAuth2SessionType) Table() string {
 	switch s {
 	case OAuth2SessionTypeAuthorizeCode:
 		return tableOAuth2AuthorizeCodeSession
 	case OAuth2SessionTypeAccessToken:
 		return tableOAuth2AccessTokenSession
 	case OAuth2SessionTypeRefreshToken:
 		return tableOAuth2RefreshTokenSession
 	case OAuth2SessionTypePKCEChallenge:
 		return tableOAuth2PKCERequestSession
 	case OAuth2SessionTypeOpenIDConnect:
 		return tableOAuth2OpenIDConnectSession
 	default:
 		return ""
 	}
 }
 const (
 	sqlNetworkTypeTCP        = "tcp"
 	sqlNetworkTypeUnixSocket = "unix"
@ -72,16 +89,6 @@ const (
 	tablePre1TOTPSecrets                = "totp_secrets"
 	tablePre1IdentityVerificationTokens = "identity_verification_tokens"
 	tablePre1U2FDevices                 = "u2f_devices"
 	tablePre1Config = "config"
 	tableAlphaAuthenticationLogs         = "AuthenticationLogs"
 	tableAlphaIdentityVerificationTokens = "IdentityVerificationTokens"
 	tableAlphaPreferences                = "Preferences"
 	tableAlphaPreferencesTableName       = "PreferencesTableName"
 	tableAlphaSecondFactorPreferences    = "SecondFactorPreferences"
 	tableAlphaTOTPSecrets                = "TOTPSecrets"
 	tableAlphaU2FDeviceHandles           = "U2FDeviceHandles"
 )
 var tablesPre1 = []string{
@ -114,3 +121,8 @@ const (
 var (
 	reMigration = regexp.MustCompile(`^V(\d{4})\.([^.]+)\.(all|sqlite|postgres|mysql)\.(up|down)\.sql$`)
 )
 const (
 	na      = "N/A"
 	invalid = "invalid"
 )
--- a/internal/storage/errors.go
+++ b/internal/storage/errors.go
@ -35,7 +35,7 @@ var (
 	// ErrSchemaEncryptionInvalidKey is returned when the schema is checked if the encryption key is valid for
 	// the database but the key doesn't appear to be valid.
-	ErrSchemaEncryptionInvalidKey = errors.New("the encryption key is not valid against the schema check value")
+	ErrSchemaEncryptionInvalidKey = errors.New("the configured encryption key does not appear to be valid for this database which may occur if the encryption key was changed in the configuration without using the cli to change it in the database")
 )
 // Error formats for the storage provider.
@ -49,7 +49,6 @@ const (
 const (
 	errFmtFailedMigration                     = "schema migration %d (%s) failed: %w"
 	errFmtFailedMigrationPre1                 = "schema migration pre1 failed: %w"
 	errFmtSchemaCurrentGreaterThanLatestKnown = "current schema version is greater than the latest known schema " +
 		"version, you must downgrade to schema version %d before you can use this version of Authelia"
 )
@ -59,3 +58,8 @@ const (
 	logFmtMigrationComplete = "Storage schema migration from %s to %s is complete"
 	logFmtErrClosingConn    = "Error occurred closing SQL connection: %v"
 )
 const (
 	errFmtMigrationPre1                 = "schema migration %s pre1 is no longer supported: you must use an older version of authelia to perform this migration: %s"
 	errFmtMigrationPre1SuggestedVersion = "the suggested authelia version is 4.37.2"
 )
--- a/internal/storage/migrations.go
+++ b/internal/storage/migrations.go
@ -46,42 +46,6 @@ func latestMigrationVersion(providerName string) (version int, err error) {
 	return version, nil
 }
 func loadMigration(providerName string, version int, up bool) (migration *model.SchemaMigration, err error) {
 	entries, err := migrationsFS.ReadDir("migrations")
 	if err != nil {
 		return nil, err
 	}
 	for _, entry := range entries {
 		if entry.IsDir() {
 			continue
 		}
 		m, err := scanMigration(entry.Name())
 		if err != nil {
 			return nil, err
 		}
 		migration = &m
 		if up != migration.Up {
 			continue
 		}
 		if migration.Provider != providerAll && migration.Provider != providerName {
 			continue
 		}
 		if version != migration.Version {
 			continue
 		}
 		return migration, nil
 	}
 	return nil, errors.New("migration not found")
 }
 // loadMigrations scans the migrations fs and loads the appropriate migrations for a given providerName, prior and
 // target versions. If the target version is -1 this indicates the latest version. If the target version is 0
 // this indicates the database zero state.
--- a/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.down.sql
+++ b/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.down.sql
@ -1,7 +1,5 @@
 PRAGMA foreign_keys=off;
 BEGIN TRANSACTION;
 DELETE FROM oauth2_consent_session
       WHERE subject IN(SELECT identifier FROM user_opaque_identifier WHERE username = '' AND service IN('openid', 'openid_connect'));
@ -261,6 +259,4 @@ ORDER BY id;
 DROP TABLE IF EXISTS _bkp_DOWN_V0005_oauth2_openid_connect_session;
 COMMIT;
 PRAGMA foreign_keys=on;
--- a/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.up.sql
+++ b/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.up.sql
@ -1,7 +1,5 @@
 PRAGMA foreign_keys=off;
 BEGIN TRANSACTION;
 DELETE FROM oauth2_consent_session
       WHERE subject IN(SELECT identifier FROM user_opaque_identifier WHERE username = '' AND service IN('openid', 'openid_connect'));
@ -255,6 +253,4 @@ ORDER BY id;
 DROP TABLE IF EXISTS _bkp_UP_V0005_oauth2_openid_connect_session;
 COMMIT;
 PRAGMA foreign_keys=on;
--- a/internal/storage/migrations/V0007.ConsistencyFixes.sqlite.down.sql
+++ b/internal/storage/migrations/V0007.ConsistencyFixes.sqlite.down.sql
@ -1,7 +1,5 @@
 PRAGMA foreign_keys=off;
 BEGIN TRANSACTION;
 ALTER TABLE webauthn_devices
    RENAME TO _bkp_DOWN_V0007_webauthn_devices;
@ -612,6 +610,4 @@ ORDER BY id;
 DROP TABLE IF EXISTS _bkp_DOWN_V0007_oauth2_openid_connect_session;
 COMMIT;
 PRAGMA foreign_keys=on;
--- a/internal/storage/migrations/V0007.ConsistencyFixes.sqlite.up.sql
+++ b/internal/storage/migrations/V0007.ConsistencyFixes.sqlite.up.sql
@ -1,7 +1,5 @@
 PRAGMA foreign_keys=off;
 BEGIN TRANSACTION;
 DROP TABLE IF EXISTS _bkp_UP_V0002_totp_configurations;
 DROP TABLE IF EXISTS _bkp_UP_V0002_u2f_devices;
 DROP TABLE IF EXISTS totp_secrets;
@ -662,6 +660,4 @@ ORDER BY id;
 DROP TABLE IF EXISTS _bkp_UP_V0007_oauth2_openid_connect_session;
 COMMIT;
 PRAGMA foreign_keys=on;
--- a/internal/storage/provider.go
+++ b/internal/storage/provider.go
@ -77,8 +77,8 @@ type Provider interface {
 	SchemaMigrationsUp(ctx context.Context, version int) (migrations []model.SchemaMigration, err error)
 	SchemaMigrationsDown(ctx context.Context, version int) (migrations []model.SchemaMigration, err error)
-	SchemaEncryptionChangeKey(ctx context.Context, encryptionKey string) (err error)
+	SchemaEncryptionChangeKey(ctx context.Context, key string) (err error)
-	SchemaEncryptionCheckKey(ctx context.Context, verbose bool) (err error)
+	SchemaEncryptionCheckKey(ctx context.Context, verbose bool) (result EncryptionValidationResult, err error)
 	Close() (err error)
 }
--- a/internal/storage/sql_provider.go
+++ b/internal/storage/sql_provider.go
@ -43,8 +43,6 @@ func NewSQLProvider(config *schema.Configuration, name, driverName, dataSourceNa
 		sqlSelectTOTPConfig:  fmt.Sprintf(queryFmtSelectTOTPConfiguration, tableTOTPConfigurations),
 		sqlSelectTOTPConfigs: fmt.Sprintf(queryFmtSelectTOTPConfigurations, tableTOTPConfigurations),
 		sqlUpdateTOTPConfigSecret:                 fmt.Sprintf(queryFmtUpdateTOTPConfigurationSecret, tableTOTPConfigurations),
 		sqlUpdateTOTPConfigSecretByUsername:       fmt.Sprintf(queryFmtUpdateTOTPConfigurationSecretByUsername, tableTOTPConfigurations),
 		sqlUpdateTOTPConfigRecordSignIn:           fmt.Sprintf(queryFmtUpdateTOTPConfigRecordSignIn, tableTOTPConfigurations),
 		sqlUpdateTOTPConfigRecordSignInByUsername: fmt.Sprintf(queryFmtUpdateTOTPConfigRecordSignInByUsername, tableTOTPConfigurations),
@ -52,8 +50,6 @@ func NewSQLProvider(config *schema.Configuration, name, driverName, dataSourceNa
 		sqlSelectWebauthnDevices:           fmt.Sprintf(queryFmtSelectWebauthnDevices, tableWebauthnDevices),
 		sqlSelectWebauthnDevicesByUsername: fmt.Sprintf(queryFmtSelectWebauthnDevicesByUsername, tableWebauthnDevices),
 		sqlUpdateWebauthnDevicePublicKey:              fmt.Sprintf(queryFmtUpdateWebauthnDevicePublicKey, tableWebauthnDevices),
 		sqlUpdateWebauthnDevicePublicKeyByUsername:    fmt.Sprintf(queryFmtUpdateUpdateWebauthnDevicePublicKeyByUsername, tableWebauthnDevices),
 		sqlUpdateWebauthnDeviceRecordSignIn:           fmt.Sprintf(queryFmtUpdateWebauthnDeviceRecordSignIn, tableWebauthnDevices),
 		sqlUpdateWebauthnDeviceRecordSignInByUsername: fmt.Sprintf(queryFmtUpdateWebauthnDeviceRecordSignInByUsername, tableWebauthnDevices),
@ -161,8 +157,6 @@ type SQLProvider struct {
 	sqlSelectTOTPConfig  string
 	sqlSelectTOTPConfigs string
 	sqlUpdateTOTPConfigSecret                 string
 	sqlUpdateTOTPConfigSecretByUsername       string
 	sqlUpdateTOTPConfigRecordSignIn           string
 	sqlUpdateTOTPConfigRecordSignInByUsername string
@ -171,8 +165,6 @@ type SQLProvider struct {
 	sqlSelectWebauthnDevices           string
 	sqlSelectWebauthnDevicesByUsername string
 	sqlUpdateWebauthnDevicePublicKey              string
 	sqlUpdateWebauthnDevicePublicKeyByUsername    string
 	sqlUpdateWebauthnDeviceRecordSignIn           string
 	sqlUpdateWebauthnDeviceRecordSignInByUsername string
@ -292,13 +284,17 @@ func (p *SQLProvider) StartupCheck() (err error) {
 	ctx := context.Background()
-	if err = p.SchemaEncryptionCheckKey(ctx, false); err != nil && !errors.Is(err, ErrSchemaEncryptionVersionUnsupported) {
+	var result EncryptionValidationResult
 	if result, err = p.SchemaEncryptionCheckKey(ctx, false); err != nil && !errors.Is(err, ErrSchemaEncryptionVersionUnsupported) {
 		return err
 	}
-	err = p.SchemaMigrate(ctx, true, SchemaLatest)
+	if !result.Success() {
 		return ErrSchemaEncryptionInvalidKey
 	}
-	switch err {
+	switch err = p.SchemaMigrate(ctx, true, SchemaLatest); err {
 	case ErrSchemaAlreadyUpToDate:
 		p.log.Infof("Storage schema is already up to date")
 		return nil
@ -837,21 +833,6 @@ func (p *SQLProvider) LoadTOTPConfigurations(ctx context.Context, limit, page in
 	return configs, nil
 }
 func (p *SQLProvider) updateTOTPConfigurationSecret(ctx context.Context, config model.TOTPConfiguration) (err error) {
 	switch config.ID {
 	case 0:
 		_, err = p.db.ExecContext(ctx, p.sqlUpdateTOTPConfigSecretByUsername, config.Secret, config.Username)
 	default:
 		_, err = p.db.ExecContext(ctx, p.sqlUpdateTOTPConfigSecret, config.Secret, config.ID)
 	}
 	if err != nil {
 		return fmt.Errorf("error updating TOTP configuration secret for user '%s': %w", config.Username, err)
 	}
 	return nil
 }
 // SaveWebauthnDevice saves a registered Webauthn device.
 func (p *SQLProvider) SaveWebauthnDevice(ctx context.Context, device model.WebauthnDevice) (err error) {
 	if device.PublicKey, err = p.encrypt(device.PublicKey); err != nil {
@ -947,21 +928,6 @@ func (p *SQLProvider) LoadWebauthnDevicesByUsername(ctx context.Context, usernam
 	return devices, nil
 }
 func (p *SQLProvider) updateWebauthnDevicePublicKey(ctx context.Context, device model.WebauthnDevice) (err error) {
 	switch device.ID {
 	case 0:
 		_, err = p.db.ExecContext(ctx, p.sqlUpdateWebauthnDevicePublicKeyByUsername, device.PublicKey, device.Username, device.KID)
 	default:
 		_, err = p.db.ExecContext(ctx, p.sqlUpdateWebauthnDevicePublicKey, device.PublicKey, device.ID)
 	}
 	if err != nil {
 		return fmt.Errorf("error updating Webauthn public key for user '%s' kid '%x': %w", device.Username, device.KID, err)
 	}
 	return nil
 }
 // SavePreferredDuoDevice saves a Duo device.
 func (p *SQLProvider) SavePreferredDuoDevice(ctx context.Context, device model.DuoDevice) (err error) {
 	if _, err = p.db.ExecContext(ctx, p.sqlUpsertDuoDevice, device.Username, device.Device, device.Method); err != nil {
--- a/internal/storage/sql_provider_backend_postgres.go
+++ b/internal/storage/sql_provider_backend_postgres.go
@ -58,13 +58,9 @@ func NewPostgreSQLProvider(config *schema.Configuration, caCertPool *x509.CertPo
 	provider.sqlUpdateTOTPConfigRecordSignInByUsername = provider.db.Rebind(provider.sqlUpdateTOTPConfigRecordSignInByUsername)
 	provider.sqlDeleteTOTPConfig = provider.db.Rebind(provider.sqlDeleteTOTPConfig)
 	provider.sqlSelectTOTPConfigs = provider.db.Rebind(provider.sqlSelectTOTPConfigs)
 	provider.sqlUpdateTOTPConfigSecret = provider.db.Rebind(provider.sqlUpdateTOTPConfigSecret)
 	provider.sqlUpdateTOTPConfigSecretByUsername = provider.db.Rebind(provider.sqlUpdateTOTPConfigSecretByUsername)
 	provider.sqlSelectWebauthnDevices = provider.db.Rebind(provider.sqlSelectWebauthnDevices)
 	provider.sqlSelectWebauthnDevicesByUsername = provider.db.Rebind(provider.sqlSelectWebauthnDevicesByUsername)
 	provider.sqlUpdateWebauthnDevicePublicKey = provider.db.Rebind(provider.sqlUpdateWebauthnDevicePublicKey)
 	provider.sqlUpdateWebauthnDevicePublicKeyByUsername = provider.db.Rebind(provider.sqlUpdateWebauthnDevicePublicKeyByUsername)
 	provider.sqlUpdateWebauthnDeviceRecordSignIn = provider.db.Rebind(provider.sqlUpdateWebauthnDeviceRecordSignIn)
 	provider.sqlUpdateWebauthnDeviceRecordSignInByUsername = provider.db.Rebind(provider.sqlUpdateWebauthnDeviceRecordSignInByUsername)
 	provider.sqlDeleteWebauthnDevice = provider.db.Rebind(provider.sqlDeleteWebauthnDevice)
--- a/internal/storage/sql_provider_encryption.go
+++ b/internal/storage/sql_provider_encryption.go
@ -1,38 +1,65 @@
 package storage
 import (
 	"bytes"
 	"context"
 	"crypto/sha256"
 	"database/sql"
 	"errors"
 	"fmt"
 	"github.com/google/uuid"
 	"github.com/jmoiron/sqlx"
 	"github.com/authelia/authelia/v4/internal/model"
 	"github.com/authelia/authelia/v4/internal/utils"
 )
 // SchemaEncryptionChangeKey uses the currently configured key to decrypt values in the database and the key provided
 // by this command to encrypt the values again and update them using a transaction.
-func (p *SQLProvider) SchemaEncryptionChangeKey(ctx context.Context, encryptionKey string) (err error) {
+func (p *SQLProvider) SchemaEncryptionChangeKey(ctx context.Context, key string) (err error) {
 	skey := sha256.Sum256([]byte(key))
 	if bytes.Equal(skey[:], p.key[:]) {
 		return fmt.Errorf("error changing the storage encryption key: the old key and the new key are the same")
 	}
 	if _, err = p.SchemaEncryptionCheckKey(ctx, false); err != nil {
 		return fmt.Errorf("error changing the storage encryption key: %w", err)
 	}
 	tx, err := p.db.Beginx()
 	if err != nil {
 		return fmt.Errorf("error beginning transaction to change encryption key: %w", err)
 	}
-	key := sha256.Sum256([]byte(encryptionKey))
+	encChangeFuncs := []EncryptionChangeKeyFunc{
-
+		schemaEncryptionChangeKeyTOTP,
-	if err = p.schemaEncryptionChangeKeyTOTP(ctx, tx, key); err != nil {
+		schemaEncryptionChangeKeyWebauthn,
 		return err
 	}
-	if err = p.schemaEncryptionChangeKeyWebauthn(ctx, tx, key); err != nil {
+	for i := 0; true; i++ {
-		return err
+		typeOAuth2Session := OAuth2SessionType(i)
 		if typeOAuth2Session.Table() == "" {
 			break
 		}
 		encChangeFuncs = append(encChangeFuncs, schemaEncryptionChangeKeyOpenIDConnect(typeOAuth2Session))
 	}
-	if err = p.setNewEncryptionCheckValue(ctx, &key, tx); err != nil {
+	for _, encChangeFunc := range encChangeFuncs {
-		if rollbackErr := tx.Rollback(); rollbackErr != nil {
+		if err = encChangeFunc(ctx, p, tx, skey); err != nil {
-			return fmt.Errorf("rollback error %v: rollback due to error: %w", rollbackErr, err)
+			if rerr := tx.Rollback(); rerr != nil {
 				return fmt.Errorf("rollback error %v: rollback due to error: %w", rerr, err)
 			}
 			return fmt.Errorf("rollback due to error: %w", err)
 		}
 	}
 	if err = p.setNewEncryptionCheckValue(ctx, tx, &skey); err != nil {
 		if rerr := tx.Rollback(); rerr != nil {
 			return fmt.Errorf("rollback error %v: rollback due to error: %w", rerr, err)
 		}
 		return fmt.Errorf("rollback due to error: %w", err)
@ -41,222 +68,262 @@ func (p *SQLProvider) SchemaEncryptionChangeKey(ctx context.Context, encryptionK
 	return tx.Commit()
 }
 func (p *SQLProvider) schemaEncryptionChangeKeyTOTP(ctx context.Context, tx *sqlx.Tx, key [32]byte) (err error) {
 	var configs []model.TOTPConfiguration
 	for page := 0; true; page++ {
 		if configs, err = p.LoadTOTPConfigurations(ctx, 10, page); err != nil {
 			if rollbackErr := tx.Rollback(); rollbackErr != nil {
 				return fmt.Errorf("rollback error %v: rollback due to error: %w", rollbackErr, err)
 			}
 			return fmt.Errorf("rollback due to error: %w", err)
 		}
 		for _, config := range configs {
 			if config.Secret, err = utils.Encrypt(config.Secret, &key); err != nil {
 				if rollbackErr := tx.Rollback(); rollbackErr != nil {
 					return fmt.Errorf("rollback error %v: rollback due to error: %w", rollbackErr, err)
 				}
 				return fmt.Errorf("rollback due to error: %w", err)
 			}
 			if err = p.updateTOTPConfigurationSecret(ctx, config); err != nil {
 				if rollbackErr := tx.Rollback(); rollbackErr != nil {
 					return fmt.Errorf("rollback error %v: rollback due to error: %w", rollbackErr, err)
 				}
 				return fmt.Errorf("rollback due to error: %w", err)
 			}
 		}
 		if len(configs) != 10 {
 			break
 		}
 	}
 	return nil
 }
 func (p *SQLProvider) schemaEncryptionChangeKeyWebauthn(ctx context.Context, tx *sqlx.Tx, key [32]byte) (err error) {
 	var devices []model.WebauthnDevice
 	for page := 0; true; page++ {
 		if devices, err = p.LoadWebauthnDevices(ctx, 10, page); err != nil {
 			if rollbackErr := tx.Rollback(); rollbackErr != nil {
 				return fmt.Errorf("rollback error %v: rollback due to error: %w", rollbackErr, err)
 			}
 			return fmt.Errorf("rollback due to error: %w", err)
 		}
 		for _, device := range devices {
 			if device.PublicKey, err = utils.Encrypt(device.PublicKey, &key); err != nil {
 				if rollbackErr := tx.Rollback(); rollbackErr != nil {
 					return fmt.Errorf("rollback error %v: rollback due to error: %w", rollbackErr, err)
 				}
 				return fmt.Errorf("rollback due to error: %w", err)
 			}
 			if err = p.updateWebauthnDevicePublicKey(ctx, device); err != nil {
 				if rollbackErr := tx.Rollback(); rollbackErr != nil {
 					return fmt.Errorf("rollback error %v: rollback due to error: %w", rollbackErr, err)
 				}
 				return fmt.Errorf("rollback due to error: %w", err)
 			}
 		}
 		if len(devices) != 10 {
 			break
 		}
 	}
 	return nil
 }
 // SchemaEncryptionCheckKey checks the encryption key configured is valid for the database.
-func (p *SQLProvider) SchemaEncryptionCheckKey(ctx context.Context, verbose bool) (err error) {
+func (p *SQLProvider) SchemaEncryptionCheckKey(ctx context.Context, verbose bool) (result EncryptionValidationResult, err error) {
 	version, err := p.SchemaVersion(ctx)
 	if err != nil {
-		return err
+		return result, err
 	}
 	if version < 1 {
-		return ErrSchemaEncryptionVersionUnsupported
+		return result, ErrSchemaEncryptionVersionUnsupported
 	}
-	var errs []error
+	result = EncryptionValidationResult{
 		Tables: map[string]EncryptionValidationTableResult{},
 	}
 	if _, err = p.getEncryptionValue(ctx, encryptionNameCheck); err != nil {
-		errs = append(errs, ErrSchemaEncryptionInvalidKey)
+		result.InvalidCheckValue = true
 	}
 	if verbose {
-		if err = p.schemaEncryptionCheckTOTP(ctx); err != nil {
+		encCheckFuncs := []EncryptionCheckKeyFunc{
-			errs = append(errs, err)
+			schemaEncryptionCheckKeyTOTP,
 			schemaEncryptionCheckKeyWebauthn,
 		}
-		if err = p.schemaEncryptionCheckWebauthn(ctx); err != nil {
+		for i := 0; true; i++ {
-			errs = append(errs, err)
+			typeOAuth2Session := OAuth2SessionType(i)
 			if typeOAuth2Session.Table() == "" {
 				break
 			}
 			encCheckFuncs = append(encCheckFuncs, schemaEncryptionCheckKeyOpenIDConnect(typeOAuth2Session))
 		}
 		for _, encCheckFunc := range encCheckFuncs {
 			table, tableResult := encCheckFunc(ctx, p)
 			result.Tables[table] = tableResult
 		}
 	}
-	if len(errs) != 0 {
+	return result, nil
-		for i, e := range errs {
+}
 			if i == 0 {
 				err = e
-				continue
+func schemaEncryptionChangeKeyTOTP(ctx context.Context, provider *SQLProvider, tx *sqlx.Tx, key [32]byte) (err error) {
-			}
+	var count int
 			err = fmt.Errorf("%w, %v", err, e)
 		}
 	if err = tx.GetContext(ctx, &count, fmt.Sprintf(queryFmtSelectRowCount, tableTOTPConfigurations)); err != nil {
 		return err
 	}
-	return nil
+	if count == 0 {
-}
+		return nil
 func (p *SQLProvider) schemaEncryptionCheckTOTP(ctx context.Context) (err error) {
 	var (
 		config  model.TOTPConfiguration
 		row     int
 		invalid int
 		total   int
 	)
 	pageSize := 10
 	var rows *sqlx.Rows
 	for page := 0; true; page++ {
 		if rows, err = p.db.QueryxContext(ctx, p.sqlSelectTOTPConfigs, pageSize, pageSize*page); err != nil {
 			_ = rows.Close()
 			return fmt.Errorf("error selecting TOTP configurations: %w", err)
 		}
 		row = 0
 		for rows.Next() {
 			total++
 			row++
 			if err = rows.StructScan(&config); err != nil {
 				_ = rows.Close()
 				return fmt.Errorf("error scanning TOTP configuration to struct: %w", err)
 			}
 			if _, err = p.decrypt(config.Secret); err != nil {
 				invalid++
 			}
 		}
 		_ = rows.Close()
 		if row < pageSize {
 			break
 		}
 	}
-	if invalid != 0 {
+	configs := make([]encTOTPConfiguration, 0, count)
-		return fmt.Errorf("%d of %d total TOTP secrets were invalid", invalid, total)
+
 	if err = tx.SelectContext(ctx, &configs, fmt.Sprintf(queryFmtSelectTOTPConfigurationsEncryptedData, tableTOTPConfigurations)); err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
 			return nil
 		}
 		return fmt.Errorf("error selecting TOTP configurations: %w", err)
 	}
 	query := provider.db.Rebind(fmt.Sprintf(queryFmtUpdateTOTPConfigurationSecret, tableTOTPConfigurations))
 	for _, c := range configs {
 		if c.Secret, err = provider.decrypt(c.Secret); err != nil {
 			return fmt.Errorf("error decrypting TOTP configuration secret with id '%d': %w", c.ID, err)
 		}
 		if c.Secret, err = utils.Encrypt(c.Secret, &key); err != nil {
 			return fmt.Errorf("error encrypting TOTP configuration secret with id '%d': %w", c.ID, err)
 		}
 		if _, err = tx.ExecContext(ctx, query, c.Secret, c.ID); err != nil {
 			return fmt.Errorf("error updating TOTP configuration secret with id '%d': %w", c.ID, err)
 		}
 	}
 	return nil
 }
-func (p *SQLProvider) schemaEncryptionCheckWebauthn(ctx context.Context) (err error) {
+func schemaEncryptionChangeKeyWebauthn(ctx context.Context, provider *SQLProvider, tx *sqlx.Tx, key [32]byte) (err error) {
-	var (
+	var count int
 		device  model.WebauthnDevice
 		row     int
 		invalid int
 		total   int
 	)
-	pageSize := 10
+	if err = tx.GetContext(ctx, &count, fmt.Sprintf(queryFmtSelectRowCount, tableWebauthnDevices)); err != nil {
 		return err
 	}
-	var rows *sqlx.Rows
+	if count == 0 {
 		return nil
 	}
-	for page := 0; true; page++ {
+	devices := make([]encWebauthnDevice, 0, count)
 		if rows, err = p.db.QueryxContext(ctx, p.sqlSelectWebauthnDevices, pageSize, pageSize*page); err != nil {
 			_ = rows.Close()
-			return fmt.Errorf("error selecting Webauthn devices: %w", err)
+	if err = tx.SelectContext(ctx, &devices, fmt.Sprintf(queryFmtSelectWebauthnDevicesEncryptedData, tableWebauthnDevices)); err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
 			return nil
 		}
-		row = 0
+		return fmt.Errorf("error selecting Webauthn devices: %w", err)
 	}
-		for rows.Next() {
+	query := provider.db.Rebind(fmt.Sprintf(queryFmtUpdateWebauthnDevicePublicKey, tableWebauthnDevices))
 			total++
 			row++
-			if err = rows.StructScan(&device); err != nil {
+	for _, d := range devices {
-				_ = rows.Close()
+		if d.PublicKey, err = provider.decrypt(d.PublicKey); err != nil {
-				return fmt.Errorf("error scanning Webauthn device to struct: %w", err)
+			return fmt.Errorf("error decrypting Webauthn device public key with id '%d': %w", d.ID, err)
 		}
 		if d.PublicKey, err = utils.Encrypt(d.PublicKey, &key); err != nil {
 			return fmt.Errorf("error encrypting Webauthn device public key with id '%d': %w", d.ID, err)
 		}
 		if _, err = tx.ExecContext(ctx, query, d.PublicKey, d.ID); err != nil {
 			return fmt.Errorf("error updating Webauthn device public key with id '%d': %w", d.ID, err)
 		}
 	}
 	return nil
 }
 func schemaEncryptionChangeKeyOpenIDConnect(typeOAuth2Session OAuth2SessionType) EncryptionChangeKeyFunc {
 	return func(ctx context.Context, provider *SQLProvider, tx *sqlx.Tx, key [32]byte) (err error) {
 		var count int
 		if err = tx.GetContext(ctx, &count, fmt.Sprintf(queryFmtSelectRowCount, typeOAuth2Session.Table())); err != nil {
 			return err
 		}
 		if count == 0 {
 			return nil
 		}
 		sessions := make([]encOAuth2Session, 0, count)
 		if err = tx.SelectContext(ctx, &sessions, fmt.Sprintf(queryFmtSelectOAuth2SessionEncryptedData, typeOAuth2Session.Table())); err != nil {
 			return fmt.Errorf("error selecting oauth2 %s sessions: %w", typeOAuth2Session.String(), err)
 		}
 		query := provider.db.Rebind(fmt.Sprintf(queryFmtUpdateOAuth2ConsentSessionSessionData, typeOAuth2Session.Table()))
 		for _, s := range sessions {
 			if s.Session, err = provider.decrypt(s.Session); err != nil {
 				return fmt.Errorf("error decrypting oauth2 %s session data with id '%d': %w", typeOAuth2Session.String(), s.ID, err)
 			}
-			if _, err = p.decrypt(device.PublicKey); err != nil {
+			if s.Session, err = utils.Encrypt(s.Session, &key); err != nil {
-				invalid++
+				return fmt.Errorf("error encrypting oauth2 %s session data with id '%d': %w", typeOAuth2Session.String(), s.ID, err)
 			}
 			if _, err = tx.ExecContext(ctx, query, s.Session, s.ID); err != nil {
 				return fmt.Errorf("error updating oauth2 %s session data with id '%d': %w", typeOAuth2Session.String(), s.ID, err)
 			}
 		}
 		return nil
 	}
 }
 func schemaEncryptionCheckKeyTOTP(ctx context.Context, provider *SQLProvider) (table string, result EncryptionValidationTableResult) {
 	var (
 		rows *sqlx.Rows
 		err  error
 	)
 	if rows, err = provider.db.QueryxContext(ctx, fmt.Sprintf(queryFmtSelectTOTPConfigurationsEncryptedData, tableTOTPConfigurations)); err != nil {
 		return tableTOTPConfigurations, EncryptionValidationTableResult{Error: fmt.Errorf("error selecting TOTP configurations: %w", err)}
 	}
 	var config encTOTPConfiguration
 	for rows.Next() {
 		result.Total++
 		if err = rows.StructScan(&config); err != nil {
 			_ = rows.Close()
 			return tableTOTPConfigurations, EncryptionValidationTableResult{Error: fmt.Errorf("error scanning TOTP configuration to struct: %w", err)}
 		}
 		if _, err = provider.decrypt(config.Secret); err != nil {
 			result.Invalid++
 		}
 	}
 	_ = rows.Close()
 	return tableTOTPConfigurations, result
 }
 func schemaEncryptionCheckKeyWebauthn(ctx context.Context, provider *SQLProvider) (table string, result EncryptionValidationTableResult) {
 	var (
 		rows *sqlx.Rows
 		err  error
 	)
 	if rows, err = provider.db.QueryxContext(ctx, fmt.Sprintf(queryFmtSelectWebauthnDevicesEncryptedData, tableWebauthnDevices)); err != nil {
 		return tableWebauthnDevices, EncryptionValidationTableResult{Error: fmt.Errorf("error selecting Webauthn devices: %w", err)}
 	}
 	var device encWebauthnDevice
 	for rows.Next() {
 		result.Total++
 		if err = rows.StructScan(&device); err != nil {
 			_ = rows.Close()
 			return tableWebauthnDevices, EncryptionValidationTableResult{Error: fmt.Errorf("error scanning Webauthn device to struct: %w", err)}
 		}
 		if _, err = provider.decrypt(device.PublicKey); err != nil {
 			result.Invalid++
 		}
 	}
 	_ = rows.Close()
 	return tableWebauthnDevices, result
 }
 func schemaEncryptionCheckKeyOpenIDConnect(typeOAuth2Session OAuth2SessionType) EncryptionCheckKeyFunc {
 	return func(ctx context.Context, provider *SQLProvider) (table string, result EncryptionValidationTableResult) {
 		var (
 			rows *sqlx.Rows
 			err  error
 		)
 		if rows, err = provider.db.QueryxContext(ctx, fmt.Sprintf(queryFmtSelectOAuth2SessionEncryptedData, typeOAuth2Session.Table())); err != nil {
 			return typeOAuth2Session.Table(), EncryptionValidationTableResult{Error: fmt.Errorf("error selecting oauth2 %s sessions: %w", typeOAuth2Session.String(), err)}
 		}
 		var session encOAuth2Session
 		for rows.Next() {
 			result.Total++
 			if err = rows.StructScan(&session); err != nil {
 				_ = rows.Close()
 				return typeOAuth2Session.Table(), EncryptionValidationTableResult{Error: fmt.Errorf("error scanning oauth2 %s session to struct: %w", typeOAuth2Session.String(), err)}
 			}
 			if _, err = provider.decrypt(session.Session); err != nil {
 				result.Invalid++
 			}
 		}
 		_ = rows.Close()
-		if row < pageSize {
+		return typeOAuth2Session.Table(), result
 			break
 		}
 	}
 	if invalid != 0 {
 		return fmt.Errorf("%d of %d total Webauthn devices were invalid", invalid, total)
 	}
 	return nil
 }
 func (p *SQLProvider) encrypt(clearText []byte) (cipherText []byte, err error) {
@ -278,7 +345,7 @@ func (p *SQLProvider) getEncryptionValue(ctx context.Context, name string) (valu
 	return p.decrypt(encryptedValue)
 }
-func (p *SQLProvider) setNewEncryptionCheckValue(ctx context.Context, key *[32]byte, e sqlx.ExecerContext) (err error) {
+func (p *SQLProvider) setNewEncryptionCheckValue(ctx context.Context, conn SQLXConnection, key *[32]byte) (err error) {
 	valueClearText, err := uuid.NewRandom()
 	if err != nil {
 		return err
@ -289,11 +356,7 @@ func (p *SQLProvider) setNewEncryptionCheckValue(ctx context.Context, key *[32]b
 		return err
 	}
-	if e != nil {
+	_, err = conn.ExecContext(ctx, p.sqlUpsertEncryptionValue, encryptionNameCheck, value)
 		_, err = e.ExecContext(ctx, p.sqlUpsertEncryptionValue, encryptionNameCheck, value)
 	} else {
 		_, err = p.db.ExecContext(ctx, p.sqlUpsertEncryptionValue, encryptionNameCheck, value)
 	}
 	return err
 }
--- a/internal/storage/sql_provider_queries.go
+++ b/internal/storage/sql_provider_queries.go
@ -83,18 +83,16 @@ const (
 		LIMIT ?
 		OFFSET ?;`
 	queryFmtSelectTOTPConfigurationsEncryptedData = `
 		SELECT id, secret
 		FROM %s;`
 	//nolint:gosec // These are not hardcoded credentials it's a query to obtain credentials.
 	queryFmtUpdateTOTPConfigurationSecret = `
 		UPDATE %s
 		SET secret = ?
 		WHERE id = ?;`
 	//nolint:gosec // These are not hardcoded credentials it's a query to obtain credentials.
 	queryFmtUpdateTOTPConfigurationSecretByUsername = `
 		UPDATE %s
 		SET secret = ?
 		WHERE username = ?;`
 	queryFmtUpsertTOTPConfiguration = `
 		REPLACE INTO %s (created_at, last_used_at, username, issuer, algorithm, digits, period, secret)
 		VALUES (?, ?, ?, ?, ?, ?, ?, ?);`
@ -127,6 +125,10 @@ const (
 		LIMIT ?
 		OFFSET ?;`
 	queryFmtSelectWebauthnDevicesEncryptedData = `
 		SELECT id, public_key
 		FROM %s;`
 	queryFmtSelectWebauthnDevicesByUsername = `
 		SELECT id, created_at, last_used_at, rpid, username, description, kid, public_key, attestation_type, transport, aaguid, sign_count, clone_warning
 		FROM %s
@ -137,11 +139,6 @@ const (
 		SET public_key = ?
 		WHERE id = ?;`
 	queryFmtUpdateUpdateWebauthnDevicePublicKeyByUsername = `
 		UPDATE %s
 		SET public_key = ?
 		WHERE username = ? AND kid = ?;`
 	queryFmtUpdateWebauthnDeviceRecordSignIn = `
 		UPDATE %s
 		SET
@ -265,6 +262,11 @@ const (
 		SET subject = ?
 		WHERE id = ?;`
 	queryFmtUpdateOAuth2ConsentSessionSessionData = `
 		UPDATE %s
 		SET session_data = ?
 		WHERE id = ?;`
 	queryFmtUpdateOAuth2ConsentSessionResponse = `
 		UPDATE %s
 		SET authorized = ?, responded_at = CURRENT_TIMESTAMP, granted_scopes = ?, granted_audience = ?, preconfiguration = ?
@ -282,6 +284,10 @@ const (
 		FROM %s
 		WHERE signature = ? AND revoked = FALSE;`
 	queryFmtSelectOAuth2SessionEncryptedData = `
 		SELECT id, session_data
 		FROM %s;`
 	queryFmtInsertOAuth2Session = `
 		INSERT INTO %s (challenge_id, request_id, client_id, signature, subject, requested_at,
 		requested_scopes, granted_scopes, requested_audience, granted_audience,
--- a/internal/storage/sql_provider_queries_special.go
+++ b/internal/storage/sql_provider_queries_special.go
@ -1,8 +1,6 @@
 package storage
 const (
 	queryFmtDropTableIfExists = `DROP TABLE IF EXISTS %s;`
 	queryFmtRenameTable = `
 		ALTER TABLE %s
 		RENAME TO %s;`
@ -10,104 +8,10 @@ const (
 	queryFmtMySQLRenameTable = `
 		ALTER TABLE %s
 		RENAME %s;`
-)
+
-
+	queryFmtPostgreSQLLockTable = `LOCK TABLE %s IN %s MODE;`
-// Pre1 migration constants.
+
-const (
+	queryFmtSelectRowCount = `
-	queryFmtPre1To1SelectAuthenticationLogs = `
+		SELECT COUNT(id)
-		SELECT username, successful, time
+		FROM %s;`
 		FROM %s
 		ORDER BY time ASC
 		LIMIT 100 OFFSET ?;`
 	queryFmtPre1To1InsertAuthenticationLogs = `
 		INSERT INTO %s (username, successful, time, request_uri)
 		VALUES (?, ?, ?, '');`
 	queryFmtPre1InsertUserPreferencesFromSelect = `
 		INSERT INTO %s (username, second_factor_method)
 		SELECT username, second_factor_method
 		FROM %s
 		ORDER BY username ASC;`
 	queryFmtPre1SelectTOTPConfigurations = `
 		SELECT username, secret
 		FROM %s
 		ORDER BY username ASC;`
 	queryFmtPre1To1InsertTOTPConfiguration = `
 		INSERT INTO %s (username, issuer, period, secret)
 		VALUES (?, ?, ?, ?);`
 	queryFmt1ToPre1InsertTOTPConfiguration = `
 		INSERT INTO %s (username, secret)
 		VALUES (?, ?);`
 	queryFmtPre1To1SelectU2FDevices = `
 		SELECT username, keyHandle, publicKey
 		FROM %s
 		ORDER BY username ASC;`
 	queryFmtPre1To1InsertU2FDevice = `
 		INSERT INTO %s (username, key_handle, public_key)
 		VALUES (?, ?, ?);`
 	queryFmt1ToPre1InsertAuthenticationLogs = `
 		INSERT INTO %s (username, successful, time)
 		VALUES (?, ?, ?);`
 	queryFmt1ToPre1SelectAuthenticationLogs = `
 		SELECT username, successful, time
 		FROM %s
 		ORDER BY id ASC
 		LIMIT 100 OFFSET ?;`
 	queryFmt1ToPre1SelectU2FDevices = `
 		SELECT username, key_handle, public_key
 		FROM %s
 		ORDER BY username ASC;`
 	queryFmt1ToPre1InsertU2FDevice = `
 		INSERT INTO %s (username, keyHandle, publicKey)
 		VALUES (?, ?, ?);`
 	queryCreatePre1 = `
 		CREATE TABLE user_preferences (
 			username VARCHAR(100),
 			second_factor_method VARCHAR(11),
 			PRIMARY KEY (username)
 		);
 		CREATE TABLE identity_verification_tokens (
 			token VARCHAR(512)
 		);
 		CREATE TABLE totp_secrets (
 			username VARCHAR(100),
 			secret VARCHAR(64),
 			PRIMARY KEY (username)
 		);
 		CREATE TABLE u2f_devices (
 			username VARCHAR(100),
 			keyHandle TEXT,
 			publicKey TEXT,
 			PRIMARY KEY (username)
 		);
 		CREATE TABLE authentication_logs (
 			username VARCHAR(100),
 			successful BOOL,
 			time INTEGER
 		);
 		CREATE TABLE config (
 			category VARCHAR(32) NOT NULL,
 			key_name VARCHAR(32) NOT NULL,
 			value    TEXT,
 			PRIMARY KEY (category, key_name)
 		);
 		INSERT INTO config (category, key_name, value)
 		VALUES ('schema', 'version', '1');`
 )
--- a/internal/storage/sql_provider_schema.go
+++ b/internal/storage/sql_provider_schema.go
@ -81,184 +81,9 @@ func (p *SQLProvider) SchemaVersion(ctx context.Context) (version int, err error
 	return 0, nil
 }
-func (p *SQLProvider) schemaLatestMigration(ctx context.Context) (migration *model.Migration, err error) {
+// SchemaLatestVersion returns the latest version available for migration.
-	migration = &model.Migration{}
+func (p *SQLProvider) SchemaLatestVersion() (version int, err error) {
-
+	return latestMigrationVersion(p.name)
 	err = p.db.QueryRowxContext(ctx, p.sqlSelectLatestMigration).StructScan(migration)
 	if err != nil {
 		return nil, err
 	}
 	return migration, nil
 }
 // SchemaMigrationHistory returns migration history rows.
 func (p *SQLProvider) SchemaMigrationHistory(ctx context.Context) (migrations []model.Migration, err error) {
 	rows, err := p.db.QueryxContext(ctx, p.sqlSelectMigrations)
 	if err != nil {
 		return nil, err
 	}
 	defer func() {
 		if err := rows.Close(); err != nil {
 			p.log.Errorf(logFmtErrClosingConn, err)
 		}
 	}()
 	var migration model.Migration
 	for rows.Next() {
 		err = rows.StructScan(&migration)
 		if err != nil {
 			return nil, err
 		}
 		migrations = append(migrations, migration)
 	}
 	return migrations, nil
 }
 // SchemaMigrate migrates from the current version to the provided version.
 func (p *SQLProvider) SchemaMigrate(ctx context.Context, up bool, version int) (err error) {
 	currentVersion, err := p.SchemaVersion(ctx)
 	if err != nil {
 		return err
 	}
 	if err = schemaMigrateChecks(p.name, up, version, currentVersion); err != nil {
 		return err
 	}
 	return p.schemaMigrate(ctx, currentVersion, version)
 }
 //nolint:gocyclo // TODO: Consider refactoring time permitting.
 func (p *SQLProvider) schemaMigrate(ctx context.Context, prior, target int) (err error) {
 	migrations, err := loadMigrations(p.name, prior, target)
 	if err != nil {
 		return err
 	}
 	if len(migrations) == 0 && (prior != 1 || target != -1) {
 		return ErrNoMigrationsFound
 	}
 	switch {
 	case prior == -1:
 		p.log.Infof(logFmtMigrationFromTo, "pre1", strconv.Itoa(migrations[len(migrations)-1].After()))
 		err = p.schemaMigratePre1To1(ctx)
 		if err != nil {
 			if errRollback := p.schemaMigratePre1To1Rollback(ctx, true); errRollback != nil {
 				return fmt.Errorf(errFmtFailedMigrationPre1, err)
 			}
 			return fmt.Errorf(errFmtFailedMigrationPre1, err)
 		}
 	case target == -1:
 		p.log.Infof(logFmtMigrationFromTo, strconv.Itoa(prior), "pre1")
 	default:
 		p.log.Infof(logFmtMigrationFromTo, strconv.Itoa(prior), strconv.Itoa(migrations[len(migrations)-1].After()))
 	}
 	for _, migration := range migrations {
 		if prior == -1 && migration.Version == 1 {
 			// Skip migration version 1 when upgrading from pre1 as it's applied as part of the pre1 upgrade.
 			continue
 		}
 		err = p.schemaMigrateApply(ctx, migration)
 		if err != nil {
 			return p.schemaMigrateRollback(ctx, prior, migration.After(), err)
 		}
 	}
 	switch {
 	case prior == -1:
 		p.log.Infof(logFmtMigrationComplete, "pre1", strconv.Itoa(migrations[len(migrations)-1].After()))
 	case target == -1:
 		err = p.schemaMigrate1ToPre1(ctx)
 		if err != nil {
 			if errRollback := p.schemaMigratePre1To1Rollback(ctx, false); errRollback != nil {
 				return fmt.Errorf(errFmtFailedMigrationPre1, err)
 			}
 			return fmt.Errorf(errFmtFailedMigrationPre1, err)
 		}
 		p.log.Infof(logFmtMigrationComplete, strconv.Itoa(prior), "pre1")
 	default:
 		p.log.Infof(logFmtMigrationComplete, strconv.Itoa(prior), strconv.Itoa(migrations[len(migrations)-1].After()))
 	}
 	return nil
 }
 func (p *SQLProvider) schemaMigrateRollback(ctx context.Context, prior, after int, migrateErr error) (err error) {
 	migrations, err := loadMigrations(p.name, after, prior)
 	if err != nil {
 		return fmt.Errorf("error loading migrations from version %d to version %d for rollback: %+v. rollback caused by: %+v", prior, after, err, migrateErr)
 	}
 	for _, migration := range migrations {
 		if prior == -1 && !migration.Up && migration.Version == 1 {
 			continue
 		}
 		err = p.schemaMigrateApply(ctx, migration)
 		if err != nil {
 			return fmt.Errorf("error applying migration version %d to version %d for rollback: %+v. rollback caused by: %+v", migration.Before(), migration.After(), err, migrateErr)
 		}
 	}
 	if prior == -1 {
 		if err = p.schemaMigrate1ToPre1(ctx); err != nil {
 			return fmt.Errorf("error applying migration version 1 to version pre1 for rollback: %+v. rollback caused by: %+v", err, migrateErr)
 		}
 	}
 	return fmt.Errorf("migration rollback complete. rollback caused by: %+v", migrateErr)
 }
 func (p *SQLProvider) schemaMigrateApply(ctx context.Context, migration model.SchemaMigration) (err error) {
 	_, err = p.db.ExecContext(ctx, migration.Query)
 	if err != nil {
 		return fmt.Errorf(errFmtFailedMigration, migration.Version, migration.Name, err)
 	}
 	if migration.Version == 1 {
 		// Skip the migration history insertion in a migration to v0.
 		if !migration.Up {
 			return nil
 		}
 		// Add the schema encryption value if upgrading to v1.
 		if err = p.setNewEncryptionCheckValue(ctx, &p.key, nil); err != nil {
 			return err
 		}
 	}
 	if migration.Version == 1 && !migration.Up {
 		return nil
 	}
 	return p.schemaMigrateFinalize(ctx, migration)
 }
 func (p *SQLProvider) schemaMigrateFinalize(ctx context.Context, migration model.SchemaMigration) (err error) {
 	return p.schemaMigrateFinalizeAdvanced(ctx, migration.Before(), migration.After())
 }
 func (p *SQLProvider) schemaMigrateFinalizeAdvanced(ctx context.Context, before, after int) (err error) {
 	_, err = p.db.ExecContext(ctx, p.sqlInsertMigration, time.Now(), before, after, utils.Version())
 	if err != nil {
 		return err
 	}
 	p.log.Debugf("Storage schema migrated from version %d to %d", before, after)
 	return nil
 }
 // SchemaMigrationsUp returns a list of migrations up available between the current version and the provided version.
@ -293,12 +118,214 @@ func (p *SQLProvider) SchemaMigrationsDown(ctx context.Context, version int) (mi
 	return loadMigrations(p.name, current, version)
 }
-// SchemaLatestVersion returns the latest version available for migration.
+// SchemaMigrationHistory returns migration history rows.
-func (p *SQLProvider) SchemaLatestVersion() (version int, err error) {
+func (p *SQLProvider) SchemaMigrationHistory(ctx context.Context) (migrations []model.Migration, err error) {
-	return latestMigrationVersion(p.name)
+	rows, err := p.db.QueryxContext(ctx, p.sqlSelectMigrations)
 	if err != nil {
 		return nil, err
 	}
 	defer func() {
 		if err := rows.Close(); err != nil {
 			p.log.Errorf(logFmtErrClosingConn, err)
 		}
 	}()
 	var migration model.Migration
 	for rows.Next() {
 		err = rows.StructScan(&migration)
 		if err != nil {
 			return nil, err
 		}
 		migrations = append(migrations, migration)
 	}
 	return migrations, nil
 }
 // SchemaMigrate migrates from the current version to the provided version.
 func (p *SQLProvider) SchemaMigrate(ctx context.Context, up bool, version int) (err error) {
 	var (
 		tx   *sqlx.Tx
 		conn SQLXConnection
 	)
 	if p.name != providerMySQL {
 		if tx, err = p.db.BeginTxx(ctx, nil); err != nil {
 			return fmt.Errorf("failed to begin transaction: %w", err)
 		}
 		conn = tx
 	} else {
 		conn = p.db
 	}
 	currentVersion, err := p.SchemaVersion(ctx)
 	if err != nil {
 		return err
 	}
 	if currentVersion != 0 {
 		if err = p.schemaMigrateLock(ctx, conn); err != nil {
 			return err
 		}
 	}
 	if err = schemaMigrateChecks(p.name, up, version, currentVersion); err != nil {
 		if tx != nil {
 			_ = tx.Rollback()
 		}
 		return err
 	}
 	if err = p.schemaMigrate(ctx, conn, currentVersion, version); err != nil {
 		if tx != nil && err == ErrNoMigrationsFound {
 			_ = tx.Rollback()
 		}
 		return err
 	}
 	if tx != nil {
 		if err = tx.Commit(); err != nil {
 			if rerr := tx.Rollback(); rerr != nil {
 				return fmt.Errorf("failed to commit the transaction with: commit error: %w, rollback error: %+v", err, rerr)
 			}
 			return fmt.Errorf("failed to commit the transaction but it has been rolled back: commit error: %w", err)
 		}
 	}
 	return nil
 }
 func (p *SQLProvider) schemaMigrate(ctx context.Context, conn SQLXConnection, prior, target int) (err error) {
 	migrations, err := loadMigrations(p.name, prior, target)
 	if err != nil {
 		return err
 	}
 	if len(migrations) == 0 {
 		return ErrNoMigrationsFound
 	}
 	p.log.Infof(logFmtMigrationFromTo, strconv.Itoa(prior), strconv.Itoa(migrations[len(migrations)-1].After()))
 	for i, migration := range migrations {
 		if migration.Up && prior == 0 && i == 1 {
 			if err = p.schemaMigrateLock(ctx, conn); err != nil {
 				return err
 			}
 		}
 		if err = p.schemaMigrateApply(ctx, conn, migration); err != nil {
 			return p.schemaMigrateRollback(ctx, conn, prior, migration.After(), err)
 		}
 	}
 	p.log.Infof(logFmtMigrationComplete, strconv.Itoa(prior), strconv.Itoa(migrations[len(migrations)-1].After()))
 	return nil
 }
 func (p *SQLProvider) schemaMigrateLock(ctx context.Context, conn SQLXConnection) (err error) {
 	if p.name != providerPostgres {
 		return nil
 	}
 	if _, err = conn.ExecContext(ctx, fmt.Sprintf(queryFmtPostgreSQLLockTable, tableMigrations, "ACCESS EXCLUSIVE")); err != nil {
 		return fmt.Errorf("failed to lock tables: %w", err)
 	}
 	return nil
 }
 func (p *SQLProvider) schemaMigrateApply(ctx context.Context, conn SQLXConnection, migration model.SchemaMigration) (err error) {
 	if _, err = conn.ExecContext(ctx, migration.Query); err != nil {
 		return fmt.Errorf(errFmtFailedMigration, migration.Version, migration.Name, err)
 	}
 	if migration.Version == 1 && migration.Up {
 		// Add the schema encryption value if upgrading to v1.
 		if err = p.setNewEncryptionCheckValue(ctx, conn, &p.key); err != nil {
 			return err
 		}
 	}
 	if err = p.schemaMigrateFinalize(ctx, conn, migration); err != nil {
 		return err
 	}
 	return nil
 }
 func (p *SQLProvider) schemaMigrateFinalize(ctx context.Context, conn SQLXConnection, migration model.SchemaMigration) (err error) {
 	if migration.Version == 1 && !migration.Up {
 		return nil
 	}
 	if _, err = conn.ExecContext(ctx, p.sqlInsertMigration, time.Now(), migration.Before(), migration.After(), utils.Version()); err != nil {
 		return fmt.Errorf("failed inserting migration record: %w", err)
 	}
 	p.log.Debugf("Storage schema migrated from version %d to %d", migration.Before(), migration.After())
 	return nil
 }
 func (p *SQLProvider) schemaMigrateRollback(ctx context.Context, conn SQLXConnection, prior, after int, merr error) (err error) {
 	switch tx := conn.(type) {
 	case *sqlx.Tx:
 		return p.schemaMigrateRollbackWithTx(ctx, tx, merr)
 	default:
 		return p.schemaMigrateRollbackWithoutTx(ctx, prior, after, merr)
 	}
 }
 func (p *SQLProvider) schemaMigrateRollbackWithTx(_ context.Context, tx *sqlx.Tx, merr error) (err error) {
 	if err = tx.Rollback(); err != nil {
 		return fmt.Errorf("error applying rollback %+v. rollback caused by: %w", err, merr)
 	}
 	return fmt.Errorf("migration rollback complete. rollback caused by: %w", merr)
 }
 func (p *SQLProvider) schemaMigrateRollbackWithoutTx(ctx context.Context, prior, after int, merr error) (err error) {
 	migrations, err := loadMigrations(p.name, after, prior)
 	if err != nil {
 		return fmt.Errorf("error loading migrations from version %d to version %d for rollback: %+v. rollback caused by: %w", prior, after, err, merr)
 	}
 	for _, migration := range migrations {
 		if err = p.schemaMigrateApply(ctx, p.db, migration); err != nil {
 			return fmt.Errorf("error applying migration version %d to version %d for rollback: %+v. rollback caused by: %w", migration.Before(), migration.After(), err, merr)
 		}
 	}
 	return fmt.Errorf("migration rollback complete. rollback caused by: %w", merr)
 }
 func (p *SQLProvider) schemaLatestMigration(ctx context.Context) (migration *model.Migration, err error) {
 	migration = &model.Migration{}
 	if err = p.db.QueryRowxContext(ctx, p.sqlSelectLatestMigration).StructScan(migration); err != nil {
 		return nil, err
 	}
 	return migration, nil
 }
 func schemaMigrateChecks(providerName string, up bool, targetVersion, currentVersion int) (err error) {
 	switch {
 	case currentVersion == -1:
 		return fmt.Errorf(errFmtMigrationPre1, "up from", errFmtMigrationPre1SuggestedVersion)
 	case targetVersion == -1:
 		return fmt.Errorf(errFmtMigrationPre1, "down to", fmt.Sprintf("you should downgrade to schema version 1 using the current authelia version then use the suggested authelia version to downgrade to pre1: %s", errFmtMigrationPre1SuggestedVersion))
 	}
 	if targetVersion == currentVersion {
 		return fmt.Errorf(ErrFmtMigrateAlreadyOnTargetVersion, targetVersion, currentVersion)
 	}
@ -325,7 +352,7 @@ func schemaMigrateChecks(providerName string, up bool, targetVersion, currentVer
 			return fmt.Errorf(ErrFmtMigrateUpTargetGreaterThanLatest, targetVersion, latest)
 		}
 	} else {
-		if targetVersion < -1 {
+		if targetVersion < 0 {
 			return fmt.Errorf(ErrFmtMigrateDownTargetLessThanMinimum, targetVersion)
 		}
@ -345,7 +372,7 @@ func SchemaVersionToString(version int) (versionStr string) {
 	case -1:
 		return "pre1"
 	case 0:
-		return "N/A"
+		return na
 	default:
 		return strconv.Itoa(version)
 	}
--- a/internal/storage/sql_provider_schema_pre1.go
+++ b/internal/storage/sql_provider_schema_pre1.go
@ -1,470 +0,0 @@
 package storage
 import (
 	"context"
 	"database/sql"
 	"encoding/base64"
 	"fmt"
 	"strings"
 	"time"
 	"github.com/authelia/authelia/v4/internal/model"
 	"github.com/authelia/authelia/v4/internal/utils"
 )
 // schemaMigratePre1To1 takes the v1 migration and migrates to this version.
 func (p *SQLProvider) schemaMigratePre1To1(ctx context.Context) (err error) {
 	migration, err := loadMigration(p.name, 1, true)
 	if err != nil {
 		return err
 	}
 	// Get Tables list.
 	tables, err := p.SchemaTables(ctx)
 	if err != nil {
 		return err
 	}
 	tablesRename := []string{
 		tablePre1Config,
 		tablePre1TOTPSecrets,
 		tablePre1IdentityVerificationTokens,
 		tablePre1U2FDevices,
 		tableUserPreferences,
 		tableAuthenticationLogs,
 		tableAlphaPreferences,
 		tableAlphaIdentityVerificationTokens,
 		tableAlphaAuthenticationLogs,
 		tableAlphaPreferencesTableName,
 		tableAlphaSecondFactorPreferences,
 		tableAlphaTOTPSecrets,
 		tableAlphaU2FDeviceHandles,
 	}
 	if err = p.schemaMigratePre1Rename(ctx, tables, tablesRename); err != nil {
 		return err
 	}
 	if _, err = p.db.ExecContext(ctx, migration.Query); err != nil {
 		return fmt.Errorf(errFmtFailedMigration, migration.Version, migration.Name, err)
 	}
 	if err = p.setNewEncryptionCheckValue(ctx, &p.key, nil); err != nil {
 		return err
 	}
 	if _, err = p.db.ExecContext(ctx, fmt.Sprintf(p.db.Rebind(queryFmtPre1InsertUserPreferencesFromSelect),
 		tableUserPreferences, tablePrefixBackup+tableUserPreferences)); err != nil {
 		return err
 	}
 	if err = p.schemaMigratePre1To1AuthenticationLogs(ctx); err != nil {
 		return err
 	}
 	if err = p.schemaMigratePre1To1U2F(ctx); err != nil {
 		return err
 	}
 	if err = p.schemaMigratePre1To1TOTP(ctx); err != nil {
 		return err
 	}
 	for _, table := range tablesRename {
 		if _, err = p.db.Exec(fmt.Sprintf(p.db.Rebind(queryFmtDropTableIfExists), tablePrefixBackup+table)); err != nil {
 			return err
 		}
 	}
 	return p.schemaMigrateFinalizeAdvanced(ctx, -1, 1)
 }
 func (p *SQLProvider) schemaMigratePre1Rename(ctx context.Context, tables, tablesRename []string) (err error) {
 	// Rename Tables and Indexes.
 	for _, table := range tables {
 		if !utils.IsStringInSlice(table, tablesRename) {
 			continue
 		}
 		tableNew := tablePrefixBackup + table
 		if _, err = p.db.ExecContext(ctx, fmt.Sprintf(p.sqlFmtRenameTable, table, tableNew)); err != nil {
 			return err
 		}
 		if p.name == providerPostgres {
 			if table == tablePre1U2FDevices || table == tableUserPreferences {
 				if _, err = p.db.ExecContext(ctx, fmt.Sprintf(`ALTER TABLE %s RENAME CONSTRAINT %s_pkey TO %s_pkey;`,
 					tableNew, table, tableNew)); err != nil {
 					continue
 				}
 			}
 		}
 	}
 	return nil
 }
 func (p *SQLProvider) schemaMigratePre1To1Rollback(ctx context.Context, up bool) (err error) {
 	if up {
 		migration, err := loadMigration(p.name, 1, false)
 		if err != nil {
 			return err
 		}
 		if _, err = p.db.ExecContext(ctx, migration.Query); err != nil {
 			return fmt.Errorf(errFmtFailedMigration, migration.Version, migration.Name, err)
 		}
 	}
 	tables, err := p.SchemaTables(ctx)
 	if err != nil {
 		return err
 	}
 	for _, table := range tables {
 		if !strings.HasPrefix(table, tablePrefixBackup) {
 			continue
 		}
 		tableNew := strings.Replace(table, tablePrefixBackup, "", 1)
 		if _, err = p.db.ExecContext(ctx, fmt.Sprintf(p.sqlFmtRenameTable, table, tableNew)); err != nil {
 			return err
 		}
 		if p.name == providerPostgres && (tableNew == tablePre1U2FDevices || tableNew == tableUserPreferences) {
 			if _, err = p.db.ExecContext(ctx, fmt.Sprintf(`ALTER TABLE %s RENAME CONSTRAINT %s_pkey TO %s_pkey;`,
 				tableNew, table, tableNew)); err != nil {
 				continue
 			}
 		}
 	}
 	return nil
 }
 func (p *SQLProvider) schemaMigratePre1To1AuthenticationLogs(ctx context.Context) (err error) {
 	for page := 0; true; page++ {
 		attempts, err := p.schemaMigratePre1To1AuthenticationLogsGetRows(ctx, page)
 		if err != nil {
 			if err == sql.ErrNoRows {
 				break
 			}
 			return err
 		}
 		for _, attempt := range attempts {
 			_, err = p.db.ExecContext(ctx, fmt.Sprintf(p.db.Rebind(queryFmtPre1To1InsertAuthenticationLogs), tableAuthenticationLogs), attempt.Username, attempt.Successful, attempt.Time)
 			if err != nil {
 				return err
 			}
 		}
 		if len(attempts) != 100 {
 			break
 		}
 	}
 	return nil
 }
 func (p *SQLProvider) schemaMigratePre1To1AuthenticationLogsGetRows(ctx context.Context, page int) (attempts []model.AuthenticationAttempt, err error) {
 	rows, err := p.db.QueryxContext(ctx, fmt.Sprintf(p.db.Rebind(queryFmtPre1To1SelectAuthenticationLogs), tablePrefixBackup+tableAuthenticationLogs), page*100)
 	if err != nil {
 		return nil, err
 	}
 	attempts = make([]model.AuthenticationAttempt, 0, 100)
 	for rows.Next() {
 		var (
 			username   string
 			successful bool
 			timestamp  int64
 		)
 		err = rows.Scan(&username, &successful, &timestamp)
 		if err != nil {
 			return nil, err
 		}
 		attempts = append(attempts, model.AuthenticationAttempt{Username: username, Successful: successful, Time: time.Unix(timestamp, 0)})
 	}
 	return attempts, nil
 }
 func (p *SQLProvider) schemaMigratePre1To1TOTP(ctx context.Context) (err error) {
 	rows, err := p.db.QueryxContext(ctx, fmt.Sprintf(p.db.Rebind(queryFmtPre1SelectTOTPConfigurations), tablePrefixBackup+tablePre1TOTPSecrets))
 	if err != nil {
 		return err
 	}
 	var totpConfigs []model.TOTPConfiguration
 	defer func() {
 		if err := rows.Close(); err != nil {
 			p.log.Errorf(logFmtErrClosingConn, err)
 		}
 	}()
 	for rows.Next() {
 		var username, secret string
 		err = rows.Scan(&username, &secret)
 		if err != nil {
 			return err
 		}
 		encryptedSecret, err := p.encrypt([]byte(secret))
 		if err != nil {
 			return err
 		}
 		totpConfigs = append(totpConfigs, model.TOTPConfiguration{Username: username, Secret: encryptedSecret})
 	}
 	for _, config := range totpConfigs {
 		_, err = p.db.ExecContext(ctx, fmt.Sprintf(p.db.Rebind(queryFmtPre1To1InsertTOTPConfiguration), tableTOTPConfigurations), config.Username, p.config.TOTP.Issuer, p.config.TOTP.Period, config.Secret)
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
 func (p *SQLProvider) schemaMigratePre1To1U2F(ctx context.Context) (err error) {
 	rows, err := p.db.Queryx(fmt.Sprintf(p.db.Rebind(queryFmtPre1To1SelectU2FDevices), tablePrefixBackup+tablePre1U2FDevices))
 	if err != nil {
 		return err
 	}
 	defer func() {
 		if err := rows.Close(); err != nil {
 			p.log.Errorf(logFmtErrClosingConn, err)
 		}
 	}()
 	var devices []model.U2FDevice
 	for rows.Next() {
 		var username, keyHandleBase64, publicKeyBase64 string
 		err = rows.Scan(&username, &keyHandleBase64, &publicKeyBase64)
 		if err != nil {
 			return err
 		}
 		keyHandle, err := base64.StdEncoding.DecodeString(keyHandleBase64)
 		if err != nil {
 			return err
 		}
 		publicKey, err := base64.StdEncoding.DecodeString(publicKeyBase64)
 		if err != nil {
 			return err
 		}
 		encryptedPublicKey, err := p.encrypt(publicKey)
 		if err != nil {
 			return err
 		}
 		devices = append(devices, model.U2FDevice{Username: username, KeyHandle: keyHandle, PublicKey: encryptedPublicKey})
 	}
 	for _, device := range devices {
 		_, err = p.db.ExecContext(ctx, fmt.Sprintf(p.db.Rebind(queryFmtPre1To1InsertU2FDevice), tablePre1U2FDevices), device.Username, device.KeyHandle, device.PublicKey)
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
 func (p *SQLProvider) schemaMigrate1ToPre1(ctx context.Context) (err error) {
 	tables, err := p.SchemaTables(ctx)
 	if err != nil {
 		return err
 	}
 	tablesRename := []string{
 		tableMigrations,
 		tableTOTPConfigurations,
 		tableIdentityVerification,
 		tablePre1U2FDevices,
 		tableDuoDevices,
 		tableUserPreferences,
 		tableAuthenticationLogs,
 		tableEncryption,
 	}
 	if err = p.schemaMigratePre1Rename(ctx, tables, tablesRename); err != nil {
 		return err
 	}
 	if _, err := p.db.ExecContext(ctx, queryCreatePre1); err != nil {
 		return err
 	}
 	if _, err = p.db.ExecContext(ctx, fmt.Sprintf(p.db.Rebind(queryFmtPre1InsertUserPreferencesFromSelect),
 		tableUserPreferences, tablePrefixBackup+tableUserPreferences)); err != nil {
 		return err
 	}
 	if err = p.schemaMigrate1ToPre1AuthenticationLogs(ctx); err != nil {
 		return err
 	}
 	if err = p.schemaMigrate1ToPre1U2F(ctx); err != nil {
 		return err
 	}
 	if err = p.schemaMigrate1ToPre1TOTP(ctx); err != nil {
 		return err
 	}
 	queryFmtDropTableRebound := p.db.Rebind(queryFmtDropTableIfExists)
 	for _, table := range tablesRename {
 		if _, err = p.db.Exec(fmt.Sprintf(queryFmtDropTableRebound, tablePrefixBackup+table)); err != nil {
 			return err
 		}
 	}
 	return nil
 }
 func (p *SQLProvider) schemaMigrate1ToPre1AuthenticationLogs(ctx context.Context) (err error) {
 	for page := 0; true; page++ {
 		attempts, err := p.schemaMigrate1ToPre1AuthenticationLogsGetRows(ctx, page)
 		if err != nil {
 			if err == sql.ErrNoRows {
 				break
 			}
 			return err
 		}
 		for _, attempt := range attempts {
 			_, err = p.db.ExecContext(ctx, fmt.Sprintf(p.db.Rebind(queryFmt1ToPre1InsertAuthenticationLogs), tableAuthenticationLogs), attempt.Username, attempt.Successful, attempt.Time.Unix())
 			if err != nil {
 				return err
 			}
 		}
 		if len(attempts) != 100 {
 			break
 		}
 	}
 	return nil
 }
 func (p *SQLProvider) schemaMigrate1ToPre1AuthenticationLogsGetRows(ctx context.Context, page int) (attempts []model.AuthenticationAttempt, err error) {
 	rows, err := p.db.QueryxContext(ctx, fmt.Sprintf(p.db.Rebind(queryFmt1ToPre1SelectAuthenticationLogs), tablePrefixBackup+tableAuthenticationLogs), page*100)
 	if err != nil {
 		return nil, err
 	}
 	attempts = make([]model.AuthenticationAttempt, 0, 100)
 	var attempt model.AuthenticationAttempt
 	for rows.Next() {
 		err = rows.StructScan(&attempt)
 		if err != nil {
 			return nil, err
 		}
 		attempts = append(attempts, attempt)
 	}
 	return attempts, nil
 }
 func (p *SQLProvider) schemaMigrate1ToPre1TOTP(ctx context.Context) (err error) {
 	rows, err := p.db.QueryxContext(ctx, fmt.Sprintf(p.db.Rebind(queryFmtPre1SelectTOTPConfigurations), tablePrefixBackup+tableTOTPConfigurations))
 	if err != nil {
 		return err
 	}
 	var totpConfigs []model.TOTPConfiguration
 	defer func() {
 		if err := rows.Close(); err != nil {
 			p.log.Errorf(logFmtErrClosingConn, err)
 		}
 	}()
 	for rows.Next() {
 		var (
 			username         string
 			secretCipherText []byte
 		)
 		err = rows.Scan(&username, &secretCipherText)
 		if err != nil {
 			return err
 		}
 		secretClearText, err := p.decrypt(secretCipherText)
 		if err != nil {
 			return err
 		}
 		totpConfigs = append(totpConfigs, model.TOTPConfiguration{Username: username, Secret: secretClearText})
 	}
 	for _, config := range totpConfigs {
 		_, err = p.db.ExecContext(ctx, fmt.Sprintf(p.db.Rebind(queryFmt1ToPre1InsertTOTPConfiguration), tablePre1TOTPSecrets), config.Username, config.Secret)
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
 func (p *SQLProvider) schemaMigrate1ToPre1U2F(ctx context.Context) (err error) {
 	rows, err := p.db.QueryxContext(ctx, fmt.Sprintf(p.db.Rebind(queryFmt1ToPre1SelectU2FDevices), tablePrefixBackup+tablePre1U2FDevices))
 	if err != nil {
 		return err
 	}
 	defer func() {
 		if err := rows.Close(); err != nil {
 			p.log.Errorf(logFmtErrClosingConn, err)
 		}
 	}()
 	var (
 		devices []model.U2FDevice
 		device  model.U2FDevice
 	)
 	for rows.Next() {
 		err = rows.StructScan(&device)
 		if err != nil {
 			return err
 		}
 		device.PublicKey, err = p.decrypt(device.PublicKey)
 		if err != nil {
 			return err
 		}
 		devices = append(devices, device)
 	}
 	for _, device := range devices {
 		_, err = p.db.ExecContext(ctx, fmt.Sprintf(p.db.Rebind(queryFmt1ToPre1InsertU2FDevice), tablePre1U2FDevices), device.Username, base64.StdEncoding.EncodeToString(device.KeyHandle), base64.StdEncoding.EncodeToString(device.PublicKey))
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
--- a/internal/storage/sql_provider_schema_test.go
+++ b/internal/storage/sql_provider_schema_test.go
@ -29,7 +29,7 @@ func TestShouldReturnErrOnTargetSameAsCurrent(t *testing.T) {
 		fmt.Sprintf(ErrFmtMigrateAlreadyOnTargetVersion, 1, 1))
 }
-func TestShouldReturnErrOnUpMigrationTargetVersionLessTHanCurrent(t *testing.T) {
+func TestShouldReturnErrOnUpMigrationTargetVersionLessThanCurrent(t *testing.T) {
 	assert.EqualError(t,
 		schemaMigrateChecks(providerPostgres, true, 0, LatestVersion),
 		fmt.Sprintf(ErrFmtMigrateUpTargetLessThanCurrent, 0, LatestVersion))
@ -80,7 +80,7 @@ func TestShouldReturnErrOnVersionDoesntExits(t *testing.T) {
 		fmt.Sprintf(ErrFmtMigrateUpTargetGreaterThanLatest, SchemaLatest-1, LatestVersion))
 }
-func TestMigrationDownShouldReturnErrOnTargetLessThanPre1(t *testing.T) {
+func TestMigrationDownShouldReturnErrOnTargetLessThan1(t *testing.T) {
 	assert.EqualError(t,
 		schemaMigrateChecks(providerSQLite, false, -4, LatestVersion),
 		fmt.Sprintf(ErrFmtMigrateDownTargetLessThanMinimum, -4))
@ -93,8 +93,15 @@ func TestMigrationDownShouldReturnErrOnTargetLessThanPre1(t *testing.T) {
 		schemaMigrateChecks(providerPostgres, false, -2, LatestVersion),
 		fmt.Sprintf(ErrFmtMigrateDownTargetLessThanMinimum, -2))
-	assert.NoError(t,
+	assert.EqualError(t,
-		schemaMigrateChecks(providerPostgres, false, -1, LatestVersion))
+		schemaMigrateChecks(providerPostgres, false, -1, LatestVersion),
 		"schema migration down to pre1 is no longer supported: you must use an older version of authelia to perform this migration: you should downgrade to schema version 1 using the current authelia version then use the suggested authelia version to downgrade to pre1: the suggested authelia version is 4.37.2")
 }
 func TestMigrationDownShouldReturnErrOnCurrentLessThan0(t *testing.T) {
 	assert.EqualError(t,
 		schemaMigrateChecks(providerPostgres, true, LatestVersion, -1),
 		"schema migration up from pre1 is no longer supported: you must use an older version of authelia to perform this migration: the suggested authelia version is 4.37.2")
 }
 func TestMigrationDownShouldReturnErrOnTargetVersionGreaterThanCurrent(t *testing.T) {
--- a/internal/storage/types.go
+++ b/internal/storage/types.go
@ -0,0 +1,95 @@
 package storage
 import (
 	"context"
 	"github.com/jmoiron/sqlx"
 )
 // SQLXConnection is a *sqlx.DB or *sqlx.Tx.
 type SQLXConnection interface {
 	sqlx.Execer
 	sqlx.ExecerContext
 	sqlx.Preparer
 	sqlx.PreparerContext
 	sqlx.Queryer
 	sqlx.QueryerContext
 	sqlx.Ext
 	sqlx.ExtContext
 }
 // EncryptionChangeKeyFunc handles encryption key changes for a specific table or tables.
 type EncryptionChangeKeyFunc func(ctx context.Context, provider *SQLProvider, tx *sqlx.Tx, key [32]byte) (err error)
 // EncryptionCheckKeyFunc handles encryption key checking for a specific table or tables.
 type EncryptionCheckKeyFunc func(ctx context.Context, provider *SQLProvider) (table string, result EncryptionValidationTableResult)
 type encOAuth2Session struct {
 	ID      int    `db:"id"`
 	Session []byte `db:"session_data"`
 }
 type encWebauthnDevice struct {
 	ID        int    `db:"id"`
 	PublicKey []byte `db:"public_key"`
 }
 type encTOTPConfiguration struct {
 	ID     int    `db:"id" json:"-"`
 	Secret []byte `db:"secret" json:"-"`
 }
 // EncryptionValidationResult contains information about the success of a schema encryption validation.
 type EncryptionValidationResult struct {
 	InvalidCheckValue bool
 	Tables            map[string]EncryptionValidationTableResult
 }
 // Success returns true if no validation errors occurred.
 func (r EncryptionValidationResult) Success() bool {
 	if r.InvalidCheckValue {
 		return false
 	}
 	for _, table := range r.Tables {
 		if table.Invalid != 0 || table.Error != nil {
 			return false
 		}
 	}
 	return true
 }
 // Checked returns true the validation completed all phases even if there were errors.
 func (r EncryptionValidationResult) Checked() bool {
 	for _, table := range r.Tables {
 		if table.Error != nil {
 			return false
 		}
 	}
 	return true
 }
 // EncryptionValidationTableResult contains information about the success of a table schema encryption validation.
 type EncryptionValidationTableResult struct {
 	Error   error
 	Total   int
 	Invalid int
 }
 // ResultDescriptor returns a string representing the result.
 func (r EncryptionValidationTableResult) ResultDescriptor() string {
 	if r.Total == 0 {
 		return na
 	}
 	if r.Error != nil || r.Invalid != 0 {
 		return "FAILURE"
 	}
 	return "SUCCESS"
 }
--- a/internal/suites/suite_cli_test.go
+++ b/internal/suites/suite_cli_test.go
@ -816,7 +816,7 @@ func (s *CLISuite) TestStorage00ShouldShowCorrectPreInitInformation() {
 	output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "encryption", "check", "--config=/config/configuration.storage.yml"})
 	s.Assert().NoError(err)
-	s.Assert().Contains(output, "Could not check encryption key for validity. The schema version doesn't support encryption.")
+	s.Assert().Contains(output, "Storage Encryption Key Validation: FAILURE\n\n\tCause: The schema version doesn't support encryption.\n")
 	output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "migrate", "down", "--target=0", "--destroy-data", "--config=/config/configuration.storage.yml"})
 	s.Assert().EqualError(err, "exit status 1")
@ -1136,27 +1136,27 @@ func (s *CLISuite) TestStorage05ShouldChangeEncryptionKey() {
 	output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "encryption", "check", "--config=/config/configuration.storage.yml"})
 	s.Assert().NoError(err)
-	s.Assert().Contains(output, "Encryption key validation: failed.\n\nError: the encryption key is not valid against the schema check value.\n")
+	s.Assert().Contains(output, "Storage Encryption Key Validation: FAILURE\n\n\tCause: the configured encryption key does not appear to be valid for this database which may occur if the encryption key was changed in the configuration without using the cli to change it in the database.\n")
 	output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "encryption", "check", "--verbose", "--config=/config/configuration.storage.yml"})
 	s.Assert().NoError(err)
-	s.Assert().Contains(output, "Encryption key validation: failed.\n\nError: the encryption key is not valid against the schema check value, 4 of 4 total TOTP secrets were invalid.\n")
+	s.Assert().Contains(output, "Storage Encryption Key Validation: FAILURE\n\n\tCause: the configured encryption key does not appear to be valid for this database which may occur if the encryption key was changed in the configuration without using the cli to change it in the database.\n\nTables:\n\n\tTable (oauth2_access_token_session): N/A\n\t\tInvalid Rows: 0\n\t\tTotal Rows: 0\n\n\tTable (oauth2_authorization_code_session): N/A\n\t\tInvalid Rows: 0\n\t\tTotal Rows: 0\n\n\tTable (oauth2_openid_connect_session): N/A\n\t\tInvalid Rows: 0\n\t\tTotal Rows: 0\n\n\tTable (oauth2_pkce_request_session): N/A\n\t\tInvalid Rows: 0\n\t\tTotal Rows: 0\n\n\tTable (oauth2_refresh_token_session): N/A\n\t\tInvalid Rows: 0\n\t\tTotal Rows: 0\n\n\tTable (totp_configurations): FAILURE\n\t\tInvalid Rows: 4\n\t\tTotal Rows: 4\n\n\tTable (webauthn_devices): N/A\n\t\tInvalid Rows: 0\n\t\tTotal Rows: 0\n")
 	output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "encryption", "check", "--encryption-key=apple-apple-apple-apple", "--config=/config/configuration.storage.yml"})
 	s.Assert().NoError(err)
-	s.Assert().Contains(output, "Encryption key validation: success.\n")
+	s.Assert().Contains(output, "Storage Encryption Key Validation: SUCCESS\n")
 	output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "encryption", "check", "--verbose", "--encryption-key=apple-apple-apple-apple", "--config=/config/configuration.storage.yml"})
 	s.Assert().NoError(err)
-	s.Assert().Contains(output, "Encryption key validation: success.\n")
+	s.Assert().Contains(output, "Storage Encryption Key Validation: SUCCESS\n\nTables:\n\n\tTable (oauth2_access_token_session): N/A\n\t\tInvalid Rows: 0\n\t\tTotal Rows: 0\n\n\tTable (oauth2_authorization_code_session): N/A\n\t\tInvalid Rows: 0\n\t\tTotal Rows: 0\n\n\tTable (oauth2_openid_connect_session): N/A\n\t\tInvalid Rows: 0\n\t\tTotal Rows: 0\n\n\tTable (oauth2_pkce_request_session): N/A\n\t\tInvalid Rows: 0\n\t\tTotal Rows: 0\n\n\tTable (oauth2_refresh_token_session): N/A\n\t\tInvalid Rows: 0\n\t\tTotal Rows: 0\n\n\tTable (totp_configurations): SUCCESS\n\t\tInvalid Rows: 0\n\t\tTotal Rows: 4\n\n\tTable (webauthn_devices): N/A\n\t\tInvalid Rows: 0\n\t\tTotal Rows: 0\n")
 	output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "encryption", "change-key", "--encryption-key=apple-apple-apple-apple", "--config=/config/configuration.storage.yml"})
 	s.Assert().EqualError(err, "exit status 1")
-	s.Assert().Contains(output, "Error: you must set the --new-encryption-key flag\n")
+	s.Assert().Contains(output, "Error: you must either use an interactive terminal or use the --new-encryption-key flag\n")
 	output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "encryption", "change-key", "--encryption-key=apple-apple-apple-apple", "--new-encryption-key=abc", "--config=/config/configuration.storage.yml"})
 	s.Assert().EqualError(err, "exit status 1")