In my case, the solution was to not override the original decrypted file and create an encrypted new file flagged with ".locked" suffix.

Because to avoid this common error java.io.IOException: No matching key found for the ciphertext in the stream. the encrypted file should not be corrupted with a copy or rename.