After password reset - Data isn't downloadable (Invalid private key)

I have the problem, that one of my Users has forgotten his password, so the user reset the password. After logging in user gets the Message “Invalid private key for Encryption App. Please update your private key password in your personal settings to recover access to your encrypted files.” and the user can’t view any of the files. I found that the user can update the Private Key Password in the Personal Area, but they forgot the Old log in password, so how can user gain access to the files? Any Ideas?

Steps to reproduce

1.Create User (or use an existing one)
2. Reset his password
3. Try to log in to the user account and View or download any file.
4.Massage: “Invalid private key for Encryption App. Please update your private key password in your personal settings to recover access to your encrypted files.” appears.
Is there any way to fix the files for all users and disable the encryption?

Expected behaviour

Normally it should work fine to reset a users password and access all files after the login.

Actual behaviour

He can’t access the files because of an invalid private key

Server configuration

Operating system: ubuntu / Linux

Web server: apache2 2.4


**PHP version:**7.2

ownCloud version: 10.4

**Updated from an older ownCloud or fresh install:**fresh install

Where did you install ownCloud from: From official site

Signing status (ownCloud 9.0 and above):

**The content of config/config.php:**
    "system": {
        "updatechecker": false,
        "instanceid": "oclovptb5772",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
        "datadirectory": "\/home\/ubuntu\/owncloud\/data",
        "overwrite.cli.url": "http:\/\/",
        "dbtype": "mysql",
        "version": "",
        "dbname": "owncloud",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "apps_paths": [
                "path": "\/var\/www\/owncloud\/apps",
                "url": "\/apps",
                "writable": true
                "path": "\/var\/www\/owncloud\/apps-external",
                "url": "\/apps-external",
                "writable": true
        "installed": true,
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "php",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpsecure": "ssl",
        "maintenance": false,
        "singleuser": false

Log in to the web-UI with an administrator account and click on
‘admin’ -> ‘Generate Config Report’ -> ‘Download ownCloud config report’
This report includes the config.php settings, the list of activated apps
and other details in a well sanitized form.


If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your ownCloud installation folder

ATTENTION: Do not post your config.php file in public as is. Please use one of the above
methods whenever possible. Both, the generated reports from the web-ui and from occ config:list
consistently remove sensitive data. You still may want to review the report before sending.
If done manually then it is critical for your own privacy to dilligently
remove all host names, passwords, usernames, salts and other credentials before posting.
You should assume that attackers find such information and will use them against your systems.

**List of activated apps:**

  - comments: 0.3.0
  - configreport: 0.2.0
  - dav: 0.5.0
  - encryption: 1.4.0
  - external: 1.4.0
  - federatedfilesharing: 0.5.0
  - federation: 0.1.0
  - files: 1.5.2
  - files_external: 0.7.1
  - files_mediaviewer: 1.0.2
  - files_sharing: 0.12.0
  - files_trashbin: 0.9.1
  - files_versions: 1.3.0
  - firstrunwizard: 1.2.0
  - market: 0.5.0
  - notifications: 0.5.0
  - provisioning_api: 0.5.0
  - systemtags: 0.3.0
  - updatenotification: 0.2.1
  - user_external: 0.6.0

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your ownCloud installation folder.

**Are you using external storage, if yes which one:** local/smb/sftp/... NO

**Are you using encryption:** yes

**Are you using an external user-backend, if yes which one:** LDAP/ActiveDirectory/Webdav/...

With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your ownCloud installation folder

Without access to your command line download the data/owncloud.db to your local
computer or access your SQL server remotely and run the select query:
SELECT * FROM oc_appconfig WHERE appid = ‘user_ldap’;

Eventually replace sensitive data as the name/IP-address of your LDAP server or groups.

### Client configuration

**Operating system:**

### Logs
#### Web server error log

Insert your webserver log here

#### ownCloud log (data/owncloud.log)

Insert your ownCloud log here

#### Browser log

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log
c) …

@pako81 Can you help this user?

This is the expected behavior. When using User-Key encryption, in case a user is resetting his login password, it is required for the user to access his personal settings page and provide the old as well as new login password in order to recover access to files.

Since in this case user forgot the old login password, the only possibility would be the Recovery Key option. This is a two steps process: means admin must have already enabled it and this user needs to have this option already activated on his personal settings. If this is the case, admin can reset the password for this user and so recover access. If not, access to files for this user is not possible anymore in the current state.

It is still possible to disable User-Key encryption by running the “decrypt-all” occ command and by providing the Recovery Key. This way all users files will be decrypted in bulk. But for this to work, every user must first enable the Recovery Key option in his personal settings.

Generally speaking User-Key encryption has several limitations so the recommendation is rather to use the Master Key one. Some information on this topic from our official doc:

1 Like