Can't decrypt files

Steps to reproduce

1. Files were uploaded from ownCloud client 2.5.4 (Ubuntu 18.04) (from user1)
2. After that, it was synced with a new PC (from user1)
3. We have trouble with “too many open files”
4. Change password for user1 from db
5. Change password for user1 from web admin -> users -> change password
6. After it was synced with the new PC by ownCloud client 2.5.4 (from user1): multikeydecrypt with share key failed (no start line)

Expected behaviour

We must open files or sync without errors.

Actual behaviour

We can not open files and get the following errors:

  1. 0906D06C:PEM routines:PEM_read_bio:no start line
  2. 0607A082:digital envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length
  3. 04065072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed
  4. 0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error

Server configuration

Operating system: CentOS7 3.10.0-957.12.2.el7.x86_64

Web server: Apache/2.4.6 (CentOS)

Database: 5.5.60-MariaDB MariaDB Server

PHP version: PHP 7.2.19

ownCloud version: 10.0.10 (stable)

Updated from an older ownCloud or fresh install:

Where did you install ownCloud from: official site

List of activated apps:

Default encryption module ( Bjoern Schiessle, Clark Tomlinson )

Are you using encryption: yes

Client configuration

Browser: Firefox 69.0.1

Operating system: Ubuntu 18.04

Hi,
When you open a topic in the server category, there is a template that needs to be filled out. This is to ensure that no information is missing and we can help you as fast as possible. Please fill out the template and post it here.

Also your error messages are not helpful without context, we need to know what steps you take to get these errors, so we can reproduce it and then tell you what is wrong. But all of this is part of the template, so please fill it out.

Thanks,

2 Likes

I added information to my post

1 Like

Some additional questions:

Where do you see this error message?

Not sure what you mean with “db”? Do you mean LDAP?

Where exactly do you see these messages? WebUI, owncloud sync client, owncloud.log?

2 Likes

We have trouble with “too many open files”

16T15:12:36+00:00","remoteAddr":"","user":"--","app":"PHP","method":"--","url":"--","message":"fopen(/var/www/disk/data/user1/files/sometime_used/code/php/mm.web/config/AS/AS12476): failed to open stream: Too many open files at /var/www/disk/lib/private/Files/Storage/Local.php#298"}

We solved this problem by editing the following config: /etc/security/limits.conf

apache soft nofile 500000
apache hard nofile 500000
mysql soft nofile 500000
mysql hard nofile 500000

Change password for user1 from db

I mean that we opened MariaDB and then changed the user's password in the table oc_users. Not from the WebUI.

We can not open files and get the following errors:

WebUI

In the ownCloud sync client we see the following: multikeydecrypt with share key failed (no start line)

So I guess you’re trying to change the user password of a user who has user based encryption enabled.

If the user has lost the password and you don’t have recovery keys enabled you won’t be able to access the files on the server.

If the user still knows the password they can log into the ownCloud WebUI and change the master password of the encryption key, by entering the old AND the new password.

If you have recovery key enabled you can disable user based encryption with it and then re-enable it with a new key and the new password.

More information in the docs:
https://doc.owncloud.com/server/10.1/admin_manual/configuration/files/encryption/disabling-encryption.html
https://doc.owncloud.com/server/10.1/admin_manual/configuration/files/encryption/enabling-user-key-encryption.html

Please read the docs carefully.

1 Like

Can you tell me how to manually decrypt the file key using the recovery key?

root@ubuntu1804:/var/www/owncloud# occ encryption:decrypt-all --help
Usage:
  encryption:decrypt-all [options] [--] [<user>]

Arguments:
  user                       User for whom you want to decrypt all files (optional). [default: ""]

Options:
  -m, --method[=METHOD]      Use recovery or password. If recovery method is chosen then the recovery password will be used to decrypt files. If password method is chosen then individual user passwords will be used to decrypt files.
[...]

You might have to run the occ command on your machine with sudo, php -f and the full path to the occ executable.

1 Like

When using occ, we were able to partially decrypt the files, but a large number of files could not be restored.

We are trying to decrypt the file key and the file itself using the source code of the ownCloud service and the openssl library functions for php.

  1. We managed to get the user’s private key.

  2. When trying to decrypt the filekey via the function openssl_open using the sharedkey, we get:
    0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error

  3. We also tried to use a bunch of functions:

  • openssl_private_decrypt (to get the RC4 key)

  • openssl_decrypt (to decrypt filekey)

    However, we were not able to get the RC4 key, because of a similar error:
    0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error

For each file, we have recoverykey, but the method described above for obtaining filekey did not give us results, even when using master private key.

How to decrypt filekey using recovery key, openssl functions, class Crypt (from owncloud source files)?

Can you tell me what I need to add in order to get more information about my problem?

Quote
:frowning_face:
Can anybody help?

Sorry, don’t know. Perhaps there is some openssl support forum/irc somewhere?

Hi, I am hitting the same error. Exactly the same. Would you care to tell what happened in your case? My email id is tushar dot sharma dot 9 at gmail dot com

The owncloud community is not able to help in this case.

Hello,
the error-message
Can’t read file multikeydecrypt with share key failed:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error
appeared after I added a few new users. Another error message while trying to open a PDF file was
Unexpected server response (503) while retrieving PDF path-to-pdf-file
None of the new users was able to access any of the files in the group share, but any older users could.
And I didn’t find anything here in the forum to solve my problem.
Because I think the real problem, that I didn’t find a solution, isn’t that there isn’t a solution, but that others who solved this/their problem don’t come back to let others know how they did it, here is how I solved it:
In https://doc.owncloud.org/server/10.6/admin_manual/configuration/files/encryption/sharing-encrypted-files.html I found this:
For individual shares, un-share and re-share the file. For group shares, share with any individuals who can’t access the share. This updates the encryption, and then the share owner can remove the individual shares.
So I added one of the new users as an individual to the shared folder. After it had finished, I removed the single user, so the shared folder is again shared only by the group. But now all of the new users have access to the shared folder.
I hope this will help someone in the future.

1 Like
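
An added example, not from the thread or from ownCloud's code: a from-scratch Python model of the envelope the posts above describe (a file key encrypted under an RC4 key, with that RC4 key wrapped per recipient in RSA PKCS#1 v1.5, the layout openssl_open and openssl_private_decrypt work on). It shows why a share key opened with a private key it was not made for ends in "pkcs decoding error", and, assuming that is what "updates the encryption" in the last post refers to, why sealing again for an added recipient fixes it. The names seal, open_file_key, alice and bob, the 512-bit demo keys and the file key are constructed for illustration.

```python
import secrets

def rc4(key, data):
    # RC4: key schedule, then XOR the keystream over the data.
    s, i, j, out = list(range(256)), 0, 0, bytearray()
    for n in range(256):
        j = (j + s[n] + key[n % len(key)]) % 256
        s[n], s[j] = s[j], s[n]
    j = 0
    for b in data:
        i, j = (i + 1) % 256, (j + s[(i + 1) % 256]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def keygen(bits=512):
    # Demo-sized RSA pair from Fermat-tested random primes: ((n, e), (n, d)).
    primes, e = [], 65537
    while len(primes) < 2:
        p = secrets.randbits(bits // 2) | (1 << bits // 2 - 1) | 1
        if p not in primes and (p - 1) % e and all(pow(a, p - 1, p) == 1 for a in (2, 3, 5)):
            primes.append(p)
    p, q = primes
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def seal(file_key, recipients):
    # One random RC4 key encrypts the file key; each recipient gets that RC4 key
    # in an RSA PKCS#1 v1.5 type 2 block: 00 02 <non-zero random bytes> 00 <key>.
    rc4_key, share_keys = secrets.token_bytes(16), {}
    for uid, (n, e) in recipients.items():
        k = (n.bit_length() + 7) // 8
        ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - 3 - len(rc4_key)))
        em = b"\x00\x02" + ps + b"\x00" + rc4_key
        share_keys[uid] = pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")
    return rc4(rc4_key, file_key), share_keys

def open_file_key(enc_file_key, share_key, priv):
    # RSA-decrypt the share key; the padding check fails for a non-matching key.
    n, d = priv
    em = pow(int.from_bytes(share_key, "big"), d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("pkcs decoding error")
    return rc4(em[sep + 1:], enc_file_key)

if __name__ == "__main__":  # constructed users: alice is a recipient, bob is not
    alice, bob = keygen(), keygen()
    enc, shares = seal(b"constructed-file-key", {"alice": alice[0]})
    print(open_file_key(enc, shares["alice"], alice[1]))  # recipient: key recovered
    print(open_file_key(enc, shares["alice"], bob[1]))    # non-recipient: ValueError
```

Calling seal again with both alice[0] and bob[0] as recipients produces a share key that bob's private key opens, while the file key itself stays the same.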