Decryption failed without error

Server
1

Steps to reproduce

sudo -u apache php ./occ encryption:enable
sudo -u apache php ./occ encryption:decrypt-all

Expected behaviour

I’d expect all files to be decrypted

Actual behaviour

I’m sure this is old… the files seem to be base64 encoded rather than the newer binary which seems to have been decoded.
It seems the file is ignored and considered as being succesfully decrypted.

These did not get decoded
HBEGIN:cipher:AES-256-CFB:HEND

These got decoded:
HBEGIN:oc_encryption_module:OC_DEFAULT_MODULE:cipher:AES-256-CTR:signed:true:encoding:binary:HEND

Both have ----- padding 'till the 8192 mark.

$ file IMG_4180.JPG

IMG_4180.JPG: ASCII text, with very long lines (65536), with no line terminators

$ sha256sum IMG_4180.JPG

5ae05120363e8b5ab48b2993e4577495632f59d0f7fdaeaa7e027641e87e6abb  IMG_4180.JPG

$ sudo -u apache php ./occ encryption:enable

Encryption enabled

Default module: OC_DEFAULT_MODULE

$ sudo -u apache php ./occ encryption:decrypt-all

Disable server side encryption... done.


You are about to start to decrypt all files stored in your ownCloud.
It will depend on the encryption module and your setup if this is possible.
Depending on the number and size of your files this can take some time
Please make sure that no user accesses their files during this process!

Do you really want to continue? (y/n) y
prepare encryption modules...
 done.


 %message%
 [>---------------------------]
Prepare "Default encryption module"

Configuring encryption module for decryption with user based keys
 decrypt files for user dexter (1 of 1): /dexter/files/Photos/XXXREDACTEDXXX/IMG_4181.JPG
 [-------------->-------------]

 starting to decrypt files... finished
 [============================]


all files could be decrypted successfully!

$ sha256sum IMG_4180.JPG

5ae05120363e8b5ab48b2993e4577495632f59d0f7fdaeaa7e027641e87e6abb  IMG_4180.JPG

$ file IMG_4180.JPG

IMG_4180.JPG: ASCII text, with very long lines (65536), with no line terminators

$ dd if=IMG_4180.JPG bs=8192 count=1
HBEGIN:cipher:AES-256-CFB:HEND--------------.....

Server configuration

Operating system: Gentoo
Web server: Apache 2.4.52
Database: mariadb 10.5.13
PHP version: 7.4
ownCloud version: 10.9.1

Updated from an older ownCloud or fresh install: always updated since a loooong time ago

Where did you install ownCloud from: tar.gz

The content of config/config.php:

{
    "system": {
        "loglevel": 2,
        "instanceid": "oceb871cbff2",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "updatechecker": false,
        "knowledgebaseenabled": false,
        "trusted_domains": [
            "XXX"
        ],
        "appstoreenabled": true,
        "appstoreurl": "https:\/\/marketplace.owncloud.com\/",
        "datadirectory": "\/var\/www\/XXX\/htdocs\/owncloud\/data",
        "dbtype": "mysql",
        "version": "10.9.1.2",
        "dbname": "owncloud",
        "files_external_allow_create_new_local": "true",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "forcessl": true,
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauth": 1,
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "theme": "",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trashbin_retention_obligation": "180, auto",
        "overwrite.cli.url": "\/owncloud",
        "maintenance": false,
        "cache_path": "",
        "filelocking.enabled": true,
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "\/var\/run\/redis\/redis.sock",
            "port": 0,
            "timeout": 0,
            "dbindex": 0
        },
        "apps_paths": [
            {
                "path": "\/var\/www\/XXX\/htdocs\/owncloud\/apps",
                "url": "\/apps",
                "writable": true
            }
        ],
        "htaccess.RewriteBase": "\/owncloud",
        "mail_smtpport": "587",
        "mail_smtpsecure": "tls",
        "singleuser": false,
        "allow_user_to_change_mail_address": ""
    }
}

List of activated apps:

Enabled:
  - dav:
    - Version: 0.7.0
    - Path: /var/www/XXX/htdocs/owncloud/apps/dav
  - encryption:
    - Version: 1.5.1
    - Path: /var/www/XXX/htdocs/owncloud/apps/encryption
  - federatedfilesharing:
    - Version: 0.5.0
    - Path: /var/www/XXX/htdocs/owncloud/apps/federatedfilesharing
  - federation:
    - Version: 0.1.0
    - Path: /var/www/XXX/htdocs/owncloud/apps/federation
  - files:
    - Version: 1.5.2
    - Path: /var/www/XXX/htdocs/owncloud/apps/files
  - files_external:
    - Version: 0.8.0
    - Path: /var/www/XXX/htdocs/owncloud/apps/files_external
  - files_mediaviewer:
    - Version: 1.0.5
    - Path: /var/www/XXX/htdocs/owncloud/apps/files_mediaviewer
  - files_pdfviewer:
    - Version: 1.0.1
    - Path: /var/www/XXX/htdocs/owncloud/apps/files_pdfviewer
  - files_sharing:
    - Version: 0.14.0
    - Path: /var/www/XXX/htdocs/owncloud/apps/files_sharing
  - files_versions:
    - Version: 1.3.0
    - Path: /var/www/XXX/htdocs/owncloud/apps/files_versions
  - gallery:
    - Version: 16.1.2
    - Path: /var/www/XXX/htdocs/owncloud/apps/gallery
  - market:
    - Version: 0.6.2
    - Path: /var/www/XXX/htdocs/owncloud/apps/market
  - notifications:
    - Version: 0.5.4
    - Path: /var/www/XXX/htdocs/owncloud/apps/notifications
  - provisioning_api:
    - Version: 0.5.0
    - Path: /var/www/XXX/htdocs/owncloud/apps/provisioning_api
  - systemtags:
    - Version: 0.3.0
    - Path: /var/www/XXX/htdocs/owncloud/apps/systemtags
  - updatenotification:
    - Version: 0.2.1
    - Path: /var/www/XXX/htdocs/owncloud/apps/updatenotification
Disabled:
  - calendar:
    - Path: /var/www/XXX/htdocs/owncloud/apps/calendar
  - comments:
    - Path: /var/www/XXX/htdocs/owncloud/apps/comments
  - configreport:
    - Path: /var/www/XXX/htdocs/owncloud/apps/configreport
  - contacts:
    - Path: /var/www/XXX/htdocs/owncloud/apps/contacts
  - external:
    - Path: /var/www/XXX/htdocs/owncloud/apps/external
  - files_texteditor:
    - Path: /var/www/XXX/htdocs/owncloud/apps/files_texteditor
  - files_trashbin:
    - Path: /var/www/XXX/htdocs/owncloud/apps/files_trashbin
  - firstrunwizard:
    - Path: /var/www/XXX/htdocs/owncloud/apps/firstrunwizard
  - user_external:
    - Path: /var/www/XXX/htdocs/owncloud/apps/user_external

Are you using external storage, if yes which one: NO

Are you using encryption: yes

Are you using an external user-backend, if yes which one: NO

Client configuration

Browser:
Any

Operating system:
Any

Logs

Nothing

2

That seems a broken header, so most likely ownCloud thinks the file isn’t encrypted and sends it without any change.

Is it possible to know when the file got uploaded?. Either the file was modified in the storages (which seems weird) or the file got uploaded with a very old ownCloud version and ownCloud broke compatibility at some point.
For the second case, the original ownCloud version is important in order to try to reproduce the problem.

You can also check the oc_filecache table to verify the target file is marked as encrypted there (“encrypted” column should be greater or equal to 1 if it’s encrypted)

If you have the original unencrypted file somewhere, the easiest solution would be to delete that file and reupload it

3

Makes sense…
I don’t have the original anymore…
The photo was taken on 12.12.2014 so… the initial owncloud version should be around then. Unfortunately, I don’t know when the compatibility broke. I just noticed now when trying to create a backup…
Looks like encrypted for it is 0.

4

you might want try to to set that “encrypted” value to 1 (only for the target file), but it’s a blind shot and it might break the file further.

5

First thing I did yesterday after you mentioned it.

/IMG_4180.JPG - Cannot multikey decrypt empty plain content
6

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.