Encryption issue

Steps to reproduce

  1. I have server encryption enabled, and since I have an issue with one of my profiles I wanted to decrypt my files to download them completely without the ownCloud interface, meaning from the files directory in the data folder. Yet when I do the decryption with ./occ encryption:decrypt_all it finishes with
    “… starting to decrypt files… finished” and continues with:
    [=]

Files for following users couldn’t be decrypted,
maybe the user is not set up in a way that supports this operation:

Is there a manual way, without the occ script, to decrypt the files?

Expected behaviour

I need the files to be decrypted so I can make a copy, clean the profile and push them up via the standard client again.

Actual behaviour

Decryption doesn’t seem to work.

Server configuration

Operating system: Linux

Web server: Apache

Database: MySQL 5.5

PHP version: 7.0

ownCloud version: 10.0.10

Updated from an older ownCloud or fresh install: Updated

Where did you install ownCloud from: tar.gz file

Signing status (ownCloud 9.0 and above):

https://gist.github.com/fgn-git-hub/89a1c668c57656ca5a904c2ec013fc5d

```json
{
    "system": {
        "instanceid": "ocpgii6gb1bd",
        "passwordsalt": "REMOVED SENSITIVE VALUE",
        "datadirectory": "/var/www/localhost/owncloud/data",
        "dbtype": "mysql",
        "version": "10.0.7.2",
        "dbname": "cloud",
        "dbhost": "127.0.0.1",
        "dbtableprefix": "oc_",
        "dbuser": "REMOVED SENSITIVE VALUE",
        "dbpassword": "REMOVED SENSITIVE VALUE",
        "installed": true,
        "forcessl": true,
        "maintenance": false,
        "overwrite.cli.url": "/owncloud",
        "ldapIgnoreNamingRules": false,
        "loglevel": 0,
        "theme": "",
        "trusted_domains": [
            "cloud.localdomain.net"
        ],
        "secret": "REMOVED SENSITIVE VALUE",
        "share_folder": "/Shared",
        "mail_from_address": "REMOVED SENSITIVE VALUE",
        "mail_smtpmode": "php",
        "mail_domain": "REMOVED SENSITIVE VALUE",
        "trashbin_retention_obligation": "auto",
        "singleuser": true
    }
}
```


**List of activated apps:**

Enabled:

  • activity: 2.3.6
  • audioplayer: 2.2.4
  • calendar: 1.5.7
  • comments: 0.3.0
  • configreport: 0.1.1
  • contacts: 1.5.4
  • dav: 0.3.2
  • encryption: 1.3.1
  • external: 1.2
  • federatedfilesharing: 0.3.1
  • federation: 0.1.0
  • files: 1.5.1
  • files_external: 0.7.1
  • files_pdfviewer: 0.8.2
  • files_sharing: 0.10.1
  • files_texteditor: 2.2.1
  • files_versions: 1.3.0
  • files_videoplayer: 0.9.8
  • firstrunwizard: 1.1
  • gallery: 16.0.2
  • market: 0.2.3
  • notifications: 0.3.2
  • provisioning_api: 0.5.0
  • systemtags: 0.3.0
  • templateeditor: 0.2
  • user_external: 0.4
  • user_ldap: 0.10.0

Disabled:

  • files_trashbin
  • theme-example
  • updatenotification

**Are you using encryption:** yes

**Are you using an external user-backend, if yes which one:** ActiveDirectory

#### LDAP configuration

+-------------------------------+------------------------------------------+
| Configuration | s02 |
+-------------------------------+------------------------------------------+
| hasMemberOfFilterSupport | 1 |
| hasPagedResultSupport | |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | ldap-auth@ |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | OU=Company,DC=ad,DC=local |
| ldapBaseGroups | OU=Company,DC=ad,DC=local |
| ldapBaseUsers | OU=Company,DC=ad,DC=local |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 0 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | objectguid |
| ldapExpertUsernameAttr | |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | (&(|(objectclass=group))) |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | group |
| ldapGroupMemberAssocAttr | member |
| ldapHost | tantalos. |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(&(|(objectclass=organizationalPerson)(objectclass=person)(objectclass=user)))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))(|(cn=%uid)(displayName=%uid)))) |
| ldapLoginFilterAttributes | cn;displayName |
| ldapLoginFilterEmail | 1 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | 0 |
| ldapPagingSize | 500 |
| ldapPort | 389 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserDisplayName | displayname |
| ldapUserDisplayName2 | |
| ldapUserFilter | (&(|(objectclass=organizationalPerson)(objectclass=person)(objectclass=user))) |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | organizationalPerson;person;user |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+------------------------------------------+

+-------------------------------+------------------------------------------+
| Configuration | s03 |
+-------------------------------+------------------------------------------+
| hasMemberOfFilterSupport | 1 |
| hasPagedResultSupport | |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | ldap-auth@ |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | OU=Company,DC=ad,DC=local |
| ldapBaseGroups | OU=Company,DC=ad,DC=local |
| ldapBaseUsers | OU=Company,DC=ad,DC=local |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 0 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | |
| ldapExpertUsernameAttr | |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | (&(|(objectclass=group))) |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | group |
| ldapGroupMemberAssocAttr | member |
| ldapHost | hades. |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(&(|(objectclass=organizationalPerson)(objectclass=person)(objectclass=user)))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))(|(cn=%uid)(displayName=%uid)))) |
| ldapLoginFilterAttributes | cn;displayName |
| ldapLoginFilterEmail | 1 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | 0 |
| ldapPagingSize | 500 |
| ldapPort | 389 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserDisplayName | displayname |
| ldapUserDisplayName2 | |
| ldapUserFilter | (&(|(objectclass=organizationalPerson)(objectclass=person)(objectclass=user))) |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | organizationalPerson;person;user |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+------------------------------------------+


### Client configuration

**Browser:** Firefox/Chromium

**Operating system:** Windows/Linux

### Logs

User key or Master key?

What were the steps you did / instructions you followed to enable encryption?

How are you trying to decrypt the files?

Are the files local or on an external storage?

User key, and Master Key.
I started the encryption with the encryption addon, starting with Owncloud 7 -> 8 -> 9 -> 10
For decrypting I used ./occ encryption:decrypt_all as mentioned in the topic.
The files are local.

Yeah, you can’t have both. That’s the problem.

It’s like Sugar and Salt, you won’t mix in Salt in a Cake you have already Sugar in, right?

In our docs, which I am sure you read before enabling something as serious as encryption, there are a lot of warnings and explanations.

https://doc.owncloud.com/server/10.0/admin_manual/configuration/files/encryption_configuration.html?highlight=encryption


Dear Dmitry,
yes I did, and I’m still stuck with that. The most important part would be to get my files unencrypted. While it seems to work with every other account, it just does not work with my account.
Any idea what can be done there?

Do you have the files on an external drive or on your local storage?

If you don’t, I don’t see an option of taking your double-encrypted files off your server. The documentation is there for a reason, and encryption is not something you can turn on and off easily.

It’s on the local storage.

Your local storage or the oC server’s local storage?

The oC server’s local storage.

Then I don’t know how to help you. Maybe someone in the community has an idea.

What would have been your option if it hadn’t been on the local storage? And how do I see if I have user and server-side encryption enabled?

Well the encryption is limited on the oC server. That means if your files are on an external storage on a file server - you still can get them, because they are unencrypted.

You should read the documentation.

Ok, I finally decided to clean up my mess and deleted the whole profile.
Still, when I upload all the files, I get issues: according to the cloud, despite the fact that encryption is disabled, I get the warning that the passphrase doesn’t work and the encryption key is not correct.
Any idea how I get rid of that?

What do you mean by profile?

I deleted my user, and created a new one. After that I disabled the encryption completely via CLI and uploaded my original files. It works, but sharing doesn’t due to strange encryption issues, even though encryption is off, server-wide.

What has deleting a user to do with encryption?

Encryption is a server side mechanism. A user is just someone who has files.

Deleting a user to affect encryption is like changing tires on a car to fix the motor.

Please read our docs:

https://doc.owncloud.com/server/10.0/admin_manual/configuration/files/encryption_configuration_quick_guide.html

In what context is this reply?

I do get this error.
And as you can see the encryption is disabled.
I have no app which enables encryptions as well.
What can I do, to fix it.

Those are the apps I have installed and enabled


So no encryption part either. Still, something is messed up with the encryption.

Well, once files are encrypted - disabling encryption won’t solve the problem.

Files have to be decrypted and then encryption has to be disabled, then you have access to your files again.
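An added example, not from the thread or from ownCloud's own tooling, of the order that last reply describes as a POSIX sh wrapper: run decrypt-all first, check its output for the "couldn't be decrypted" banner quoted in the first post, and only disable encryption when no user is left behind. It assumes occ is run as the web server user from the ownCloud root (`OCC` is overridable) and uses the occ subcommands `encryption:decrypt-all`, `encryption:disable` and `app:disable`; the sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not ownCloud code): decrypt first, disable second, and
# refuse to disable while decrypt-all still reports users it skipped.
# Assumption: occ is run as the web server user from the ownCloud root.
OCC="${OCC:-sudo -u www-data php occ}"

# Constructed samples modelled on the output quoted in the first post.
SAMPLE_OK="... starting to decrypt files... finished"
SAMPLE_FAIL="... starting to decrypt files... finished
[=]

Files for following users couldn't be decrypted,
maybe the user is not set up in a way that supports this operation:

alice"

# 0 only when decrypt-all reached 'finished' and printed no leftover-user banner.
decrypt_output_ok() {
    printf '%s\n' "$1" | grep -q 'finished' || return 1
    printf '%s\n' "$1" | grep -qi "couldn.*t be decrypted" && return 1
    return 0
}

# Print the user ids listed after the banner, one per line (empty if none).
failed_users() {
    printf '%s\n' "$1" | awk '/supports this operation/ {seen=1; next} seen && NF'
}

# The guarded sequence; decrypt-all asks for confirmation, answered from stdin.
decrypt_then_disable() {
    out=$(printf 'y\n' | $OCC encryption:decrypt-all 2>&1)
    if decrypt_output_ok "$out"; then
        $OCC encryption:disable
        $OCC app:disable encryption
        return 0
    fi
    echo "decrypt-all left encrypted data for these users:" >&2
    failed_users "$out" >&2
    echo "leaving encryption enabled; fix those users first" >&2
    return 1
}

# Only touch a real server when explicitly asked (RUN_OCC=1).
if [ "${RUN_OCC:-0}" = 1 ]; then
    decrypt_then_disable
fi
```

Run it with `RUN_OCC=1` on the server; without that variable it only defines the functions, so the checks can be exercised against the sample output first.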