Encryption issue


#1

Steps to reproduce

  1. I have server encryption enabled. Since I have an issue with one of my profiles, I wanted to decrypt my files to download them completely without the ownCloud interface, meaning from the files directory in the data folder. Yet when I do the decryption with `./occ encryption:decrypt_all` it finishes with
     "… starting to decrypt files… finished" and continues with:

    [=]

Files for following users couldn't be decrypted,
maybe the user is not set up in a way that supports this operation:

Is there a manual way, without the occ script, to decrypt the files?

Expected behaviour

I need the files to be decrypted so I can make a copy, clean the profile and push them up via the standard client again.

Actual behaviour

Decryption doesn’t seem to work.

Server configuration

Operating system: Linux

Web server: Apache

Database: MySQL 5.5

PHP version: 7.0

ownCloud version: 10.0.10

Updated from an older ownCloud or fresh install: Updated

Where did you install ownCloud from: tar.gz file

Signing status (ownCloud 9.0 and above):

https://gist.github.com/fgn-git-hub/89a1c668c57656ca5a904c2ec013fc5d

```json
{
  "system": {
    "instanceid": "ocpgii6gb1bd",
    "passwordsalt": "REMOVED SENSITIVE VALUE",
    "datadirectory": "/var/www/localhost/owncloud/data",
    "dbtype": "mysql",
    "version": "10.0.7.2",
    "dbname": "cloud",
    "dbhost": "127.0.0.1",
    "dbtableprefix": "oc_",
    "dbuser": "REMOVED SENSITIVE VALUE",
    "dbpassword": "REMOVED SENSITIVE VALUE",
    "installed": true,
    "forcessl": true,
    "maintenance": false,
    "overwrite.cli.url": "/owncloud",
    "ldapIgnoreNamingRules": false,
    "loglevel": 0,
    "theme": "",
    "trusted_domains": [
      "cloud.localdomain.net"
    ],
    "secret": "REMOVED SENSITIVE VALUE",
    "share_folder": "/Shared",
    "mail_from_address": "REMOVED SENSITIVE VALUE",
    "mail_smtpmode": "php",
    "mail_domain": "REMOVED SENSITIVE VALUE",
    "trashbin_retention_obligation": "auto",
    "singleuser": true
  }
}
```


**List of activated apps:**

Enabled:

  • activity: 2.3.6
  • audioplayer: 2.2.4
  • calendar: 1.5.7
  • comments: 0.3.0
  • configreport: 0.1.1
  • contacts: 1.5.4
  • dav: 0.3.2
  • encryption: 1.3.1
  • external: 1.2
  • federatedfilesharing: 0.3.1
  • federation: 0.1.0
  • files: 1.5.1
  • files_external: 0.7.1
  • files_pdfviewer: 0.8.2
  • files_sharing: 0.10.1
  • files_texteditor: 2.2.1
  • files_versions: 1.3.0
  • files_videoplayer: 0.9.8
  • firstrunwizard: 1.1
  • gallery: 16.0.2
  • market: 0.2.3
  • notifications: 0.3.2
  • provisioning_api: 0.5.0
  • systemtags: 0.3.0
  • templateeditor: 0.2
  • user_external: 0.4
  • user_ldap: 0.10.0

Disabled:

  • files_trashbin
  • theme-example
  • updatenotification

**Are you using encryption:** yes

**Are you using an external user-backend, if yes which one:** ActiveDirectory

#### LDAP configuration

+-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Configuration | s02 |
+-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport | 1 |
| hasPagedResultSupport | |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | ldap-auth@ |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | OU=Company,DC=ad,DC=local |
| ldapBaseGroups | OU=Company,DC=ad,DC=local |
| ldapBaseUsers | OU=Company,DC=ad,DC=local |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 0 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | objectguid |
| ldapExpertUsernameAttr | |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | (&(|(objectclass=group))) |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | group |
| ldapGroupMemberAssocAttr | member |
| ldapHost | tantalos. |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(&(|(objectclass=organizationalPerson)(objectclass=person)(objectclass=user)))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))(|(cn=%uid)(displayName=%uid)))) |
| ldapLoginFilterAttributes | cn;displayName |
| ldapLoginFilterEmail | 1 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | 0 |
| ldapPagingSize | 500 |
| ldapPort | 389 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserDisplayName | displayname |
| ldapUserDisplayName2 | |
| ldapUserFilter | (&(|(objectclass=organizationalPerson)(objectclass=person)(objectclass=user))) |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | organizationalPerson;person;user |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Configuration | s03 |
+-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport | 1 |
| hasPagedResultSupport | |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | ldap-auth@ |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | OU=Company,DC=ad,DC=local |
| ldapBaseGroups | OU=Company,DC=ad,DC=local |
| ldapBaseUsers | OU=Company,DC=ad,DC=local |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 0 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | |
| ldapExpertUsernameAttr | |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | (&(|(objectclass=group))) |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | group |
| ldapGroupMemberAssocAttr | member |
| ldapHost | hades. |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(&(|(objectclass=organizationalPerson)(objectclass=person)(objectclass=user)))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))(|(cn=%uid)(displayName=%uid)))) |
| ldapLoginFilterAttributes | cn;displayName |
| ldapLoginFilterEmail | 1 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | 0 |
| ldapPagingSize | 500 |
| ldapPort | 389 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserDisplayName | displayname |
| ldapUserDisplayName2 | |
| ldapUserFilter | (&(|(objectclass=organizationalPerson)(objectclass=person)(objectclass=user))) |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | organizationalPerson;person;user |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+


### Client configuration
**Browser:**
Firefox/Chromium
**Operating system:**
Windows/Linux
### Logs

#2

User key or Master key?

What were the steps you did / instructions you followed to enable encryption?

How are you trying to decrypt the files?

Are the files local or on an external storage?


#3

User key, and Master Key.
I started the encryption with the encryption add-on, starting with ownCloud 7 -> 8 -> 9 -> 10.
For decryption I used `./occ encryption:decrypt_all` as mentioned in the topic.
The files are local.


#4

Yeah, you can’t have both. That’s the problem.

It's like sugar and salt: you won't mix salt into a cake that already has sugar in it, right?

In our docs, which I am sure you read before enabling something as serious as encryption, there are a lot of warnings and explanations.

https://doc.owncloud.com/server/10.0/admin_manual/configuration/files/encryption_configuration.html?highlight=encryption


#5

Dear Dmitry,
yes I did, and I'm still stuck with that. The most important part would be to get my files unencrypted. While it seems to work with every other account, it just does not work with my account.
Any idea what can be done there?


#6

Do you have the files on an external drive or on your local storage?

If you don't, I don't see an option for taking your double-encrypted files off your server. The documentation is there for a reason, and encryption is not something you can turn on and off easily.


#7

It’s on the local storage.


#8

Your local storage or the oC server’s local storage?


#9

The OCs local storage


#10

Then I don’t know how to help you. Maybe some one in the community has an idea


#11

What would have been your option if it hadn't been on the local storage? And how do I see if I have user and server side encryption enabled?


#12

Well, the encryption is limited to the oC server. That means if your files are on an external storage on a file server, you can still get them, because they are unencrypted.

You should read the documentation.
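Post #11 asks how to tell whether user-key and master-key encryption are both in play, which post #4 names as the reason `decrypt_all` gives up, and post #1 is ultimately about which files were actually rewritten. The shell script below is an added example written for this thread; it is not part of any post and not ownCloud's own code. It inspects the data directory directly, assuming the key layout used by the encryption app's default module (`OC_DEFAULT_MODULE`: a `master_<id>.privateKey` under `data/files_encryption/`, a `<uid>.privateKey` under `data/<uid>/files_encryption/`) and the `HBEGIN:…:HEND` header that module writes at the start of every encrypted file. Run without arguments it builds a constructed sample data directory (fake keys, one file with the header, one already-decrypted file) and reports on it; with `DATADIR UID` it reports on a real instance.

```shell
#!/bin/sh
# Added example for this thread; not ownCloud code and not taken from any post.
# Reports, from the raw data directory, whether an ownCloud 10 instance has a
# master key, whether a given user has a per-user key, and how many of that
# user's files still carry the server-side encryption header.
# Assumed layout of the encryption app's default module (OC_DEFAULT_MODULE):
#   master key : <data>/files_encryption/OC_DEFAULT_MODULE/master_<id>.privateKey
#   user key   : <data>/<uid>/files_encryption/OC_DEFAULT_MODULE/<uid>.privateKey
# Encrypted file contents begin with "HBEGIN:oc_encryption_module:...:HEND".

# key_mode DATADIR UID -> prints one of: master, user, both, none
key_mode() {
  datadir=$1; uid=$2
  have_master=0; have_user=0
  for f in "$datadir"/files_encryption/OC_DEFAULT_MODULE/master_*.privateKey; do
    [ -f "$f" ] && have_master=1
  done
  [ -f "$datadir/$uid/files_encryption/OC_DEFAULT_MODULE/$uid.privateKey" ] && have_user=1
  case "${have_master}${have_user}" in
    10) echo master ;;
    01) echo user ;;
    11) echo both ;;   # the mixed state post #4 says decrypt_all cannot handle
    *)  echo none ;;
  esac
}

# is_encrypted FILE -> exit status 0 if FILE starts with the encryption header
is_encrypted() {
  [ "$(dd if="$1" bs=6 count=1 2>/dev/null)" = "HBEGIN" ]
}

# count_encrypted DATADIR UID -> prints "<encrypted> <plaintext>" for UID's files/ tree
count_encrypted() {
  enc=0; plain=0
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    if is_encrypted "$f"; then enc=$((enc + 1)); else plain=$((plain + 1)); fi
  done <<EOF
$(find "$1/$2/files" -type f)
EOF
  echo "$enc $plain"
}

# make_sample DIR -> builds a constructed (fake) data directory under DIR:
# a master key and a user key for "alice" (the "both" state), one file still
# carrying the encryption header, one already-decrypted file. Prints the uid.
make_sample() {
  root=$1; uid=alice
  mkdir -p "$root/files_encryption/OC_DEFAULT_MODULE" \
           "$root/$uid/files_encryption/OC_DEFAULT_MODULE" \
           "$root/$uid/files/docs"
  echo "fake-master-key" > "$root/files_encryption/OC_DEFAULT_MODULE/master_abc123.privateKey"
  echo "fake-user-key"   > "$root/$uid/files_encryption/OC_DEFAULT_MODULE/$uid.privateKey"
  # header text as the default module writes it; the real one is padded to 8192 bytes
  hdr='HBEGIN:oc_encryption_module:OC_DEFAULT_MODULE:cipher:AES-256-CTR:signed:true:HEND'
  printf '%s\n%s\n' "$hdr" 'ciphertext-bytes-would-follow' > "$root/$uid/files/docs/report.txt"
  printf 'plain text, already decrypted\n' > "$root/$uid/files/notes.txt"
  echo "$uid"
}

# report DATADIR UID -> one summary line
report() {
  mode=$(key_mode "$1" "$2")
  counts=$(count_encrypted "$1" "$2")
  echo "user=$2 keys=$mode encrypted/plain=${counts% *}/${counts#* }"
}

# Usage: sh inspect-enc.sh DATADIR UID   (no arguments: run on the constructed sample)
if [ $# -eq 2 ]; then
  report "$1" "$2"
else
  tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
  report "$tmp" "$(make_sample "$tmp")"
fi
```

On a live instance `occ encryption:status` and `occ config:app:get encryption useMasterKey` give ownCloud's own view of the key mode; the file-level count is what tells you whether `decrypt_all` actually rewrote a given user's files, which a successful-looking "finished" message does not. Run it as the web server user so the key files are readable, and treat a `both` result on an instance that has been upgraded through several major versions, as in post #3, as the condition to clean up before retrying.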