Failed to decrypt server side encryption

Steps to reproduce

  1. Login to server backend,and go to /var/www/owncloud folder
  2. execute command “sudo -u www-data php occ maintenance:singleuser --on”
  3. execute command “sudo -u www-data php occ encryption:decrypt-all --continue=yes --method=recovery ” and “sudo -u www-data php occ encryption:decrypt-all --continue=yes --method=password”

Expected behaviour

Tell us what should happen
I want to decrypt my owncloud server-side decryption so that all our user’s data are not encrypted

Actual behaviour

Tell us what happens instead
Failed to decrypt when I use decrypt command:

Comand 1: sudo -u www-data php occ encryption:decrypt-all --continue=yes --method=recovery
In DecryptAll.php line 208:

Invalid credentials provided

sudo -u www-data php occ encryption:decrypt-all --continue=yes --method=password
Disable server side encryption… done.
Error 2:
You are about to start to decrypt all files stored in your ownCloud.
It will depend on the encryption module and your setup if this is possible.
Depending on the number and size of your files this can take some time
Please make sure that no user access his files during this process!

prepare encryption modules…

starting to decrypt files…
Prepare “Default encryption module”

Password method can not be used for decrypting all users.
Aborting the decryption process
Module “Default encryption module” does not support the functionality to decrypt all files again or the initialization of the module failed!

starting to decrypt files… finished

all files could be decrypted successfully!

Server configuration

Operating system:
Web server:
Apache/2.4.7 (Ubuntu)

mysql Ver 14.14 Distrib 5.5.61, for debian-linux-gnu (x86_64) using readline 6.3
PHP version:
PHP 7.0.33-1+ubuntu14.04.1
ownCloud version: (see ownCloud admin page)
10.0.10 (stable)
Updated from an older ownCloud or fresh install:
Update from an older owncloud
Where did you install ownCloud from:

Signing status (ownCloud 9.0 and above):

Login as admin user into your ownCloud and access 
paste the results into and puth the link here.

no errors have been found

The content of config/config.php:

‘instanceid’ => ‘ocf1afexample7781’,
‘passwordsalt’ => ‘b62657fe2examplef92ea9f6938beb8b’,
‘secret’ => ‘cbd0eaad117579cexample334e6b6ecfa0f1c4e2d1d6ac15039e6cc746d3afaf1a5375caf2d914e1dcab5745d3559527432’,
‘trusted_domains’ =>
array (
0 => ‘example’,
1 => ‘example’,
‘datadirectory’ => ‘/datadriveF/data’,
‘overwrite.cli.url’ => ‘https://example’,
‘dbtype’ => ‘mysql’,
‘version’ => ‘’,
‘dbname’ => ‘ownlcloud’,
‘dbhost’ => ‘localhost’,
‘dbtableprefix’ => ‘oc_’,
‘dbuser’ => ‘oc_admin’,
‘dbpassword’ => ‘d5e3508cexample76629dda8f53e1fe4’,
‘installed’ => true,
‘mail_smtpmode’ => ‘smtp’,
‘mail_domain’ => ‘example’,
‘mail_smtpsecure’ => ‘tls’,
‘mail_smtphost’ => ‘example’,
‘mail_smtpport’ => ‘587’,
‘mail_from_address’ => ‘admin’,
‘mail_smtpauthtype’ => ‘LOGIN’,
‘loglevel’ => 3,
‘logtimezone’ => ‘Asia/Shanghai’,
‘forcessl’ => true,
‘theme’ => ‘’,
‘maintenance’ => false,
‘memcache.local’ => ‘\OC\Memcache\Redis’,
‘filelocking.enabled’ => ‘true’,
‘memcache.distributed’ => ‘\OC\Memcache\Redis’,
‘memcache.locking’ => ‘\OC\Memcache\Redis’,
‘redis’ =>
array (
‘host’ => ‘localhost’,
‘port’ => 6379,
‘timeout’ => 0,
‘dbindex’ => 0,
‘forceSSLforSubdomains’ => true,
‘singleuser’ => false,

Log in to the web-UI with an administrator account and click on
‘admin’ -> ‘Generate Config Report’ -> ‘Download ownCloud config report’
This report includes the config.php settings, the list of activated apps
and other details in a well sanitized form.


If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your ownCloud installation folder

“system”: {
“instanceid”: “ocf1aff97781”,
“passwordsalt”: “REMOVED SENSITIVE VALUE”,
“trusted_domains”: [
“datadirectory”: “/datadriveF/data”,
“overwrite.cli.url”: “https://example”,
“dbtype”: “mysql”,
“version”: “”,
“dbname”: “ownlcloud”,
“dbhost”: “localhost”,
“dbtableprefix”: “oc_”,
“installed”: true,
“mail_smtpmode”: “smtp”,
“mail_smtpsecure”: “tls”,
“mail_smtphost”: “REMOVED SENSITIVE VALUE”,
“mail_smtpport”: “587”,
“mail_from_address”: “REMOVED SENSITIVE VALUE”,
“mail_smtpauthtype”: “LOGIN”,
“loglevel”: 3,
“logtimezone”: “Asia/Shanghai”,
“forcessl”: true,
“theme”: “”,
“maintenance”: false,
“memcache.local”: “\OC\Memcache\Redis”,
“filelocking.enabled”: “true”,
“memcache.distributed”: “\OC\Memcache\Redis”,
“memcache.locking”: “\OC\Memcache\Redis”,
“redis”: {
“host”: “localhost”,
“port”: 6379,
“timeout”: 0,
“dbindex”: 0
“forceSSLforSubdomains”: true,
“singleuser”: false,
“versions_retention_obligation”: “65,66”,
“trashbin_retention_obligation”: “auto,65”,
“htaccess.RewriteBase”: “/”,
“mail_smtpauth”: 1,
“mail_smtpname”: “REMOVED SENSITIVE VALUE”,
“mail_smtppassword”: “REMOVED SENSITIVE VALUE

ATTENTION: Do not post your config.php file in public as is. Please use one of the above
methods whenever possible. Both, the generated reports from the web-ui and from occ config:list
consistently remove sensitive data. You still may want to review the report before sending.
If done manually then it is critical for your own privacy to dilligently
remove all host names, passwords, usernames, salts and other credentials before posting.
You should assume that attackers find such information and will use them against your systems.

**List of activated apps:**

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your ownCloud installation folder.

  - activity: 2.4.1
  - comments: 0.3.0
  - configreport: 0.1.1
  - dav: 0.4.0
  - encryption: 1.3.1
  - external: 1.2
  - federatedfilesharing: 0.3.1
  - federation: 0.1.0
  - files: 1.5.1
  - files_external: 0.7.1
  - files_pdfviewer: 0.10.0
  - files_sharing: 0.11.0
  - files_texteditor: 2.3.0
  - files_trashbin: 0.9.1
  - files_versions: 1.3.0
  - files_videoplayer: 0.9.8
  - firstrunwizard: 1.1
  - gallery: 16.1.1
  - market: 0.3.0
  - notifications: 0.3.5
  - provisioning_api: 0.5.0
  - systemtags: 0.3.0
  - templateeditor: 0.4.0
  - updatenotification: 0.2.1
  - user_external
**Are you using external storage, if yes which one:** local/smb/sftp/...
**Are you using encryption:** yes/no
**Are you using an external user-backend, if yes which one:** LDAP/ActiveDirectory/Webdav/...
#### LDAP configuration (delete this part if not used)

With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your ownCloud installation folder

Without access to your command line download the data/owncloud.db to your local
computer or access your SQL server remotely and run the select query:
SELECT * FROM oc_appconfig WHERE appid = ‘user_ldap’;

Eventually replace sensitive data as the name/IP-address of your LDAP server or groups.

Please, try to upgrade the server to 10.5 (or wait some weeks for 10.6) and retry. 10.0.10 is old, and there has been some changes around encryption in the last versions.


I encounter the exact same behavior on 10.7.

I solved my problem:

  • upgrade from owncloud 10.4 to 10.5, as owncloud 10.5 can then be migrated to nextcloud 20.0.10
  • migrate to nextcloud 20.0.10
  • decrypt-all works as expected with the master key (it even prompts you for it, much nicer user experience than the decrypt-all from owncloud 10.7), on a user key based encryption
  • I will stick to nextcloud :grinning: