Occ encryption:decrypt-all fails for all users


#1

Steps to reproduce

  1. sudo -u www-data php /var/www/owncloud/occ maintenance:singleuser --on
  2. sudo -u www-data php /var/www/owncloud/occ encryption:decrypt-all

Expected behaviour

This should decrypt all files of all users

Actual behaviour

Files for following users couldn’t be decrypted,
maybe the user is not set up in a way that supports this operation:
all
of
my
user
names

Server configuration

Debian 9

Web server:
Apache 2.4.25

Database:
mariadb-server-10.1.26

PHP version:
v7.0.30-0+deb9u1

ownCloud version: (see ownCloud admin page)
10.0.9

Updated from an older ownCloud or fresh install:
something like 7 or 8

The content of config/config.php:
$CONFIG = array (
  'instanceid' => 'CUT',
  'passwordsalt' => '+CUT',
  'secret' => 'CUT',
  'trusted_domains' =>
  array (
    0 => 'CUT',
    1 => 'CUT',
    2 => 'CUT',
  ),
  'datadirectory' => '/storage/data',
  'overwrite.cli.url' => 'CUT',
  'dbtype' => 'mysql',
  'version' => '10.0.9.5',
  'logtimezone' => 'UTC',
  'installed' => true,
  'maintenance' => false,
  'dbname' => 'owncloud',
  'dbhost' => 'localhost',
  'dbuser' => 'owncloud',
  'dbpassword' => 'CUT',
  'mail_smtpmode' => 'smtp',
  'mail_from_address' => 'CUT',
  'mail_domain' => 'CUT',
  'mail_smtpauthtype' => 'PLAIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'CUT',
  'mail_smtpport' => '465',
  'mail_smtpname' => 'CUT',
  'mail_smtppassword' => 'CUT',
  'memcache.local' => '\OC\Memcache\Redis',
  'redis' =>
  array (
    'host' => 'localhost',
    'port' => 6379,
  ),
  'memcache.locking' => '\OC\Memcache\Redis',
  'theme' => '',
  'loglevel' => 2,
  'log_type' => 'owncloud',
  'logfile' => '/var/log/owncloud.log',
  'mail_smtpsecure' => 'ssl',
  'updatechecker' => false,
  'versions_retention_obligation' => 'auto',
  'filelocking.enabled' => true,
  'singleuser' => false,
);


#2

What type of encryption are you using?


#3

sudo -u www-data php /var/www/owncloud/occ encryption:status

  • enabled: true
  • defaultModule: OC_DEFAULT_MODULE

And: Encryption type: User Specific Key


#4

Have you enabled the recovery key?


#5

No, I haven’t.

Ok, now I’ve set up a master recovery key - but I will try to encrypt files on Friday evening.
Thx for your help - I hope this will work. I’m also considering talking to every user (I’ve got 15 users and 200GB of data) to back up files locally, delete them from ownCloud - then I switch encryption off and they will upload files again.


#6

Wait wait - how did you set up master recovery key? O_o


#7

I’ve logged in as admin via www and then:
Setting->Administration->Encryption: Setup Master recovery Key: fields with Enter password for Key - something like that


#8

So you set up user key encryption.

encrypted all files of all users.

tried to decrypt the files.

failed.

now you have enabled the recovery key.

and now you plan to decrypt the files again, right?


#9

Yes, pretty much like you said. I turned on encryption. It’s working well - right? But now I understand that I don’t need that encryption. I want to have an incremental backup of all files from the /storage partition.
Ok, if I can do decrypt-all - no problem, I will do a backup of all users’ files locally on their computers - turn off decrypt and restore files.


#10

Yeah, encryption is an optional feature. You don’t really need that.

But once activated, it’s tricky to deactivate.

I think you need to activate the recovery key.

Then you need to tell your users to log in and opt-in to the recovery key.

Then you need to apply this patch -> https://github.com/owncloud/core/pull/32027

Then you can decrypt all files of all users using the recovery key.


#11

Ok, I understand. Thank you very much.


#12

Hey,

it seems this is included in the upcoming 10.0.10 version planned for tomorrow, or am I wrong? Seems the changelog contains some additional “fixes” for encryption as well:


#13

Yeah, but I thought maybe he wants to have his ownCloud working sooner, or in case the release gets delayed.