Personal encryption key reset

encryption
ldap
9.0.x

#1

Hello Guys,

I have an issue with the encryption user key password reset.
First of all, the whole server config:
1. LDAP connected to ownCloud
2. encryption enabled for the whole system and all files
3. shared folders created for all users where users can drop files
4. there is no central recovery encryption key

So now what happens:
1. user changes his password in LDAP
2. the same user does not work with ownCloud for a long time, but then he logs in using his LDAP password and gets a notification about changing his encryption key.
3. ok, now the user has to provide the old encryption key password that he doesn't remember

Now:
1. Recovery is not possible, so how to reset this encryption key password?

Resolution attempt:
I went through
https://doc.owncloud.org/server/9.0/admin_manual/configuration_files/encryption_configuration.html
but it's all about the recovery encryption key.

I can't find information on where I can find the user encryption key. But also I'm not sure what the impact will be if I delete it, and if a new key will be used to give him back access to all information in the shared folder.
But I was thinking that if I can reset the whole user profile then I can get all his access to shared files back. We can accept losing all his personal information in his own folder, as without any recovery key it's not possible to get it back, but that's a bit different case when you deal with shared folders.

So:
1. is it possible to reset the user key password (e.g. by removing keys and getting new ones) and get back access to information? If yes, then how?
2. is it possible to reset the user key password (e.g. by removing keys and getting new ones) but actually accept the fact that all information that he had access to so far will no longer be available? If yes, then how?

#2

The only recommended way would be to delete the user and create it newly. You would need to check if the user has shared folders with others where others wrote files into ...


#3

Thanks,

So I have blocked users from sharing anything, so I'm not afraid of this.
What I want to figure out is what I need to actually delete if I use LDAP for user auth. Does ownCloud create a local user anyway once the user logs in to ownCloud, and is that the folder where ownCloud keeps the encryption keys?

In case another user (Y) shares a folder with this user (X), after removing user profile (X) will user (X) still be able to read files in the folder shared by the other user (Y)? Of course user (X) logs in using LDAP, the same as the other user (Y).


#4

If you'd like to keep the shares you can delete the files in the user folder, run occ files:scan for the user and then log in again.
If you want to delete everything, occ user:delete should work.


#5

Ok, so
ownCloud creates the user locally anyway, even where LDAP is used, and that is where it keeps all user settings, right?
Then I delete this user and all his profile files. Which is fine, as if he forgot his password then he will not get his data back anyway.
Once I delete his profile I need to run occ files:scan and the user needs to log in once again.
Once he logs in he needs to set up a new password for the new key. All shared folders that he had, he will get them back and he will get access to them again with the new key.

Just for clarification,
I have 1 service account that is allowed to share anything. So I want the user to get his access back to these files and I don't care about his personal files.


#6

So I have tested the profile removal. Now I get an error while trying to open shared files:

multikeydecrypt with share key failed:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error

How do I get back access to the shared files and re-generate the share key?


#7

Those need to be unshared and then shared again with the user. That's why maybe deleting the user would be the easier path.
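The error in #6 and the fix in #7 follow from how ownCloud's encryption wraps keys: each file has a symmetric file key, and a per-recipient "share key" is that file key sealed to the recipient's RSA public key (PKCS#1 v1.5, which is what the RSA_padding_check_PKCS1_type_2 error string refers to). Wiping the user's profile gives him a fresh key pair, so every existing share key is sealed to a public key whose private half no longer exists; re-sharing seals the file key to the new public key. The following is an added illustration of that failure and recovery, not ownCloud's own code; it assumes the Python `cryptography` package and uses constructed keys and a constructed file key.

```python
"""Illustrate why a reset user key pair breaks existing share keys (added example)."""
import os

from cryptography.hazmat.primitives.asymmetric import padding, rsa


def new_user_keypair():
    """Stand-in for the per-user RSA key pair ownCloud generates at first login (assumption)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def share_file_key(file_key: bytes, recipient_public_key) -> bytes:
    """Build the recipient's share key: the file key sealed to their public key (PKCS#1 v1.5)."""
    return recipient_public_key.encrypt(file_key, padding.PKCS1v15())


def open_share_key(share_key: bytes, private_key):
    """Unseal a share key; return None when it was not sealed to this key pair.

    With PKCS#1 v1.5 a wrong key almost always fails the padding check, which is
    the 'pkcs decoding error' ownCloud surfaces as 'multikeydecrypt ... failed'.
    """
    try:
        return private_key.decrypt(share_key, padding.PKCS1v15())
    except ValueError:
        return None


def simulate_key_reset():
    """Walk through: share works -> profile wiped, new key pair -> share broken -> re-share fixes it."""
    file_key = os.urandom(32)  # constructed: symmetric key protecting one shared file
    old_pair = new_user_keypair()
    share_key = share_file_key(file_key, old_pair.public_key())
    before_reset = open_share_key(share_key, old_pair)

    # Admin deletes the user's key material; the next login creates a fresh pair.
    new_pair = new_user_keypair()
    after_reset = open_share_key(share_key, new_pair)  # old share key, new private key

    # Owner unshares and shares again: the file key is sealed to the new public key.
    reshared_key = share_file_key(file_key, new_pair.public_key())
    after_reshare = open_share_key(reshared_key, new_pair)
    return file_key, before_reset, after_reset, after_reshare


if __name__ == "__main__":
    fk, before, after, reshared = simulate_key_reset()
    print("share readable before reset:", before == fk)
    print("share readable after reset: ", after == fk)
    print("share readable after re-share:", reshared == fk)
```

The same reasoning explains #4: deleting only the user's files and keys keeps the share records, but every share key pointing at that user still has to be re-created by re-sharing.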


#8

Well... I have deleted the user profile within the ownCloud filesystem (not from the ownCloud GUI). I cannot delete it from AD.
But you can remove it as a user within ownCloud. But it will be re-added a few moments later as it comes from LDAP.

The problem that I have is that if you have 200 users and nested groups and folders it's not easy to unshare and re-create the sharing structure. That's like 2 hrs of work. Also users keep forgetting their passwords, so you need to do this sometimes a few times a month. So this becomes problematic and I'm looking for some nice way to reset the common key used by that user.