Unable to disable encryption

I’d like to disable encryption on my ownCloud server. I’ve run occ encryption:decrypt-all from single-user mode with no errors, but when I run occ encryption:disable I get:

The system still has encrypted files. Please decrypt them all before disabling encryption.

I don’t see any extra steps in the docs, and I don’t believe any of my users have personal encryption keys enabled. Am I missing something?

1 Like

This is a known scope mismatch — not something you’re doing wrong.

encryption:disable refuses if any row in the filecache table still has encrypted >= 1. But encryption:decrypt-all only walks files under //files. So anything encrypted outside that path is never cleared and keeps blocking the disable — most commonly file versions and trashbin, sometimes shared/external storage. That’s why decrypt-all says it succeeded yet disable still complains. (The per-user-key setting is unrelated to this check, so that’s a dead end.)

First, see exactly what’s blocking you. Run against your DB (adjust the oc_ prefix to match your install):

SELECT fc.fileid, fc.path, fc.encrypted, s.id AS storage
FROM oc_filecache fc
JOIN oc_storages s ON fc.storage = s.numeric_id
WHERE fc.encrypted >= 1;

The path column will tell you the culprit — likely files_versions/… or files_trashbin/….

Then clear those and retry:

occ trashbin:cleanup --all-users
occ versions:cleanup
occ encryption:decrypt-all
occ encryption:disable

If the diagnostic shows leftover rows on shared or external storage, decrypt per-owner instead: occ encryption:decrypt-all .

As a last resort, after a full DB backup, if the remaining rows are confirmed junk (old versions/trash/corrupt .part files), you can UPDATE oc_filecache SET encrypted = 0 WHERE encrypted >= 1; then occ files:scan --all — but only after you’ve confirmed via the query above that there are no real encrypted files left.

I’ve filed this as a bug so the commands stop disagreeing and the disable error tells you which paths are blocking: owncloud/core#41623.

2 Likes
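
An added example, not part of either post and not ownCloud code: it runs the diagnostic query from the answer and groups the rows still flagged encrypted by storage and top-level folder, so it is clear whether anything other than versions or trash is blocking before the last-resort UPDATE is considered. The in-memory SQLite database, the sample rows and the function names are constructed for illustration; the table and column names are the ones used in the answer's query.

```python
import sqlite3
from collections import Counter

# Query from the answer above; the oc_ prefix is the page's default and may differ.
BLOCKING_SQL = """
SELECT fc.fileid, fc.path, fc.encrypted, s.id AS storage
FROM oc_filecache fc
JOIN oc_storages s ON fc.storage = s.numeric_id
WHERE fc.encrypted >= 1
"""

def summarize_blockers(conn):
    """Count rows still flagged encrypted, per (storage, top-level folder)."""
    counts = Counter()
    for _fileid, path, _enc, storage in conn.execute(BLOCKING_SQL):
        area = path.split("/", 1)[0] or "(root)"
        counts[(storage, area)] += 1
    return counts

def live_file_blockers(counts):
    """Storages with flagged rows outside versions/trash: review before any reset."""
    return sorted({s for (s, area) in counts
                   if area not in ("files_versions", "files_trashbin")})

def build_sample_db():
    """Constructed sample data in SQLite, standing in for the real ownCloud DB."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE oc_storages (numeric_id INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE oc_filecache (fileid INTEGER PRIMARY KEY, storage INTEGER,
                                   path TEXT, encrypted INTEGER);
        INSERT INTO oc_storages VALUES (1, 'home::alice'), (2, 'home::bob');
        INSERT INTO oc_filecache VALUES
          (10, 1, 'files/report.odt', 0),
          (11, 1, 'files_versions/report.odt.v1700000000', 3),
          (12, 1, 'files_trashbin/files/old.txt.d1700000001', 1),
          (13, 2, 'files/photo.jpg', 2),
          (14, 2, 'files_versions/photo.jpg.v1700000002', 1);
    """)
    return conn

if __name__ == "__main__":
    counts = summarize_blockers(build_sample_db())
    for (storage, area), n in sorted(counts.items()):
        print(f"{storage:12} {area:15} {n}")
    print("review before any bulk reset:", live_file_blockers(counts) or "none")
```

On the constructed data, home::alice is blocked only by versions and trash, while home::bob still has a flagged row under files/ and needs a closer look first.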