Admin-given encrypted external storage for a group leads to DecryptionFailedException

Nextcloud version (eg, 20.0.5): 22.1.1
Operating system and version (eg, Ubuntu 20.04): CentOS -> docker
Apache or nginx version (eg, Apache 2.4.25): nginx (docker)
PHP version (eg, 7.4): 8.0.10

Summary of my nextcloud environment
For several years, I’m running own nextcloud instances locally. Now, I moved to a paid dedicated server (at strato) and I’m using external storage (wasabi s3). Only the external storage is encrypted (via nextcloud). Encryption has been set up before any data has been added.

The issue you are facing:
The problem appears to be limited to “external storage configured via admin panel and assigned to a group”. In detail: I configured 3 external storage buckets, one for user A, one for user B and one for group of A+B. The third is the problematic. User B uploads a bunch of files and it’s working fine for him. For user A 90% of the files are not decryptable. Neither while client download, nor through web interface. Same files are, most of them not.

My fault?
Is it wrong to add an encrypted external storage to a group via admin panel? Should I assign it to two users instead of to a group? Or is “sharing” an admin-added given storage not possible?

What does not help:

  • occ files:scan --all,
  • deleting and re-uploading,
  • reinstall nextcloud client.
  • Associating an external share to two users instead of a group of A+B
  • config.php → ‘encryption_skip_signature_check’ => false, (or true)

What helps
→ Admin-given external storage for a specific user and users then shares it with another user.

Steps to replicate it:

  1. Add user A and user B into one group (e.g. “WasabiGroup”)
  2. Setup encryption (no home dirs, just external storage)
  3. Add external storage (in my case wasabi s3) via admin panel and assoc group “WasabiGroup”
  4. Let user B upload many files → must be okay.
  5. Let user A download/sync the files → DecryptionError

The output of your Nextcloud log in Admin > Logging:

Fatal	webdav	OC\Encryption\Exceptions\DecryptionFailedException: Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.
Error	no app in context	Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.

Seems to me like a bug. Maybe someone of you has some additional information or even a solution. But due to share a storage at user-level is working, I found a way to go. Nevertheless, if we can enter a group for an external encrypted storage in the admin panel, it should be working.

Thanks in advance

Can anybody help (or confirm, decline) the issue?