After upgrade to Nextcloud 25, unable to access some files; "could not decrypt key"

I am using Nextcloud on Docker. I upgraded using the recommended method of updating the docker-compose.yml and then performing “docker-compose pull, down, up”. First I upgraded to 24.0.9 and then 25.0.

After the upgrade, the admin page recommended I perform “occ db:add-missing-indices” and “occ db:convert-filecache-bigint”, which I did.

Next, I tried accessing files using the UI, which failed for some files.

  • trying to open a text file using the GUI: “Failed to load file: Failed to create the document session”
  • trying to download using the GUI: “Internal Server Error”; log says: Sabre\DAV\Exception: Could not decrypt key
  • some files work fine

My Nextcloud instance is ancient, from ownCloud times, migrated and upgraded many times. I think the issue has to do with the now-deprecated server-side encryption - I was never able to fully get rid of it.

[webdav] Error: Sabre\DAV\Exception: Could not decrypt key at <<closure>>

0. /var/www/html/apps/dav/lib/Connector/Sabre/File.php line 492
   OCA\DAV\Connector\Sabre\File->convertToSabreException(OC\ServerNotAvailableException {})
1. /var/www/html/3rdparty/sabre/dav/lib/DAV/CorePlugin.php line 85
   OCA\DAV\Connector\Sabre\File->get()
2. /var/www/html/3rdparty/sabre/event/lib/WildcardEmitterTrait.php line 89
   Sabre\DAV\CorePlugin->httpGet(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})
3. /var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php line 472
   Sabre\DAV\Server->emit("method:GET", [Sabre\HTTP\Requ ... }])
4. /var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php line 253
   Sabre\DAV\Server->invokeMethod(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})
5. /var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php line 321
   Sabre\DAV\Server->start()
6. /var/www/html/apps/dav/appinfo/v1/webdav.php line 85
   Sabre\DAV\Server->exec()
7. /var/www/html/remote.php line 171
   require_once("/var/www/html/a ... p")

GET /oct/remote.php/webdav/test-textfile.txt?downloadStartSecret=m7tfk0vlmj
from 172.25.0.1 by rolandu at 2023-02-05T12:19:20+00:00

Config:

{
    "system": {
        "maintenance": false,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": "***REMOVED SENSITIVE VALUE***",
        "overwritehost": "***REMOVED SENSITIVE VALUE***",
        "overwriteprotocol": "https",
        "overwritewebroot": "\/oct",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "25.0.3.2",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "trashbin_retention_obligation": "7, 30",
        "versions_retention_obligation": "7, auto",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpsecure": "ssl",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "updater.release.channel": "stable",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "loglevel": 2,
        "encryption.legacy_format_support": true,
        "app_install_overwrite": [
            "gpxmotion",
            "gpxedit"
        ],
        "default_phone_region": "AT",
        "theme": ""

I face the same issue, having Nextcloud installed as a Docker container. All my files are server-side encrypted, and now I cannot access them anymore. Is there a way to decrypt the files?

Any tips appreciated. I was dumb enough to not have a backup of my Nextcloud drive.

Same issue here.