Bug: defaultModel = 'yes' rather than "OC_DEFAULT_MODULE" for server-side file encryption on fresh install of 28.0.3 server; Files won't save at all

cpbl · March 1, 2024, 12:46am

I just installed the latest server on Ubuntu 22.04 manually, ie from the bzip file.
I then followed Instructions here:
https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html

which say I should turn on server-side encryption in the settings and THEN enable the encryption module.

But this is not possible, whereas the reverse order seems to be.

Worse, after I enabled both, as well as the “encrypt the home storage” checkbox option, and came back to the same page, the server-side encryption toggle showed it was off again! and was not responsive. Meanwhile, the “encrypt the home storage” checkbox was still checked, which seems an impossible state if encryption is off.

When I check on the command line using occ, everything looks good: server encryption is on, the default module is enabled.

#sudo -u www-data php occ app:enable encryption
encryption already enabled

# sudo -u www-data php occ encryption:status
  - enabled: true
  - defaultModule: yes

# sudo -u www-data php occ encryption:enable-master-key
Master key already enabled

# sudo -u www-data php occ encryption:show-key-storage-root
Current key storage root:  default storage location (data/)

# sudo -u www-data php occ encryption:list-modules         
  - OC_DEFAULT_MODULE: Default encryption module

But nothing works: I can create a file in the browser, but its contents never gets saved.

The nextcloud.log file gets errors looking like this:

{"file":"/my/nextcloud/path/apps/text/lib/Service/ApiService.php","line":268,"function":"autosave","class":"OCA\\Text\\Service\\DocumentService","type":"->"},
{"file":"/my/nextcloud/path/apps/text/lib/Controller/SessionController.php","line":100,"function":"save","class":"OCA\\Text\\Service\\ApiService","type":"->"},
{"file":"/my/nextcloud/path/lib/private/AppFramework/Http/Dispatcher.php","line":230,"function":"save","class":"OCA\\Text\\Controller\\SessionController","type":"->"},
{"file":"/my/nextcloud/path/lib/private/AppFramework/Http/Dispatcher.php","line":137,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},
{"file":"/my/nextcloud/path/lib/private/AppFramework/App.php","line":184,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},
{"file":"/my/nextcloud/path/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\\AppFramework\\App","type":"::"},
{"file":"/my/nextcloud/path/lib/base.php","line":1069,"function":"match","class":"OC\\Route\\Router","type":"->"},
{"file":"/my/nextcloud/path/index.php","line":39,"function":"handleRequest","class":"OC","type":"::"}],
"File":"/my/nextcloud/path/lib/private/Encryption/Manager.php",
"Line":199,"Hint":"Default encryption module not loaded",
"message":"Default encryption module not loaded",
"exception":{},"CustomMessage":"Default encryption module not loaded"}}

I want to get the basic installation working.

jtr · March 1, 2024, 11:00pm

The Encryption chapter in the Admin Manual needs some love[1] to bring it up-to-date with the current UI and make the setup process clearer (and less error prone).

Worse, after I enabled both, as well as the “encrypt the home storage” checkbox option, and came back to the same page, the server-side encryption toggle showed it was off again! and was not responsive. Meanwhile, the “encrypt the home storage” checkbox was still checked, which seems an impossible state if encryption is off.

Are you seeing the blacked out button? I agree that’s… an odd UI experience. I noticed it too during recent testing. It’s purely a UI matter best as I’ve been able to tell (and as you confirmed via occ). If you’re curious, there are a few other commands of possible interest to confirm the encryption state: occ config:list core and occ config:list encryption (the relevant values will be fairly obvious).

But nothing works: I can create a file in the browser, but its contents never gets saved.

Hmm.

I don’t have this problem in a clean installation (happen to have a v27 encryption test instance already running from recent work; I can’t remember if I’ve done any testing of Encryption setup from scratch in any v28 instances recently).

Did this occur after logging out and back in again to finish the key setup? (That’s an important step in case it got overlooked due to the state of that section of the Admin Manual).
What’s the specific Server version you’re testing with?

[1] Encryption chapter(s) revision(s) · Issue #11545 · nextcloud/documentation · GitHub

jtr · March 1, 2024, 11:29pm

I just noticed this in your output. That doesn’t look right. The defaultModule should say OC_DEFAULT_MODULE. Not even sure how it can say yes.

That command just pulls the string value here[1] which should be the same as the value for default_encryption_module from the occ config:list core command.

So maybe it really isn’t enabled in your environment, but then the question is how’d that happen?

The command line sequence to enable server-side encryption is:

# enables the `encryption` *app*
./occ app:enable encryption
# Actually enables Server-side Encryption
./occ encryption:enable
# Actually encrypts existing user files
./occ encryption:encrypt-all

Both master key mode and encrypt home storage default to on these days (wasn’t always the case).

[1] server/lib/private/Encryption/Manager.php at e0705f1015ca69b603ef43931367bf653fbc08c8 · nextcloud/server · GitHub

cpbl · March 1, 2024, 11:36pm

Yes, the thing with master key is also badly mis-documented. (((I held back above reporting on sooo much frustration and dashed hopes. I’m here because I’ve been using nextcloud for several years after an epic loss of time trying to install it last time, and giving up on many features. But after an OS upgrade, it stopped working and I’ve been unable to figure out how to upgrade it. I’m throwing everyone’s files away and starting from scratch. ))) I’d be happy to go through the process from scratch again to submit a PR with update of the documentation, if I can get this fixed.

And I’m very grateful for your response and help!! occ agrees with you that something is wrong, and it sure looks like a bug to me:

# sudo -u www-data php occ maintenance:mode
Maintenance mode is currently disabled
# sudo -u www-data php occ app:enable encryption
encryption already enabled
# sudo -u www-data php occ encryption:enable
Encryption is already enabled

The current default module does not exist: yes

I hadn’t felt the need to do encrypt-all but I guess it’s harmless. In any case, I don’t want to try the next step until the above is fixed.

cpbl · March 1, 2024, 11:38pm

# sudo -u www-data php occ -V
Nextcloud 28.0.3


# sudo -u www-data php occ encryption:status
  - enabled: true
  - defaultModule: yes

s874tget · March 13, 2024, 8:19pm

Any update to this one?

I got the same problem today after I updated to version 28.0.3, but when I run the commands mentioned above, it even says that encryption is enabled, and it is using the defaultModule: OC_DEFAULT_MODULE. Yet, the UI switch shows server-side encryption as disabled.

If I run occ encryption:encrypt-all the command exit with error “Default encryption module not loaded”.

The previous version I had installed was 28.0.1 where I had server-side encryption and encryption of home storage enabled and everything worked fine. Now I could not sync any files.

What could I do to load the encryption module?

Thanks!

cpbl · March 14, 2024, 12:34am

No, no further luck on my end.
Silence from the devs? And github says not to post a bug report if it’s already posted here, so … I haven’t.
I’m so baffled. (And crippled by loss of a major part of my workflow over the last four years).

cpbl · March 14, 2024, 7:55pm

I just tried with version 29.0 beta 2. I installed it fresh. I had better results.

I “enabled” the App (click on apps and then in the left panel choose to see the Disabled ones).
Then I went to Administration Settings → Security and the slider responded when turned on.

Now I get

sudo -u www-data php occ encryption:status
  - enabled: true
  - defaultModule: OC_DEFAULT_MODULE

and although I’ve received a string of errors along they way, it eventually made it through encrypting all the files that were in my folder or that I added.

I skipped adding the recommended Apps during install this time.

s874tget · March 18, 2024, 10:18am

Thanks for letting me know.
I’m not going to install any beta version, as I had too many bad experiences with upgrades. I was happy that the latest updates went well, when I discovered that the encryption module isn’t loading. Which in fact also ruins my workflows.
As it works in the beta version now, I assume it will be on the stable version very soon.

jtr · March 18, 2024, 1:50pm

@cpbl:

To change it from “yes” to the correct one you should be able to do this:

occ encryption:set-default-module OC_DEFAULT_MODULE

I still have no idea how that value got set to “yes” in your environment. I’ve yet to run across that or find a way to reproduce it (other than manually setting the value to that).

jtr · March 18, 2024, 1:56pm

@s874tget Your situation, described over in your post, appears to be different than what @cpbl is experiencing.

jtr · April 16, 2024, 3:00pm

Fixed in fix(encryption): Clicking default module in UI sets bogus value by joshtrichards · Pull Request #44604 · nextcloud/server · GitHub