Can you disable per-user encryption keys?

Hi folks,
I have what I hope is a quick question looking for some clarification on encryption. While reading up on encryption on the Nextcloud encryption blog post, it mentioned that there are two methods to encrypt your storage… you can either do it with a server-wide key, or with a per-user key.

I recently inherited our Nextcloud environment from one of our employees who left not too long ago. We are set up so that there is an LDAP connection syncing people’s usernames and passwords from Active Directory, and he turned on encryption for the storage. If I understand everything correctly, I believe that employee enabled per-user encryption keys… when a user changes their AD password, they then need to go into the cloud and enter new and old passwords to update their encryption keys.

The problem we’re running into is that some users don’t use or access the cloud very often. So when multiple passwords go by in between logins, those users often don’t remember their password from the last time they used the cloud. If they don’t have password recovery enabled (which we’re finding, many don’t), my research appears to indicate that they may just be up a creek at that point.

So, my questions are…

  1. Is my assumption correct that per-user encryption keys are enabled on this server? Or is there a command to definitively tell for certain?

  2. If my assumption is correct, how do I make the switch from per-user encryption keys to server-wide keys? I’ve looked through the instructions related to encryption a couple times, and it looks like the only instructions I could find will result in per-user keys being turned on. Are there instructions floating around to make the switch to just using a server-wide key, or (if I decrypt the storage) enabling JUST a server-wide key?

  3. Is there any possibility of having the password recovery option enabled by default in the future, or any way to administratively enable it for all your users? If I’m sitting down one-on-one with a user to show them the cloud for the first time, the first thing I always do is make sure they turn that option on. But that doesn’t necessarily help me if I’m showing it to a whole department during a presentation or if some users find out about the cloud from another user.

Thanks for any info you’ll be able to provide!
Tom Londe

Anyone have any thoughts on this? Is server-wide encryption really a thing, and are there instructions out there on how to make that switch? Or are per-user encryption keys the only option? Thanks!

Hello Tom,
I believe it is possible to switch from per-user to a master key system. I recently switched my instance from master to per-user with only (minor) problems. This advice is from the perspective of an Ubuntu server, with a command line to call Nextcloud’s occ tool. You may have to research how to use this (if you don’t already know).

To determine whether you are using per-user or master keys, the easiest method is to go to Settings → User → Privacy in the web interface. You will see a mention of whether your files are encrypted with “an individual user key” or “master key”. If the former, then your Nextcloud is indeed using per-user keys. I will proceed under the assumption you are.

With direct access to the functional Nextcloud instance, a wise first step would be to create a recovery key under Settings → Admin → Security in the web interface, where the controls for Default encryption module contain the option to enter a password as a recovery key.

Once complete, every user should go to Settings → User → Security, where they will now find a checkbox to enable the recovery key. This will allow complete decryption of all data, which is necessary to change the encryption method.

Head onto the server terminal, and locate the root for the Nextcloud data (usually /var/www for Ubuntu). If you are using docker or snap, you will need to search how to execute occ commands from there.
Here is the command as I would execute it:

    sudo -u www-data ./occ encryption:decrypt-all

This will request the recovery password we set up earlier, and it is very important that ALL users have this enabled. This will likely take hours to days depending on the size of your instance. Once complete, all files will be accessible in decrypted format. Creating a backup of the data in this state is something you should consider.

Next, we will enable the master-key mode (also through occ):

    sudo -u www-data ./occ encryption:enable-master-key

Now we will have master keys enabled and are ready to re-encrypt the data. This can be done with:

    sudo -u www-data ./occ encryption:encrypt-all

Once complete, check back to the settings where Nextcloud stated the instance was using individual user keys. It should now say it is using a master key.

Hope this helps!
Make sure to ask any questions if you are unsure of one of these steps, I am happy to help

As a quick side note, once you begin executing occ commands, you should ensure all users are logged out, and potentially shut down the web server (such as apache/nginx) until the process is complete.
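The procedure from the answer above, wrapped in a script as an added example (this is not code from the thread or from the Nextcloud project). It adds a command-line answer to the original question 1 by reading the encryption app's key-mode setting, and it runs the decrypt → enable-master-key → encrypt sequence with the web server stopped, as the side note suggests. Assumptions, none of which the thread states: Nextcloud is installed in `$NC_ROOT` (default /var/www/nextcloud), the web server runs as `$WEB_USER` under the systemd unit `$WEB_SERVICE`, and the encryption app stores its key mode in the app-config key `useMasterKey`.

```shell
#!/bin/sh
# Added example, not from the thread: check the encryption key mode from the
# command line and run the per-user -> master-key migration described above.
# Assumed layout (adjust via environment variables): Nextcloud in $NC_ROOT,
# web server user $WEB_USER, web server systemd unit $WEB_SERVICE.
set -eu

NC_ROOT="${NC_ROOT:-/var/www/nextcloud}"
WEB_USER="${WEB_USER:-www-data}"
WEB_SERVICE="${WEB_SERVICE:-apache2}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each privileged command instead of running it

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

occ() {
    run sudo -u "$WEB_USER" php "$NC_ROOT/occ" "$@"
}

# Map the raw value of the (assumed) useMasterKey app setting to a readable mode.
# "1" means one server-wide master key, "0" means per-user keys. An empty value
# means the setting was never written and the release default applies, so in
# that case confirm in the web interface as the answer above describes.
key_mode_from_value() {
    case "$1" in
        1) echo "master-key" ;;
        0) echo "per-user" ;;
        *) echo "unset" ;;
    esac
}

current_key_mode() {
    key_mode_from_value "$(occ config:app:get encryption useMasterKey 2>/dev/null || true)"
}

# The migration in the answer's order. decrypt-all prompts for the recovery
# password, so every user must have enabled the recovery key beforehand;
# any user who has not will keep files that cannot be decrypted.
migrate_to_master_key() {
    run sudo systemctl stop "$WEB_SERVICE"   # nobody logs in or syncs while keys change
    occ encryption:decrypt-all               # asks for the recovery password
    occ encryption:enable-master-key
    occ encryption:encrypt-all               # re-encrypt everything under the single master key
    run sudo systemctl start "$WEB_SERVICE"
}

if [ "${1:-}" = "status" ]; then
    echo "Encryption key mode: $(current_key_mode)"
elif [ "${1:-}" = "migrate" ]; then
    migrate_to_master_key
fi
```

Run `sh migrate.sh status` first; `DRY_RUN=1 sh migrate.sh migrate` prints the exact commands that would be executed so you can review them before the real run, which is interactive because decrypt-all and encrypt-all prompt for confirmation.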