Cannot decrypt files - "Private Key missing for user"

When trying to decrypt user files in Nextcloud using "php occ encryption:decrypt-all" I am asked to continue, then asked for the user password, then told "Private Key missing for user: "

I’m running Nextcloud 9.0.53, that had been installed over ownCloud 9.0. Server VM is CentOS 7.4 64-bit. Encryption is enabled with the default encryption module. Users are a mix of almost all LDAP (active directory) with about a dozen external entities using database accounts.

Am I missing something here? Under my data directory /mnt/ocdata/stjohnson/files_encryption/OC_DEFAULT_MODULE I do see a .privateKey file as well as a .publicKey file. All users have these files in their respective directories. I have tried disabling SELinux with “setenforce 0” to see if that was the culprit, but it wasn’t. Nothing is logged to the owncloud.log file when I attempt the decryption.

Any help would be greatly appreciated. We enabled encryption when we migrated to Nextcloud and users are having issues with remembering their previous passwords, and it’s turned out to be more hassle than it’s worth. I want to decrypt all users files and disable encryption going forward. I thought I had enabled a master recovery key, but the password I wrote down doesn’t work, so we have to rely on user passwords.

Let me know if you need any additional information, logs or screenshots. Thanks!
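An added example (a shell script, not code from the original post or from Nextcloud) that automates the check described above: it walks the data directory, reports which users have no usable private/public key pair, and, when the install directory is reachable, asks occ for each such user's last login, since the key is created at first login. It assumes the key-file layout quoted in the post (<uid>.privateKey and <uid>.publicKey under files_encryption/OC_DEFAULT_MODULE), that system-wide master/recovery keys live under <DATADIR>/files_encryption/OC_DEFAULT_MODULE, and a default install path of /var/www/html/nextcloud; all three are assumptions. A key file that exists but is wrapped with a password the user no longer knows is a different failure from a missing file; this script only finds the latter.

```shell
#!/bin/sh
# Added example, not code from the original post or from Nextcloud.
# Audits the per-user encryption key files that "occ encryption:decrypt-all"
# needs, so missing keys can be found before the interactive run.
#
# Assumed layout (matches the path in the post above):
#   <DATADIR>/<uid>/files_encryption/OC_DEFAULT_MODULE/<uid>.privateKey
#   <DATADIR>/<uid>/files_encryption/OC_DEFAULT_MODULE/<uid>.publicKey
# Assumed system-wide key dir (master/recovery keys):
#   <DATADIR>/files_encryption/OC_DEFAULT_MODULE/
# Assumed Nextcloud install dir (second argument): /var/www/html/nextcloud

# check_user_keys DATADIR UID
# Prints a status line for one user and returns:
#   0  private and public key both present and non-empty
#   1  no key directory at all (the key is created at first login, so the
#      user may never have logged in since encryption was enabled)
#   2  private key missing or empty
#   3  public key missing or empty
check_user_keys() {
    datadir=$1
    uid=$2
    keydir="$datadir/$uid/files_encryption/OC_DEFAULT_MODULE"
    if [ ! -d "$keydir" ]; then
        echo "$uid: no key directory ($keydir)"
        return 1
    fi
    # Match by suffix rather than hard-coding the file name; -s also rejects
    # a zero-byte key file, which would look "present" to a plain ls.
    set -- "$keydir"/*.privateKey
    if [ ! -s "$1" ]; then
        echo "$uid: private key missing or empty in $keydir"
        return 2
    fi
    set -- "$keydir"/*.publicKey
    if [ ! -s "$1" ]; then
        echo "$uid: public key missing or empty in $keydir"
        return 3
    fi
    echo "$uid: ok"
    return 0
}

# count_missing_keys DATADIR [NEXTCLOUD_DIR]
# Walks every user home under DATADIR (a home is a directory with a files/
# subdirectory; appdata_*, files_external, etc. are skipped), reports each
# user's status on stderr, and prints the number of users without usable
# keys on stdout. For those users it also asks occ for the last login, when
# the install directory is reachable, since the key is created at first login.
count_missing_keys() {
    datadir=$1
    ncdir=${2:-/var/www/html/nextcloud}   # assumed install path
    missing=0
    for home in "$datadir"/*/; do
        home=${home%/}
        uid=${home##*/}
        [ -d "$home/files" ] || continue
        if check_user_keys "$datadir" "$uid" >&2; then
            continue
        fi
        missing=$((missing + 1))
        if [ -f "$ncdir/occ" ]; then
            php "$ncdir/occ" user:lastseen "$uid" >&2 || true
        fi
    done
    echo "$missing"
}

# Usage: sh audit_keys.sh /mnt/ocdata [/var/www/html/nextcloud]
if [ -n "${1:-}" ]; then
    sysdir="$1/files_encryption/OC_DEFAULT_MODULE"
    if [ -d "$sysdir" ]; then
        echo "system-wide keys in $sysdir:" >&2
        ls -l "$sysdir" >&2
    fi
    echo "users without usable keys: $(count_missing_keys "$1" "${2:-}")"
fi
```

Run it as the account that owns the data directory (typically apache on CentOS) so every user home is readable; a user reported as "ok" here but still rejected by decrypt-all has a key file whose password does not match, which is the case the script cannot detect.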

And there is a key for that user as well? The encryption code has changed over the last version; normally the key was created on the user’s first login. The option user:lastseen of the occ command shows the last login of a user.
@bjoern

Yes, there is a key. The user I’m testing this on is my own user, and I use it daily. The key has to exist for users because when their network password changes, they are able to migrate their encryption key in Nextcloud by changing their password.

Nevermind, this can be closed. I’ve spun up a brand new server, migrated the database and have been having users log into the old server and move their files over. PITA but it seemed like the only way forward.