Attempting to view/edit a user password throws up a warning that is unjustified, illogical and without any reference or evidence to an absurd claim. Changing passwords is critical in maintaining security, the attitude of the NC developer community is simply outrageous.
Under no circumstances is data loss justifiable, certainly not transferring incompetence to another party such as that of a sysadmin. The statement its self is illogical as there is no further information which references the cause of such a statement.
Nextcloud version :13.0.1
Operating system and version : FreeBSD 11.1 p9
Apache or nginx version: nginx 1.14.x
PHP version 7.1
The issue you are facing:
Is this the first time you’ve seen this error? No
Steps to replicate it:
login as admin
select users
click password edit field
warning fails to indicate
Consequences of the policy towards passwords:
NC users and admins are afraid to regularly practice security procedures by such incomplete warnings.
This is due to the encryption design. Each file is encrypted with a key and these keys are protected by the user password. If you loose this password, you can recover the files (except you have put these recovery keys in place, which is not the case and that’s the reason you get this warning).
What happens during a password change? In case of the user itself, he can change the password and the encryption key’s password is changed as well (because he knows the old password). In case the admin changes the password, he does not (and in general must not) know the old password. He can change the login but not update the encrypted keys.
After the admin changes the password, the user can login with the new password, but then he must provide his old password to update the encryption keys.
In the beginning the design probably wanted that the user is also protected from a malicious admins as well. However, since the server-side encryption takes place on the server, the passwords are handled by the server, a server admin can obtain the password or the unencrypted files (unless the user uploaded them once encrypted and never connects to the server again). So lately, the official recommendation go back to say that it is rather for external storage where it was designed for originally (so you can use external storage you don’t trust so much). So it only makes sense in this case to run server-side encryption with recovery key which would allow easy change of passwords by admins. Perhaps there should be a clearer statement, by enforcing recovery keys and naming the whole solution external storage encryption.
To provide good protection of user data even against the admin, there is currently an effort to provide client-side encryption over all clients. The server support is already in place, some clients are already supporting it (android) with other to come later this year (desktop).
There is a recent status of all the available encryption on Nextcloud:
Please try to make your comments and ideas a bit more constructive. Warnings can be unclear and require improvement. Even the overall encryption process could have flaws. I’m not happy with all the wording and presentation, often people turn on this server-side encryption without real benefits and a large risk to loose their data.
I don’t use encryption at all and get the same error message. And I can’t change the password
To your point: There are always users that will forget their password and not all of them will use the checkbox to enable password recovery. I know that because I tell them to change their password but way to many don’t… So there needs to be an option to prevent data loss for people that are not experts in Nextcloud or cloud storage at all. In my opinion, the admin and/or the user should have an option to reset passwords without data loss by default. Password-loss resulting in data-loss should be a well-explained “opt-in” decision made by the user only.
How about the admin can click a button to change the password to a random one but only the user gets an email with the new user and the encryption key on the server changes accordingly?
EDIT:
ok, I changed it via: sudo -u www-data php occ user:resetpassword the_user_name
in the console but got an error message:
Private Key missing for user: please try to log-out and log-in again
Wow, log-out what? SSH? the user in nextcloud? the admin user? The user can’t even log in, so this is not a great help.
After I tried logging in with the new credentials, that worked, however a message kept popping up:
Falscher privater Schlüssel für die Verschlüsselungs-App. Bitte aktualisieren Sie Ihren privaten Schlüssel in Ihren persönlichen Einstellungen um wieder Zugriff auf die verschlüsselten Dateien zu erhalten
Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files
So I followed the advice of this guy, disabling the “Default encryption module” app, which finally worked.
