Decrypt-all left many files still encrypted

Nextcloud version: 19.0.5
Operating system and version: Ubuntu 20.04
Apache or nginx version:nginx/1.18.0 (Ubuntu)
PHP version: 7.4

I don’t want to use server side encryption anymore (due to easy backup recovery), so I disabled it and called sudo -u www-data php /var/www/html/owncloud/occ decryption:decrypt-all. After running some hours it seems to have finished, after about 25k (of 120k total) files are still encrypted. I ran the command several times, but the files are still encrypted.

I made a find to figure out the not decrypted files find /mnt/clouddata/data/ -type f -path "*/files/*" -not -path "*/keys/*" -exec sh -c 'head -c27 "$1" |grep HBEGIN:oc_encryption_ 1>/dev/null && echo "$1"' sh {} \; and found 25529 files. I queried the database and got nearly the same result: select count(*) from oc_filecache where encrypted = 1; => 25551 (but I’m not sure if that’s the right place to investigate).

I thought I would prevent users from accessing files due to enabling maintainence mode, but I’m not sure if that is sufficient. However, I’m quite sure that not 1/4 of all files are currently accessed because I ran the commands at night.

Could some one give me a hint how to (complety) decrypt my NC?
Thank you very much.

Is this the first time you’ve seen this error? (Y/N): N

Steps to replicate it:

  1. sudo -u www-data php /var/www/html/owncloud/occ decryption:decrypt-all
  2. (Files are still encrypted)

The output of your Nextcloud log in Admin > Logging: Nothing regarding the decryption.

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

$CONFIG = array (
  'instanceid' => 'XXX',
  'passwordsalt' => 'YYY',
  'trusted_domains' =>
  array (
    0 => 'XXX1',
    1 => 'XXX2',
    2 => 'XXX3',
    3 => 'XXX4',
    4 => 'XXX5',
    5 => 'XXX6,
  'datadirectory' => '/var/www/html/owncloud/data',
  'dbtype' => 'mysql',
  'version' => '',
  'installed' => true,
  'ldapIgnoreNamingRules' => false,
  'mail_smtpmode' => 'smtp',
  'mail_from_address' => 'XXX',
  'mail_domain' => '',
  'mail_smtphost' => '',
  'mail_smtpport' => '587',
  'maintenance' => false,
  'dbname' => 'ocl',
  'dbhost' => 'XXX,
  'dbuser' => 'ocl',
  'dbpassword' => 'XXX',
  'theme' => '',
  'secret' => 'XXX',
  'redis' =>
  array (
    'host' => 'localhost',
    'port' => 6379,
  'defaultapp' => 'calendar',
  'overwriteprotocol' => 'https',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'logtype' => 'owncloud',
  'loglevel' => 0,
  'cron_log' => true,
  'log_rotate_size' => 10000000,
  'trashbin_retention_obligation' => 'auto',
  'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
  'share_folder' => '/Mit mir geteilt',
  'log_type' => 'file',
  'logfile' => 'data/nextcloud.log',
  'mysql.utf8mb4' => true,
  'trusted_proxies' =>
  array (
    0 => 'XXX',
    1 => 'YYY',
  '' => 'stable',
  'overwrite.cli.url' => 'XXX',
  'app_install_overwrite' =>
  array (
    0 => 'calendar',
  'encryption_skip_signature_check' => 'true',
  'mail_sendmailmode' => 'smtp',
  'mail_smtpsecure' => 'tls',
  'mail_smtpauth' => 1,
  'updater.secret' => '',

The output of your Apache/nginx/system log in /var/log/____: Nothing special.

I investigated a bit deeper. There are encrypted files on the disk (I examined the first characters of the file), but the check in source file DecryptAll.php, about line 226 if ($file->isEncrypted() === false) { is evaluated to true, so the file is not going to be decrypted. In the database table oc_filecache the attribute encrypted is 0. I did a sudo -u www-data /usr/bin/php /var/www/html/owncloud/occ files:scan --all but the database entry was not updated.
What am I doing wrong? Any hint?

In case that you also still have access to the config/config.php configuration file you can try to use decrypt-all-files.php of the third-party Nextcloud-Tools to rescue your files. Afterwards, you can add the rescued files to your new Nextcloud installation.