Decrypt encrypted data.. Need your help!.. (Without database)

Hey dear Nextcloud Support and other helpers!!

I’m in big trouble… I reinstalled my server and installed Nextcloud v11. I imported my data folder, themes folder and the config folder, but now I have seen that I forgot to back up my database.

Now my question… How can I decrypt my files without the database? Before the reinstall I was on Nextcloud v10. I have been trying for ~2 days and I can’t fix my problem… Can anyone help me? (occ can’t decrypt it, every time it says:

Files for following users couldn't be decrypted,
maybe the user is not set up in a way that supports this operation:

and the tool ocdec (from GitHub) is not working either…) Does anyone have an idea, or are my files lost forever? I have all keys, all passwords and everything, but not the (stupid) database…

Small info on the side: Yes, I have executed occ files:scan, and if I want to download a file, it produces a 503 error.

I hope so much that anyone can help me… I need the data… And if anyone can help me… Thank you so much! 🙂

Your XeroxDev

System information:
Nextcloud 11 | before 10
PHP: 7.0 | before 5.6
System: Debian 8 64bit
nextcloud logs:

Database information is used to sign the files. So it should be possible to decrypt if you turn off the signing. I tried this a bit but didn’t succeed:

Anyone else have an idea?.. 😕

A few days later and nobody can give an answer? 🙁

You don’t, basically. That is what file hashes are about; if you have deleted the database including the hashes, then that is it.

I have only deleted the database; the keys and files I have backed up.

12 days since the last answer, no one has any ideas?

Apols no as I haven’t set up encryption, hence why I thought the hashes were in the database.

openssl aes-256-cbc -d -a -in secrets.txt.enc -out

openssl enc -d -aes-256-cbc -in -out

I presume, but read up on openssl.

Sorry for my late answer, but I have been trying for a very long time. I have a good IT friend who wants to help me. I hope he gets it to work with your answer.

@XeroxDev did you find a way to do this in the end? I have over 10.000 files that are not in sync with my database and can’t be decrypted.

@tflidd switching off the signature check should be an occ command line option in my opinion. It is astonishing that nothing was done in this regard considering the sheer number of bug reports and complaints about this.

I made such a feature request last year:

@tflidd in the meantime I could find this Bad Signature: Decrypting files and this Signature check during encryption / decryption. Unfortunately the way to deactivate the signature check is not enough, as Nextcloud will complain about the file not having a signature at all. If I go a step further and deactivate the hasSignature check, it doesn’t change the end result.

@suntorytimed Nope, after such a long time, no idea; my friend is still working on it, but without success…

We are trying it without tools; we are developing our own decryptor, and there we have only one last problem… We can’t decrypt the keys. We have everything, we have the password, we have all files, but the key can’t be decrypted… But we still keep trying…

But I have still lost hope…

Kind regards

@XeroxDev Thanks for the reply. I think you can only decrypt the key as long as you have the same instance ID. As you don’t have a backup of the database I assume that the instance ID of the new server differs and you can’t decrypt the private key (except brute forcing it).

The reason why turning off the signature check doesn’t work is that the server reports a different file size to the client and breaks off the download too early. The client therefore thinks that the connection was lost and reports an error. But the file is already downloaded successfully (e.g. in Chrome you just have to remove .crdownload at the end of the downloaded file). I have written a small Python 3 script that can download the files via WebDAV. It is a dirty hack, but at least I can recover my files.

You can find the script including an explanation in my gitea repository:

(Sorry for repeating this post so often, but there are many forum entries and issues that people looking for a solution might find via Google 🙂)
After checking the downloads I discovered that while the JPEGs open without any problem, my RAW files didn’t. Looking closer at the JPEGs I could see that in the last pixel line there were some blocks missing. So the download wasn’t finished. Following up on the error message that gets displayed in Nextcloud in the hasSignature() call of splitMetaData(), I discovered that the encrypted data field was empty and therefore there can’t be a signature in the file. To bypass this I have added the following if clause into the function symmetricDecryptFileContent() in apps/encryption/lib/Crypto/Crypt.php:

            // Empty input carries no signature to split off; return an empty result
            if ($keyFileContents == '') {
                    return '';
            }

I have put this code as the first command in the symmetricDecryptFileContent(). Together with disabling the signature check (putting return true; in the checkSignature() function in the same file):

    private function checkSignature($data, $passPhrase, $expectedSignature) {
            $signature = $this->createSignature($data, $passPhrase);
            if (!hash_equals($expectedSignature, $signature)) {
                    // Recovery workaround: returning here makes the throw below unreachable,
                    // so blocks with a mismatching signature are accepted
                    return true;
                    throw new GenericEncryptionException('Bad Signature', $this->l->t('Bad Signature'));
            }
    }

I can now see the previews in the web interface and download all files decrypted and even download the folders as zip-files. My script is not necessary anymore 🙂
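Before patching Crypt.php as described in the post above, it can help to know which files on disk actually contain blocks without a signature or have no data blocks at all. The following read-only triage script is an added example, not code from this thread or from Nextcloud; the 8192-byte block size, the `HBEGIN…HEND` header layout and the `00sig00` marker are assumptions about the default encryption module's on-disk format, and the sample bytes are constructed.

```python
# Added example, not Nextcloud code. Layout constants below are assumptions
# about the default encryption module's on-disk format, not from the thread.
BLOCK = 8192             # assumed size of the header block and each data block
SIG_MARKER = b"00sig00"  # assumed marker preceding a block's signature
META_TAIL = 96           # assumed: 93 bytes of IV/signature metadata + "xxx"


def parse_header(first_block: bytes) -> dict:
    """Return header fields (cipher, signed, ...) or {} if there is no header."""
    if not first_block.startswith(b"HBEGIN:"):
        return {}
    end = first_block.find(b":HEND")
    if end == -1:
        return {}
    parts = first_block[7:end].decode("ascii", "replace").split(":")
    return dict(zip(parts[0::2], parts[1::2]))


def triage(blob: bytes) -> dict:
    """Report header fields, block count and data blocks lacking a signature."""
    header = parse_header(blob[:BLOCK])
    body = blob[BLOCK:] if header else b""
    blocks = [body[i:i + BLOCK] for i in range(0, len(body), BLOCK)]
    unsigned = [n for n, b in enumerate(blocks)
                if SIG_MARKER not in b[-META_TAIL:]]
    return {
        "encrypted": bool(header),
        "cipher": header.get("cipher"),
        "header_says_signed": header.get("signed") == "true",
        "blocks": len(blocks),
        "unsigned_blocks": unsigned,
        "empty_body": bool(header) and not blocks,
    }


def constructed_sample() -> bytes:
    """Constructed bytes: header, one signed full block, one unsigned short block."""
    header = (b"HBEGIN:oc_encryption_module:OC_DEFAULT_MODULE:"
              b"cipher:AES-256-CTR:signed:true:HEND").ljust(BLOCK, b"-")
    iv = b"00iv00" + b"A" * 16
    signed = b"c" * (BLOCK - META_TAIL) + iv + SIG_MARKER + b"0" * 64 + b"xxx"
    unsigned = b"c" * 40 + iv + b"xx"
    return header + signed + unsigned


if __name__ == "__main__":
    print(triage(constructed_sample()))
```

Passing the bytes of a file from the data directory to `triage()` lists the block indexes that would fail a signature lookup, so the patched code only needs to stay in place for as long as those files are being recovered.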

Hello and thanks for your reply. But I must say, we have the instance ID, but it still does not work.

Kind regards.

If all other means of recovering your files have failed: We’ve written a tool that allows you to decrypt individual files if you still have your Nextcloud data directory and configuration file. It supports master key encrypted files, user key encrypted files (you additionally need the user passwords) and recovery key encrypted files (you additionally need the recovery password): decrypt-file.php