Decrypt My Files

Engineer-of-Stuff · April 15, 2018, 2:19am

I decrypted (and disabled encryption on) my install (using occ encryption:decrypt-all) and then downloaded my files, but the files were still encrypted. I have the keys that the server used and the recovery password.

Am I able to decrypt and recover my files?

Update: I have the database dump.

tflidd · April 16, 2018, 11:08am

You also need the database because the files were signed with database information. In theory, you should be able to recover files without the signature check but this would need a modification of the code.

Regarding decryption, there are already a couple of bug reports:

Engineer-of-Stuff · April 16, 2018, 2:59pm

I found a dump of my database. I realized that I don’t have my user keys, but I do have the account password. What do you suggest I do next?

tflidd · April 16, 2018, 9:43pm

You need the user keys and the user password (or master key), with the database you should be able to restore the setup and get the data:
https://docs.nextcloud.com/server/13/admin_manual/maintenance/restore.html

Engineer-of-Stuff · April 17, 2018, 3:58pm

So to confirm, I can recover files without the user’s personal keys (anything in data/[my username]/files_encryption) but with the master keys in data/files_encryption/OC_DEFAULT_MODULE?

Also, what are recovery keys used for? I have the master recovery keys and I’m wondering if I could just use those to decrypt anything.

So far, I’ve:

Set up a new Nextcloud install.
Replaced the database with the dump I recovered.
Update the config file with the one from my old install. Replaced the instanceid, passwordsalt, and secret fields.
Import the keys from my old install to data/files_encryption/OC_DEFAULT_MODULE.
Upload an encrypted text file and run the command to scan for new files.
Try to open the file, it gives the error “Can not decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.” I assume that this is because there is no corresponding key in data/[my username]/files_encryption/keys/files.

I then ran the command occ encryption:encrypt-all in hopes that it would generate a key for the file, but it just said that the file was already encrypted.

Engineer-of-Stuff · April 19, 2018, 3:04pm

Anyone got any ideas?

tflidd · April 20, 2018, 7:38am

You have a key for each user, and then a key for each file. You’ll probably need the key for each file; not sure about the user key if you need it on top of the master key. @bjoern could be answer it for sure…

Unfortunately documentation and tools are very poor when you can’t restore a complete system with server-side encryption. Considering all the open topics, it’s a good idea to test a full backup and recovery procedure…

bjoern · April 20, 2018, 8:29am

Hi,

you have to distinguish between the master key and the recovery key. In general Nextcloud provides to possible setups:

Every user has it’s own private/public key and the Admin can additionally offer a recovery key which each user need to accept (opt-in). In order to decrypt the user files with occ you need either the users password and in this case the users private key + the file keys + the database to check the signature or the recovery key password (if the user enabled the recovery key). In case of the recovery key you need the private recovery key, the password of the recovery key, the file keys and the database. This was the default setup until Nextcloud 13, you could enable the master key with occ encryption:enable-master-key, in this case setup 2 is used.
A master key is used. This is the default if encryption was enabled for the first time with Nextcloud 13 or later or if it was enabled by the admin with the occ command occ encryption:enable-master-key. In this case there is only one key used for all files of all users, the private key is encrypted with the instance password. In order to decrypt all files with the occ command you only need the private master key, the file key and the database.

For the database, it is important that the database is from the exact same time as the files in your data folder. Every time a encrypted file is updated we increase the “file version” in the database. Only if the “file version” stored in the database matches the version of the real file it is possible to decrypt it again. Otherwise you would have to disable the signature check.

If you don’t have the necessary keys (either from setup 1 or setup 2, depending what is your setup) and a system where your files and database are in sync, decrypting the files is not possible. Don’t run “encrypt-all” if your files are already encrypted. Yes, it will generate missing encryption keys, but this keys will be useless with the already encrypted files as they were encrypted with a different key.

janar · April 23, 2018, 7:02am

Hey, its possible to decrypt nextcloud files, if i only have nextcloud data ?
cache
files
files_encryption

hannes.edinger · April 27, 2018, 10:14pm

Same situation as @janar here: I’ve got all files from the NC data directory, where some newer files are encrypted (setup 1 as described by @bjoern), but the database backup is out of sync with the file system. Is there any way to decrypt the files - maybe manually without occ?

tflidd · April 28, 2018, 1:52pm

In theory yes. You can somehow disable the signing process or disable the verification of it. I tried it a bit but didn’t get it working (I’m not a programmer, so don’t be discouraged):

github.com/nextcloud/server

Nextcloud update cause encryption files not opened anymore or being encrypted.

opened 11:39PM - 19 Nov 16 UTC

closed 12:49PM - 10 Aug 18 UTC

mihailllaftiu

bug feature: encryption (server-side)

### Steps to reproduce 1.Login as user 2.User can navigate through his uploaded files 3.User is capable of open or download his files ### Expected behaviour Tell us what should happen Files should open or download without any problem ### Actual behaviour Tell us what happens instead Files can't download or open because are encrypted, so when the user is trying to download the, the browser is acting like you are trying to download via local. ![encrypted-user-files](https://cloud.githubusercontent.com/assets/23584872/20459201/ecfc1288-aec1-11e6-8e3f-9479e0504097.jpg) In other hand when user tries to open the files, browser redirect with error message "File not found" and url doesn't seems like normaly "[domainname]/apps/files/?dir=/[DirectoryName]/[FileName]&fileid=26" but something like this "[domainname]/remote.php/webdav/[FileName]" instead. ### Server configuration **Operating system**: CentOS 6.8 **Web server:** VPS **Database:** MySQL 5.5.52 **PHP version:** Ver. 7 (FastCGI) **Nextcloud version:** (see Nextcloud admin page) $OC_Version = array(9,1,1,5); $OC_VersionString = '10.0.1'; $OC_Edition = ''; $OC_Channel = 'stable'; $OC_VersionCanBeUpgradedFrom = array(9,0); $OC_Build = '2016-09-28T13:31:28+00:00 12ec1d1e3e5d90140e2afaca8afc3727dadeca1a'; $vendor = 'nextcloud'; **Updated from an older Nextcloud/ownCloud or fresh install:** $OC_Version = array(9,1,1,5); $OC_VersionString = '10.0.1'; $OC_Edition = ''; $OC_Channel = 'stable'; $OC_VersionCanBeUpgradedFrom = array(9,0); $OC_Build = '2016-09-28T13:31:28+00:00 12ec1d1e3e5d90140e2afaca8afc3727dadeca1a'; $vendor = 'nextcloud'; **Where did you install Nextcloud from:** The previous version was downloaded from the official website of nextcloud. The update, i 'm not sure! **Signing status:** <details> Login as admin user into your Nextcloud and access http://example.com/index.php/settings/integrity/failed paste the results here. No errors have been found. </details> **List of activated apps:** <details> If you have access to your command line run e.g.: sudo -u www-data php occ app:list from within your Nextcloud installation folder: Enabled: - activity: 2.3.2 - comments: 1.0.0 - dav: 1.0.0 - encryption: 1.3.1 - federatedfilesharing: 1.0.1 - federation: 1.0.1 - files: 1.5.2 - files_pdfviewer: 0.8.1 - files_reader: 0.7.2 - files_sharing: 1.0.0 - files_texteditor: 2.1 - files_trashbin: 1.0.0 - files_versions: 1.3.0 - files_videoplayer: 0.9.8 - firstrunwizard: 1.1 - gallery: 15.0.0 - notifications: 0.3.0 - password_policy: 1.0.0 - provisioning_api: 1.0.0 - serverinfo: 1.1.1 - survey_client: 0.1.5 - systemtags: 1.0.2 - templateeditor: 0.1 - theming: 1.0.1 - updatenotification: 1.0.1 - workflowengine: 1.0.1 Disabled: - admin_audit - audioplayer - calendar - contacts - external - files_accesscontrol - files_automatedtagging - files_external - files_retention - music - quicknotes - registration - tasks - user_external - user_ldap - user_saml </details> **The content of config/config.php:** <details> If you have access to your command line run e.g.: sudo -u www-data php occ config:list system from within your Nextcloud installation folder: { "system": { "instanceid": "ocieaexjlsza", "passwordsalt": "***REMOVED SENSITIVE VALUE***", "secret": "***REMOVED SENSITIVE VALUE***", "trusted_domains": [ "cloud.paragonmm.gr", "www.cloud.paragonmm.gr" ], "datadirectory": "\/var\/www\/vhosts\/paragonmm.gr\/cloud.paragonmm.gr\/data", "overwrite.cli.url": "https:\/\/cloud.paragonmm.gr", "dbtype": "mysql", "version": "9.1.0.16", "dbname": "paragonm_cloud", "dbhost": "localhost:3306", "dbtableprefix": "oc_", "dbuser": "***REMOVED SENSITIVE VALUE***", "dbpassword": "***REMOVED SENSITIVE VALUE***", "logtimezone": "UTC", "installed": true, "singleuser": false } } </details> **Are you using external storage, if yes which one:** local/smb/sftp/... NO **Are you using encryption:** yes/no YES **Are you using an external user-backend, if yes which one:** LDAP/ActiveDirectory/Webdav/... NO </details> ### Client configuration **Browser:** Mozilla / Chrome **Operating system:** Windows 10 ### Logs #### Web server error log <details> <summary>Web server error log</summary> 2016-11-20 01:21:49 Error 37.6.0.230 500 GET /remote.php/webdav/%CE%91%CE%9D%CE%91%CE%9A%CE%9F%CE%99%CE%9D%CE%A9%CE%A3%CE%97.doc HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0 9.44 K Apache access </details>

bjoern · May 4, 2018, 10:22am

Yes, you could disable the signature check by editing the code.But this is really not recommended. Only see this a action of last resort if there is no other way to decrypt your files again!

If you edit this file https://github.com/nextcloud/server/blob/master/apps/encryption/lib/Crypto/Crypt.php#L481 and add between L480 and L481 “return true;” This way the signature check will always return true, but as said, that’s not a solution but only something you can do if nothing else helps.

Tilo · July 19, 2018, 4:36am

I reopend the topic for disabling the signature check here:

suntorytimed · August 21, 2018, 7:48am

The reason why turning off the signature check isn’t enough, is that the server reports a different filesize to the client and breaks off the download too early. The client therefore thinks that the connection was lost and reports an error. But the file is already downloaded successfully (f.e. in Chrome you just have to remove .crdownload at the end of the downloaded file). I have written a small Python 3 script that can download the files via WebDav. It is a dirty hack, but at least I can recover my files.

You can find the script including an explanation in my gitea repository:
https://gitea.hibiki.eu/suntorytimed/nc-downloader

suntorytimed · August 21, 2018, 11:18am

After checking the downloads I discovered that while the JPEGs open without any problem my RAW files didn’t. Looking closer at the JPEGs I could see that in the last pixel line there were some blocks missing. So the download wasn’t finished. Following up on the error message that gets displayed in Nextcloud in the hasSignature() call of splitMetaData() I discovered that the encrypted data field was empty and therefore there can’t be a signature in the file. To bypass this I have added following if clause into the function symmetricDecryptFileContent() in apps/encryption/lib/Crypto/Crypt.php:

            if ($keyFileContents == '') {
                    return '';
            }

I have put this code as the first command in the symmetricDecryptFileContent(). Together with disabling the signature check (putting return true; in the checkSignature() function in the same file):

    private function checkSignature($data, $passPhrase, $expectedSignature) {
            $signature = $this->createSignature($data, $passPhrase);
            if (!hash_equals($expectedSignature, $signature)) {
                    return true;
                    throw new GenericEncryptionException('Bad Signature', $this->l->t('Bad Signature'));
            }
    }

I can now see the previews in the web interface and download all files decrypted and even download the folders as zip-files. My script is not necessary anymore

tflidd · August 21, 2018, 12:22pm

@suntorytimed: Would you accept to take your solution as an answer to this question? For problems, we could refer to your repository and there is still an issue on the bug tracker in case there should be an official tool one day.

suntorytimed · August 21, 2018, 12:55pm

@tflidd I assume that my second post is a solution for this problem. At least as long as the user does have a Nextcloud instance with the database, files and keys in place. As long as the decryption only fails because of the wrong signature this answer would help recover the encrypted files.

If the user doesn’t have a database dump, the keys or an old instance that was used with the encryption the user can’t recover the files using this method.

The script is not really necessary anymore as the web interface can handle the download now as well.

I have submitted the empty string check as a fix to the upstream project. Even though this might not happen so often it is still better than having an exception (but I let the maintainers decide this). If this is merged the user only has to deactivate the checkSignature() by adding a return true;. I would still prefer an option call in occ though.

You can find the request here: https://github.com/nextcloud/server/pull/10778

yahesh · August 7, 2019, 5:43am

Hi, have you been able to recover your files? If not: We’ve written a tool that allows you to decrypt individual files if you still have your Nextcloud data directory and configuration file. It supports master key encrypted files, user key encrypted files (you additionally need the user passwords) and recovery key encrypted files (you additionally need the recovery password): decrypt-file.php

u1612361 · December 8, 2020, 4:48am

Hello yahesh - any chance you can re-post that decrypt-file.php? I have a wonky NC and have files I need

Thanks!

JABAHOSTING · January 11, 2021, 6:35pm

Try this file!