Hi,
you have to distinguish between the master key and the recovery key. In general Nextcloud provides two possible setups:

1. Every user has its own private/public key and the admin can additionally offer a recovery key which each user needs to accept (opt-in). In order to decrypt the user files with occ you need either the user's password (in this case the user's private key + the file keys + the database to check the signature) or the recovery key password (if the user enabled the recovery key). In case of the recovery key you need the private recovery key, the password of the recovery key, the file keys and the database. This was the default setup until Nextcloud 13; you could enable the master key with `occ encryption:enable-master-key`, in this case setup 2 is used.

2. A master key is used. This is the default if encryption was enabled for the first time with Nextcloud 13 or later, or if it was enabled by the admin with the occ command `occ encryption:enable-master-key`. In this case there is only one key used for all files of all users; the private key is encrypted with the instance password. In order to decrypt all files with the occ command you only need the private master key, the file key and the database.

For the database, it is important that the database is from the exact same time as the files in your data folder. Every time an encrypted file is updated we increase the "file version" in the database. Only if the "file version" stored in the database matches the version of the real file is it possible to decrypt it again. Otherwise you would have to disable the signature check.

If you don't have the necessary keys (either from setup 1 or setup 2, depending on what your setup is) and a system where your files and database are in sync, decrypting the files is not possible. Don't run "encrypt-all" if your files are already encrypted. Yes, it will generate missing encryption keys, but these keys will be useless with the already encrypted files as they were encrypted with a different key.
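As an added illustration (not Nextcloud's code or its real on-disk format), the following toy model shows why the database "file version" has to match the file: the signature is bound to the version, a stale database entry fails the check unless the check is disabled, and a key freshly generated by encrypt-all cannot recover old ciphertext. The hash-based stream cipher, MAC layout and in-memory "database" are constructed assumptions for the demonstration only.

```python
# Added example, not Nextcloud code: a simplified model of the version-bound
# signature check described in the post. Cipher, MAC layout and "database"
# are constructed for illustration only.
import hashlib
import hmac
import os

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy hash-based stream cipher standing in for AES-CTR.
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + nonce + bytes([counter])).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def _sig(file_key: bytes, version: int, nonce: bytes, ct: bytes) -> bytes:
    # Signature covers the ciphertext AND the file version recorded in the DB.
    return hmac.new(file_key, version.to_bytes(4, "big") + nonce + ct, hashlib.sha256).digest()

def encrypt_file(file_key: bytes, plaintext: bytes, version: int) -> dict:
    nonce = os.urandom(16)
    ct = _keystream_xor(file_key, nonce, plaintext)
    return {"nonce": nonce, "ct": ct, "sig": _sig(file_key, version, nonce, ct)}

def decrypt_file(file_key: bytes, blob: dict, db_version: int, check_signature: bool = True) -> bytes:
    """db_version is what the database says; it must match the version the file was written with."""
    if check_signature:
        expected = _sig(file_key, db_version, blob["nonce"], blob["ct"])
        if not hmac.compare_digest(expected, blob["sig"]):
            raise ValueError("file version in database does not match the file")
    return _keystream_xor(file_key, blob["nonce"], blob["ct"])

def demo() -> dict:
    """In-sync DB decrypts; stale DB fails unless the check is disabled; a new key never works."""
    file_key = os.urandom(32)                      # constructed per-file key
    db = {"report.txt": 1}                         # constructed "file version" column
    blob = encrypt_file(file_key, b"quarterly numbers", db["report.txt"])
    in_sync = decrypt_file(file_key, blob, db["report.txt"])
    # File updated and re-encrypted as version 2, but the DB backup still says 1.
    blob = encrypt_file(file_key, b"quarterly numbers v2", 2)
    try:
        decrypt_file(file_key, blob, db["report.txt"])
        stale_ok = True
    except ValueError:
        stale_ok = False
    forced = decrypt_file(file_key, blob, db["report.txt"], check_signature=False)
    # A key freshly generated by encrypt-all cannot recover the old ciphertext.
    fresh = _keystream_xor(os.urandom(32), blob["nonce"], blob["ct"])
    return {"in_sync": in_sync, "stale_ok": stale_ok, "forced": forced,
            "fresh_key_works": fresh == b"quarterly numbers v2"}
```

Running `demo()` shows the in-sync case decrypting, the stale-database case raising until `check_signature=False` is passed, and the fresh key producing garbage.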