Decrypting encrypted files

Hi!

I accidentally deleted all of my files from /var/lib/docker on XFS. That means I lost all of the directory structure data and filenames. Currently I am recovering file blobs from fs, but they are encrypted by Nextcloud.

How can I distinguish NC-encrypted file? (magic number?)

How can I decrypt it?

Do you have the encryption keys?

Yes -> Restore from backup or modify the config.php so it uses the key.

No -> Brute force and hope your password was terrible or you will never recover the data.

I do have several clients logged in in the time of this accident, and my old config.php with secrets but IDK how to get keys out and to decrypt the files
:expressionless:

the keys are here files_encryption/keys/files/
somewhere. or?

I lost directory structure, so I need to find them in one of the blobs. Do they have a distinct header or something?

sorry. i don’t know the answer.

you may use my one of my playbooks https://github.com/ReinerNippes to setup a test environment to check if you can find the answer there. (filename, string “AES-128” as content, or something like this, …)