Decrypting encrypted files


I accidentally deleted all of my files from /var/lib/docker on XFS. That means I lost all of the directory structure data and filenames. Currently I am recovering file blobs from fs, but they are encrypted by Nextcloud.

How can I distinguish NC-encrypted file? (magic number?)

How can I decrypt it?

Do you have the encryption keys?

Yes -> Restore from backup or modify the config.php so it uses the key.

No -> Brute force and hope your password was terrible or you will never recover the data.

I do have several clients logged in in the time of this accident, and my old config.php with secrets but IDK how to get keys out and to decrypt the files

the keys are here files_encryption/keys/files/
somewhere. or?

I lost directory structure, so I need to find them in one of the blobs. Do they have a distinct header or something?

sorry. i don’t know the answer.

you may use my one of my playbooks to setup a test environment to check if you can find the answer there. (filename, string “AES-128” as content, or something like this, …)