Decrypting users files

Nextcloud version (eg, 12.0.2): 16.0.4
Operating system and version (eg, Ubuntu 17.04): CentOS 7.7
Apache or nginx version (eg, Apache 2.4.25): nginx-1.17.3
PHP version (eg, 7.1): 7.3

Hey folks,

I am having a rough time. Running current NextCloud on CentOS 7 with PHP 7.3 with nginx. Everything runs smoothly for years, or so we thought. Some years ago we had encryption turned on, but it had to gain and forbid us to use things like preview generation etc. So I didabled the module. This resulted in new files being written unencrypted while old files were transparently decrypted (It just worked).

Now, encrypted files have nearly phased out, except for one user: This guys has tons over tons of encrypted files. Now he can’t access his old files anymore (private key not found)-- but: Each encrypted file has its unique keyfiles in files_encryption as well as the users master key.

What this user did what no one else did: He changed his passwords three times after the decyption-turn-off event. Luckily, we have all the passwords from first to last one.

I would wager that some files are encoded with password 1, then the following files with password 2 and so fort (guessed). Now given the fact that we have all the required keys and passwords, what would be a nice/brute force/hackingly way to decode this?

I already created a seperate VM with a running nextcloud instance and his data to trial and test even the bloodiest of hacks.

Anything is welcome.