Deleting Files don't work with encryption Nextcloud 20

Expected behaviour

Actual behaviour

Deleting files fail when we turn on encryption on server

Server configuration

Server configuration detail

Operating system: Linux 4.15.0-135-generic #139-Ubuntu SMP Mon Jan 18 17:38:24 UTC 2021 x86_64

Webserver: Apache/2.4.29 (Ubuntu) (apache2handler)

Database: mysql 5.7.33

PHP version: 7.2.24-0ubuntu0.18.04.7

Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, sodium, session, standard, apache2handler, mysqlnd, PDO, xml, apcu, bcmath, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, gmp, iconv, igbinary, imagick, intl, json, exif, mysqli, pdo_mysql, Phar, posix, readline, redis, shmop, SimpleXML, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xmlreader, xmlwriter, xsl, zip, Zend OPcache

Nextcloud version: 20.0.8 - 20.0.8.1

Updated from an older Nextcloud/ownCloud or fresh install:

Where did you install Nextcloud from: unknown

Signing status

Array ( )

List of activated apps

Enabled:

• accessibility: 1.6.0
• activity: 2.13.4
• admin_audit: 1.10.0
• collaborative_tags: 1.10.0
• cloud_federation_api: 1.3.0
• comments: 1.10.0
• contactsinteraction: 1.1.0
• dashboard: 7.0.0
• encryption: 2.8.1
• deleted_files: 1.10.1
• external_storage_support: 1.11.1
• federation: 1.10.1
• file_sharing: 1.12.2
• first_run_wizard: 2.9.0
• log_reader: 2.5.0
• monitoring: 1.10.0
• nextcloud_announcements: 1.9.0
• notifications: 2.8.0
• password_policy: 1.10.1
• pdf_viewer: 2.0.1
• photos: 1.2.3
• privacy: 1.4.0
• recommandations: 0.8.0
• right_click: 0.17.0
• share_by_mail: 1.10.0
• support: 1.2.0
• text: 3.1.0
• theming: 1.11.0
• update_notification: 1.10.0
• usage_survey: 1.8.0
• user_status: 1.0.1
• versions: 1.13.0
• video_player: 1.9.0
• weather_status: 1.0.0

Configuration (config/config.php)

{
“instanceid”: “REMOVED SENSITIVE VALUE”,
“passwordsalt”: “REMOVED SENSITIVE VALUE”,
“secret”: “REMOVED SENSITIVE VALUE”,
“trusted_domains”: [
“preprod20.conmibox.com”
],
“datadirectory”: “REMOVED SENSITIVE VALUE”,
“dbtype”: “mysql”,
“version”: “20.0.8.1”,
“overwrite.cli.url”: “https://preprod20.conmibox.com”,
“dbname”: “REMOVED SENSITIVE VALUE”,
“dbhost”: “REMOVED SENSITIVE VALUE”,
“dbport”: “”,
“dbtableprefix”: “oc_”,
“mysql.utf8mb4”: true,
“dbuser”: “REMOVED SENSITIVE VALUE”,
“dbpassword”: “REMOVED SENSITIVE VALUE”,
“installed”: true,
“updater.secret”: “REMOVED SENSITIVE VALUE”,
“maintenance”: false,
“theme”: “”,
“loglevel”: 2
}

External storages: yes

External storage configuration

No mounts configured

Encryption: yes

User-backends:

OC\User\Database

Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36

Client configuration

Browser:

Operating system:

Logs

Nextcloud log (data/owncloud.log)

a) 
- adumortier/files_trashbin/files/1634A700.d1593705620 does not have a proper header
- /adumortier/files_trashbin/files/Bâtiment 2019 09 25.pptx.d1576225879 does not have a proper header
- /adumortier/files_trashbin/files/Bâtiment 2019 09 25.pptx.d1576225879 does not have a proper header
b)
Error | PHP | Error: hex2bin(): Input string must be hexadecimal string at /var/www/nextcloudurby/lib/private/Security/Crypto.php#125

c) 

Error | PHP | Error: hash_equals(): Expected user_string to be a string, boolean given at /var/www/nextcloudurby/lib/private/Security/Crypto.php#138
d) 

Error | PHP | Error: hex2bin(): Input string must be hexadecimal string at /var/www/nextcloudurby/lib/private/Security/Crypto.php#127

Browser log

<<closure>>

OC\Log\ErrorHandler::onError(2, "hash_equals ... n", "/var/www/ne ... p", 138, { 0: "And 3 ... e})

/var/www/nextcloudurby/lib/private/Security/Crypto.php - line 138:

hash_equals(null, false)

/var/www/nextcloudurby/lib/private/Encryption/Keys/Storage.php - line 303:

OC\Security\Crypto->decrypt("*** sensiti ... *")

/var/www/nextcloudurby/lib/private/Encryption/Keys/Storage.php - line 104:

OC\Encryption\Keys\Storage->getKey("/svolpi/fil ... y")

/var/www/nextcloudurby/apps/encryption/lib/KeyManager.php - line 554:

OC\Encryption\Keys\Storage->getFileKey("/svolpi/fil ... x", "master_12e5bf75.shareKey", "OC_DEFAULT_MODULE")

/var/www/nextcloudurby/apps/encryption/lib/KeyManager.php - line 460:

OCA\Encryption\KeyManager->getShareKey("/svolpi/fil ... x", "master_12e5bf75")

/var/www/nextcloudurby/apps/encryption/lib/Crypto/Encryption.php - line 202:

OCA\Encryption\KeyManager->getFileKey("/svolpi/fil ... x", "master_12e5bf75")

/var/www/nextcloudurby/lib/private/Files/Stream/Encryption.php - line 268:

OCA\Encryption\Crypto\Encryption->begin("/svolpi/fil ... x", "svolpi", "r", { oc_encrypt ... "}, [])

<<closure>>

OC\Files\Stream\Encryption->stream_open("ocencryption://", "r", 0, null)

/var/www/nextcloudurby/lib/private/Files/Stream/Encryption.php - line 207:

fopen("ocencryption://", "r", false, null)

/var/www/nextcloudurby/lib/private/Files/Stream/Encryption.php - line 187:

OC\Files\Stream\Encryption::wrapSource(null, null, "ocencryption", "OC\\Files\\Stream\\Encryption", "r")

/var/www/nextcloudurby/lib/private/Files/Storage/Wrapper/Encryption.php - line 475:

OC\Files\Stream\Encryption::wrap(null, "files/3 SUI ... x", "/svolpi/fil ... x", { oc_encrypt ... "}, "svolpi", OCA\Encrypti ... {}, OC\Files\Sto ... l}, OC\Files\Sto ... l}, OC\Encryption\Util {}, OC\Encryption\File {}, "r", 8192, 8192, 8192, true)

/var/www/nextcloudurby/lib/private/Files/Storage/Wrapper/Wrapper.php - line 300:

OC\Files\Storage\Wrapper\Encryption->fopen("files/3 SUI ... x", "r")

/var/www/nextcloudurby/lib/private/Files/View.php - line 1165:

OC\Files\Storage\Wrapper\Wrapper->fopen("files/3 SUI ... x", "r")

/var/www/nextcloudurby/lib/private/Files/View.php - line 1001:

OC\Files\View->basicOperation("fopen", "/3 SUIVI TR ... x", [ "read"], "r")

/var/www/nextcloudurby/apps/dav/lib/Connector/Sabre/File.php - line 434:

OC\Files\View->fopen("3 SUIVI TRA ... x", "r")

/var/www/nextcloudurby/3rdparty/sabre/dav/lib/DAV/CorePlugin.php - line 90:

OCA\DAV\Connector\Sabre\File->get()

/var/www/nextcloudurby/3rdparty/sabre/event/lib/WildcardEmitterTrait.php - line 89:

Sabre\DAV\CorePlugin->httpGet(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})

/var/www/nextcloudurby/3rdparty/sabre/dav/lib/DAV/Server.php - line 474:

Sabre\DAV\Server->emit("method:GET", [ Sabre\HTTP ... }])

/var/www/nextcloudurby/3rdparty/sabre/dav/lib/DAV/Server.php - line 251:

Sabre\DAV\Server->invokeMethod(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})

/var/www/nextcloudurby/3rdparty/sabre/dav/lib/DAV/Server.php - line 319:

Sabre\DAV\Server->start()

/var/www/nextcloudurby/apps/dav/lib/Server.php - line 332:

Sabre\DAV\Server->exec()

/var/www/nextcloudurby/apps/dav/appinfo/v2/remote.php - line 35:

OCA\DAV\Server->exec()

/var/www/nextcloudurby/remote.php - line 167:

require_once("/var/www/ne ... p")

Hey @TKConmigo

Is this a fresh install of Nextcloud, or did you update from a previous version?

This is an update from a previous version

If you go into the admin settings overview, are there any warnings regarding encryption? I know they changed something encryption wise in one of the latest 20.x releases and users who updated, needed to run an OCC command to check for legacy encryption (Documentation)

Have a look, if this helps you.

i did this command but there are some problem with my encryption with the Header of some of my files and i don’t know how to fix it. And we can’t delete our files on our nextcloud.

When you executed that command, what did it return? Since you are having issues with the encryption, I presume the command returned some kind of warning / message.

Please can you add the following parameter at the end of your config.php and see, if this changes the behaviour?

'encryption.legacy_format_support' => true,

no there are errors when i did this command : php occ encryption:scan:legacy-format
example of errors : files_trashbin/versions/Tableau Suivis Journalier v2.xlsx.v1593695416.d1597758258 does not have a proper header

but what do you want i do ?

Please can you add the following parameter at the end of your config.php and rerun the occ command?

'encryption.legacy_format_support' => true,

The above parameter returns the legacy support and should allow you to handle the files, which are causing you any issues.

Ah, I could not see the parameter in the config you posted initially, hence I asked to add it. Yeah that’s the command I was talking about.

What happens, if you execute the following command:

php occ trashbin:cleanup --all-users

And afterwards this command:

php occ encryption:scan:legacy-format

Sorry but i can’t, this command does delete ALL previous versions of all files. This is only a solution if you do not need any previous versions at all, but i need the previous versions.

No, the command only removes files which have been deleted by users (put in the trash) (see documentation) - Versions of files are not affected by this command.

i will do a preprod soon to test this command with a clone if this vm. So i will be able to say if it works soon

I did the command :

php occ trashbin:cleanup --all-users

and after

php occ encryption:scan:legacy-format

and i have the same errors… (with the headers) do you have any other commands ?

did you manage to fix this?

Any estimation of when this bug will be fixed?

I use the recent Nextcloud 25.0.4, and deleting files when the encryption of files is enabled doesn’t work at all. So from this point of view Nextcloud file encryption is quite useless

After reading this I turned it off and after manually erasing the files off the stor, it just starts working. Its a bit silly that I (at the minute) have to trade encryption for actually being able to make a delete request without a 403.