Disabled encryption but still have encrypted files

Nextcloud version (eg, 20.0.5): 23.0.4
Operating system and version (eg, Ubuntu 20.04): Debian Buster
Apache or nginx version (eg, Apache 2.4.25): nginx 1.14.2
PHP version (eg, 7.4): 7.3

Encryption mode was enabled on this server some time ago. Because of issues it caused, it was disabled. Unfortunately, it appears that some of the files are still encrypted, when they shouldn’t be. This results in it being impossible to open them.

I see this in the logs when I try:

2022/05/03 12:28:26 [error] 15092#15092: *8727526 FastCGI sent in stderr: "PHP message: {"reqId":"z0oq8DXCdc0DrKRIXrwU","level":3,"time":"2022-05-03T19:28:26+00:00","remoteAddr":"1xxx","user":"xxx","app":"no app in context","method":"GET","url":"/core/preview?fileId=438397&c=7d9a7345b372ee0f337c91bcdda1bbac&x=250&y=250&forceIcon=0&a=0","message":"Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0","version":"23.0.4.1"}" while reading response header from upstream, client: xxx, server: xxx, request: "GET /core/preview?fileId=438397&c=7d9a7345b372ee0f337c91bcdda1bbac&x=250&y=250&forceIcon=0&a=0 HTTP/2.0", upstream: "fastcgi://unix:/run/php7.3-fpm.sock:", host: 

I searched around in issues and I found that the process for properly disabling encryption is to do the following:

occ maintenance:mode --on
occ encryption:disable
occ encryption:decrypt-all

I do not know if the decrypt-all was run when encryption was disabled, but only some of the files are still encrypted.

If I run the above now, I get this:

# sudo -u www-data php occ maintenance:mode --on
Maintenance mode enabled
# sudo -u www-data php occ encryption:disable
Nextcloud is in maintenance mode, hence the database isn't accessible.
Cannot perform any command except 'maintenance:mode --off'

Encryption is already disabled
# sudo -u www-data php occ encryption:decrypt-all
Nextcloud is in maintenance mode, hence the database isn't accessible.
Cannot perform any command except 'maintenance:mode --off'

Maintenance mode must be disabled when starting decryption,
in order to load the relevant encryption modules correctly.
Your instance will automatically be put to maintenance mode
during the actual decryption of the files.
# sudo -u www-data php occ maintenance:mode --off
Maintenance mode disabled
# sudo -u www-data php occ encryption:decrypt-all
Server side encryption not enabled. Nothing to do.
# sudo -u www-data php occ encryption:disable
Encryption is already disabled
# sudo -u www-data php occ encryption:decrypt-all
Server side encryption not enabled. Nothing to do.

How can I decrypt these files?

Is this the first time you’ve seen this error? (Y/N): N

Steps to replicate it:

  1. Attempt to open certain files, and then I will get an error

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'xxx',
  'passwordsalt' => 'xxxx',
  'secret' => 'xx/xxx/xx+xxx+',
  'trusted_domains' => 
  array (
    0 => 'xxx.xxxx.net',
    1 => 'nc.xxx.net',
    2 => 'xxx.xxx',
  ),
  'enable_previews' => true,
  'preview_max_x' => 1024,
  'preview_max_y' => 768,
  'preview_max_scale_factor' => 1,
  'enabledPreviewProviders' => 
  array (
    0 => 'OC\\Preview\\PNG',
    1 => 'OC\\Preview\\JPEG',
    2 => 'OC\\Preview\\GIF',
    3 => 'OC\\Preview\\BMP',
    4 => 'OC\\Preview\\XBitmap',
    5 => 'OC\\Preview\\Movie',
    6 => 'OC\\Preview\\PDF',
    7 => 'OC\\Preview\\MP3',
    8 => 'OC\\Preview\\TXT',
    9 => 'OC\\Preview\\MarkDown',
  ),
  'filesystem_check_changes' => 0,
  'activity_expire_days' => 14,
  'knowledgebaseenabled' => false,
  'auth.bruteforce.protection.enabled' => true,
  'blacklisted_files' => 
  array (
    0 => '.htaccess',
    1 => 'Thumbs.db',
    2 => 'thumbs.db',
  ),
  'cron_log' => true,
  'datadirectory' => '/srv/nextcloud_data',
  'overwrite.cli.url' => 'http://nc.xx.net/nextcloud',
  'htaccess.RewriteBase' => '/nextcloud',
  'dbtype' => 'mysql',
  'maintenance' => false,
  'mail_smtpdebug' => true,
  'version' => '23.0.4.1',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => 'xxx',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'filelocking.enabled' => 'true',
  'redis' => 
  array (
    'host' => '/run/redis/redis.sock',
    'port' => 0,
    'timeout' => 0.0,
  ),
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'loglevel' => 2,
  'mail_smtpmode' => 'smtp',
  'mail_smtpauthtype' => 'PLAIN',
  'mail_smtpsecure' => 'ssl',
  'mail_from_address' => 'nc',
  'mail_domain' => 'xxx.net',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'mail.xxx.net',
  'mail_smtpport' => '465',
  'mail_smtpname' => 'nc',
  'mail_smtppassword' => 'xxx',
  'mysql.utf8mb4' => true,
  'theme' => '',
  'trashbin_retention_obligation' => 'auto, 7',
  'updater.release.channel' => 'stable',
  'twofactor_enforced' => 'false',
  'twofactor_enforced_groups' => 
  array (
    0 => 'test2fa',
    1 => 'admin',
  ),
  'twofactor_enforced_excluded_groups' => 
  array (
  ),
  'config_is_read_only' => 'True',
  'encryption.legacy_format_support' => false,
  'encryption.key_storage_migrated' => false,
  'app_install_overwrite' => 
  array (
    0 => 'onlyoffice',
  ),
);

Are you able to recover your encryption key to follow the proper decryption process from admin documentation? Wondering if you backed it up.

Or can you recover from backup?

You are missing part of the required support template. Please fill this form out and edit into your post.

This will give us the technical info and logs needed to help you! Thanks.

I do have the technical ability and access to do so, but am lacking a bit of information about where I would recover that from, and the decryption process itself. Is it something I need to pull out of the database?

I did attempt to fill the support template with everything I had. There were a few parts that I did not have, specifically these:

The output of your Nextcloud log in Admin > Logging:

PASTE HERE

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

PASTE HERE

The output of your Apache/nginx/system log in /var/log/____:

PASTE HERE

PASTE HERE

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

PASTE HERE

I do not have any of those logs, except for the nginx ones, which I provided in the initial post.

There could be the possibility to decrypt the files outside of Nextcloud if you still have the data folder and config file. If that’s the case then you could try this standalone script: https://github.com/syseleven/nextcloud-tools/blob/master/rescue/decrypt-all-files.php
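
Before attempting recovery from a key backup or with an external script, it helps to know exactly which files are still encrypted. The following is an added example, not code from any poster or from the Nextcloud project; it assumes the file header format described in its comments, and the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: report files that still carry the server-side-encryption header.
# Assumption: an encrypted file begins with "HBEGIN:key:value:...:HEND" followed
# by '-' padding, and key material lives under */files_encryption/.

# Print the header of file $1 and return 0; return 1 if the marker is absent.
sse_header() {
    h=$(head -c 256 -- "$1" 2>/dev/null | LC_ALL=C tr -d '\000' |
        LC_ALL=C sed -n -e '1s/^\(HBEGIN:.*:HEND\).*$/\1/p' -e 'q')
    [ -n "$h" ] && printf '%s\n' "$h"
}

# Print the value stored for key $2 in header string $1 (empty if not present).
sse_field() {
    printf '%s\n' "$1" | tr ':' '\n' |
        awk -v k="$2" 'NR > 1 && NR % 2 == 0 && $0 == k { getline; print; exit }'
}

# Walk data directory $1 and print "path<TAB>cipher" for every encrypted file.
# Key files are skipped; paths containing newlines are not supported.
find_encrypted() {
    find "$1" -type f ! -path '*/files_encryption/*' -print |
    while IFS= read -r f; do
        if hdr=$(sse_header "$f"); then
            printf '%s\t%s\n' "$f" "$(sse_field "$hdr" cipher)"
        fi
    done
}

# Usage: sh find-encrypted.sh /srv/nextcloud_data > still-encrypted.tsv
if [ "$#" -gt 0 ]; then
    find_encrypted "$1"
fi
```

The scan only reads the first bytes of each file and changes nothing, so it can run while the instance is online; the resulting list shows how many files are affected and which cipher they report.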