Disabling serverside encryption

Hey there,

I want to disable server-side encryption of a NextcloudPi Installation with 20 users and 2.5 TB user-data. I already have backups prepared, if anything goes wrong, but a question came up while reading the documentation:

https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html

There are two commands that I need to use (all while maintenance mode enabled)


occ encryption:decrypt-all [username]

occ encryption:disable

Im not sure if the second command includes the process of the first command, and if not, in wich order I need to use them.

Its maybe a really simple question, but Im doing the process remote, and the chances of completly recovering a backup or long downtime must be as low as possible.

cheers

Hi there :wave:

Personally I haven’t done this so I could be wrong;

As far as I can understand, the second command to disable encryption does not include the process of decrypting the files from the first command.

The documentation was a little unclear there if you need to do this before or after disabling encryption through occ, but I believe it would be before disabling it?

Seems most logical to me anyways.

It also strongly recommends to backup the keys used to encrypt the data beyond just a backup of the user files, so don’t forget to backup those as well :slightly_smiling_face:

1 Like

After try and error, I figuered that
-Encryption must be enabled, to start the decryption process.
-The maintenance mode must be disabled when firing the command, because if not the encryption module app isnt loaded.

The decrypt command automatically puts the instance into maintenance mode (but double check when you do the same as I did!!! (@ future readers…))

Im running the decrypt-all command now, still about 2TB of user data to go through…

When running the decrypt command on a single user I already noticed a few “broken” files, wich couldnt be decrypted, but I guess its a really small percentage and broken files can happen with no encryption too…

If I dont forget I will update this question with the result of the decryption. All partial test I did looked promising, so fingers crossed…

@crustulumtheone , thanks for providing this information. Very helpful. When you ran the command to disable encryption does that turn off Server Side Encryption AND Encrypt Home Storage? It is possible to de-select home storage through the UI so I am just wondering if this needs to be done separately / before running decryption?