Encryption screw-up

Demo 2017-03-17 11:03:57 UTC #1

Nextcloud version (eg, 10.0.2): 11.0.2.7
Operating system and version (eg, Ubuntu 16.04): Debian Jessie
Apache or nginx version (eg, Apache 2.4.25): Nginx 1.10.3
PHP version (eg, 5.6): 5.6.30

Yesterday I reinstalled Nextcloud, after screwing up an upgrade from 10 to 11. (did it together with a server migration and accidentally ran some commands on the old server which still had v10 installed) When everything was working nicely, I decided to enable encryption.
Reading the admin manual, I just copy/pasted commands into my SSH session without reading the whole page first, so I just read the part about recovery keys afterward. I did however see the warning about an approximate increase in size of about 35%, so I added 50% of extra space to my data volume. Then I started occ encryption:encrypt-all and went to sleep. This morning, I discovered that my entire volume had been filled, so I extended it again, but when I logged in I got the Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files. warning in my screen.
Problem is, I've never set any password or recovery key, nor did I change the password of my account recently. Disabling encryption does not get me my files back, occ encryption:decrypt-all wants my recovery key password, which I've never set, occ encryption:decrypt-all username with the user's login password throws an [OC\HintException] Bad Signature

Is there anything I could try, or is starting from scratch again and re-adding my data the only option?

tflidd 2017-03-18 16:41:49 UTC #2

@bjoern

If you don't use external storage, please read the documentation again, there is little benefit of the encryption app and you run into many problems. For sensitive data, use additional client side encryption (e.g. VeraCrypt Containers).

bjoern 2017-03-20 13:25:21 UTC #3

"encrypt all" creates for each user a private and a public key. The private key is encrypted with a random password. At the end of the process you get a list of this passwords. If the process was aborted in between there is no way to get the passwords for your private key.

If you try it again I would suggest to first enable encryption, then re-login with your user so that you already have a private key encrypted with your login password and then run "encrypt all" if you really have to. It is also completely OK to continue without it and only encrypt (new) files when you upload/edit them. In general encryption is really something which should be considered on initial setup and not something which should be enabled/disabled on a running instance.

Beside that I can only second @tflidd advice.

Demo 2017-03-20 13:32:38 UTC #4

Thanks for the explanation. I have indeed never seen the encryption process finish. I will re-upload all data and not even bother encrypting, since the server is in my house anyway. Encrypting my data was basically for learning how the encryption module works.