The Basics
- Nextcloud Server version (e.g., 29.x.x):
32.0.3
- Operating system and version (e.g., Ubuntu 24.04):
Ubuntu 22.04.05 LTS
- Web server and version (e.g., Apache 2.4.25):
2.4.63
- Reverse proxy and version (e.g., nginx 1.27.2):
-
- PHP version (e.g., 8.3):
8.3.17
- Is this the first time you’ve seen this error? (Yes / No):
yes
- When did this problem seem to first start?
15-Dec-2025
- Installation method (e.g., AIO, NCP, Bare Metal/Archive, etc.):
Bare Metal
- Are you using Cloudflare, mod_security, or similar? (Yes / No)
-
Excessive presence of shareKey files using user key encryption:
Hi there,
I am using user key encryption and there is an excessive number of shareKeys present.
After moving all keys to one directory as suggested in the docs, I have a ~500MB key file directory with ~81k files in it.
From the docs I have derived that shareKeys are generated for sharing encrypted files. So I would have expected 2 files per user + one file per currently shared file. There are <10 shared files on this instance, so this can't be the cause.
Two options come to my mind:
- Nextcloud somehow creates shareKeys for (nearly) every file without need
- (worst case) I’ve been hacked and someone keeps a backdoor entry to all encrypted files with a share that is not visible in the Nextcloud user interface
Anyhow, I would love to understand why this happens, as it seems to be quite a security issue to me, and how I can prevent / reverse it.
Best
grafjan
Steps to replicate it (hint: details matter!):
- enable user key encryption
- use Nextcloud for a while
- inspect present encryption keys in /data directory
Log entries
Nextcloud
Not present anymore
Configuration
Nextcloud
occ encryption:status
enabled: true
defaultModule: OC_DEFAULT_MODULE
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            ...
        ],
        "allowed_admin_ranges": [
            ...
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "32.0.3.2",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "default_phone_region": "XX",
        "logtimezone": "yyy\/xxx",
        "log_type": "file",
        "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
        "loglevel": 2,
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_smtpauth": true,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "maintenance": false,
        "overwrite.cli.url": "https:\/\/my.domain",
        "htaccess.RewriteBase": "\/",
        "filelocking.enabled": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 0
        },
        "files_antivirus": {
            "av_background_scan": "off"
        },
        "appcodechecker": true,
        "maintenance_window_start": 1,
        "sharing.enable_share_mail": false,
        "filesystem_check_changes": 0,
        "no_unsupported_browser_warning": false,
        "theme": "",
        "encryption.legacy_format_support": false,
        "mail_smtpsecure": "ssl"
    }
}
Apps
Enabled:
- admin_audit: 1.22.0
- app_api: 32.0.0
- bruteforcesettings: 5.0.0-dev.0
- calendar: 6.1.1
- cloud_federation_api: 1.16.0
- contacts: 8.1.1
- cookbook: 0.11.5
- dav: 1.34.2
- deck: 1.16.2
- encryption: 2.20.0
- federatedfilesharing: 1.22.0
- files: 2.4.0
- files_antivirus: 6.1.0
- files_downloadlimit: 5.0.0-dev.0
- files_pdfviewer: 5.0.0-dev.0
- files_reminders: 1.5.0
- files_sharing: 1.24.1
- files_trashbin: 1.22.0
- files_versions: 1.25.0
- logreader: 5.0.0-dev.0
- lookup_server_connector: 1.20.0
- music: 2.4.1
- nextcloud_announcements: 4.0.0-dev.0
- notes: 4.12.4
- notifications: 5.0.0-dev.0
- oauth2: 1.20.0
- password_policy: 4.0.0-dev.0
- photos: 5.0.0-dev.1
- previewgenerator: 5.11.0
- privacy: 4.0.0-dev.0
- profile: 1.1.0
- provisioning_api: 1.22.0
- related_resources: 3.0.0-dev.0
- serverinfo: 4.0.0-dev.0
- settings: 1.15.1
- survey_client: 4.0.0-dev.0
- suspicious_login: 10.0.0-dev.0
- tasks: 0.17.1
- text: 6.0.1
- theming: 2.7.0
- twofactor_backupcodes: 1.21.0
- twofactor_totp: 14.0.0
- updatenotification: 1.22.0
- viewer: 5.0.0-dev.0
- webhook_listeners: 1.3.0
- workflowengine: 2.14.0
Disabled:
- activity: 5.0.0-dev.0 (installed 2.17.0)
- circles: 32.0.0 (installed 25.0.0)
- comments: 1.22.0 (installed 1.15.0)
- contactsinteraction: 1.13.1 (installed 1.6.0)
- dashboard: 7.12.0 (installed 7.5.0)
- federation: 1.22.0 (installed 1.15.0)
- files_external: 1.24.0
- files_rightclick: 0.15.1 (installed 1.6.0)
- firstrunwizard: 5.0.0-dev.0 (installed 2.14.0)
- geoblocker: 0.5.18 (installed 0.5.18)
- limit_login_to_ip: 4.2.0 (installed 4.2.0)
- recommendations: 5.0.0-dev.0 (installed 1.4.0)
- sharebymail: 1.22.0 (installed 1.21.0)
- support: 4.0.0-dev.0 (installed 1.8.0)
- systemtags: 1.22.0 (installed 1.15.0)
- twofactor_nextcloud_notification: 6.0.0-dev.0
- user_ldap: 1.23.0
- user_status: 1.12.0 (installed 1.5.0)
- weather_status: 1.12.0 (installed 1.5.0)
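
One way to check the two hypotheses raised in the post above is to group the shareKey files by the identity they are named for and compare that against the accounts expected on the instance. This is an added example, not part of the original post and not Nextcloud code. It assumes each key is stored as `<recipient>.shareKey` beside a `fileKey` file; the function names, the sample tree and the IDs `alice`, `bob` and `unknown_x` are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

SUFFIX = ".shareKey"  # assumed naming: <recipient>.shareKey


def audit_share_keys(keys_root, expected):
    """Walk keys_root and summarise who holds share keys.

    Returns (Counter of shareKeys per recipient, number of fileKey
    files, sorted list of recipients that are not in `expected`).
    """
    per_recipient = Counter()
    file_keys = 0
    for _dirpath, _dirs, files in os.walk(keys_root):
        for name in files:
            if name == "fileKey":
                file_keys += 1
            elif name.endswith(SUFFIX):
                # Strip only the suffix so IDs containing dots survive.
                per_recipient[name[:-len(SUFFIX)]] += 1
    unexpected = sorted(r for r in per_recipient if r not in expected)
    return per_recipient, file_keys, unexpected


def build_sample_tree(root):
    """Constructed sample: three encrypted files, one shared with bob,
    one carrying a key for an ID nobody recognises."""
    layout = {
        "alice/files/a.txt": ["alice"],
        "alice/files/b.txt": ["alice", "bob"],
        "alice/files/c.txt": ["alice", "unknown_x"],
    }
    for rel, recipients in layout.items():
        key_dir = os.path.join(root, rel, "OC_DEFAULT_MODULE")
        os.makedirs(key_dir)
        open(os.path.join(key_dir, "fileKey"), "w").close()
        for rcpt in recipients:
            open(os.path.join(key_dir, rcpt + SUFFIX), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        counts, file_keys, unexpected = audit_share_keys(tmp, {"alice", "bob"})
        print("fileKey files:", file_keys)
        for rcpt, n in counts.most_common():
            print(f"{n:6d}  {rcpt}")
        print("recipients not in expected set:", unexpected)
```

On a real instance, point `audit_share_keys` at the key directory and pass the set of known account IDs plus any system key IDs you recognise; anything left in the third return value is what needs explaining.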