Files were silently e2e encrypted, how to decrypt

Hi there,

For a few years now I’ve set up a NC server for my family.

At some point my brother asked me whether it would be possible to enable e2e encryption as he wanted to store sensitive information.

I enabled that in order for him (and me) to test (built-in setting in administration with link to https://docs.nextcloud.com/server/25/admin_manual/configuration_files/encryption_configuration.html).

It wasn’t successful and I decided to disable it after a while. So far so good.

The problem is, my sister who is also running the macOS client, got many of her photos silently encrypted without ever noticing because her client was suddenly happy to see e2e encryption being available and used it for (some) files (I guess those which were modified).

Problem: e2e is now off, I won’t enable it anytime soon again but I’ve no clue how to help her decrypt her “automatically” encrypted photos.

I’m fine scripting the decryption of each and every photo but I need help here on where to find the encryption key (may it be on her macOS laptop, on the server, …) and “how” to decrypt those files (which tool to use, which encryption algorithm to seek for, …).

That would be very important for her to get back her precious photo…

Thanks for helping out.

Hi,

When you really mean End-to-End encryption (~client to client encryption), the encryption and decryption are done on the client. With e2e encryption the server has no idea and no information about the encryption. For the server the encrypted files are just data blobs.

However, I’m not sure if you don’t mean server-side encryption, because you linked to the documentation about server-side encryption.
The server-side encryption definitely encrypts the files on the server and stores the files encrypted on the server’s storage, but the files are still accessible via the web GUI.
For server-side encryption, the documentation you linked also shows how to decrypt files on the server:
occ encryption:decrypt-all

https://docs.nextcloud.com/server/25/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption

If however your sister really used e2e encryption, then the files are encrypted by the NC client on her computer. I have never used e2e encryption and hence don’t know what options the client has enabled and how to configure that, but I assume that you should find something in folder sync configuration or in the client configuration.


Hi there,

@Schmu I just wrote everything I knew but yes, I’m really speaking about e2e and NOT server-side encryption.

I’ve got access to the laptop, I have absolutely no clue where the encryption key/passphrase/whatever was/is stored/archived, I searched for common places, I opened a NC-related SQLite DB, nothing.

I don’t see anything and I can’t find any documentation on what to look for. Is there really nobody who could help me get that kind of info? Once I have a “key”, I can try to manually decipher the files…

What you enabled is server side encryption, not e2e. Editing your post title to avoid further confusion.

@just Why are you changing what I wrote? I enabled, at some point, server-side encryption. This has been off for a long time. My problem is really e2e. Please help if you can but don’t assume you understand better than me, those files were really encrypted on the client side; trying to run

occ encryption:decrypt-all

shows that everything is already decrypted, which is not solving my files because they stay encrypted, but were encrypted when I test-enabled e2e.

okie dokie. Merry Christmas