Nextcloud version: 16.0.1
Operating system and version: Ubuntu 16.04
Apache or nginx version: 2.4.18
PHP version: 7.3.6
The issue you are facing:
I run a small NC server with just a couple of users. Some of them want the ability to mount external storage but at the same time, maintain data privacy. To help them, I want to enable automatic encryption for external storage only. In addition, I prefer to have the ability to change passwords for users who forget them using the admin interface.
I’ve read the manual and have done the steps below:
- Activate the default encryption module
- Go to Settings > Security and enable “Server-side encryption” I did not enable the option to encrypt home storage.
- Have user mount external storage and create a file there.
- Success! The file is encrypted.
However, I have now lost the ability to change user passwords via the admin interface: "
Password change is disabled because the master key is disabled". I have also lost the ability to change the password using the occ command because this gives me the same error!
I never had an opportunity to enable a master key nor does the message tell me how to enable a master key. This is not helpful.
The documentation says that there is an occ command to enable a master key but that this must only be done on an installation with no data. Obviously, this does not apply to my situation.
The ability to change user passwords via the web interface matters to me because I need it at times. So I decided to reverse enabling encryption:
- Tell user to disconnect external storage.
- Run the occ command to decrypt all data: (occ encryption:decrypt-all)
- Disable “Server-side encryption” in Settings > Security.
- Deactivate the default encryption module.
This does not restore the functionality to change the user password in the interface.
So now I am stuck. I can not change passwords and I have not achieved my goal to encrypt data on external storage automatically.
Is this the first time you’ve seen this error? Y:
I have a few questions regarding this experience:
- Did I misunderstand the manual/documentation?
- Did I do something wrong by enabling encryption the way I did?
- Is it really unsafe to use
occ encryption:enable-master-key
on an installation with existing data? - How do I regain the ability to change passwords, either on the CLI or preferably in the admin interface?