Help with setting up encryption

Nextcloud version: 16.0.1
Operating system and version: Ubuntu 16.04
Apache or nginx version: 2.4.18
PHP version: 7.3.6

The issue you are facing:
I run a small NC server with just a couple of users. Some of them want the ability to mount external storage but at the same time, maintain data privacy. To help them, I want to enable automatic encryption for external storage only. In addition, I prefer to have the ability to change passwords for users who forget them using the admin interface.

I’ve read the manual and have done the steps below:

  1. Activate the default encryption module
  2. Go to Settings > Security and enable “Server-side encryption”. I did not enable the option to encrypt home storage.
  3. Have user mount external storage and create a file there.
  4. Success! The file is encrypted.

However, I have now lost the ability to change user passwords via the admin interface: "Password change is disabled because the master key is disabled". I have also lost the ability to change the password using the occ command because this gives me the same error!
I never had an opportunity to enable a master key nor does the message tell me how to enable a master key. This is not helpful.

The documentation says that there is an occ command to enable a master key but that this must only be done on an installation with no data. Obviously, this does not apply to my situation.

The ability to change user passwords via the web interface matters to me because I need it at times. So I decided to reverse enabling encryption:

  1. Tell user to disconnect external storage.
  2. Run the occ command to decrypt all data (occ encryption:decrypt-all).
  3. Disable “Server-side encryption” in Settings > Security.
  4. Deactivate the default encryption module.

This does not restore the functionality to change the user password in the interface.
So now I am stuck. I cannot change passwords and I have not achieved my goal to encrypt data on external storage automatically.

Is this the first time you’ve seen this error? Y:

I have a few questions regarding this experience:

  1. Did I misunderstand the manual/documentation?
  2. Did I do something wrong by enabling encryption the way I did?
  3. Is it really unsafe to use occ encryption:enable-master-key on an installation with existing data?
  4. How do I regain the ability to change passwords, either on the CLI or preferably in the admin interface?

Does no one have any ideas? I’d appreciate any insight into this matter.
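A state check covering the two procedures above (enabling, then reversing, server-side encryption), added here as an example and not code from the thread or from Nextcloud: it reads the settings those steps touch and reports whether the master-key condition behind the password-change error is met. The OCC path and the app-config keys useMasterKey and encryptHomeStorage are assumptions; the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the Nextcloud project): report the
# server-side encryption state behind the "master key is disabled" error.
# Assumed: OCC is the occ entry point run as the web-server user, and
# useMasterKey / encryptHomeStorage are the encryption app's config keys.
OCC="${OCC:-php /var/www/nextcloud/occ}"

# "occ encryption:status" prints "  - enabled: true|false"; print on/off.
status_enabled() {
    printf '%s\n' "$1" | grep -q 'enabled: *true' && echo on || echo off
}

# The same output carries "  - defaultModule: <id>"; print that id.
status_module() {
    printf '%s\n' "$1" | sed -n 's/.*defaultModule: *//p'
}

# useMasterKey: "1" = one master key, "0" = per-user keys, else unset.
key_mode() {
    case "$1" in 1) echo master-key ;; 0) echo per-user-keys ;; *) echo unknown ;; esac
}

# encryptHomeStorage: "0" is the original post's "external storage only" setup.
home_scope() {
    case "$1" in 1) echo home-and-external ;; 0) echo external-only ;; *) echo unknown ;; esac
}

# Per the thread, admin password resets are refused unless a master key is in
# use (with per-user keys a reset would discard the user's file key).
admin_reset() {
    [ "$(key_mode "$1")" = master-key ] && echo available || echo blocked
}

report() {
    echo "encryption:     $(status_enabled "$1") (module: $(status_module "$1"))"
    echo "key mode:       $(key_mode "$2")   home storage: $(home_scope "$3")"
    echo "admin pw reset: $(admin_reset "$2")"
}

if [ "${1:-}" = --live ]; then
    report "$($OCC encryption:status)" \
        "$($OCC config:app:get encryption useMasterKey --default-value=unset)" \
        "$($OCC config:app:get encryption encryptHomeStorage --default-value=unset)"
else  # constructed sample matching the original post: on, per-user keys, external only
    report '  - enabled: true
  - defaultModule: OC_DEFAULT_MODULE' 0 0
fi
```

Run it with `--live` on the server to query occ; without arguments it evaluates the constructed sample.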

I have the same issue on 18.0.4; still no answers?

Tried your hints on Nextcloud 16 (“Password change is disabled because the master key is disabled”), but they really garbled my existing data. Took me a while to restore because of another (home-made :-)) issue …

Is there any documentation available about the Nextcloud encryption insights?

AFAIK the server-side encryption feature is not production ready and I would not recommend using it at all. At least it seems too sketchy to trust it with anything valuable.

As I understand it, the reason you can’t change their passwords is because doing so would destroy the key used to encrypt their files, thus destroying their data. At least, this is how it works with EFS.

I realize this doesn’t resolve your current predicament, but if I could offer a suggestion: if you want data to be encrypted at rest on external storage, you may be better off doing full disk encryption on the external storage.