How do I decrypt NC data that got encrypted

Nextcloud version (eg, 20.0.5): latest version
Operating system and version (eg, Ubuntu 18.04): LTS
Apache or nginx version (eg, Apache 2.4.25): latest
PHP version (eg, 7.4): 7.4

The issue you are facing:

I am having some serious issues with NC. I installed it on a dedicated server, and the client on a laptop. Its default is to upload all data and leave nothing on the laptop. That is already a bad thing for safety purposes. The main issue I’m having is that the data was encrypted, but for some reason segments of the drive that had the database on them got corrupted. I know the username and password, but don’t have the decrypt keys. How do I, or can I, decrypt it without the keys? I’ve rebuilt it all on a new drive so long, and have 48 gigs of data that I need decrypted; it’s rather important. Can anyone help me???

I have also disabled the encryption module for now on the new drive with rebuilt NC. I have also copied the old data to his folder on NC, but he cannot see it, even though his username and password are exactly the same as the previous build.

Is this the first time you’ve seen this error? (Y):

2+ days and still no answer on this???

Basically because it’s not possible afaik.

Once you go encryption you never go back, and if you lose the keys… oops. That’s why I never recommend using encryption if it’s not super crucial. There’s a big risk of losing data in case something goes wrong, like a corrupted disk for example.

Oh damn… well, that would have been good to know before this happened. Unfortunately, the disk got corrupted somehow, not sure how though. It did show some errors when doing scans on it, so I suppose “bad sector” or technical fault could be used. This all basically went wrong a few hours after I implemented a NC Server update that came through. So I ran the update, went to get some sleep. Next day I am getting calls that data is missing, or not accessible. Then I started checking and I could not access my data either. Then logged into backend, and started a drive check, this showed issues, but NC would not cause hardware problems, but this was really all crazy coincidences that coincided really weirdly. Afterwards, I did a data recovery scan, and was able to copy about 48% of the data, but it’s all encrypted, and then tried searching for the keys to decrypt it, and it seems those are not accessible, and seem to be on a bad sector of the drive. I really wish there was a way to decrypt all this. One of the people has all kinds of data on there, like documents, paperwork, letters, and I think some legal company stuff. Also, I found out too late too, when installing the NC client, it has a default of uploading everything selected into the NC cloud, nothing left locally, that is a really bad default for client software.

It’s always like that. When something bad happens, it happens to everything - at once. :confused:

If you have a backup, revert to that. That’s all you can do.

Sorry to hear about what has happened. Unfortunately I also don’t see a way out of this. The point of encryption is that nobody can decrypt the data with the key.

Before any more damage is done I would suggest handing over the disk to data recovery experts, letting them recover as much data as possible, and then trying to restore the keys and decrypt the data.

All the best.


That’s what backups are for. If a disk goes bad, especially if you do not have some kind of RAID array that provides redundancy, you are always at risk of losing data. Sure, without encryption, chances are high that you can recover the majority of your data. But you shouldn’t rely on that. And it can get expensive when a disk is physically damaged, doesn’t spin up, whatever. Because then you can’t recover the data yourself anymore, even when you didn’t use encryption.

Addition:
That of course does not mean that you don’t need backups when you have RAID! :wink: The one thing you always have to do is proper backups! Everything else is optional, or rather depends on how important uptime, availability and data security are for you. But under no circumstances can you afford to go without proper backups. Can’t say that enough!

One of my issues is the mere fact it’s all encrypted. Backups of the server are not the issue; I am sitting with around 48 gigs of the backed-up data on my NAS. However, it’s all encrypted, and the keys are on the bad sectors of the hard drive. I think the issue was going with disk encryption, that was the mistake for starters, and the second mistake was ever thinking the NC client would be a good idea, seeing as it literally moved everything off a couple of machines onto the NC cloud instead of just doing a copy. That was from the default install. That, to be honest, is a bad feature and should be fixed to not move anything but only copy the data over as a default. I installed the clients as default, meaning it moved the data instead of copying as a default; that’s a bad default install config for client software.

Like I said, it seems NC was a bad choice when it comes to a solution for disk encryption. The other problem I’m sitting with is that I cannot get someone to try and do a data scan and recovery on the drives, as they are sitting in another country’s data center. I use FTP connections to make a backup from the server to my NAS, but it is encrypted, and when I tried to copy the keys, it threw out errors after that NC patch update. So in the end, I think with the multiple issues unfortunately happening all at once, the end result is: DON’T USE disk encryption, DON’T use the NC client, and make sure to make unencrypted backups. Also, to those mentioning RAID, that does not work if it’s duplicating encrypted data and then duplicates corrupted files. Once files are corrupted and it updates to the mirror, then it will corrupt that data too.

I think it’s pretty simple, NC cloud disk encryption is the worst idea I ever had for an additional layer of security. Oh well, if no one has ideas to help, I guess that’s a crap load of documentation data lost, well, encrypted, and I will simply have to start all over again.

That’s a whole different topic. But yes, there are issues with the encryption methods of Nextcloud. I would recommend using LUKS disk encryption directly at the OS level when you want to encrypt your server.

Not an issue if you use LUKS and have proper backups. And by proper backups I mean backups of the whole installation including the database, so that you are able to reinstall the server and do a full recovery.

No, but don’t mistake file synchronization for backups. The purpose of the sync client is to make the files available on your client devices. It is not a backup tool.

You can’t say that in general either. You can of course make encrypted backups to a NAS. But you should re-encrypt the data with an appropriate backup tool or use the built-in disk encryption functionality of your NAS, and not back up the already encrypted files from your Nextcloud. And very important: keep the encryption keys offline and safe. And if you want to be absolutely sure, don’t just back up to a single place.

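The failure described in this thread, a backup copy that holds encrypted files but no key material, can be detected before the original disk fails. The following is an added example, not part of the original thread or Nextcloud's own code: it audits a copied data directory, assuming that server-side-encrypted files begin with the bytes `HBEGIN:` and that key material lives in directories named `files_encryption`; the sample tree and the function names are constructed for illustration.

```python
import os
import tempfile

MAGIC = b"HBEGIN:"            # assumed first bytes of a server-side-encrypted file
KEY_DIR = "files_encryption"  # assumed directory name that holds key material


def audit_backup(data_dir):
    """Count encrypted files, plaintext files and key files in a backup copy."""
    report = {"encrypted": 0, "plain": 0, "key_files": 0, "unreadable": []}
    for root, _dirs, files in os.walk(data_dir):
        in_key_dir = KEY_DIR in os.path.relpath(root, data_dir).split(os.sep)
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(len(MAGIC))
            except OSError:
                report["unreadable"].append(path)  # e.g. copied from bad sectors
                continue
            if in_key_dir:
                report["key_files"] += bool(head)  # ignore zero-length key files
            elif head == MAGIC:
                report["encrypted"] += 1
            else:
                report["plain"] += 1
    # Encrypted data with no key material is the failure described in this thread.
    report["ok"] = (report["encrypted"] == 0 or report["key_files"] > 0) \
        and not report["unreadable"]
    return report


def build_sample(root, with_keys):
    """Constructed sample tree standing in for a copied data directory."""
    files = {"alice/files/letter.odt": MAGIC + b"oc_encryption_module:...:HEND",
             "alice/files/readme.txt": b"plain text"}
    if with_keys:
        files["alice/files_encryption/keys/files/letter.odt/fileKey"] = b"\x01\x02"
        files["files_encryption/master.privateKey"] = b"constructed"
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


if __name__ == "__main__":
    for with_keys in (True, False):
        with tempfile.TemporaryDirectory() as tmp:
            build_sample(tmp, with_keys)
            print(with_keys, audit_backup(tmp))
```

Finding key files is a necessary condition for a restore, not a sufficient one; only a test restore on a separate machine proves the backup is usable.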