How live decryption is happening

Hi, I’m a bit puzzled on how exactly encryption and decryption is handled by the nextcloud server.

When I have server side encryption enabled, anything and everything that I upload, are saved encrypted according to Nextcloud documentation. Now, let’s consider the following situation:

  • First, we disable encryption on the server.
    ./occ encryption:disable
  • Next, upload let’s say a video, of around 2 gigs.
  • Now once the file is done uploading, we’ll now encrypt the data manually, and time it.
www-data@0556d84eafc1:~/html$ time ./occ encryption:encrypt-all

You are about to encrypt all files stored in your Nextcloud installation.
Depending on the number of available files, and their size, this may take quite some time.
Please ensure that no user accesses their files during this time!
Note: The encryption module you use determines which files get encrypted.

Do you really want to continue? (y/n) y

Encrypt all files with the Default encryption module

Use master key to encrypt all files.

Start to encrypt users files

 all files encrypted 

real         0m55.895s
user	0m36.863s
sys	        0m9.144s

I’m using a linode nanoserver with wordpress behind an nginx reverse proxy using docker, and while the encryption process is going on the CPU load is at 100% & memory usage bumps as well. Now, if I try and download the file from the server, the delay is negligible, and the load isn’t as much as well compared to around a minute it took for encrypting the file(same for decryption), along with the increased load. It’s like the files are already stored decrypted.

  • Can someone explain this to me, how the files are kept on the server?
  • How is it even getting decrypted upon attempting to download it?
  • Why such a difference between using occ & clicking on download from the web app?