How to fix hash_hkdf() errors due to changed/lost secret key?

mito173 · March 21, 2026, 5:01pm

The Basics

Nextcloud Server version (e.g., 29.x.x):
- 33.0.0
Operating system and version (e.g., Ubuntu 24.04):
- Debian 13 on VM hosted by Strato
Web server and version (e.g, Apache 2.4.25):
- Apache/2.4.66 (Debian)
Reverse proxy and version _(e.g. nginx 1.27.2)
- n.a.
PHP version (e.g, 8.3):
- 8.3
Is this the first time you’ve seen this error? (Yes / No):
- Yes
When did this problem seem to first start?
- After server migration
Installation method (e.g. AlO, NCP, Bare Metal/Archive, etc.)
- TAR download, manual install
Are you using CloudfIare, mod_security, or similar? (Yes / No)
- No

Summary of the issue you are facing:

The Logging page in the Nextcloud Administartion section shows the following two erors frequently:

Loglevel: Error
Application: Index
Message:
xceptionhash_hkdf(): Argument #2 ($key) cannot be empty in file ‘/var/www/mauscloud/lib/private/Security/Crypto.php’ line 147

→ New entry each time I open the Administration Settings
Loglevel: Error
Application: Core
Message: ValueErrorhash_hkdf(): Argument #2 ($key) cannot be empty Error while running background job OCA\DAV\BackgroundJob\EventReminderJob (id: 809, arguments: null)

→ New entry each time the background jobs run

Steps to replicate it (hint: details matter!):

Old VM installation (Debian 10) with Nextcloud 32.0.6 was EOL, backed up Nextclod file storage and database but unfortunately not /var/www/nextcloud.
Installed Debian 13 and Nextcloud 32.0.6 with PHP 8.2 as on the old Debian 10 installation.
Restored storage and database . Nextcloud did not come up due to missing apps.
Installed all required apps on a 2nd host with a vanilla Nextcloud and copied the necessary app folders over to my ‘production’ Nextcloud instance.
After this, Nextcloud started up and seemed to run fine.
Clients did not reconnect automatically, I had to enter the login for each client again but then file-sync worked.
Updated PHP to version 8.3. and Nextcloud to 33.0.0
Checked the system in more detail and realized the errors in the log. Unfortunately I am not even sure, if they already existed in the old Debian 10 installation, which I updated from a quite old version only recently.

Log entries

Nextcloud

I copied only one message for each app (core and index) from nextcloud.log. They show up frequently and seem to have all the same content.

{"reqId":"wI92FQ6MmiINBQLIjTkz","level":3,"time":"March 21, 2026 16:50:02","remoteAddr":"","user":"--","app":"core","method":"","url":"--","scriptName":"/var/www/mauscloud/cron.php","message":"Error while running background job OCA\\DAV\\BackgroundJob\\EventReminderJob (id: 809, arguments: null)","userAgent":"--","version":"33.0.0.16","occ_command":["/var/www/mauscloud/cron.php"],"exception":{"Exception":"ValueError","Message":"hash_hkdf(): Argument #2 ($key) cannot be empty","Code":0,"Trace":[{"file":"/var/www/mauscloud/lib/private/Security/Crypto.php","line":147,"function":"hash_hkdf"},{"file":"/var/www/mauscloud/lib/private/Security/Crypto.php","line":102,"function":"decryptWithoutSecret","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/mauscloud/lib/private/Security/IdentityProof/Manager.php","line":121,"function":"decrypt","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/mauscloud/lib/private/Security/IdentityProof/Manager.php","line":135,"function":"retrieveKey","class":"OC\\Security\\IdentityProof\\Manager","type":"->"},{"file":"/var/www/mauscloud/apps/notifications/lib/Push.php","line":261,"function":"getKey","class":"OC\\Security\\IdentityProof\\Manager","type":"->"},{"file":"/var/www/mauscloud/apps/notifications/lib/App.php","line":37,"function":"pushToDevice","class":"OCA\\Notifications\\Push","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/mauscloud/lib/private/Notification/Manager.php","line":313,"function":"notify","class":"OCA\\Notifications\\App","type":"->"},{"file":"/var/www/mauscloud/apps/dav/lib/CalDAV/Reminder/NotificationProvider/PushProvider.php","line":83,"function":"notify","class":"OC\\Notification\\Manager","type":"->"},{"file":"/var/www/mauscloud/apps/dav/lib/CalDAV/Reminder/ReminderService.php","line":147,"function":"send","class":"OCA\\DAV\\CalDAV\\Reminder\\NotificationProvider\\PushProvider","type":"->"},{"file":"/var/www/mauscloud/apps/dav/lib/BackgroundJob/EventReminderJob.php","line":47,"function":"processReminders","class":"OCA\\DAV\\CalDAV\\Reminder\\ReminderService","type":"->"},{"file":"/var/www/mauscloud/lib/public/BackgroundJob/Job.php","line":47,"function":"run","class":"OCA\\DAV\\BackgroundJob\\EventReminderJob","type":"->"},{"file":"/var/www/mauscloud/lib/public/BackgroundJob/TimedJob.php","line":85,"function":"start","class":"OCP\\BackgroundJob\\Job","type":"->"},{"file":"/var/www/mauscloud/core/Service/CronService.php","line":176,"function":"start","class":"OCP\\BackgroundJob\\TimedJob","type":"->"},{"file":"/var/www/mauscloud/core/Service/CronService.php","line":98,"function":"runCli","class":"OC\\Core\\Service\\CronService","type":"->"},{"file":"/var/www/mauscloud/cron.php","line":52,"function":"run","class":"OC\\Core\\Service\\CronService","type":"->"}],"File":"/var/www/mauscloud/lib/private/Security/Crypto.php","Line":147,"message":"Error while running background job OCA\\DAV\\BackgroundJob\\EventReminderJob (id: 809, arguments: null)","exception":"{\"class\":\"ValueError\",\"message\":\"hash_hkdf(): Argument #2 ($key) cannot be empty\",\"code\":0,\"file\":\"/var/www/mauscloud/lib/private/Security/Crypto.php:147\",\"trace\":\"#0 /var/www/mauscloud/lib/private/Security/Crypto.php(147): hash_hkdf()\\n#1 /var/www/mauscloud/lib/private/Security/Crypto.php(102): OC\\Security\\Crypto->decryptWithoutSecret()\\n#2 /var/www/mauscloud/lib/private/Security/IdentityProof/Manager.php(121): OC\\Security\\Crypto->decrypt()\\n#3 /var/www/mauscloud/lib/private/Security/IdentityProof/Manager.php(135): OC\\Security\\IdentityProof\\Manager->retrieveKey()\\n#4 /var/www/mauscloud/apps/notifications/lib/Push.php(261): OC\\Security\\IdentityProof\\Manager->getKey()\\n#5 /var/www/mauscloud/apps/notifications/lib/App.php(37): OCA\\Notifications\\Push->pushToDevice()\\n#6 /var/www/mauscloud/lib/private/Notification/Manager.php(313): OCA\\Notifications\\App->notify()\\n#7 /var/www/mauscloud/apps/dav/lib/CalDAV/Reminder/NotificationProvider/PushProvider.php(83): OC\\Notification\\Manager->notify()\\n#8 /var/www/mauscloud/apps/dav/lib/CalDAV/Reminder/ReminderService.php(147): OCA\\DAV\\CalDAV\\Reminder\\NotificationProvider\\PushProvider->send()\\n#9 /var/www/mauscloud/apps/dav/lib/BackgroundJob/EventReminderJob.php(47): OCA\\DAV\\CalDAV\\Reminder\\ReminderService->processReminders()\\n#10 /var/www/mauscloud/lib/public/BackgroundJob/Job.php(47): OCA\\DAV\\BackgroundJob\\EventReminderJob->run()\\n#11 /var/www/mauscloud/lib/public/BackgroundJob/TimedJob.php(85): OCP\\BackgroundJob\\Job->start()\\n#12 /var/www/mauscloud/core/Service/CronService.php(176): OCP\\BackgroundJob\\TimedJob->start()\\n#13 /var/www/mauscloud/core/Service/CronService.php(98): OC\\Core\\Service\\CronService->runCli()\\n#14 /var/www/mauscloud/cron.php(52): OC\\Core\\Service\\CronService->run()\\n#15 {main}\"}","CustomMessage":"Error while running background job OCA\\DAV\\BackgroundJob\\EventReminderJob (id: 809, arguments: null)"}}

{"reqId":"XPJPRwGIcumr7ZtfmQ0A","level":3,"time":"March 21, 2026 16:55:55","remoteAddr":"81.169.155.11","user":"--","app":"index","method":"HEAD","url":"/ocm-provider/","scriptName":"/index.php","message":"hash_hkdf(): Argument #2 ($key) cannot be empty in file '/var/www/mauscloud/lib/private/Security/Crypto.php' line 147","userAgent":"Nextcloud-Server-Crawler/33.0.0","version":"33.0.0.16","exception":{"Exception":"Exception","Message":"hash_hkdf(): Argument #2 ($key) cannot be empty in file '/var/www/mauscloud/lib/private/Security/Crypto.php' line 147","Code":0,"Trace":[{"file":"/var/www/mauscloud/lib/private/AppFramework/App.php","line":153,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/mauscloud/lib/private/Route/Router.php","line":321,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/mauscloud/lib/base.php","line":1155,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/mauscloud/index.php","line":25,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/mauscloud/lib/private/AppFramework/Http/Dispatcher.php","Line":150,"Previous":{"Exception":"ValueError","Message":"hash_hkdf(): Argument #2 ($key) cannot be empty","Code":0,"Trace":[{"file":"/var/www/mauscloud/lib/private/Security/Crypto.php","line":147,"function":"hash_hkdf"},{"file":"/var/www/mauscloud/lib/private/Security/Crypto.php","line":102,"function":"decryptWithoutSecret","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/mauscloud/lib/private/Security/IdentityProof/Manager.php","line":109,"function":"decrypt","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/mauscloud/lib/private/Security/IdentityProof/Manager.php","line":174,"function":"retrieveKey","class":"OC\\Security\\IdentityProof\\Manager","type":"->"},{"file":"/var/www/mauscloud/lib/private/OCM/OCMSignatoryManager.php","line":105,"function":"getAppKey","class":"OC\\Security\\IdentityProof\\Manager","type":"->"},{"file":"/var/www/mauscloud/lib/private/OCM/OCMDiscoveryService.php","line":225,"function":"getLocalSignatory","class":"OC\\OCM\\OCMSignatoryManager","type":"->"},{"file":"/var/www/mauscloud/core/Controller/OCMController.php","line":58,"function":"getLocalOCMProvider","class":"OC\\OCM\\OCMDiscoveryService","type":"->"},{"file":"/var/www/mauscloud/lib/private/AppFramework/Http/Dispatcher.php","line":205,"function":"discovery","class":"OC\\Core\\Controller\\OCMController","type":"->"},{"file":"/var/www/mauscloud/lib/private/AppFramework/Http/Dispatcher.php","line":118,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/mauscloud/lib/private/AppFramework/App.php","line":153,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/mauscloud/lib/private/Route/Router.php","line":321,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/mauscloud/lib/base.php","line":1155,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/mauscloud/index.php","line":25,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/mauscloud/lib/private/Security/Crypto.php","Line":147},"message":"hash_hkdf(): Argument #2 ($key) cannot be empty in file '/var/www/mauscloud/lib/private/Security/Crypto.php' line 147","exception":"{\"class\":\"Exception\",\"message\":\"hash_hkdf(): Argument #2 ($key) cannot be empty in file '/var/www/mauscloud/lib/private/Security/Crypto.php' line 147\",\"code\":0,\"file\":\"/var/www/mauscloud/lib/private/AppFramework/Http/Dispatcher.php:150\",\"trace\":\"#0 /var/www/mauscloud/lib/private/AppFramework/App.php(153): OC\\AppFramework\\Http\\Dispatcher->dispatch()\\n#1 /var/www/mauscloud/lib/private/Route/Router.php(321): OC\\AppFramework\\App::main()\\n#2 /var/www/mauscloud/lib/base.php(1155): OC\\Route\\Router->match()\\n#3 /var/www/mauscloud/index.php(25): OC::handleRequest()\\n#4 {main}\",\"previous\":{\"class\":\"ValueError\",\"message\":\"hash_hkdf(): Argument #2 ($key) cannot be empty\",\"code\":0,\"file\":\"/var/www/mauscloud/lib/private/Security/Crypto.php:147\",\"trace\":\"#0 /var/www/mauscloud/lib/private/Security/Crypto.php(147): hash_hkdf()\\n#1 /var/www/mauscloud/lib/private/Security/Crypto.php(102): OC\\Security\\Crypto->decryptWithoutSecret()\\n#2 /var/www/mauscloud/lib/private/Security/IdentityProof/Manager.php(109): OC\\Security\\Crypto->decrypt()\\n#3 /var/www/mauscloud/lib/private/Security/IdentityProof/Manager.php(174): OC\\Security\\IdentityProof\\Manager->retrieveKey()\\n#4 /var/www/mauscloud/lib/private/OCM/OCMSignatoryManager.php(105): OC\\Security\\IdentityProof\\Manager->getAppKey()\\n#5 /var/www/mauscloud/lib/private/OCM/OCMDiscoveryService.php(225): OC\\OCM\\OCMSignatoryManager->getLocalSignatory()\\n#6 /var/www/mauscloud/core/Controller/OCMController.php(58): OC\\OCM\\OCMDiscoveryService->getLocalOCMProvider()\\n#7 /var/www/mauscloud/lib/private/AppFramework/Http/Dispatcher.php(205): OC\\Core\\Controller\\OCMController->discovery()\\n#8 /var/www/mauscloud/lib/private/AppFramework/Http/Dispatcher.php(118): OC\\AppFramework\\Http\\Dispatcher->executeController()\\n#9 /var/www/mauscloud/lib/private/AppFramework/App.php(153): OC\\AppFramework\\Http\\Dispatcher->dispatch()\\n#10 /var/www/mauscloud/lib/private/Route/Router.php(321): OC\\AppFramework\\App::main()\\n#11 /var/www/mauscloud/lib/base.php(1155): OC\\Route\\Router->match()\\n#12 /var/www/mauscloud/index.php(25): OC::handleRequest()\\n#13 {main}\"}}","CustomMessage":"hash_hkdf(): Argument #2 ($key) cannot be empty in file '/var/www/mauscloud/lib/private/Security/Crypto.php' line 147"}}

Configuration

Nextcloud

Output of occ config:list :

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "mauscloud.patschull.de"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "33.0.0.16",
        "overwrite.cli.url": "https:\/\/mauscloud.patschull.de",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "default_phone_region": "DE",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_smtpauthtype": "LOGIN",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpsecure": "ssl",
        "mail_smtpauth": "1",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "log_type": "file",
        "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
        "loglevel": "1",
        "logdateformat": "F d, Y H:i:s",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "filelocking.enabled": "true",
        "enable_previews": "true",
        "enabledPreviewProviders": [
            "OC\\Preview\\PNG",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\GIF",
            "OC\\Preview\\BMP",
            "OC\\Preview\\XBitmap",
            "OC\\Preview\\Movie",
            "OC\\Preview\\PDF",
            "OC\\Preview\\MP3",
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown"
        ],
        "preview_max_x": "1024",
        "preview_max_y": "768",
        "preview_max_scale_factor": "1",
        "auth.bruteforce.protection.enabled": "true",
        "trashbin_retention_obligation": "auto,7",
        "skeletondirectory": "",
        "defaultapp": "file",
        "activity_expire_days": "14",
        "integrity.check.disabled": "false",
        "updater.release.channel": "stable",
        "maintenance_window_start": 2,
        "maintenance": false,
        "theme": "",
        "serverid": "173",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": "0",
            "timeout": "0.0"
        },
        "memcache.locking": "\\OC\\Memcache\\Redis"
    },
    "apps": {
        "activity": {
            "enabled": "yes",
            "installed_version": "6.0.0-dev.0",
            "types": "filesystem"
        },
        "admin_audit": {
            "enabled": "yes",
            "installed_version": "1.23.0",
            "types": "logging"
        },
        "app_api": {
            "enabled": "yes",
            "installed_version": "33.0.0",
            "types": ""
        },
        "backgroundjob": {
            "lastjob": "1"
        },
        "bruteForce": {
            "whitelist_2": "109.193.64.223\/32",
            "whitelist_3": "91.1.231.17\/32",
            "whitelist_2_comment": "Mausnest",
            "whitelist_3_comment": "Gm\u00fcnd"
        },
        "bruteforcesettings": {
            "apply_allowlist_to_ratelimit": "1",
            "enabled": "yes",
            "installed_version": "6.0.0-dev.0",
            "types": ""
        },
        "calendar": {
            "enabled": "[\"users_intern\"]",
            "installed_version": "6.2.1",
            "types": ""
        },
        "circles": {
            "enabled": "yes",
            "installed_version": "33.0.0",
            "loopback_tmp_scheme": "https",
            "maintenance_run": "0",
            "maintenance_update": "{\"maximum\":3,\"3\":1774109702,\"2\":1774111202,\"1\":1774111501}",
            "migration_22": "1",
            "migration_run": "0",
            "types": "filesystem,dav"
        },
        "cloud_federation_api": {
            "enabled": "yes",
            "installed_version": "1.17.0",
            "types": "filesystem"
        },
        "comments": {
            "enabled": "yes",
            "installed_version": "1.23.0",
            "types": "logging"
        },
        "contacts": {
            "enabled": "[\"users_intern\"]",
            "installed_version": "8.4.1",
            "types": "dav"
        },
        "contactsinteraction": {
            "enabled": "[\"admin\",\"users_intern\"]",
            "installed_version": "1.14.1",
            "types": "dav"
        },
        "core": {
            "backgroundjobs_mode": "cron",
            "emailTestSuccessful": "1",
            "enterpriseLogoChecked": "yes",
            "files_metadata_installed": "1",
            "installed.bundles": "[\"CoreBundle\"]",
            "installedat": "1538765343.9658",
            "lastcron": 1774111501,
            "lastupdateResult": "[]",
            "lastupdatedat": 1774109845,
            "metadataGenerationDone": true,
            "moveavatarsdone": "yes",
            "newUser.sendEmail": "no",
            "previewMovedDone": true,
            "previewsCleanedUp": "1",
            "public_files": "files_sharing\/public.php",
            "public_webdav": "dav\/appinfo\/v1\/publicwebdav.php",
            "scss.variables": "c628b9e2101e67c57993cab13888aa9b",
            "shareapi_only_share_with_group_members": "no",
            "shareapi_restrict_user_enumeration_to_group": "yes",
            "theming.variables": "5aa3eee9c54ef2d7bfff805cd569b985",
            "vendor": "nextcloud",
            "files_metadata": {
                "photos-original_date_time": {
                    "value": null,
                    "type": "int",
                    "etag": "",
                    "indexed": true,
                    "editPermission": 0
                },
                "photos-exif": {
                    "value": null,
                    "type": "array",
                    "etag": "",
                    "indexed": false,
                    "editPermission": 0
                },
                "photos-ifd0": {
                    "value": null,
                    "type": "array",
                    "etag": "",
                    "indexed": false,
                    "editPermission": 0
                },
                "photos-size": {
                    "value": null,
                    "type": "array",
                    "etag": "",
                    "indexed": false,
                    "editPermission": 0
                },
                "photos-gps": {
                    "value": null,
                    "type": "array",
                    "etag": "",
                    "indexed": false,
                    "editPermission": 0
                },
                "photos-place": {
                    "value": null,
                    "type": "string",
                    "etag": "",
                    "indexed": true,
                    "editPermission": 0
                },
                "files-live-photo": {
                    "value": null,
                    "type": "string",
                    "etag": "",
                    "indexed": false,
                    "editPermission": 0
                },
                "blurhash": {
                    "value": null,
                    "type": "string",
                    "etag": "8413b73c23e5f00576874c544ebc1dc9",
                    "indexed": false,
                    "editPermission": 0
                }
            },
            "oc.integritycheck.checker": "[]"
        },
        "dashboard": {
            "enabled": "[\"users_intern\"]",
            "installed_version": "7.13.0",
            "types": ""
        },
        "dav": {
            "buildCalendarReminderIndex": "yes",
            "buildCalendarSearchIndex": "yes",
            "builtSocialSearchIndex": "yes",
            "chunks_migrated": "1",
            "enabled": "yes",
            "installed_version": "1.36.0",
            "regeneratedBirthdayCalendarsForYearFix": "yes",
            "types": "filesystem"
        },
        "federatedfilesharing": {
            "enabled": "yes",
            "installed_version": "1.23.0",
            "types": ""
        },
        "federation": {
            "enabled": "no",
            "installed_version": "1.22.0",
            "types": "authentication"
        },
        "files": {
            "cronjob_scan_files": "500",
            "default_quota": "137,4 GB",
            "enabled": "yes",
            "installed_version": "2.5.0",
            "mimetype_version": "33.0.0.16",
            "types": "filesystem"
        },
        "files_downloadactivity": {
            "enabled": "no",
            "installed_version": "1.17.0",
            "types": "filesystem"
        },
        "files_downloadlimit": {
            "enabled": "yes",
            "installed_version": "5.1.0-dev.0",
            "types": ""
        },
        "files_pdfviewer": {
            "enabled": "yes",
            "installed_version": "6.0.0-dev.0",
            "types": ""
        },
        "files_reminders": {
            "enabled": "yes",
            "installed_version": "1.6.0",
            "types": ""
        },
        "files_rightclick": {
            "enabled": "no",
            "installed_version": "1.6.0",
            "types": ""
        },
        "files_sharing": {
            "enabled": "yes",
            "installed_version": "1.25.2",
            "types": "filesystem"
        },
        "files_texteditor": {
            "enabled": "no",
            "installed_version": "2.8.0",
            "types": ""
        },
        "files_trashbin": {
            "background_job_expire_trash_offset": 0,
            "enabled": "yes",
            "installed_version": "1.23.0",
            "types": "filesystem,dav"
        },
        "files_versions": {
            "enabled": "yes",
            "installed_version": "1.26.0",
            "types": "filesystem,dav"
        },
        "firstrunwizard": {
            "enabled": "no",
            "installed_version": "2.12.0",
            "types": "logging"
        },
        "gallery": {
            "enabled": "no",
            "installed_version": "18.4.0",
            "types": ""
        },
        "logreader": {
            "enabled": "yes",
            "installed_version": "6.0.0",
            "shownLevels": "[3,4]",
            "types": "logging"
        },
        "lookup_server_connector": {
            "enabled": "yes",
            "installed_version": "1.21.0",
            "types": "authentication"
        },
        "nextcloud_announcements": {
            "enabled": "yes",
            "installed_version": "5.0.0",
            "pub_date": "Thu, 24 Oct 2019 00:00:00 +0200",
            "types": "logging"
        },
        "notifications": {
            "enabled": "yes",
            "installed_version": "6.0.0",
            "types": "logging"
        },
        "oauth2": {
            "enabled": "yes",
            "installed_version": "1.21.0",
            "types": "authentication"
        },
        "password_policy": {
            "enabled": "yes",
            "installed_version": "5.0.0-dev.0",
            "maximumLoginAttempts": "10",
            "types": "authentication"
        },
        "photos": {
            "enabled": "yes",
            "installed_version": "6.0.0-dev.0",
            "lastPlaceMappedUser": "t_mickey",
            "lastPlaceMappingDone": "true",
            "types": "dav,authentication"
        },
        "privacy": {
            "enabled": "[\"users_intern\"]",
            "installed_version": "5.0.0-dev.0",
            "readableLocation": "de",
            "types": ""
        },
        "profile": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": ""
        },
        "provisioning_api": {
            "enabled": "yes",
            "installed_version": "1.23.0",
            "types": "prevent_group_restriction"
        },
        "recommendations": {
            "enabled": "yes",
            "installed_version": "6.0.0-dev.0",
            "types": ""
        },
        "related_resources": {
            "enabled": "yes",
            "installed_version": "4.0.0-dev.0",
            "types": ""
        },
        "serverinfo": {
            "cached_count_appdata_files": 2543,
            "cached_count_filecache": 427299,
            "cached_count_storages": "15",
            "enabled": "[\"admin\"]",
            "installed_version": "5.0.0-dev.0",
            "size_appdata_storage": -1,
            "types": ""
        },
        "settings": {
            "enabled": "yes",
            "installed_version": "1.16.0",
            "types": ""
        },
        "sharebymail": {
            "enabled": "yes",
            "installed_version": "1.23.0",
            "types": "filesystem"
        },
        "sharerenamer": {
            "enabled": "no",
            "installed_version": "3.2.0",
            "types": ""
        },
        "sharingpath": {
            "default_copy_prefix": "",
            "default_enabled": "yes",
            "default_sharing_folder": "",
            "enabled": "no",
            "installed_version": "0.4.4",
            "types": ""
        },
        "support": {
            "SwitchUpdaterServerHasRun": "yes",
            "enabled": "yes",
            "installed_version": "5.0.0",
            "types": "session"
        },
        "survey_client": {
            "enabled": "no",
            "installed_version": "5.0.0-dev.0",
            "last_sent": 1772224801,
            "types": "",
            "last_report": "{\"id\":\"oc112cafsvkg\",\"items\":[[\"server\",\"version\",\"32.0.5.0\"],[\"server\",\"code\",\"other\"],[\"server\",\"enable_avatars\",\"yes\"],[\"server\",\"enable_previews\",\"yes\"],[\"server\",\"memcache.local\",\"\\\\OC\\\\Memcache\\\\APCu\"],[\"server\",\"memcache.distributed\",\"none\"],[\"server\",\"asset-pipeline.enabled\",\"no\"],[\"server\",\"filelocking.enabled\",\"yes\"],[\"server\",\"memcache.locking\",\"\\\\OC\\\\Memcache\\\\Redis\"],[\"server\",\"debug\",\"no\"],[\"server\",\"cron\",\"cron\"],[\"php\",\"version\",\"8.3.4\"],[\"php\",\"memory_limit\",-1],[\"php\",\"max_execution_time\",0],[\"php\",\"upload_max_filesize\",2097152],[\"database\",\"type\",\"mysql\"],[\"database\",\"version\",\"10.6.17\"],[\"database\",\"size\",1167622144],[\"apps\",\"activity\",\"5.0.0-dev.0\"],[\"apps\",\"admin_audit\",\"1.22.0\"],[\"apps\",\"app_api\",\"32.0.0\"],[\"apps\",\"bruteforcesettings\",\"5.0.0-dev.0\"],[\"apps\",\"calendar\",\"6.2.1\"],[\"apps\",\"circles\",\"32.0.0\"],[\"apps\",\"cloud_federation_api\",\"1.16.0\"],[\"apps\",\"comments\",\"1.22.0\"],[\"apps\",\"contacts\",\"8.3.4\"],[\"apps\",\"contactsinteraction\",\"1.13.1\"],[\"apps\",\"dashboard\",\"7.12.0\"],[\"apps\",\"dav\",\"1.34.2\"],[\"apps\",\"federatedfilesharing\",\"1.22.0\"],[\"apps\",\"federation\",\"1.22.0\"],[\"apps\",\"files\",\"2.4.0\"],[\"apps\",\"files_downloadactivity\",\"disabled\"],[\"apps\",\"files_downloadlimit\",\"5.0.0-dev.0\"],[\"apps\",\"files_pdfviewer\",\"5.0.0-dev.0\"],[\"apps\",\"files_reminders\",\"1.5.0\"],[\"apps\",\"files_rightclick\",\"disabled\"],[\"apps\",\"files_sharing\",\"1.24.1\"],[\"apps\",\"files_texteditor\",\"disabled\"],[\"apps\",\"files_trashbin\",\"1.22.0\"],[\"apps\",\"files_versions\",\"1.25.0\"],[\"apps\",\"firstrunwizard\",\"disabled\"],[\"apps\",\"gallery\",\"disabled\"],[\"apps\",\"logreader\",\"5.0.0-dev.0\"],[\"apps\",\"lookup_server_connector\",\"1.20.0\"],[\"apps\",\"nextcloud_announcements\",\"4.0.0-dev.0\"],[\"apps\",\"notifications\",\"5.0.0-dev.0\"],[\"apps\",\"oauth2\",\"1.20.0\"],[\"apps\",\"password_policy\",\"4.0.0-dev.0\"],[\"apps\",\"photos\",\"5.0.0-dev.1\"],[\"apps\",\"privacy\",\"4.0.0-dev.0\"],[\"apps\",\"profile\",\"1.1.0\"],[\"apps\",\"provisioning_api\",\"1.22.0\"],[\"apps\",\"recommendations\",\"5.0.0-dev.0\"],[\"apps\",\"related_resources\",\"3.0.0-dev.0\"],[\"apps\",\"serverinfo\",\"4.0.0-dev.0\"],[\"apps\",\"settings\",\"1.15.1\"],[\"apps\",\"sharebymail\",\"1.22.0\"],[\"apps\",\"sharerenamer\",\"disabled\"],[\"apps\",\"sharingpath\",\"disabled\"],[\"apps\",\"support\",\"4.0.0-dev.0\"],[\"apps\",\"survey_client\",\"4.0.0-dev.0\"],[\"apps\",\"systemtags\",\"1.22.0\"],[\"apps\",\"tasks\",\"0.17.1\"],[\"apps\",\"text\",\"6.0.1\"],[\"apps\",\"theming\",\"2.7.0\"],[\"apps\",\"twofactor_backupcodes\",\"1.21.0\"],[\"apps\",\"updatenotification\",\"1.22.0\"],[\"apps\",\"user_status\",\"1.12.0\"],[\"apps\",\"user_usage_report\",\"3.0.0\"],[\"apps\",\"viewer\",\"5.0.0-dev.0\"],[\"apps\",\"weather_status\",\"1.12.0\"],[\"apps\",\"webhook_listeners\",\"1.3.0\"],[\"apps\",\"workflowengine\",\"2.14.0\"],[\"stats\",\"num_files\",1298274],[\"stats\",\"num_users\",13],[\"stats\",\"num_storages\",15],[\"stats\",\"num_storages_local\",2],[\"stats\",\"num_storages_home\",13],[\"stats\",\"num_storages_other\",0],[\"stats\",\"num_comments\",0],[\"stats\",\"num_comment_markers\",0],[\"stats\",\"num_systemtags\",0],[\"stats\",\"num_systemtags_mappings\",0],[\"files_sharing\",\"num_shares\",48],[\"files_sharing\",\"num_shares_user\",23],[\"files_sharing\",\"num_shares_groups\",2],[\"files_sharing\",\"num_shares_link\",21],[\"files_sharing\",\"num_shares_link_no_password\",21],[\"files_sharing\",\"num_fed_shares_sent\",0],[\"files_sharing\",\"num_fed_shares_received\",0],[\"files_sharing\",\"permissions_0_1\",1],[\"files_sharing\",\"permissions_3_1\",3],[\"files_sharing\",\"permissions_0_5\",1],[\"files_sharing\",\"permissions_0_7\",1],[\"files_sharing\",\"permissions_0_15\",3],[\"files_sharing\",\"permissions_0_17\",3],[\"files_sharing\",\"permissions_3_17\",18],[\"files_sharing\",\"permissions_0_21\",2],[\"files_sharing\",\"permissions_1_21\",2],[\"files_sharing\",\"permissions_2_21\",2],[\"files_sharing\",\"permissions_0_23\",1],[\"files_sharing\",\"permissions_0_31\",11],[\"encryption\",\"enabled\",\"no\"],[\"encryption\",\"default_module\",\"no\"]]}"
        },
        "systemtags": {
            "enabled": "yes",
            "installed_version": "1.23.0",
            "types": "logging"
        },
        "tasks": {
            "enabled": "[\"tasks\"]",
            "installed_version": "0.17.1",
            "types": ""
        },
        "text": {
            "enabled": "[\"users_intern\"]",
            "installed_version": "7.0.0-dev.3",
            "types": "dav"
        },
        "theming": {
            "backgroundMime": "image\/jpeg",
            "background_color": "#485580",
            "cachebuster": "21",
            "enabled": "yes",
            "faviconMime": "image\/gif",
            "installed_version": "2.8.0",
            "logoDimensions": "324x400",
            "logoMime": "image\/gif",
            "logoheaderMime": "image\/gif",
            "name": "MausCloud",
            "primary_color": "#485580",
            "slogan": "***REMOVED SENSITIVE VALUE***",
            "types": "logging",
            "url": "***REMOVED SENSITIVE VALUE***"
        },
        "twofactor_backupcodes": {
            "enabled": "yes",
            "installed_version": "1.22.0",
            "types": ""
        },
        "twofactor_totp": {
            "enabled": "yes",
            "installed_version": "15.0.0-dev.0",
            "types": ""
        },
        "updatenotification": {
            "bruteforcesettings": "2.2.0",
            "calendar": "6.2.1",
            "contacts": "8.3.5",
            "core": "33.0.0.16",
            "enabled": "[\"admin\",\"users_intern\"]",
            "files_downloadactivity": "1.16.0",
            "files_rightclick": "0.15.1",
            "installed_version": "1.23.0",
            "sharerenamer": "3.2.0",
            "tasks": "0.16.1",
            "types": "",
            "update_check_errors": 0
        },
        "user_status": {
            "enabled": "[\"users_intern\"]",
            "installed_version": "1.13.0",
            "types": ""
        },
        "user_usage_report": {
            "enabled": "yes",
            "installed_version": "4.0.0",
            "types": "filesystem"
        },
        "viewer": {
            "enabled": "yes",
            "installed_version": "6.0.0-dev.0",
            "types": ""
        },
        "weather_status": {
            "enabled": "yes",
            "installed_version": "1.13.0",
            "types": ""
        },
        "webhook_listeners": {
            "enabled": "yes",
            "installed_version": "1.5.0",
            "types": "filesystem"
        },
        "workflowengine": {
            "enabled": "yes",
            "installed_version": "2.15.0",
            "types": "filesystem"
        }
    }
}

Apps

The output of occ app:list :

Enabled:

activity: 6.0.0-dev.0
admin_audit: 1.23.0
app_api: 33.0.0
bruteforcesettings: 6.0.0-dev.0
calendar: 6.2.1
circles: 33.0.0
cloud_federation_api: 1.17.0
comments: 1.23.0
contacts: 8.4.1
contactsinteraction: 1.14.1
dashboard: 7.13.0
dav: 1.36.0
federatedfilesharing: 1.23.0
files: 2.5.0
files_downloadlimit: 5.1.0-dev.0
files_pdfviewer: 6.0.0-dev.0
files_reminders: 1.6.0
files_sharing: 1.25.2
files_trashbin: 1.23.0
files_versions: 1.26.0
logreader: 6.0.0
lookup_server_connector: 1.21.0
nextcloud_announcements: 5.0.0
notifications: 6.0.0
oauth2: 1.21.0
password_policy: 5.0.0-dev.0
photos: 6.0.0-dev.0
privacy: 5.0.0-dev.0
profile: 1.2.0
provisioning_api: 1.23.0
recommendations: 6.0.0-dev.0
related_resources: 4.0.0-dev.0
serverinfo: 5.0.0-dev.0
settings: 1.16.0
sharebymail: 1.23.0
support: 5.0.0
systemtags: 1.23.0
tasks: 0.17.1
text: 7.0.0-dev.3
theming: 2.8.0
twofactor_backupcodes: 1.22.0
twofactor_totp: 15.0.0-dev.0
updatenotification: 1.23.0
user_status: 1.13.0
user_usage_report: 4.0.0
viewer: 6.0.0-dev.0
weather_status: 1.13.0
webhook_listeners: 1.5.0
workflowengine: 2.15.0

Disabled:

encryption: 2.21.0
federation: 1.23.0 (installed 1.22.0)
files_external: 1.25.1
firstrunwizard: 6.0.0-dev.0 (installed 2.12.0)
survey_client: 5.0.0-dev.0 (installed 5.0.0-dev.0)
suspicious_login: 11.0.0-dev.0
twofactor_nextcloud_notification: 7.0.0
user_ldap: 1.24.0

I would appreciate any idea how to fix this.
Thanks a lot!

mito173 · March 23, 2026, 5:23pm

Before anyone asks: yes, I saw some other threads in this forum with ‘hash_hkdf()’ in the title but they did not provide a solution to me as I am unable to restore my original Nextcloud installation.

What I know:

Not having a backup from my config.php was a terrible mistake.
My issue most likely is related to the ‘secret’ key, which is not empty now but probably different from the value I had in my original Nextcloud instance.

Claude Sonnet 4.6 recommended the following:

The keypair stored in the database was encrypted with the old instance’s secret. Since you migrated, if the secret changed, decryption fails. So regenerate Identity Proof Keys:
# Delete the corrupted/mismatched identity proof keys

sudo -u www-data php /var/www/mauscloud/occ config:app:delete core identityproof_key_public
sudo -u www-data php /var/www/mauscloud/occ config:app:delete core identityproof_key_private

# Force regeneration
sudo -u www-data php /var/www/mauscloud/occ maintenance:repair

It tried this, but unfortunately it did not solve the isssue

What do I need to reset an how? I have only six users on my Nextcloud instance, so I could set the passwords again (as long I am able to log in as admin) - but will this be enough? File sync and user login does work!

How would I reset the secrets for the ‘index’ and ‘core’ application, which seems to be related to the Administration settings and Background jobs?

Kind regards,
Michael

mito173 · March 28, 2026, 1:27pm

I managed to fix the Application: Core error with Message:

ValueErrorhash_hkdf(): Argument #2 ($key) cannot be empty Error while running background job OCA\DAV\BackgroundJob\EventReminderJob (id: 809, arguments: null)

I observed that the error not only were related to the cron jobs but also to a strange empty Nextcloud notification window on my Mac. So I assumed that the message might be caused by the Notification app which was confirmed by disabling it.

To fix this I deleted the application configuration in the database

DELETE FROM oc_appconfig WHERE appid=‘notifications’;
DELETE FROM oc_preferences WHERE appid=‘notifications’;

and enabled the app again:
sudo -u www-data php occ app:enable notifications

After this, the error did not show up anymore when running the cron jobs:
sudo -u www-data php cron.php

mito173 · March 28, 2026, 1:44pm

The 2nd error seems harder to fix an I meanwhile unsure if this is even a Nextcloud bug:

The error

Application: Index
Message:
xceptionhash_hkdf(): Argument #2 ($key) cannot be empty in file ‘/var/www/mauscloud/lib/private/Security/Crypto.php’ line 147

shows up

each time I open the Administration Settings
or when I do curl -I https://mydomain.de/ocm-provider/

When explaining the issue to GPT 5.4, it states:

The only realistic fix is to reset the OCM / identity proof signing material so Nextcloud regenerates it with the current secret.

Because Nextcloud doesn’t expose a neat OCC command for this, the remaining practical approaches are:

disable access to OCM endpoint, if you do not need federation

or remove the stored signing material from the DB once we find its actual table/key

or patch around it until upstream provides a repair path

At this point, the best next step is to inspect the tables most likely to contain internal cryptographic material that was not covered yet.

Please run these schema inspections first:

DESCRIBE oc_jobs;
DESCRIBE oc_storages;
DESCRIBE oc_systemtag;
DESCRIBE oc_share;
DESCRIBE oc_direct_edit;
DESCRIBE oc_twofactor_providers;
DESCRIBE oc_whats_new;

Search all text-like columns for suspicious OCM/identity content.

After this, the AI gets pretty unspecific, though. There seems no good way to fix this aprt from

Since /ocm-provider/ is the trigger, and you likely do not need OCM federation, you can stop the error by blocking that endpoint at Apache level.

That’s a workaround to a fix

Any idea how tp proceed? - Should I create an Issue at GitHub since this seems to be an internal error, which occ maintenance:repair does not seem to catch?

mito173 · March 28, 2026, 4:27pm

Root cause / conclusion

This turned out to be caused by a lost or changed secret in config.php after migration.

The error is not related to file encryption, but to OCM / IdentityProof / federation signing keys.
That is why it shows up on:

/ocm-provider/
Administration Settings
OCM/federation-related requests

The stack trace points to OC\Security\IdentityProof\Manager and OCMDiscoveryService, which try to decrypt a stored key using the instance secret. If that secret no longer matches the DB state, decryption fails and ends in:

hash_hkdf(): Argument #2 ($key) cannot be empty

What was checked

We checked the usual places for stale encrypted values:

oc_appconfig
oc_preferences
oc_authtoken
oc_accounts
oc_accounts_data
federation-related jobs in oc_jobs

Also tried:

clearing oc_authtoken
clearing oc_bruteforce_attempts
clearing login preferences
disabling circles
disabling some related apps where possible
restoring an old secret from backup

None of that fully resolved the issue.

Important finding

Even restoring an older secret from backup did not fix it.

This means one of the following is true:

the restored secret was not the exact one matching the restored DB state
or the affected OCM/identity-proof key material had already been regenerated/re-written at some point and is now inconsistent

So in practice, the instance is in a state where the relevant encrypted OCM signing material can no longer be decrypted correctly.

Practical conclusion

If you do not use federation / server-to-server sharing

This can be treated as a migration artifact.

Nextcloud can still work normally for local use, file sync, Web UI, etc., but:

OCM/federation remains broken
/ocm-provider/ may keep logging errors
Administration Settings may continue to trigger that log entry

Recommended mitigations:

disable server-to-server sharing/federation options where possible
ignore the error if federation is not needed
optionally block /ocm-provider/ at the web server level to reduce external triggers
remove federation-related background jobs if desired

Example settings to force-disable federation-related behavior:

bash

sudo -u www-data php occ config:app:set files_sharing incoming_server2server_share_enabled --value=no
sudo -u www-data php occ config:app:set files_sharing outgoing_server2server_share_enabled --value=no
sudo -u www-data php occ config:app:set files_sharing lookupServerEnabled --value=no
sudo -u www-data php occ config:app:set federation autoAddServers --value=0
sudo -u www-data php occ maintenance:repair

Optional cleanup of related jobs:

sql

DELETE FROM oc_jobs
WHERE class IN (
  'OCA\\Files_Sharing\\BackgroundJob\\FederatedSharesDiscoverJob',
  'OCA\\DAV\\BackgroundJob\\FederatedCalendarPeriodicSyncJob'
);

If you do need federation / OCM

The likely only real fix is to restore a matching backup pair of:

the exact original config.php containing the correct secret
and a database backup from the same state/time

A random older secret is not enough if it does not match the database state containing the encrypted OCM/identity key material.

Final takeaway

Without the exact original secret matching the restored DB state, this appears not fully recoverable.

So the practical answer is:

local Nextcloud usage can still be fine
but OCM/federation-related functionality stays broken
and a full fix requires a matching historical backup of both config.php and database