Issues with server side encryption

I have had server-side encryption enabled for external storage for a couple of years, but never used any external storage.
It works as expected when files or directories are uploaded from local storage, but when copied within the Nextcloud’s external storage or from the main (unencrypted) storage of the Nextcloud server, the files become unreadable. I only use Nextcloud’s copy function.
I tried this with external S3 storage as well as with a directory of the local server filesystem included as external storage.

For example:
A directory d1 containing some files and another nested directory d2 containing files are copied.
The files in d1 are readable (decrypted), but the files in d2 aren’t. These files are encrypted but not decrypted when opened or downloaded to a local machine.

As far as I remember there have been changes to encryption a few years ago. Is this maybe related to this?

Any help will be greatly appreciated.

The Basics

  • Nextcloud Server version:
    • 30.0.5
  • Operating system and version:
    • Ubuntu 22.04
  • Web server and version:
    • Apache 2.4.52
  • Reverse proxy and version
    • nginx 1.26.2
  • PHP version:
    • 8.3.16

Steps to replicate it:

  1. Enable server-side encryption.
    It has been enabled for a couple of years but I have never used it.
  2. Set up external storage
  3. Copy directory including sub-directory from internal storage to external storage.
  4. Try to view files in sub-directory.

Log entries

I did not find any related log entries.

Configuration

Nextcloud

The output of occ config:list system :

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "sub.domain.top"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "30.0.5.1",
        "overwrite.cli.url": "https:\/\/sub.domain.top",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "updater.release.channel": "stable",
        "encryption.legacy_format_support": false,
        "encryption.key_storage_migrated": false,
        "default_phone_region": "EN",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpsecure": "ssl",
        "maintenance_window_start": 1,
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "app_install_overwrite": [
            "quicknotes"
        ]
    }
}

Apps

The output of occ app:list :

Enabled:
  - activity: 3.0.0
  - app_api: 4.0.5
  - bookmarks: 15.0.5
  - bruteforcesettings: 3.0.0
  - calendar: 5.0.9
  - circles: 30.0.0
  - cloud_federation_api: 1.13.0
  - comments: 1.20.1
  - contacts: 6.1.3
  - contactsinteraction: 1.11.0
  - dashboard: 7.10.0
  - dav: 1.31.1
  - deck: 1.14.3
  - encryption: 2.18.0
  - federatedfilesharing: 1.20.0
  - federation: 1.20.0
  - files: 2.2.0
  - files_antivirus: 5.6.1
  - files_downloadlimit: 3.0.0
  - files_external: 1.22.0
  - files_pdfviewer: 3.0.0
  - files_reminders: 1.3.0
  - files_sharing: 1.22.0
  - files_trashbin: 1.20.1
  - files_versions: 1.23.0
  - firstrunwizard: 3.0.0
  - forms: 4.3.6
  - groupfolders: 18.0.9
  - logreader: 3.0.0
  - lookup_server_connector: 1.18.0
  - mail: 4.1.2
  - metadata: 0.21.0
  - nextcloud_announcements: 2.0.0
  - notes: 4.11.0
  - notifications: 3.0.0
  - oauth2: 1.18.1
  - password_policy: 2.0.0
  - passwords: 2024.12.21
  - photos: 3.0.2
  - privacy: 2.0.0
  - provisioning_api: 1.20.0
  - quicknotes: 0.8.23
  - recommendations: 3.0.0
  - related_resources: 1.5.0
  - richdocuments: 8.5.3
  - richdocumentscode: 24.4.1103
  - secrets: 2.1.2
  - serverinfo: 2.0.0
  - settings: 1.13.0
  - sharebymail: 1.20.0
  - spreed: 20.1.3
  - support: 2.0.0
  - survey_client: 2.0.0
  - systemtags: 1.20.0
  - tables: 0.8.3
  - tasks: 0.16.1
  - text: 4.1.0
  - theming: 2.5.0
  - timemanager: 0.3.16
  - twofactor_backupcodes: 1.19.0
  - twofactor_totp: 12.0.0-dev
  - updatenotification: 1.20.0
  - user_status: 1.10.0
  - viewer: 3.0.0
  - weather_status: 1.10.0
  - webhook_listeners: 1.1.0-dev
  - workflowengine: 2.12.0

The issue is with how Nextcloud handles encryption when copying files within external storage or from unencrypted storage. This might be related to changes made in encryption a few years ago. Try checking your encryption settings or re-encrypting the files.

For an SMTP server, you could try SMTPmart, Mailgun or Amazon SES for reliable email sending.

Thanks.
I have already tried decrypting all files, disabling encryption and re-enabling it, but unfortunately the result is the same. I also checked the status and legacy format with the occ command. Everything seems to be fine.
Since the top level files are encrypted and decrypted correctly, but the subdirectories aren’t, I think the encryption is basically working.

I have now tried a fresh installation:

  • the latest Nextcloud version 30.0.5
  • only the basic recommended apps including the default encryption module and external storage app
  • enabled encryption
  • created a local folder outside the Nextcloud’s path and configured it as external storage available to all users

It’s the same result: The files in the first level directory are encrypted and properly decrypted before opening, but the files in the second level directory are not. Same result when I download the directory.
I have not done any additional configuration or changed anything else.

Including this test installation, I have this problem on 3 different Nextcloud instances.

I suppose it should work, but how?

I finally found something 🙂
There is hope for Nextcloud 31: https://github.com/nextcloud/server/pull/48651

It seems that the encrypted flag is not set correctly when copying. I tried to set it manually in the DB for one file and now it opens as expected.
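
A read-only check for the mismatch described in the last post, as an added example that is not part of the thread or of Nextcloud's own code: it walks a local external-storage directory and compares what is actually on disk with an export of the file cache's encrypted flag, reporting both ciphertext without a flag and flagged files that are stored in plaintext. Assumptions: encrypted files start with the default module's `HBEGIN:` header marker, the cache rows were exported beforehand as storage-relative path and `encrypted` value (check the table and column names against your own schema), and the tree built in `demo()` is constructed sample data.

```python
import os
import tempfile

# The default encryption module starts every encrypted file with a text
# header beginning with this marker.
HEADER_MAGIC = b"HBEGIN:"

def has_encryption_header(path):
    """True if the file on disk starts with the encryption header."""
    with open(path, "rb") as fh:
        return fh.read(len(HEADER_MAGIC)) == HEADER_MAGIC

def find_flag_mismatches(storage_root, cache_rows):
    """cache_rows: {relative path: value of the 'encrypted' column}.
    Returns a sorted list of (relative path, problem) tuples."""
    problems = []
    for dirpath, _dirs, files in os.walk(storage_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, storage_root).replace(os.sep, "/")
            if rel not in cache_rows:
                problems.append((rel, "no file cache row"))
                continue
            on_disk = has_encryption_header(full)
            flagged = int(cache_rows[rel]) > 0
            if on_disk and not flagged:
                problems.append((rel, "ciphertext on disk, flag is 0"))
            elif flagged and not on_disk:
                problems.append((rel, "flag set, plaintext on disk"))
    return sorted(problems)

def demo():
    """Constructed sample mirroring the d1/d2 case from the thread."""
    header = HEADER_MAGIC + b"constructed-sample:HEND"
    files = {
        "d1/a.txt": header + b"\x00\x01",     # encrypted, flagged
        "d1/d2/b.txt": header + b"\x02\x03",  # encrypted, flag missing
        "d1/d2/c.txt": b"plain text",         # plaintext, flagged
    }
    cache_rows = {"d1/a.txt": 1, "d1/d2/b.txt": 0, "d1/d2/c.txt": 1}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return find_flag_mismatches(root, cache_rows)

if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{rel}: {problem}")
```

This only applies to external storage backed by a local directory; for S3 the object contents would have to be fetched by other means before the same comparison can be made.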
