New install of NC18, server-side encryption with object store as primary causes invalid files

Nextcloud version: 18.0.4
Operating system and version: Ubuntu 20.04
Apache or nginx version: 1.17.10
PHP version: 7.4.4

The issue you are facing:
Is it possible to use an object store as primary storage with the default server-side encryption?

After turning on the server-side encryption module by following the manual I can’t view or open any files uploaded after that point.

As the docs say, I can’t disable the default encryption module, but if I turn off “Encrypt the home storage”, then any files uploaded after that point are available (and also unencrypted on my object store).

  1. I installed and set up NC 18.0.4 this morning, working with just the admin user and local primary storage. Tested this with the default files and uploaded one of my own to confirm it works.

  2. Reset the install so I could switch to an S3-compatible object store as primary storage. Again tested with only the admin user, default files and one of my own uploaded and downloaded. This works!

  3. Added a non-admin user, uploaded a few files (PDF, txt, png, etc.). I confirmed I could download and view them.

  4. Following the NC admin guide, turned on server-side encryption, enabled the default encryption module, and then checked “Encrypt the home storage”.

  5. Logged out and back in (although I think this isn’t required now with the server-wide encryption key). Any files uploaded after this point are no longer downloadable or viewable by either admin or my test user.

When trying to open them with the in-browser viewer, the log shows:

"Exception": "OCP\\Encryption\\Exceptions\\GenericEncryptionException",
"Message": "Bad Signature",

Followed by a bunch of JSON blobs with:

message: "Trying to access array offset on value of type null at /usr/share/nginx/nextcloud/3rdparty/aws/aws-sdk-php/src/RetryMiddleware.php#144"

It looks as though maybe the files are encrypted, but the web UI for downloading and previewing doesn’t know how to decrypt properly?

After I moved the data folder to a new location, two of my users had all their files go missing. The files were still on the server, so I had to run an 8h-long occ files:scan --all.

After that, all files were back in the web interface, but I was facing the same Bad Signature 503 error, unable to preview or download. Maybe because after the folder move NC thinks the files are different because of the timestamps?

This solved my problem:

Adding 'encryption_skip_signature_check' => true to the config/config.php file, but I’m unsure if this generates any security risk.