Nextcloud 16 - Password change is disabled because the master key is disabled

Hello,

I’m encountering this “problem” after I have migrated from Owncloud 10.2 to Nextcloud 12, and then updated till Nextcloud 16: when I click Admin user icon and then click on “Users”, the following message shows up:

“Password change is disabled because the master key is disabled”

And of course, I can’t change anyone’s password.

Do you have any suggestion?

(NC v 16.0.2)

Thanks in advance.

Cheers.

I have the same issue since trying to enable file encryption:

This is on NC 16.0.1. Unfortunately no solution yet.
Did you enable encryption?

I ended up disabling the following module, “Default encryption module”, and now it works. I don’t know why it was enabled by default. I never encountered this in a “normal” installation.

Cheers.

Glad to see that worked for you. Wish my issue was resolved so easily too, but it isn’t.

@DByte any luck in finding the solution? I am also having the same problem.

No, still no solution for me. I have no idea why it isn’t working, unfortunately. At this point, I don’t think I’ll find an answer. Maybe the upgrade to NC17 will fix things, but until then, as admin I can not change user passwords.

@DByte I have updated NC to stable version 17.0.1 and I still can’t change user passwords and am still getting that error: “Password change is disabled because the master key is disabled”

Any Solution @Schmu, @Jospoortvliet, @nickvergessen ?

Actually, scratch my earlier post. I decided to try solving this again and I managed to get password changing to work correctly again. This is what I did:

  • I made sure that I had a full, working backup in case things would go completely wrong.

  • I reread the admin manual about enabling and disabling encryption. I figured I would need to disable encryption to get things working again.

  • I logged into the command line of the NC server so I could use the occ command to see what was actually happening.

    • occ encryption:status
      This showed that encryption was enabled using the default encryption module. That is what I wanted to disable, which according to the manual requires the server is set to maintenance mode.
    • occ maintenance:mode --on
      ( no error so far)
    • occ encryption:disable
      (encryption disabled successfully)
  • So far so good, encryption was disabled, which I verified by checking its status again.

  • I switched maintenance mode off again:

    • occ maintenance:mode --off
      However, I still could not change passwords and the message about the missing master key was still there.
  • At this point, I figured the only thing left to do, was to create a master key. The documentation warns that you should not do this on a server that contains data, however the command line tool warns that you should not do this on a server which contains encrypted data. Since I had not encrypted my local storage, I hoped that this was a safe action. (Hence why I checked to see if I had a working backup).

  • Returning to the command line, I gave the command to create a master key:

    • occ encryption:enable-master-key
      I ignored the warning I mentioned above and created the master key. That only took a second.
  • I returned to the admin web interface, refreshed my users page and the message about the missing master key was gone. I now have the option to change the passwords of my users again.

Encryption is still disabled for now and I am not sure if I want to enable it again. If I do, it would be for remote storage anyway, to protect data on other platforms.

I took a risk doing this and it has worked out for me. I can not guarantee that you will be successful using this approach but I wanted to share it here anyway, for the sake of others willing to live dangerously. :wink:

@DByte: Thanks for your great post!
Same issue for me on my 18.0.4. I followed your hints step by step, but CAN’T do the last step:

sudo -u wwwrun php occ encryption:enable-master-key

Nextcloud is in maintenance mode - no apps have been loaded

Command “encryption:enable-master-key” is not defined.

Did you mean one of these?
encryption:change-key-storage-root
encryption:decrypt-all
encryption:disable
encryption:enable
encryption:encrypt-all
encryption:list-modules
encryption:set-default-module
encryption:show-key-storage-root
encryption:status

Any hints? Seems to be changed since 16.x

@michaelof: You’re welcome, it was my hope that it would help others. And since I’m not a programmer, helping others to work with NC is sort of my way of “giving back”.

Before I enabled the master key, I turned maintenance mode off again. See the fifth main bullet, and then the sub bullet? When in maintenance mode, no apps are loaded. That includes the encryption app.

Perhaps that’s your issue. If things really are different in 18.0.4, I’m probably not much help. I haven’t touched encryption since I posted that earlier post.
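The failure discussed in the two posts above, as an added example that is not part of the original thread: a guard that refuses to call the encryption app's command while maintenance mode is on, plus a classifier for the two occ messages quoted above. `OCC_CMD` and the function names are hypothetical, and the "currently enabled" text is assumed to be what `occ maintenance:mode` prints when run without options.

```shell
#!/bin/sh
# Added example, not from the thread. OCC_CMD is an assumption: adjust the
# web-server user (wwwrun, www-data, ...) and the path to occ for your host.
OCC_CMD=${OCC_CMD:-"sudo -u wwwrun php occ"}

# Hypothetical helper: run occ and merge stderr into stdout.
run_occ() { $OCC_CMD "$@" 2>&1; }

# Classify occ output using the two messages quoted in the thread.
classify_occ_output() {
  case "$1" in
    *"maintenance mode - no apps have been loaded"*"is not defined"*)
      echo "maintenance-mode" ;;   # app-provided commands are not registered
    *"is not defined"*)
      echo "unknown-command" ;;    # command is missing for some other reason
    *)
      echo "ok" ;;
  esac
}

# True when occ reports that maintenance mode is on.
# Assumption: the status line contains the words "currently enabled".
maintenance_is_on() {
  run_occ maintenance:mode | grep -q "currently enabled"
}

# Create the master key only when the encryption app can be loaded.
# The command is not captured, so its confirmation prompt stays on the terminal.
enable_master_key_guarded() {
  if maintenance_is_on; then
    echo "refusing: maintenance mode is on, the encryption app is not loaded" >&2
    echo "run 'occ maintenance:mode --off' first" >&2
    return 2
  fi
  $OCC_CMD encryption:enable-master-key
}
```

Source the file and call `enable_master_key_guarded` after `occ encryption:disable` and `occ maintenance:mode --off` have completed, with a verified backup in place as the post describes.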

Re-enabling the master key worked for me as well. I had previously disabled it due to “Invalid encryption key error”. Re-enabling did not bring back the error and I’m glad it didn’t. Thanks for the suggestion.