Nextcloud server side encryption recursive directory problem


The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • 30.0.4.1
  • Operating system and version (e.g., Ubuntu 24.04):
    • Almalinux 9.3
  • Web server and version (e.g, Apache 2.4.25):
    • Apache 2.45.7
  • PHP version (e.g, 8.3):
    • PHP 8.2.16 FPM
  • Is this the first time you’ve seen this error? (Yes / No):
    • Yes
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
    • VM
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • No

Summary of the issue you are facing:

We don’t know how this situation happened, but basically this is where we are. Here is the example of a USER directory:
datadirectory:
FILES: /nextcloud/data/USER/files/folder1/folder2/test.txt
FILES_ENCRYPTION: /nextcloud/data/USER/files_encryption/keys/files/folder1/folder2/test.txt

The problem is that, basically, a recursive tree (60 times) was created inside folder2, for example like this:

FILES_ENCRYPTION: /nextcloud/data/USER/files_encryption/keys/files/folder1/folder2/files/folder1/folder2/files/folder1/folder2/files/folder1/folder2/files/folder1/folder2/files/folder1/folder2/files/folder1/folder2/files/…

And for many files and directories the reference exists inside files_encryption but not in the user’s files (i.e., the “original files” no longer exist, but there are still related keys inside the files_encryption directory).

We have tried running occ commands, pretty much all of those regarding “cleaning” the data, except recreating the aberration (seems to be potentially dangerous).
We have tried “deleting” the recursive directories, as the referenced files no longer exist, but when running the user’s occ files:scan, as soon as it gets to the recursive files_encryption directories it starts using RAM until it is saturated. We gave it 16GB of RAM, which PHP depletes anyway, and each time this blocked the scan process, so we can’t get it to complete…

Do you have any suggestions?

Steps to replicate it (hint: details matter!):

  1. Don’t know how; maybe enabling server-side encryption and moving/copying multiple files

Configuration

Nextcloud

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "my_nextcloud_instance_url"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "30.0.4.1",
        "overwrite.cli.url": "https:\/\/my_nextcloud_instance_url",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "activity_expire_days": 90,
        "updater.release.channel": "stable",
        "versions_retention_obligation": "auto, 30",
        "app_install_overwrite": [
            "dicomviewer"
        ],
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "ssl",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "maintenance_window_start": 1
    }
}

Apps

Enabled:
  - activity: 3.0.0
  - app_api: 4.0.3
  - calendar: 5.0.8
  - circles: 30.0.0
  - cloud_federation_api: 1.13.0
  - comments: 1.20.1
  - contactsinteraction: 1.11.0
  - dashboard: 7.10.0
  - dav: 1.31.1
  - encryption: 2.18.0
  - federatedfilesharing: 1.20.0
  - federation: 1.20.0
  - files: 2.2.0
  - files_downloadlimit: 3.0.0
  - files_pdfviewer: 3.0.0
  - files_reminders: 1.3.0
  - files_sharing: 1.22.0
  - files_trashbin: 1.20.1
  - firstrunwizard: 3.0.0
  - logreader: 3.0.0
  - lookup_server_connector: 1.18.0
  - nextcloud_announcements: 2.0.0
  - notifications: 3.0.0
  - oauth2: 1.18.1
  - password_policy: 2.0.0
  - photos: 3.0.2
  - privacy: 2.0.0
  - provisioning_api: 1.20.0
  - related_resources: 1.5.0
  - serverinfo: 2.0.0
  - settings: 1.13.0
  - sharebymail: 1.20.0
  - support: 2.0.0
  - survey_client: 2.0.0
  - systemtags: 1.20.0
  - text: 4.1.0
  - theming: 2.5.0
  - twofactor_backupcodes: 1.19.0
  - updatenotification: 1.20.0
  - user_status: 1.10.0
  - viewer: 3.0.0
  - weather_status: 1.10.0
  - webhook_listeners: 1.1.0-dev
  - workflowengine: 2.12.0
Disabled:
  - admin_audit: 1.20.0
  - bruteforcesettings: 3.0.0 (installed 2.4.0)
  - files_external: 1.22.0 (installed 1.22.0)
  - files_rightclick: 0.15.1 (installed 1.6.0)
  - files_versions: 1.23.0 (installed 1.23.0)
  - recommendations: 3.0.0 (installed 1.0.0)
  - suspicious_login: 8.0.0
  - twofactor_nextcloud_notification: 4.0.0
  - twofactor_totp: 12.0.0-dev
  - user_ldap: 1.21.0

The "Versions" app is now disabled for other reasons, but when it happened it was definitely enabled.

Thank you
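
A read-only way to inventory the state described in the post without running files:scan, added here as an example (it is not part of the original post and not Nextcloud code): it walks the key tree iteratively, lists key entries that have no counterpart under files/, and measures how deep a repeated files/&lt;path&gt; chain goes without ever descending into it. It assumes only the layout shown in the post, where files_encryption/keys/files mirrors files; `audit_user`, `nesting_depth` and `build_sample` are hypothetical names, and the sample tree is constructed.

```python
import os
import tempfile
from pathlib import Path

def nesting_depth(keys_root, rel):
    """Count how many times 'files/<rel>' repeats below keys_root/<rel>."""
    depth, cur = 0, keys_root / rel
    while os.path.isdir(cur / "files" / rel):  # iterative: constant memory
        cur = cur / "files" / rel
        depth += 1
    return depth

def audit_user(user_dir):
    """Read-only audit: returns (orphan key paths, {folder: nesting depth})."""
    user_dir = Path(user_dir)
    files_root = user_dir / "files"
    keys_root = user_dir / "files_encryption" / "keys" / "files"
    orphans, nested, stack = [], {}, [Path(".")]
    while stack:
        rel = stack.pop()
        with os.scandir(keys_root / rel) as entries:
            for entry in entries:
                child = rel / entry.name
                target = files_root / child
                if target.is_dir() and entry.is_dir(follow_symlinks=False):
                    stack.append(child)  # folder exists on both sides: keep walking
                elif not target.exists():
                    orphans.append(child.as_posix())  # no source file: never descend
                    if entry.name == "files" and rel != Path("."):
                        nested[rel.as_posix()] = nesting_depth(keys_root, rel)
    return sorted(orphans), nested

def build_sample(root, repeats=60):
    """Constructed sample mirroring the layout described in the post."""
    user = Path(root) / "USER"
    keys = user / "files_encryption" / "keys" / "files"
    (user / "files" / "folder1" / "folder2").mkdir(parents=True)
    (user / "files" / "folder1" / "folder2" / "test.txt").write_text("x")
    (keys / "folder1" / "folder2" / "test.txt").mkdir(parents=True)
    (keys / "folder1" / "folder2" / "gone.txt").mkdir()  # key without a source file
    loop = keys / "folder1" / "folder2"
    for _ in range(repeats):
        loop = loop / "files" / "folder1" / "folder2"
    loop.mkdir(parents=True)
    return user

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_user(build_sample(tmp)))
```

Point `audit_user` at a copy or snapshot of the per-user directory first; the script only lists entries and never modifies or deletes anything.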