Occ encryption:scan:legacy-format

I get encryption error when I update nextcloud 20 I request your help

I think you’ve read the documenation as written in the warning message? If yes, please be more precise and explain what your problem is. Please also see:

Hi All, after a “bumpy” upgrade to NC20, I have cleared all issues except for the one reported here. I have followed the documentation and run the command occ encryption:scan:legacy-format

However, I get an error message that says:

 There are no commands defined in the "encryption:scan" namespace.  
  Did you mean this?                                                 

I’ve searched and googled around but I can’t find a solution. Can anyone help?

Thanks in advance

Could it be possible that the encryption app has been disabled on your server?
Can you please provide the output of “./occ”.


seems I have the same problem. Here the output of occ:

Nextcloud XXXXXXXXX 20.0.3

  command [options] [arguments]

  -h, --help            Display this help message
  -q, --quiet           Do not output any message
  -V, --version         Display this application version
      --ansi            Force ANSI output
      --no-ansi         Disable ANSI output
  -n, --no-interaction  Do not ask any interactive question
      --no-warnings     Skip global warnings, show command output only
  -v|vv|vvv, --verbose  Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug

Available commands:
  check                                  check dependencies of the server environment
  help                                   Displays help for a command
  list                                   Lists commands
  status                                 show some status information
  upgrade                                run upgrade routines after installation of a new release. The release has to be installed before.
  activity:send-mails                    Sends the activity notification mails
  app:check-code                         check code to be compliant
  app:disable                            disable an app
  app:enable                             enable an app
  app:getpath                            Get an absolute path to the app directory
  app:install                            install an app
  app:list                               List all available apps
  app:remove                             remove an app
  app:update                             update an app or all apps
  background:ajax                        Use ajax to run background jobs
  background:cron                        Use cron to run background jobs
  background:webcron                     Use webcron to run background jobs
  broadcast:test                         test the SSE broadcaster
  config:app:delete                      Delete an app config value
  config:app:get                         Get an app config value
  config:app:set                         Set an app config value
  config:import                          Import a list of configs
  config:list                            List all configs
  config:system:delete                   Delete a system config value
  config:system:get                      Get a system config value
  config:system:set                      Set a system config value
  dav:create-addressbook                 Create a dav addressbook
  dav:create-calendar                    Create a dav calendar
  dav:list-calendars                     List all calendars of a user
  dav:move-calendar                      Move a calendar from an user to another
  dav:remove-invalid-shares              Remove invalid dav shares
  dav:send-event-reminders               Sends event reminders
  dav:sync-birthday-calendar             Synchronizes the birthday calendar
  dav:sync-system-addressbook            Synchronizes users to the system addressbook
  db:add-missing-columns                 Add missing optional columns to the database tables
  db:add-missing-indices                 Add missing indices to the database tables
  db:add-missing-primary-keys            Add missing primary keys to the database tables
  db:convert-filecache-bigint            Convert the ID columns of the filecache to BigInt
  db:convert-mysql-charset               Convert charset of MySQL/MariaDB to use utf8mb4
  db:convert-type                        Convert the Nextcloud database to the newly configured one
  encryption:change-key-storage-root     Change key storage root
  encryption:decrypt-all                 Disable server-side encryption and decrypt all files
  encryption:disable                     Disable encryption
  encryption:enable                      Enable encryption
  encryption:encrypt-all                 Encrypt all files for all users
  encryption:list-modules                List all available encryption modules
  encryption:migrate-key-storage-format  Migrate the format of the keystorage to a newer format
  encryption:set-default-module          Set the encryption default module
  encryption:show-key-storage-root       Show current key storage root
  encryption:status                      Lists the current status of encryption
  federation:sync-addressbooks           Synchronizes addressbooks of all federated clouds
  files:cleanup                          cleanup filecache
  files:scan                             rescan filesystem
  files:scan-app-data                    rescan the AppData folder
  files:transfer-ownership               All files and folders are moved to another user - shares are moved as well.
  files_external:applicable              Manage applicable users and groups for a mount
  files_external:backends                Show available authentication and storage backends
  files_external:config                  Manage backend configuration for a mount
  files_external:create                  Create a new mount configuration
  files_external:delete                  Delete an external mount
  files_external:export                  Export mount configurations
  files_external:import                  Import mount configurations
  files_external:list                    List configured admin or personal mounts
  files_external:notify                  Listen for active update notifications for a configured external mount
  files_external:option                  Manage mount options for a mount
  files_external:verify                  Verify mount configuration
  group:add                              Add a group
  group:adduser                          add a user to a group
  group:delete                           Remove a group
  group:list                             list configured groups
  group:removeuser                       remove a user from a group
  integrity:check-app                    Check integrity of an app using a signature.
  integrity:check-core                   Check integrity of core code using a signature.
  integrity:sign-app                     Signs an app using a private key.
  integrity:sign-core                    Sign core using a private key.
  l10n:createjs                          Create javascript translation files for a given app
  log:file                               manipulate logging backend
  log:manage                             manage logging configuration
  log:tail                               Tail the nextcloud logfile
  log:watch                              Watch the nextcloud logfile
  mail:account:create                    creates IMAP account
  mail:account:diagnose                  Diagnose a user's IMAP connection
  mail:account:export                    Exports a user's IMAP account(s)
  mail:account:export-threads            Exports a user's account threads
  mail:account:sync                      Synchronize an IMAP account
  mail:account:train                     Train the classifier of new messages
  mail:clean-up                          clean up all orphaned data
  mail:thread                            Build threads from the exported data of an account
  maintenance:data-fingerprint           update the systems data-fingerprint after a backup is restored
  maintenance:mimetype:update-db         Update database mimetypes and update filecache
  maintenance:mimetype:update-js         Update mimetypelist.js
  maintenance:mode                       set maintenance mode
  maintenance:repair                     repair this installation
  maintenance:theme:update               Apply custom theme changes
  maintenance:update:htaccess            Updates the .htaccess file
  migrations:execute                     Execute a single migration version manually.
  migrations:migrate                     Execute a migration to a specified version or the latest available version.
  migrations:status                      View the status of a set of migrations.
  news:feed:add                          Add a feed
  news:feed:delete                       Remove a feed
  news:feed:list                         List all feeds
  news:folder:add                        Add a folder
  news:folder:delete                     Remove a folder
  news:folder:list                       List all folders
  news:generate-explore                  Prints a JSON string which represents the given feed URL and votes, e.g.: {"title":"Feed - Title","favicon":"www.web.com\/favicon.ico","url":"www.web.com","feed":"www.web.com\/rss.xml","description":"description is here","votes":100}
  news:opml:export                       Print OPML file
  news:show-feed                         Prints a JSON string which represents the given feed as it would be in the DB.
  news:updater:after-update              removes old read articles which are not starred
  news:updater:all-feeds                 DEPRECATED: use news:feed:list instead.
Prints a JSON string which contains all feed ids and user ids, e.g.: {"feeds": [{"id": 39, "userId": "john"}, // etc ]}
  news:updater:before-update             This is used to clean up the database. It deletes folders and feeds that are marked for deletion
  news:updater:update-feed               Console API for updating a single user's feed
  notification:generate                  Generate a notification for the given user
  notification:test-push                 Generate a notification for the given user
  preview:repair                         distributes the existing previews into subfolders
  richdocuments:activate-config          Activate config changes
  richdocuments:convert-bigint           Convert the ID columns of the richdocuments tables to BigInt
  richdocuments:update-empty-templates   Update empty template files
  security:bruteforce:reset              resets bruteforce attemps for given IP address
  security:certificates                  list trusted certificates
  security:certificates:import           import trusted certificate
  security:certificates:remove           remove trusted certificate
  sharing:cleanup-remote-storages        Cleanup shared storage entries that have no matching entry in the shares_external table
  sharing:expiration-notification        Notify share initiators when a share will expire the next day.
  talk:poll                              Simple polls for Nextcloud Talk
  talk:poll:vote                         Vote on a simple poll
  text:reset                             Reset a text document
  theming:config                         Set theming app config values
  trashbin:cleanup                       Remove deleted files
  trashbin:expire                        Expires the users trashbin
  trashbin:size                          Configure the target trashbin size
  twofactorauth:cleanup                  Clean up the two-factor user-provider association of an uninstalled/removed provider
  twofactorauth:disable                  Disable two-factor authentication for a user
  twofactorauth:enable                   Enable two-factor authentication for a user
  twofactorauth:enforce                  Enabled/disable enforced two-factor authentication
  twofactorauth:state                    Get the two-factor authentication (2FA) state of a user
  update:check                           Check for server and app updates
  user:add                               adds a user
  user:delete                            deletes the specified user
  user:disable                           disables the specified user
  user:enable                            enables the specified user
  user:info                              show user info
  user:lastseen                          shows when the user was logged in last time
  user:list                              list configured users
  user:report                            shows how many users have access
  user:resetpassword                     Resets the password of the named user
  user:setting                           Read and modify user settings
  versions:cleanup                       Delete versions
  versions:expire                        Expires the users file versions
  workflows:list                         Lists configured workflows

In my config.php I have following:

$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'instanceid' => 'AAAAAAAAAAA',
  'passwordsalt' => 'BBBBBBBBBB',
  'secret' => 'CCCCCCCCCCC',
  'trusted_domains' =>
  array (
    0 => 'bla.blub.blo',
    1 => 'blo.bla.bli',
  'datadirectory' => 'PATH',
  'overwrite.cli.url' => 'URL',
  'dbtype' => 'mysql',
  'version' => '',
  'dbname' => 'DB',
  'dbhost' => 'DB_HOST',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'DB_USER',
  'dbpassword' => 'DB_PASSWD',
  'logtimezone' => 'UTC',
  'installed' => true,
  'loglevel' => 0,
  'maintenance' => false,
  'mail_smtpmode' => 'smtp',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_from_address' => 'ADDRESS',
  'mail_domain' => 'DOMAIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'SMTP',
  'mail_smtpport' => 'PORT',
  'mail_smtpname' => 'ADDRESS',
  'mail_smtppassword' => 'PASSWD',
  'theme' => '',
  'updater.release.channel' => 'stable',
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'mysql.utf8mb4' => true,
  'has_rebuilt_cache' => true,
  'app_install_overwrite' =>
  array (
    0 => 'groupfolders',
  'updater.secret' => 'SECRET',
  'encryption.legacy_format_support' => true,
  'encryption.key_storage_migrated' => false,

Do you have an idea?


the end to end encryption is disabled at my machine and I want not to change this. I also checked this:

# sudo -u www-data php /var/www/html/nextcloud/occ encryption:status                    
  - enabled: false
  - defaultModule: OC_DEFAULT_MODULE

Nevertheless, I told occ to migrate the keys:

# sudo -u www-data php /var/www/html/nextcloud/occ encryption:migrate-key-storage-format
Updating key storage format
Start to update the keys:
   13 [============================]Key storage format successfully updated

Thereafter I remove the entry for encryption.legacy_format_support and everything seems to be o.k…



1 Like

I did these operations, the problem continues,

I searched google but could not find a source

@j-ed, thanks for the reply, sorry I didn’t answer I was distracted on to other topics for a few days.

My issue was exactly the same as @fermat2a… Now solved. Thanks to all!

1 Like

Can you tell me how you did it? My problem continues.
sudo -u www-data php /var/www/nextcloud/occ encryption:status

  • enabled: true
  • defaultModule: OC_DEFAULT_MODULE

@idriskoc: The solution for me was, exactly what fermat2a did.
Let me try to summarize it:

occ maintenance:mode --on

occ encryption:migrate-key-storage-format

The output should look like
Updating key storage format
Start to update the keys:
22 [============================]Key storage format successfully updated

Then delete the complete line
'encryption.legacy_format_support' => true,

occ maintenance:mode --off


occ encryption:status
then gives
- enabled: false
- defaultModule: OC_DEFAULT_MODULE

In all the above occ needs to be replaced depending on your installation.
On Ubuntu based installations it frequently is:
sudo -u www-data php /var/www/html/nextcloud/occ
On my Fedora based installation it is:
sudo -u apache php /var/www/nextcloud/occ


Hi there,

I know this is not exactly related, but maybe anyone may still be able to help me here:

I’m confronted with the informational message in the admin backend saying I should use occ encryption:scan:legacy-format to scan for encrypted files in legacy format and that the command would return whether I can safely upgrade to the new format or not.
Actually it only outputs it’s status, saying that it has scanned files of users but doesn’t say anything about the possibility to safely change encryption format.
How is the positive output supposed to look like?

Thank you very much for your help
problem solved