Restore an encrypted Nextcloud file

3d0220fd0f9a5702d0f7 · August 12, 2024, 10:17am

Hello,
I am currently trying different tests to see how I can recover an encrypted file without using a PHP recovery tool. Here is my infrastructure:

version: '3'

services:
  db:
    image: postgres:alpine
    restart: always
    volumes:
      - ./db:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: nextcloud
      POSTGRES_USER: nextcloud
      POSTGRES_PASSWORD: nextcloud

  app:
    image: nextcloud
    ports:
      - 8080:80
    links:
      - db
    volumes:
      - ./nextcloud:/var/www/html
    environment:
      POSTGRES_HOST: db
      POSTGRES_DB: nextcloud
      POSTGRES_USER: nextcloud
      POSTGRES_PASSWORD: nextcloud
    restart: always

volumes:
  db:
  nextcloud:

My goal is to upload a file to Nextcloud, with encryption enabled on my server. I then want to save the corresponding files related to this file, specifically the encrypted file with the master key, and subsequently delete them from the Nextcloud hierarchy.

#!/bin/bash

# Define variables
FILE_NAME="name.pdf"
NEXTCLOUD_FILES_DIR="./nextcloud/nextcloud/data/nextcloud/files/test"
NEXTCLOUD_ENCRYPTION_DIR="./nextcloud/data/nextcloud/files_encryption/keys/files/test"
SAVE_DIR="./nextcloud/save"
SAVE_KEY_DIR="$SAVE_DIR/keys/$FILE_NAME/OC_DEFAULT_MODULE"

mkdir -p "$SAVE_DIR"
mkdir -p "$SAVE_KEY_DIR"

cp "$NEXTCLOUD_FILES_DIR/$FILE_NAME" "$SAVE_DIR/"

cp "$NEXTCLOUD_ENCRYPTION_DIR/$FILE_NAME/OC_DEFAULT_MODULE/master_4a01101e.shareKey" "$SAVE_KEY_DIR/"

rm "$NEXTCLOUD_FILES_DIR/$FILE_NAME"
rm "$NEXTCLOUD_ENCRYPTION_DIR/$FILE_NAME/OC_DEFAULT_MODULE/master_4a01101e.shareKey"

rmdir "$NEXTCLOUD_ENCRYPTION_DIR/$FILE_NAME/OC_DEFAULT_MODULE"
rmdir "$NEXTCLOUD_ENCRYPTION_DIR/$FILE_NAME"

After that, I search in Nextcloud and see that name.pdf is no longer available. Now, I copy the files back to their original location and perform a sync.

#!/bin/bash

FILE_NAME="name.pdf"
NEXTCLOUD_FILES_DIR="./nextcloud/nextcloud/data/nextcloud/files/test"
NEXTCLOUD_ENCRYPTION_DIR="./nextcloud/nextcloud/data/nextcloud/files_encryption/keys/files/test"
SAVE_DIR="./nextcloud/save"
SAVE_KEY_DIR="$SAVE_DIR/keys/$FILE_NAME/OC_DEFAULT_MODULE"

mkdir -p "$NEXTCLOUD_FILES_DIR"
mkdir -p "$NEXTCLOUD_ENCRYPTION_DIR/$FILE_NAME/OC_DEFAULT_MODULE"

cp "$SAVE_DIR/$FILE_NAME" "$NEXTCLOUD_FILES_DIR/"

cp "$SAVE_KEY_DIR/master_4a01101e.shareKey" "$NEXTCLOUD_ENCRYPTION_DIR/$FILE_NAME/OC_DEFAULT_MODULE/"

docker exec -u www-data -it bf php /var/www/html/occ files:scan --path="nextcloud/files/test"

The file then reappears in Nextcloud, but it cannot be opened. Does anyone have an idea of what I might be doing wrong?

wwe · August 14, 2024, 5:09pm

I’m not exactly get what you are trying to achieve. I would not recommend to fiddle with Nextcloud storage directly, rather rely on on the proper backup/restore procedure

maybe this helps you GitHub - nextcloud/encryption-recovery-tools: This project contains tools to recover files that have been encrypted with the Nextcloud End-to-End Encryption or Nextcloud Server-Side Encryption.

3d0220fd0f9a5702d0f7 · August 15, 2024, 11:34am

I only did this as a test, and the backups from production are working with Restic. My question is whether I can re-add a decrypted file that was backed up into Nextcloud’s storage, then perform a scan, and have the file show up again? Or is the only option to decrypt the file with the recovery key and then manually re-add it?

wwe · August 15, 2024, 7:18pm

I’m sorry can not help here. my assumption is

as long you only lost some files and the DB still holds references to the file you can recover file and key (no occ files:scan required)
if you lost both files and corresponding DB records, I suppose there is no way to add “already encrypted” as you do with plain files… decrypt+upload is the safe method IMHO.

in general server encryption encryption-server doesn’t add any security when the storage is located on the same server - an attacker who has control over the server could extract the keys… the only reasonable use-case AFAIK is when you use external (object) storage like S3 and don’t trust the provider…

yahesh · May 11, 2025, 12:16am

@3d0220fd0f9a5702d0f7 I guess I‘m a bit late to the party, but: No you can‘t just delete SSE-encrypted files and add them back later.

The files aren‘t self-contained. There are additional files on disk containing the actual file keys. When you delete the file through Nextcloud, these get deleted as well. So you‘d have to restore them as well.

Also, the integrity check requires the correct file version that‘s stored in the database. So you’d have to modify the file entry in the database as well (or disable integrity checks in the config, breaking major security guarantees in the process).