(Server Side) Encryption: Again this pain in the ass

bmaehr · March 1, 2025, 8:47pm

The Basics

Nextcloud Server version (e.g., 29.x.x):
- 31.0.0
Operating system and version (e.g., Ubuntu 24.04):
- nextcloud:fpm docker image
Web server and version (e.g, Apache 2.4.25):
- nginx:alpine
Reverse proxy and version _(e.g. nginx 1.27.2)
- Apache/2.4.58 (Ubuntu)
PHP version (e.g, 8.3):
- 8.4
Is this the first time you’ve seen this error? (Yes / No):
- Yes
When did this problem seem to first start?
- After update to 31.0.0
Installation method (e.g. AlO, NCP, Bare Metal/Archive, etc.)
- docker compose
Are you using CloudfIare, mod_security, or similar? (Yes / No)
- No

Summary of the issue you are facing:

Some users get “Keys are not initialized, please log out and login again”
Some users get “Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files.”
In the log files there is “ServerNotAvailableException Could not decrypt key Could not boot encryption: Could not decrypt key”

I have been search for hours in the communit discussions and many people have similar problems and the only advice that seams to sometimes be succesfull is “remove the app” and disable encryption. Are you serious?

Also her is nothing really helpful:
“Could not decrypt key” upon login

My master key file is not changed since 2016 and the config.php from 2018 contains the same secret. So how can it be suddenly broken?

The main problem for fixing this kind of problems is the missing documentation about where which setting is stored.

For example can you change the encryption:change-key-storage-root. But what directory should it be? data ? data/files_encryption ? data/files_encryption ? data/files_encryption/keys ? data/files_encryption/OC_DEFAULT_MODULE?

Where in the database is stored the value and if it is enabled?

Where the keys for the user are searched? Is that also stored somewhere in the database? Is it stored somewhere in the database if it is enabled?

Why are the keys/direcoriers not generated when logging in? Can they be generated with some occ command?

What is the legacy filekey format? How can I recognice that? Why does running occ encryption:fix-key-location not output anything?

bmaehr · March 1, 2025, 8:55pm

Same here:

root@vserver:/srv/cloud# docker compose exec --user www-data fpm php occ encryption:migrate-key-storage-format -vvv
Updating key storage format
Start to update the keys:
    3 [============================]Key storage format successfully updated

No helpful information on that output …

jason_marinaro · March 16, 2025, 7:43am

bmaehr · March 23, 2025, 12:24pm

After days of searching for the problem and comparing the old server with the new one I found the reason:

The setting 'encryption.key_storage_migrated' => false was missing in config.php

bmaehr · March 23, 2025, 1:47pm

Running encryption:migrate-key-storage-format did change the master keys in data/files_encryption/OC_DEFAULT_MODULE but not (most) keys of the users.

Additionally it did complain that it was not able to access

Failed to open path /cf24dfe4-6ffe-1033-8fd0-8f0b1c49f400/files_encryption/OC_DEFAULT_MODULE/cf24dfe4-6ffe-1033-8fd0-8f0b1c49f400.privateKey
Failed to open path /cf24dfe4-6ffe-1033-8fd0-8f0b1c49f400/files_encryption/OC_DEFAULT_MODULE/cf24dfe4-6ffe-1033-8fd0-8f0b1c49f400.publicKey

Funny enough the private key of this user was changed.