Unable to change enable/disable of Encrypt the home storage / Disable recovery key / Change recovery key password

I can’t get into NC when the encryption app is in the apps directory (/nextcloud/apps/) because NC generates an internal error.

I enabled encryption in the old NC settings. It’s not server-side encryption. I have disabled it. I enabled Encryption and now get an internal error when I switch NC screens. This is an internal error message after the login screen.

The only workaround I know of is to remove the encryption folder from the apps directory.

I expect that modifying the MariaDB database directly will solve the problem. I look at the database and the only table that contains “encryption” is “oc_e2e_encryption_lock”. Probably not this one.

Is there any way to disable the encryption settings when the encryption app is not in apps directory?

How can I prevent NC from generating an internal error even if the Encryption app exists in the apps folder?


NC 23.0.0, PHP 8.0.14, Nginx 1.20.1, MariaDB 10.2.41, CentOS 7.9

When the administrator is logged in and puts the encryption folder into the apps directory, the following instructions will be displayed.

Default encryption module
Encryption app is enabled but your keys are not initialized, please log-out and log-in again

Encryption manual
https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html

Return to your Admin page to see the Nextcloud Default Encryption Module added to the module selector, and automatically selected. Now you must log out and then log back in to initialize your encryption keys.

I’m aware that the encryption key is initialized when the user logs out and logs back in. However, when the user logs out and logs back in, it generates an internal error.

Is there another way to initialize the “encryption key”?

I updated to NC 23.0.2, which of course did not solve the problem. Perhaps this is not the NC version, but a problem specific to me.

Do you have any hints on how I can go one step further in solving this problem?

I’m having a hard time with this problem, so I’m considering rebuilding the NC itself.
I would like to know what reconstructions are possible in NC.

My ideal reconstruction:

  1. All user data and shared dependencies of each user will be migrated to the new NC as is.
  2. Complete migration of all user data.

I want the second one above to be highly possible. It is most desirable to be able to do the first.

Does the NC provide a way to migrate to another NC?

I tried deleting the “files_encryption” directory in each user directory (NC/data/USERNAME/files_encryption). Then I put the encryption app in /NC/apps directory and tried to log in. The user was then able to successfully login without any internal errors.

However, a new problem has arisen. There is a problem with the default encryption module section in the security section of the admin user settings.

I tried to change the password for the recovery key, but the password does not seem to be recognized correctly. I can type any character in the password input field, even if it is blank, I can press the button and the system will not behave in any way. I’m not warned if I deliberately type in the wrong password.

I can change my web browser or operating system to manipulate it, but it doesn’t change anything. How can I deactivate or change the recovery key?

I want to lay out my points once and for all.

I’m trying to find a solution for the Default encryption module.

A very basic question: what is a “Master key”?

Is it different from a recovery key? The Master key is not indicated anywhere in the NC web UI.
When the administrator user opens the Users menu, a popup appears saying “Password change is disabled because the master key is disabled”.

“Encrypt the home storage” in the NC WEB UI is enabled.
*The various password fields are not functioning without any response.

I have disabled server-side encryption. I check with the OCC command and if I run it without “encryption:disable-master-key” specified, it shows that it is already disabled.

I have specified “NC/data/keys” with the command occ encryption:change-key-storage-root to clarify the location of the key. The “.oc_key_storage” exists in that directory.
*I have deleted the “files_encryption” directory under “NC/data/USERNAME/”. Because when I ran the command encryption:change-key-storage-root and tried to reset it to the default location, I got an error that the “files_encryption” directory existed somewhere.

I’m too afraid to run it. If I run “occ encryption:enable-master-key”, which items in NC will change?

I updated to NC 23.0.3 and now I get some kind of response in each password field. For example, when I enter the password to disable the recovery key in the Disable recovery key section, “Saving…” appears on the screen to the right of “Disable recovery key”. But as a result the key is not disabled.

I want to escape from this problem.

Sorry, I do not really understand your problem. Are the files in data/username/files encrypted or not encrypted? Also, I only know this video for decryption. Have you executed this command?

My problems:

  • ‘Encrypt the home storage’ status unknown
    I left that checkbox in the disabled state and when I reloaded the page, it was in the enabled state. This is no longer reproduced in NC 23.0.3.
    → How do I know if it is encrypted?

  • Recovery key is not recognized.
    For example, I can intentionally enter the wrong key into a form even in NC 23.0.3 and it will not point out that it is the wrong key. I cannot disable or change the recovery key.
    → How do I get NC to recognize the recovery key?

Go through the directory structure at Linux level, e.g. /path/to/nextcloud/data/username/files. Can you directly read the content of the files or not?

Have you watched the video and executed the command at some point in the past or not?

Can you directly read the content of the files or not?

Yes, I can read.

Have you watched the video and executed the command at some point in the past or not?

I have never enabled ‘server-side encryption’. Am I making a grand mistake? Does the recovery key mean anything if I don’t have server-side encryption enabled? However I was once able to set and change my recovery key.

occ encryption:decrypt-all
Server side encryption not enabled. Nothing to do.

I would like to try activating the “master key” but again I am afraid to do so. I have a desire to verify if activating the master key will help to balance the books of configuration discrepancies in the system.

I currently have the master key disabled. I do not recall if I have enabled this since NC12. At least I have never manipulated the master key with OCC commands.

What problems might arise from activating the master key? My biggest fear is that the data will be encrypted and unreadable.

Or would the default encryption module have nothing to do with the master key at all?

The server-side encryption in Nextcloud has two different modes:

  1. master key encryption
  2. user key encryption

With the master key encryption, one central “master key” is used as a basis to encrypt all files. In contrast, with user keys, an individual key per user is used as a basis for the encryption. In the past, user key encryption has been the default and one had to actively switch to the weaker master key encryption. However, due to numerous problems with user-individual keys protected by the users’ passwords (which could be lost/forgotten), Nextcloud switched to the master key encryption as the default later on.
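
Added example, not part of any post in this thread: a way to answer "How do I know if it is encrypted?" from the file system, by checking each file under a user's files directory for a server-side encryption header instead of opening files by hand. It assumes that files written by the default encryption module begin with an `HBEGIN:…:HEND` header padded to 8192 bytes; the function names and the sample files are constructed for illustration.

```python
import os
import tempfile

HEADER_START = b"HBEGIN:"   # assumed marker at the start of an encrypted file
HEADER_END = b":HEND"
HEADER_BLOCK = 8192         # assumed size of the padded header block


def parse_header(path):
    """Return the header fields as a dict, or None if the file has no header."""
    with open(path, "rb") as fh:
        block = fh.read(HEADER_BLOCK)
    if not block.startswith(HEADER_START):
        return None
    end = block.find(HEADER_END)
    if end == -1:
        return None
    parts = block[len(HEADER_START):end].decode("ascii", "replace").split(":")
    # Fields are alternating key:value pairs, e.g. cipher:AES-256-CTR
    return dict(zip(parts[0::2], parts[1::2]))


def scan(files_dir):
    """Walk a user's files directory and split paths into encrypted/plain."""
    result = {"encrypted": [], "plain": []}
    for root, _dirs, names in os.walk(files_dir):
        for name in sorted(names):
            path = os.path.join(root, name)
            key = "plain" if parse_header(path) is None else "encrypted"
            result[key].append(os.path.relpath(path, files_dir))
    return result


def demo():
    """Build a constructed sample tree and scan it (no real Nextcloud data)."""
    with tempfile.TemporaryDirectory() as tmp:
        header = b"HBEGIN:oc_encryption_module:OC_DEFAULT_MODULE:cipher:AES-256-CTR:HEND"
        with open(os.path.join(tmp, "secret.txt"), "wb") as fh:
            fh.write(header.ljust(HEADER_BLOCK, b"-") + b"\x00" * 32)
        with open(os.path.join(tmp, "notes.txt"), "wb") as fh:
            fh.write(b"plain text that can be read directly\n")
        fields = parse_header(os.path.join(tmp, "secret.txt"))
        return scan(tmp), fields


if __name__ == "__main__":
    print(demo())
```

Running `scan()` read-only against a copy or snapshot of a user's `files` directory shows whether any files carry the header, whatever the checkbox in the web UI displays.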