User Key Encryption and Forgot Password Feature

Hey everyone,

We have a Nextcloud system deployed with User Key Encryption enabled without master key. We have a Recovery Key set up, but that’s opt-in. Now, the documentation says “but has the disadvantage that files are permanently lost if the users forget their user passwords”, so I wrote in the email for the users that they shouldn’t lose their passwords because that would result in a data loss (except with recovery key). But one of the users just wrote to me, he tried the Forgot Password function and could set a new password. I tried it with a test user and it still worked. So what is the documentation on about? What does Nextcloud do when resetting a password this way? I’m kinda concerned about the security right now.
