Where to find the master key for backup?

I’m looking for a way to back up the encryption keys as mentioned in the documentation. I’m using an S3-compatible external storage as primary storage and there are no encryption keys in the data/ directory.

According to this bug report, the recovery option mentioned in the documentation is not available by default because Nextcloud uses a master key.

My understanding is that I need to find this master key if I want to be able to decrypt my files in case of server failure. Where can I find this key?

I’m using NC16 installed via snap.


Hi @Eagle. Did you ever figure this out? I am also setting up a Nextcloud server (using S3 as primary storage too) and would like to know how to back up the master key.

Thanks

Ok, I ended up figuring this out by myself and so I am posting it here in case anyone else finds it useful.

When using S3 as primary storage, all files are stored in S3 (not only your own files but also system created files like the master_key file).

The problem then is that the files are stored in S3 without structure, and files have names like urn:oid:123, so which one of those files is your master key?

The trick is that Nextcloud stores all the real names to the files in a database table called oc_filecache. Therefore, in order to figure out which file corresponds to your master key, simply connect to the Nextcloud database and run the following query:

SELECT fileid, path, encrypted FROM oc_filecache WHERE path LIKE '%files_encryption/OC_DEFAULT_MODULE/master_%';

You should get two results back. The first one is the public key (path ends with .publicKey) and the second one is your private key (path ends with .privateKey). The first column is the ID for each file. This ID is what’s used to find the corresponding file on S3. So if the ID for a file is 123, the corresponding file inside your S3 bucket is named urn:oid:123. So using this, you are able to download your public and private master keys straight from S3 (as you can see from the results returned by the query, the keys themselves are not encrypted).

With all this said, my advice for anyone who wants to back up their master key when using S3 as the primary storage is to simply activate object versioning in the S3 bucket while also storing regular database dumps somewhere safe. This way, if the key is ever deleted from S3 (for some weird reason), you can always undelete the corresponding file.
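The lookup described in the answer above (query oc_filecache for the master key paths, turn each fileid into its urn:oid:&lt;fileid&gt; object name, then fetch those objects from the bucket) as an added, self-contained example; this is not code from the original post or from Nextcloud. It runs the same LIKE query against an in-memory SQLite table filled with constructed sample rows (the key file names, fileids and the third row are invented for the demo), and the optional download helper assumes boto3 and a configured S3/MinIO credential:

```python
import os
import sqlite3
from typing import List, Optional

# Constructed sample of oc_filecache rows: two master key files plus two
# unrelated rows, to show that the LIKE pattern only picks the master key.
# (fileid, path, encrypted) -- the real values depend on your instance.
SAMPLE_ROWS = [
    (101, "files_encryption/OC_DEFAULT_MODULE/master_a1b2c3.publicKey", 0),
    (102, "files_encryption/OC_DEFAULT_MODULE/master_a1b2c3.privateKey", 0),
    (103, "alice/files/report.pdf", 1),
    (104, "files_encryption/OC_DEFAULT_MODULE/other_user.privateKey", 0),
]

# The exact query from the forum answer.
MASTER_KEY_QUERY = (
    "SELECT fileid, path, encrypted FROM oc_filecache "
    "WHERE path LIKE '%files_encryption/OC_DEFAULT_MODULE/master_%'"
)


def build_sample_db() -> sqlite3.Connection:
    """Stand-in for the Nextcloud database: a minimal oc_filecache table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE oc_filecache (fileid INTEGER PRIMARY KEY, path TEXT, encrypted INTEGER)"
    )
    conn.executemany("INSERT INTO oc_filecache VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_master_key_objects(conn: sqlite3.Connection) -> List[dict]:
    """Run the lookup query and map each hit to its S3 object name.

    Nextcloud's object store names every file 'urn:oid:<fileid>', so the
    fileid column is the only thing needed to locate the object in the bucket.
    """
    found = []
    for fileid, path, encrypted in conn.execute(MASTER_KEY_QUERY):
        found.append({
            "fileid": fileid,
            "path": path,
            "encrypted": bool(encrypted),
            "object_key": f"urn:oid:{fileid}",
            "kind": "public" if path.endswith(".publicKey") else "private",
        })
    return found


def check_key_pair(objects: List[dict]) -> bool:
    """Sanity check before backing up: exactly one public and one private key,
    and (as the answer notes) neither is itself stored encrypted."""
    kinds = sorted(o["kind"] for o in objects)
    return kinds == ["private", "public"] and not any(o["encrypted"] for o in objects)


def download_objects(objects: List[dict], bucket: str, dest_dir: str,
                     endpoint_url: Optional[str] = None) -> List[str]:
    """Fetch the key objects from the bucket into dest_dir (assumes boto3 and
    credentials from the environment; pass endpoint_url for MinIO). Not run
    by the offline demo."""
    import boto3  # assumed to be installed
    s3 = boto3.client("s3", endpoint_url=endpoint_url)
    saved = []
    os.makedirs(dest_dir, exist_ok=True)
    for obj in objects:
        # Keep the real file name so the backup is recognisable later.
        dest = os.path.join(dest_dir, os.path.basename(obj["path"]))
        s3.download_file(bucket, obj["object_key"], dest)
        saved.append(dest)
    return saved


if __name__ == "__main__":
    keys = find_master_key_objects(build_sample_db())
    for k in keys:
        print(f"{k['kind']:7s} key: {k['path']} -> bucket object {k['object_key']}")
    print("pair looks complete:", check_key_pair(keys))
```

Against a real instance, replace build_sample_db() with a connection to the actual Nextcloud database (the query is the same) and then call download_objects() with your bucket name; the private key object lands unencrypted in dest_dir, so treat that directory like any other key material.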


Thank you friend - this is really helpful. I'm deploying/testing/sorting out my encryption strategy myself. So technically, if someone had access to the underlying files of the S3 bucket, they could use the master key to decrypt the files? I'm just thinking out loud here, but that sounds a bit - hmm… I'm going to use MinIO, so I should look at encryption of the buckets too! :wink:

Using HashiCorp Vault + KMS for MinIO to encrypt the buckets that store the encrypted NC data looks to be the best solution :slight_smile: