Missing "Enable recovery key" field in the admin settings

[CamZie]

Steps to reproduce

1. Install Nextcloud 13
2. Enable server-side encryption in the admin settings
3. Enable the app "Default encryption module"

Expected behaviour

The fields to enable recovery key should appear in the admin settings under "Encryption".

Actual behaviour

The fields to enable recovery key does not appear, hence we can not create the recovery key.

Server configuration

Operating system: Debian 9.3 (stretch)

Web server: NGINX 1.10

Database: Maria-DB 10.1.26

PHP version: PHP 7

Nextcloud version: 13

Updated from an older Nextcloud/ownCloud or fresh install: Fresh install

Signing status:

Signing status

No errors have been found.

List of activated apps:

App list

Enabled:
  - activity: 2.6.1
  - comments: 1.3.0
  - dav: 1.4.6
  - encryption: 2.0.0
  - federatedfilesharing: 1.3.1
  - federation: 1.3.0
  - files: 1.8.0
  - files_pdfviewer: 1.2.0
  - files_sharing: 1.5.0
  - files_texteditor: 2.5.1
  - files_trashbin: 1.3.0
  - files_versions: 1.6.0
  - files_videoplayer: 1.2.0
  - firstrunwizard: 2.2.1
  - gallery: 18.0.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.1.0
  - nextcloud_announcements: 1.2.0
  - notifications: 2.1.2
  - oauth2: 1.1.0
  - password_policy: 1.3.0
  - provisioning_api: 1.3.0
  - serverinfo: 1.3.0
  - sharebymail: 1.3.0
  - survey_client: 1.1.0
  - systemtags: 1.3.0
  - theming: 1.4.1
  - twofactor_backupcodes: 1.2.3
  - updatenotification: 1.3.0
  - workflowengine: 1.3.0
Disabled:
  - admin_audit
  - files_external
  - user_external
  - user_ldap

Nextcloud configuration:

Config report

    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "13.0.0.14",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "log_rotate_size": "10485760",
        "log_type": "errorlog",
        "loglevel": "2",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "trashbin_retention_obligation": "auto,90",
        "activity_expire_days": 180,
        "logtimezone": "Europe\/Zurich",
        "maintenance": false

Are you using encryption: yes

Client configuration

Browser: Firefox, Vivaldi and Chrome

Operating system: Linux

Logs

nothing

[MorrisJobke]

cc @schiessle

[tigernero79]

I also have this problem;
I solved by going to the nextcloud folder from the terminal (/var/www/../nextcloud)

and typing the command:

sudo -u www-data php occ encryption:disable-master-key

done this I found the item to set the recovery key

[CamZie]

@tigernero79 thank you for the tip. Still I am not comfortable running the disable:enable-master-key command, since, according to the Nextcloud 13 documentation, it does not even exist and the enable command cannot be undone.

encryption:enable-master-key

Enable the master key. Only available
for fresh installations with no existing
encrypted data! There is also no way to
disable it again.

[tigernero79]

go to the nextcloud folder and run that command Next Log in via the web and you'll find the option to insert the Master Key

[TecJon]

@tigernero79 @CamZie I haven't tried the command either for the same reason. The docs state it is specifically only for new installations. Although, once they state new installation and once an "installation with no existing encrypted data".

[tigernero79]

do you have encrypted data? what does it have to do with new installation I have tested on my nextcloud because even I had no voice of the net after deactivation I appeared and I could create net from the web. I had no problems with data. then do what you feel but there are no problems. I did not have any. I deactivate the net, not the encrypted data. the net fill you from the web then.

[TecJon]

@tigernero79 I am not sure if I understood you correctly. I understand you ran the command and had no problems afterwards with your data.

Like @CamZie, I hesitate to run a command which does not exist according to the documentation. In fact the documentation says the encryption:enable-master-key cannot be undone.

[tigernero79]

you must enter from the terminal in your nextcloud folder type that command that you disability the Master Key done this you can enter through browser in your nextcloud and in the settings in the encryption section you will find again the possibility to re-enter the master key

[bjo81]

If I run encryption:enable-master-key Nextcloud throws an exception because it does not find any master key in the database :/

[tigernero79]

since they are people who do not like to experiment, I have everything for them. Twice that the command to be launched via shell was with that command

sudo -u www-data php occ encryption:disable-master-key

appeared the voice in the web interfaces of nextcloud to set recovery password. only they are afraid of doing anything. what do you want to do with it?

[schiessle]

Nextcloud 13 uses a master-key setup by default. Therefore no recovery key is needed. As long as the user can login they can access their files. Also password recovery, etc works because you encryption keys are no longer bound to the login password. If a admin needs to access the files of a user they also don't need the recovery key. They can just use the impersonate app (https://apps.nextcloud.com/apps/impersonate) to access the users files.

If you really want to go back the the old behavior, which I really don't recommend, you can do so by running sudo -u www-data php occ encryption:disable-master-key as already said. But this only works if you start with a fresh installation aka no encrypted files.

[tigernero79]

@schiessle
are you telling me that the recovery key makes no sense to keep it enabled? just app impersonate?

having I reintroduced in that nextcloud 13 this entry and entered the recovery key with one created by me now I have deactivated option from the encryption panel enough so or to delete the voice do I have to do anything else?

[tigernero79]

just if you see attached the wording to enable the recovery key did not appear right in the menu,

typing:
sudo -u www-data php occ encryption: disable-master-key

it then appeared and allowed me to enter a master key chosen by me is normal?

[tigernero79]

is not it a violation of your privacy that you can access your data even without your consent? to be able to see the files of a non-administrator user without his consent? with impersona?

[schiessle]

are you telling me that the recovery key makes no sense to keep it enabled? just app impersonate?

The recovery key makes sense if you use per-user keys. If you use the master key (a system wide key) it doesn't make sense. That's why we don't offer it in the master key setup which is the default from Nextcloud 13 on. If you upgrade from a older version with per-user keys nothing will change. The default only affects people who activate encryption in Nextcloud >= 13 for the first time.

it then appeared and allowed me to enter a master key chosen by me is normal?

It is not the master key but the recovery key. That's a huge difference:

• recovery key: all files are encrypted additionally with another key, owned by the admin so that they can recover you files in case you lose your password.

• master key: one instance wide key used for all user, no per-user keys

is not it a violation of your privacy that you can access your data even without your consent? to be able to see the files of a non-administrator user without his consent? with impersona?

It all depends on your threat model. Server side encryption was developed for the use case that you use a external storage provider you don't trust. Let's say Amazon S3 as a primary storage, mount your Dropbox, a random ftp server, etc to your Nextcloud. You trust your Nextcloud admin but not the storage provider. In this case you can do server side encryption. As the Nextcloud server handles the encryption/decryption you always have to trust the Nextcloud admin because he could intercept this always. There is no difference if you use per-user keys or the master key.

If you use per-user keys and enable the recovery key you allow your admin to decrypt your files even without hacking their own Nextcloud server. So in this case it is even more similar to the master key, if you look at the potential risk.

Keeping the threat model in mind: Trust your Nextcloud admin but not your Storage admin the master key is as secure as per-user keys but it adds significant benefits:

• you can just reset your login password and everything will continue to work
• if you have a central user management you can change their your login password and your Nextcloud will continue to work
• it works with app passwords
• admins can recover files way more performant
• sharing is way more performant because files doesn't have to be encrypted for each user individually
• you can dynamically add/remove people from groups and group share will still work for all users as expected
• it works with single sign-on and any other user management which doesn't provide a password directly to Nextcloud

That's why we decided to make the master key the default and strongly recommend to use the default. If you don't trust your Nextcloud admin, then end-to-end encryption is the only thing which will help.

[tigernero79]

I get it,

but then the master key is a key generated by nextcloud you can not change it right?

while for the recovery key,
if I accidentally enabled the recovery key instead, then the recovery key entry appeared in the least encryption, how can I permanently disable it without it appearing anymore?

[schiessle]

If the user disable the recovery key again all recovery keys for their files should be deleted and the admin can no longer recover them

[tigernero79]

I meant as admin,

if I launch the command

sudo -u www-data php occ encryption: disable-master-key

I have this situation:

to get rid of the recovery keys, what should I do?

[schiessle]

if you want to switch back to the master key, this isn't possible if you already have encrypted files. You could first try to decrypt app with occ encryption:decrypt-all and then start from scratch by enabling encryption again and run occ encryption:enable-master-key before any file is encrypted.

Or setup a new Nextcloud and move all files over. Depending of the size of your setup this might be the easiest solution

[tigernero79]

ok ok thank's

[schiessle]

I meant as admin,

if I launch the command

sudo -u www-data php occ encryption: disable-master-key

you disabled the master key, so you are in a "per-user key" setup and there you have the option to set a recovery key

[tigernero79]

thanks

[tigernero79]

@schiessle

I have another nextcloud installation where I do not have access to the shell

to be able to enable the master key through a site where I do not have access to the shell, I know that I can use a different shell with a curl command.

can I know which command to run curl to do this?

something similar?

curl -u "Tiger:Password" -X GET https://www.pensierando.it/Nextcloud/ occ encryption: disable-master-key -H "OCS-APIRequest:true"

[boomam]

Are there plans to update the official NextCloud documentation for this large functionality change?

The bit i'm still not clear on, is that if the enablement of the encryption modules now uses a self-generated master key stored within the database, how do we backup/change that key?
I'm all for simplifying the process for users from 'do X, Y & Z' to 'just use it as you always have' - but if there's no way to backup the keys, nor clear documentation on what the users can expect to see, then its a bit of a risk to deploy in a live environment.

Any clearer guidance planned?

[lenusch]

SO vor NC 13 > /// Whats the Master Key? Where is it stored? How can i be save with this Key?
is it the Key within the Config File?

[boomam]

Why is this issue labelled as closed?
Its not resolved, or triaged either? This needs resolving if an expectation of the encryption feature being viable for larger scaled usage is there.

[rotanid]

@schiessle wrote about the closing reason, though he mentioned the app impersonate which states:

This app is not compatible with instances that have encryption enabled.

[boomam]

@rotanid I’m sorry but that’s not correct.
Neither the documentation nor the encryption app have been updated to reflect the status of where the master key is, how to change it or how to recover. Thus making the entire module risky to use in a production environment.

Remember, I am not talking about tigernero79‘s situation, but NextCloud in general. New users, existing users, etc;
An off hand comment on github is not documentation, nor a resolution to what is displayed in app.
Consistency and clarity is what is needed if NC wants to be taken seriously in the enterprise market, especially with the current industry climate towards favoring encryption based on regional laws.
Admins need to have safe knowledge of how to recover data for users or a large enterprise wont even look at it.

This needs documenting correctly and/or the app updating to show the changes.
Intended or not, not doing so doesn’t solve the issue, nor triage it.

[hostingnuggets]

@boomam I totally agree with you as a user of Nextcloud since now a few years. As a bitter example yesterday I lost almost a whole day with another software which had an installation issue which was only "documented" in a github issue. This info could have easily gone into the the install readme...

[kaysond]

Bump. Stumbled upon this while trying to figure out why I couldn't find the option for recovery keys. It's still not update in the docs: https://docs.nextcloud.com/server/13/admin_manual/configuration_files/encryption_configuration.html

[gerroon]

It seems like I have it disabled. So what am I supposed to do to be able to change my users's passwords again? This is totally confusing. I read multiple threads and this bug, I am still not sure about what I am supposed to do. This was no isse in 13 :(

sudo -u www-data php occ encryption:status

• enabled: false
• defaultModule: OC_DEFAULT_MODULE

Nextcloud 14.0.3 on Debian Testing Mysql Apache2

Can someone provide me where to look and what to do about this please?

[tigernero79]

in nextcloud 14 the recovery key is no longer used. if problems from 13 will still exist the voice that you can disable. in nextcloud 14 Just log in as admin and in the users section you can change them there.

[gerroon]

@tigernero79

Thanks for the reply

I logged in as admin, I still do not see a way to add a new user or a way to change passwords.

I cant even change user password in the terminal

sudo -u www-data php occ user:resetpassword myuser
Warning: Resetting the password when using encryption will result in data loss!
Do you want to continue?y
Enter a new password: 
Confirm the new password: 
Can not decrypt the recovery key. Maybe you provided the wrong password. Try again.

[tigernero79]

if you access via the web and not from the terminal, can you do it? why do you want to change password from ssh? If you access your nextcloud via the web, do you have a user section? did you update from 13 to 14 of nextcloud?

[gerroon]

I am using the terminal because the web page does not let me change it , see yourself in the screenshot. As you see I am missing the password boxes.

I upgraded from 13 to 14 sometime ago

And I cant change it in the terminal , so not sure what to do

[tigernero79]

In the Tab password insert new password. Is simple

[gerroon]

I do not understand it, there is no password area to insert any new password. Did you check my screen that I included?

See the image, no places to enter any password, there is a password column there but it is useless since no boxes appears for password underneath.

https://user-images.githubusercontent.com/8519469/47809563-2e8c6180-dd0f-11e8-8e04-cbe495360d85.jpg

Trust me I used to be able to do this before, so I actually know where and how to change the passwords and that is not possible now.

Also see this message at the top of the users screen

"
Password change is disabled because the master key is disabled
"

As you see the passwords cant be change in the ui.

[tigernero79]

try

1. sudo -u www-data php occ encryption:decrypt-all

Then

2. sudo -u www-data php occ encryption: disable-master-key

you should then have the option to recreate the user recovery key

[gerroon]

Thanks here are the results

sudo -u www-data php occ encryption:decrypt-all
Server side encryption not enabled. Nothing to do.

sudo -u www-data php occ encryption:disable-master-key
Master key already disabled

I still get this in user panel

Password change is disabled because the master key is disabled

And I still do not have password boxes to change, so I cant change it.

I think this is a bug

[tigernero79]

try now

sudo -u www-data php occ encryption:enable-master-key

[gerroon]

@tigernero79
Thanks for the reply.

sudo -u www-data php occ encryption:enable-master-key
Warning: Only available for fresh installations with no existing encrypted data! There is also no way to disable it again. Do you want to continue? (y/n)

I have manu users and alot of data. Will I loose my existing data? I so not want to mess up my setup for myself and for my users.

[gerroon]

@tigernero79

So I made a backup and ifred the command you mentioned above. It seems to work now, I did not loose any data. Thanks for the help. I wil report any other I hit regarding this issue here.

thanks

[apiraino]

Came here, too, because I couldnt figure out the situation.

Running a fresh installation of NC15.

Wholeheartedly upvoting a documentation update 👍
https://docs.nextcloud.com/server/15/admin_manual/configuration_files/encryption_configuration.html#enabling-users-file-recovery-keys

[Hubrisious]

I followed the steps provided in this solution and they do not work for me.

I'm on Centos7 using NC15.0.4.

I have tried various ways from decrypting/disabling then encrypting/enabling but nothing seems to get my recovery keys up.

Any other methods I should try?

[2nutz4u]

I have created a recovery key but as @gerroon mentioned I do not see password recovery option on the users page. Am I missing something? I am looking in the right place? Please help! Thank you.

[asim-vax]

SO vor NC 13 > /// Whats the Master Key? Where is it stored? How can i be save with this Key?
is it the Key within the Config File?

Does anyone have more information on where it is, so i can back it up?
Thanks!

[Dakavon]

That's why we decided to make the master key the default and strongly recommend to use the default. If you don't trust your Nextcloud admin, then end-to-end encryption is the only thing which will help.

This should find its way to the Nextcould encryption manual. Thanks!

[nunesgh]

I have been looking for an explanation of the encryption configuration as given by @schiessle in #8283 (comment) for the past two years! Why isn't it part of the official documentation? It should definitely be there, as proposed by @Dakavon.

[Philzen]

Feeling lucky i found this issue thread, b/c i was following https://docs.nextcloud.com/server/24/admin_manual/configuration_files/encryption_configuration.html#enabling-users-file-recovery-keys, which is the page for nextcloud:latest but doesn't mention anywhere that the whole section only applies to Nextcloud <13 – while beginning with v13 the whole "enable recovery key"-section will not be displayed as it is not needed with the master key setup (if i understand this thread correctly).

Since v13 a lot of time has passed, shouldn't this have been added to the docs all along?

[NEVARLeVrai]

hey i made
docker exec -u www-data -it nextcloud-aio-nextcloud bash -c "echo y | php occ encryption:decrypt-all"
docker exec -u www-data -it nextcloud-aio-nextcloud bash -c "echo y | php occ encryption:disable-master-key"

then i have put a recovery key
then i did
sudo -u www-data php occ encryption:enable-master-key

and recovery key settings gones again is this normal ?
Becaus if i didnt make this
sudo -u www-data php occ encryption:enable-master-key
i was not able to change account password
@tigernero79