
Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files #8546

Open
knut-hildebrandt opened this issue Feb 26, 2018 · 156 comments
Labels
1. to develop (Accepted and waiting to be taken care of), 25-feedback, bug, feature: encryption (server-side), needs info, needs review (Needs review to determine if still applicable), pending documentation (This pull request needs an associated documentation update)

Comments

@knut-hildebrandt

Steps to reproduce

  1. enable Default encryption module
  2. logout and login again (as recommended)
  3. go to Security settings to change password

Expected behaviour

Default encryption module should be enabled and work without problems. No clue why changing password is necessary.

Actual behaviour

At login an error message pops up saying: "Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files"

Trying to change the password is not possible, because an old password that could be entered never has been set. This even holds true for fresh accounts that are set up after enabling Default encryption module.

See discussion here: https://help.nextcloud.com/t/invalid-private-key-for-encryption-app-please-update-your-private-key-password-in-your-personal-settings-to-recover-access-to-your-encrypted-files/27108/13

Server configuration

Operating system:

Web server:
shared hoster
Database:
mysql 5.6.34
PHP version:
5.6
Nextcloud version: (see Nextcloud admin page)
13.0.0
Updated from an older Nextcloud/ownCloud or fresh install:
from 12.0.5
Where did you install Nextcloud from:
updater
Signing status:

Signing status
Login as admin user into your Nextcloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results here.

"No errors have been found."

</details>

**List of activated apps:**
<details>
<summary>App list</summary>
 Activity
2.6.1

AppOrder
0.4.1

Audio Player
2.2.5

Auditing / Logging
1.3.0

Brute-force settings
1.0.3

Calendar
1.6.0

Collaborative tags
1.3.0

Comments
1.3.0

Contacts
2.1.0

Default encryption module
2.0.0

Deleted files
1.3.0

External storage support
1.4.1

Federation
1.3.0

File sharing
1.5.0

First run wizard
2.2.1

Gallery
18.0.0

Log Reader
2.0.0

Mail
0.7.10

Monitoring
1.3.0

Nextcloud announcements
1.2.0

Notifications
2.1.2

Password policy
1.3.0

PDF viewer
1.2.0

Share by mail
1.3.0

Talk
3.1.0

Tasks
0.9.6

Text editor
2.5.1

Theming
1.4.1

Update notification
1.3.0

Usage survey
1.1.0

Versions
1.6.0

Video player
1.2.0

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your Nextcloud installation folder

Nextcloud configuration:

Config report
If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your Nextcloud installation folder

or 

Insert your config.php content here. 
Make sure to remove all sensitive content such as passwords. (e.g. database password, passwordsalt, secret, smtp password, …)

```php
<?php
$CONFIG = array (
  'instanceid' => '',
  'passwordsalt' => '',
  'secret' => '',
  'trusted_domains' => 
  array (
    0 => 'nextcloud.domain-name.de',
    1 => 'owncloud.domain-name.de',
  ),
  'datadirectory' => '/home/webpages/provider-name/user-name/nextcloud/data',
  'overwrite.cli.url' => 'https://nextcloud.domain-name.de',
  'dbtype' => 'mysql',
  'version' => '13.0.0.14',
  'dbname' => 'db_abc_1',
  'dbhost' => 'user-name.provider-name-db.de',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'USERxyc',
  'dbpassword' => '',
  'logtimezone' => 'UTC',
  'installed' => true,
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
  'mail_domain' => 'domain-name.de',
  'mail_from_address' => 'mail',
  'mail_smtpmode' => 'smtp',
  'mail_smtpauth' => 1,
  'mail_smtpsecure' => 'ssl',
  'mail_smtpport' => '465',
  'mail_smtphost' => 'mail.provider-name.de',
  'mail_smtpname' => 'mail@domain-name.de',
  'mail_smtppassword' => '',
  'mail_smtpauthtype' => 'PLAIN',
  'updater.release.channel' => 'stable',
);
```

</details>

**Are you using external storage, if yes which one:** local/smb/sftp/...

3x WebDAV
1 x Unknown: googledrive -> does not work anymore

**Are you using encryption:** yes/no
no
**Are you using an external user-backend, if yes which one:** LDAP/ActiveDirectory/Webdav/...
no
#### LDAP configuration (delete this part if not used)
<details>
<summary>LDAP config</summary>

With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your Nextcloud installation folder

Without access to your command line download the data/owncloud.db to your local
computer or access your SQL server remotely and run the select query:
SELECT * FROM oc_appconfig WHERE appid = 'user_ldap';

Eventually replace sensitive data as the name/IP-address of your LDAP server or groups.

</details>

### Client configuration
**Browser:**
Firefox 56
**Operating system:**
Linux
### Logs
#### Web server error log
<details>
<summary>Web server error log</summary>

Insert your webserver log here

</details>

#### Nextcloud log (data/nextcloud.log)
<details>
<summary>Nextcloud log</summary>

Insert your Nextcloud log here

</details>

#### Browser log
<details>
<summary>Browser log</summary>

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log
c) ...

</details>
@knut-hildebrandt
Author

Just updated to PHP 7.0.27. The problem prevails.

@MorrisJobke
Member

cc @nextcloud/encryption

@molotovkazic

@knut-hildebrandt Thanks for creating this issue. I've done the exact same steps as you to reproduce on my new NC13 deployment.

+1 For this getting picked up and seen by the devs. If it's something stupid simple that I'm doing, then let this fool know.

@molotovkazic

molotovkazic commented Mar 8, 2018

Looks like #8393 is having same issue, thus linking for visibility

@molotovkazic

molotovkazic commented Mar 9, 2018

@knut-hildebrandt after searching and searching last night I ended up giving up on it. Come back today and try to give it another go and got things working as my whole goal is to enable E2EE (end-to-end encryption) with my new NC13 deployment on FreeNAS.

So, yesterday I enabled the “Default encryption module” & “End-to-End Encryption” Apps. Went through the process of logout/login and that pesky "Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files" message hit me. I quickly disabled “Default encryption module” & “End-to-End Encryption” Apps to get rid of the error.

I remember reading in a guide that when you enable the encryption feature it must generate the private keys somewhere.

Looking in the NC13 Admin Manual, it doesn't show me anything about the keys (Nextcloud 13 Administration Manual - Encryption configuration/encryption_configuration.html), and I stumbled onto the ownCloud Admin Manual, which has a nice section telling you about the keys and where they're stored (ownCloud 8.1 Server Administration Manual - Encryption Configuration - Where Keys are Stored).


This is the new file structure for ownCloud 8.1:

Private public share key:
data/files_encryption/OC_DEFAULT_MODULE/pubShare_.privateKey

Private recovery key:
data/files_encryption/OC_DEFAULT_MODULE/recovery_.privateKey

Public public share key:
data/files_encryption/OC_DEFAULT_MODULE/pubShare_.publicKey

Public recovery key:
data/files_encryption/OC_DEFAULT_MODULE/recovery_.publicKey

File keys for system-wide mount points:
data/files_encryption/keys/<file_path>//OC_DEFAULT_MODULE/fileKey

Share keys for files on a system-wide mount point (one key for the owner and one key for each user with access to the file):
data/files_encryption/keys/<file_path>//OC_DEFAULT_MODULE/.shareKey

Users’ private keys:
data//files_encryption/OC_DEFAULT_MODULE/.privateKey

Users’ public keys:
data//files_encryption/OC_DEFAULT_MODULE/.publicKey

File keys for files owned by the user:
data//files_encryption/keys/<file_path>//OC_DEFAULT_MODULE/fileKey

Share keys for files owned by the user (one key for the owner and one key for each user with access to the file):
data//files_encryption/keys/<file_path>//OC_DEFAULT_MODULE/.shareKey


I checked the paths and didn't see that there was anything there. Then it hit me, I never enabled "Server-side encryption".

Went back and made sure that the "Default encryption module” was enabled, turned on "Server-side encryption" and once I did those paths populated with newly generated keys.

Albeit when I checked in the "OC_DEFAULT_MODULE" directory this is what was listed:


```
data/files_encryption/OC_DEFAULT_MODULE # ls -la

master_#####.privateKey
master_#####.publicKey
pubShare_#####.privateKey
pubShare_#####..publicKey
```


I then went back to Apps and enabled “End-to-End Encryption”, downloaded the latest Prerelease Client and started testing E2EE (end-to-end encryption).

Hope this helps shed some light on things and helps folks in the right direction. If there's something that I'm missing or have left out please let me know as I don't want to be spreading false information and make someone waste their time.

@spackmat

spackmat commented Mar 9, 2018

@shadadougha that's it, thanks.

I enabled server side encryption, then the keys are created. Then I disabled server side encryption via occ encryption:disable again, since I don't want to use it. The Android client then could enable encryption on an empty folder and showed me my passphrase. Works like a charm (even with instant uploads), now waiting for support within the stable Windows client.

@molotovkazic

molotovkazic commented Mar 9, 2018

@spackmat word, glad that helped. I'm going to have to disable server side encryption as I'm finding some weird issues going on with the E2EE iOS App and suspect this may be causing it.

Also, I'm doing my NC13 deployment in FreeNAS thanks to this guide How to install Nextcloud 13 in FreeNAS with all checks passed updated to use iocage and the occ encryption:disable command didn't work for me at first and I wanted to cross post for visibility that I ended up having to use the following syntax for this to work:

su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ encryption:disable' and that did it.

Also the guide for Using the occ command is super helpful. If you too are doing a FreeNAS deployment like me below is the proper syntax for running the occ commands

su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ [COMMAND HERE]'

P.S. Sorry for changing my username that you referenced. Figure it'd be easier to have a coherent presence across Git and other forums I help out with.

@nextcloud-bot nextcloud-bot added the stale Ticket or PR with no recent activity label Jun 20, 2018
@Palulukas

I am also receiving this error with nextcloud 13.0.5, started with 13.0.4.
Every time I want to update the keys in settings->security (personal) it says "saving..." but nothing happens.
The only way to get this error message away is to disable the default encryption module.

I am really looking forward for a bug fix on that one.

Kind regards
Palulukas

@nextcloud-bot nextcloud-bot removed the stale Ticket or PR with no recent activity label Jul 24, 2018
@andreagrax

Me too ,
new install ( 13.0.5 ) just enabled crypto .
Then created a new user and it showed the message at login

@schiessle
Member

> Me too ,
> new install ( 13.0.5 ) just enabled crypto .
> Then created a new user and it showed the message at login

I tried it in two different ways:

  1. fresh 13.0.5 installation
  2. enable server side encryption
  3. enable default encryption module
  4. create a new user
  5. login as new user

-> everything works as expected. I don't see the message.

Per default we also use one master key for all users, completely independent from the user password. That's why I don't see how this could ever be triggered in this setup. That's why I tried in addition:

  1. fresh 13.0.5 installation
  2. enable server side encryption
  3. enable default encryption module
  4. occ encryption:disable-master-key to use per user keys
  5. create a new user
  6. login as new user
  7. everything works as expected, I don't see the message and can upload/download files
  8. change login password in the personal settings
  9. logout/login
  10. still don't see the message and can read the old files and create new one.

@spackmat

spackmat commented Aug 16, 2018

@schiessle enabling server side encryption (at least one time) solves the problem as described before. So the issue is about the case, where server side encryption shouldn't be used. At least it must be documented, that the default encryption module throws this error, before the server side encryption module generated its keys on install. Better would be to remove this dependency (create the keys in default encryption module or if the keys are not necessary at all, let the right module show this error).

@blu-IT

blu-IT commented Sep 25, 2018

I have this issue with Nextcloud 14!
After creating a new user and logging in as this new user for the first time, I get this error:

"Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files."

@466

466 commented Oct 4, 2018

I can confirm this on NC 14
e2e does work (android app) but the webinterface throws the error
"Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files."

happens with old and new users.

[ Quite annoying - that pop-up is rendered above the app menu, making clicking those impossible, though zooming out is a workaround ]

@JOduMonT

JOduMonT commented Oct 18, 2018

this popup appears with a fresh install of Nextcloud 14
when I activate the Official app: Default encryption module

@sergiomb2

Disabling Default encryption module fixed the problem, thanks

@martinstut

But disabling the Default encryption module makes E2EE only appear to work. Without the default encryption module, uploaded files are just stored as-is on the server.

My situation: 13.0.7 (no upgrade offered) on a home server (Debian Linux, updated several time through the web updater).
I don't want to use server-side encryption (have had enough troubles with that, especially being unable to change user passwords as an admin, when trying on a different NC instance).
I do want to use the freshly featured E2EE with the new 2.5 client (didn't find instructions on the NC website - might be worth another issue report).

I keep getting the dreaded "wrong private key" popup ("Falscher privater Schlüssel für die Verschlüsselungs-App. Bitte aktualisiere Deinen privaten Schlüssel in Deinen persönlichen Einstellungen um wieder Zugriff auf die verschlüsselten Dateien zu erhalten.").
In (data)/ there is no files_encryption directory (should not be needed for true E2EE anyway).

Please provide instructions for turning on E2EE that do not throw problem messages when there is no problem, or messages that do point to the real cause.

@clue

clue commented Jan 6, 2019

Can confirm I'm seeing the same issue on a fresh Nextcloud 15 installation with the basic encryption module.

The dialog referenced from this popup looks like this:

screenshot_2019-01-06 settings - nextcloud

I have just created this new user and not "changed" a password. Submitting the form will only print "Saving..." and not return. JS console reports an invalid JSON response as detailed in #6834. Apparently, a JSON response was expected, but it actually returned an HTML response with status code 503 containing the text:

Nextcloud
Error
Private Key missing for user: test

Is there anything we can do to help diagnose this issue?

@schmitzkopf

> Can confirm I'm seeing the same issue on a fresh Nextcloud 15 installation with the basic encryption module.
>
> The dialog referenced from this popup looks like this:
>
> screenshot_2019-01-06 settings - nextcloud
>
> I have just created this new user and not "changed" a password. Submitting the form will only print "Saving..." and not return. JS console reports an invalid JSON response as detailed in #6834. Apparently, a JSON response was expected, but it actually returned an HTML response with status code 503 containing the text:
>
> Nextcloud
> Error
> Private Key missing for user: test
>
> Is there anything we can do to help diagnose this issue?

This is actually true - I set up my Owncloud 15.0 out of the box a month ago, and for two days now I have the same error text... makes no difference for me whether Encryption is enabled or not..
image
What's really strange, I never changed the PW for this user - so this first I gave is still correct...same as @clue

@koehn

koehn commented Jan 23, 2019

I'm experiencing the same thing; goofy "Invalid key" warning. I had turned on encryption several years ago, and changed my password in the interim. Now I've migrated my data to S3, and apparently enabling the default encryption app is required even if you don't enable encryption, or large file uploads fail.

So what bit do I need to flip to get this message to go away? I cannot find anything relevant in the database.

@koehn

koehn commented Jan 23, 2019

It looks like you could fix this issue with a change to lib/KeyManager.php's init() method, where you check to see if encryption is enabled before trying to set it up. If encryption isn't enabled on the admin page, simply call $this->session->setStatus(Session::INIT_SUCCESSFUL); and return true; and nobody needs to see an error message that isn't remotely relevant.

@koehn

koehn commented Jan 23, 2019

FWIW as a short-term solution I ended up commenting out the relevant lines from apps/encryption/lib/Controller/StatusController.php so that my users and I aren't confronted with a meaningless message.

@NickWinston123

Had this issue happen on NextCloud 14, and I hoped updating to 15 would fix something but still having the problem. Only seems to be for one user and with only some files, I never changed the password or anything. Restarted my server and had that error happen. https://github.com/nextcloud/server/issues/13998

@jeroenh

jeroenh commented Aug 28, 2023

For the sake of completeness, following is my output of php public/occ encryption:status.

  - enabled: true
  - defaultModule: OC_DEFAULT_MODULE

Did anyone spend thoughts on my question if it makes sense to run the following order of commands to trigger a kind of "re encryption of all files with current encryption methods"?

  • occ encryption:decrypt-all
  • occ encryption:migrate-key-storage-format
  • occ encryption:encrypt-all

Thanks in advance.

I tried to do this, but I did not have any encrypted files at the start, but I did have the error.
I changed my password, logged out and back in, but the error persisted.
encrypt:all does still work, but you will end up being unable to access your own files.

@Pazu

Pazu commented Aug 29, 2023

With maintenance mode on (this on a v27.0.2 installation), I ran occ encryption:migrate-key-storage-format but saw the following error.

```
Nextcloud is in maintenance mode, no apps are loaded.
Commands provided by apps are unavailable.
Updating key storage format
Start to update the keys:
    0 [>---------------------------]An unhandled exception has been thrown:
TypeError: OC\Security\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, bool given, called in /path_to/core/Command/Encryption/MigrateKeyStorage.php on line 161 and defined in /path_to/lib/private/Security/Crypto.php:124
Stack trace:
#0 /path_to/core/Command/Encryption/MigrateKeyStorage.php(161): OC\Security\Crypto->decrypt()
#1 /path_to/core/Command/Encryption/MigrateKeyStorage.php(141): OC\Core\Command\Encryption\MigrateKeyStorage->traverseFileKeys()
#2 /path_to/core/Command/Encryption/MigrateKeyStorage.php(141): OC\Core\Command\Encryption\MigrateKeyStorage->traverseFileKeys()
#3 /path_to/core/Command/Encryption/MigrateKeyStorage.php(141): OC\Core\Command\Encryption\MigrateKeyStorage->traverseFileKeys()
#4 /path_to/core/Command/Encryption/MigrateKeyStorage.php(141): OC\Core\Command\Encryption\MigrateKeyStorage->traverseFileKeys()
#5 /path_to/core/Command/Encryption/MigrateKeyStorage.php(232): OC\Core\Command\Encryption\MigrateKeyStorage->traverseFileKeys()
#6 /path_to/core/Command/Encryption/MigrateKeyStorage.php(208): OC\Core\Command\Encryption\MigrateKeyStorage->updateUserKeys()
#7 /path_to/core/Command/Encryption/MigrateKeyStorage.php(86): OC\Core\Command\Encryption\MigrateKeyStorage->updateUsersKeys()
#8 /path_to/core/Command/Encryption/MigrateKeyStorage.php(68): OC\Core\Command\Encryption\MigrateKeyStorage->updateKeys()
#9 /path_to/3rdparty/symfony/console/Command/Command.php(298): OC\Core\Command\Encryption\MigrateKeyStorage->execute()
#10 /path_to/3rdparty/symfony/console/Application.php(1040): Symfony\Component\Console\Command\Command->run()
#11 /path_to/3rdparty/symfony/console/Application.php(301): Symfony\Component\Console\Application->doRunCommand()
#12 /path_to/3rdparty/symfony/console/Application.php(171): Symfony\Component\Console\Application->doRun()
#13 /path_to/lib/private/Console/Application.php(211): Symfony\Component\Console\Application->run()
#14 /path_to/console.php(100): OC\Console\Application->run()
#15 /path_to/occ(11): require_once('...')
```

@jeroenh

jeroenh commented Aug 29, 2023

Is there a way to delete and regenerate all private keys? I don't have any encrypted files, so I would happily do this to get rid of the error.

@jeroenh

jeroenh commented Sep 22, 2023

> Is there a way to delete and regenerate all private keys? I don't have any encrypted files, so I would happily do this to get rid of the error.

So answering my own question: the keys are in data/$USER/files_encryption/OC_DEFAULT_MODULE.
I moved those files to another location, logged out, logged back in and now there are new key files, and no error anymore.

I was able to do this because I did not have any encrypted files. If you do have encrypted files, you will probably be unable to decrypt them.

@Pazu

Pazu commented Oct 18, 2023

Still having this problem.

files:scan --all reveals no problems.

encryption:scan:legacy-format reveals no files using the legacy format.

What on Earth is triggering this?

@stevleibelt

> Is there a way to delete and regenerate all private keys? I don't have any encrypted files, so I would happily do this to get rid of the error.
>
> So answering my own question: the keys are in data/$USER/files_encryption/OC_DEFAULT_MODULE. I moved those files to another location, logged out, logged back in and now there are new key files, and no error anymore.
>
> I was able to do this because I did not have any encrypted files. If you do have encrypted files, you will probably be unable to decrypt them.

Thanks @jeroenh

I know there is a big time gap between my question and your answer but is it possible that you note down all your steps how you've solved this issue for you?

Thanks in advance!

@Pazu

Pazu commented Nov 5, 2023

If encryption:scan:legacy-format returns no files using that format, and says, “All scanned files are properly encrypted. You can disable the legacy compatibility mode,” but the “Invalid private key for encryption app” persists, where, exactly, is the invalid private key to be found?

In data/files_encryption/OC_DEFAULT_MODULE? In there I see three privateKey files: master, pubShare, and recovery. Of those three, only the master file starts with a header, in this case, “HBEGIN:cipher:AES-256-CFB:keyFormat:hash”. The other two simply start with raw data; presumably, the hash.

Does that mean pubShare and recovery are legacy-format private keys? If so, is there some procedure to cause those to be re-generated so as not to use the legacy format?

Running encryption:migrate-key-storage-format apparently succeeds, showing, “Key storage format successfully updated”, but it does not add any HBEGIN to any of the existing .privateKey files which are presently missing it.
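
The "where exactly is the invalid private key" question above, and the `bool given` TypeError from `migrate-key-storage-format` a few comments earlier, both come down to what is actually on disk under `files_encryption/OC_DEFAULT_MODULE`. The following added example (not Nextcloud code and not from any commenter) inventories those key files, flags legacy ones that start with raw data instead of an `HBEGIN` header, and maps the owner named in the `Could not decrypt the private key` log line back to the state of its key file. It assumes the directory layout quoted in this thread, an `HBEGIN:...:HEND` header padded with `-` to 8192 bytes, and uses constructed sample files and log lines.

```python
import os
import re
import tempfile

HEADER_START, HEADER_END, HEADER_SIZE = b"HBEGIN", b"HEND", 8192  # padded header size is assumed
# Matches the CustomMessage quoted in the thread; the owner name is JSON-escaped in the raw line.
LOGIN_FAILURE = re.compile(r'Could not decrypt the private key from user \\?"([^"\\]+)\\?"')

def parse_key_header(blob):
    """Header fields of a key file, or None when it starts with raw data (legacy format)."""
    end = blob[:HEADER_SIZE].find(HEADER_END) if blob.startswith(HEADER_START) else -1
    if end < 0:
        return None
    fields = blob[len(HEADER_START) + 1:end].decode("ascii", "replace").strip(":").split(":")
    return dict(zip(fields[0::2], fields[1::2]))

def audit_key_file(path):
    """Classify one key file. 'unreadable' is the case where a PHP read returns false,
    the likely origin of the 'bool given' TypeError quoted in the thread."""
    try:
        with open(path, "rb") as fh:
            blob = fh.read()
    except OSError:
        return {"path": path, "status": "unreadable"}
    if not blob:
        return {"path": path, "status": "empty"}
    header = parse_key_header(blob)
    if header is None:
        return {"path": path, "status": "legacy-format"}
    return {"path": path, "status": "ok", "cipher": header.get("cipher"), "keyFormat": header.get("keyFormat")}

def audit_data_dir(datadir):
    """Audit every key file under a files_encryption/OC_DEFAULT_MODULE directory (system-wide and per-user)."""
    results = []
    for root, _dirs, files in os.walk(datadir):
        if root.split(os.sep)[-2:] != ["files_encryption", "OC_DEFAULT_MODULE"]:
            continue
        for name in sorted(files):
            if name.endswith((".privateKey", ".publicKey")):
                results.append(audit_key_file(os.path.join(root, name)))
    return results

def status_by_name(datadir):
    """Key file name -> status, the quick overview an admin wants first."""
    return {os.path.basename(r["path"]): r["status"] for r in audit_data_dir(datadir)}

def failed_key_owners(log_lines):
    """Key owners named in 'Could not decrypt the private key ... during login' log entries."""
    owners = []
    for line in log_lines:
        match = LOGIN_FAILURE.search(line)
        if match and match.group(1) not in owners:
            owners.append(match.group(1))
    return owners

def private_key_path(datadir, owner):
    """Master, share and recovery keys live system-wide; a user's key sits under data/<user>/."""
    if owner.startswith(("master_", "pubShare_", "recovery_")):
        return os.path.join(datadir, "files_encryption", "OC_DEFAULT_MODULE", owner + ".privateKey")
    return os.path.join(datadir, owner, "files_encryption", "OC_DEFAULT_MODULE", owner + ".privateKey")

def explain_failures(datadir, log_lines):
    """On-disk state of each failing owner's private key. 'ok' only means a well-formed file
    exists: a login failure on an 'ok' key points at a password or instance-secret mismatch."""
    report = {}
    for owner in failed_key_owners(log_lines):
        path = private_key_path(datadir, owner)
        report[owner] = audit_key_file(path)["status"] if os.path.exists(path) else "missing"
    return report

def build_sample_datadir():
    """Constructed tree: headered master key, legacy share key, empty recovery key, one user key, no key for 'test'."""
    datadir = tempfile.mkdtemp(prefix="nc-keys-")
    sysdir = os.path.join(datadir, "files_encryption", "OC_DEFAULT_MODULE")
    userdir = os.path.join(datadir, "alice", "files_encryption", "OC_DEFAULT_MODULE")
    os.makedirs(sysdir)
    os.makedirs(userdir)
    header = b"HBEGIN:cipher:AES-256-CFB:keyFormat:hash:HEND".ljust(HEADER_SIZE, b"-")
    samples = {  # payloads are dummy bytes, not real key material
        os.path.join(sysdir, "master_08a2125d.privateKey"): header + b"\x00" * 32,
        os.path.join(sysdir, "pubShare_08a2125d.privateKey"): b"\x7f\x11raw legacy bytes",
        os.path.join(sysdir, "recovery_08a2125d.privateKey"): b"",
        os.path.join(userdir, "alice.privateKey"): header + b"\x01" * 32,
    }
    for path, content in samples.items():
        with open(path, "wb") as fh:
            fh.write(content)
    return datadir

# Constructed log lines modelled on the nextcloud.log excerpt quoted in the thread.
SAMPLE_LOG = [
    '{"level":2,"app":"core","data":{"CustomMessage":"Could not decrypt the private key '
    'from user \\"master_08a2125d\\"\\" during login. Assume password change on the user back-end."}}',
    '{"level":2,"app":"core","data":{"CustomMessage":"Could not decrypt the private key '
    'from user \\"test\\" during login. Assume password change on the user back-end."}}',
]

if __name__ == "__main__":
    print(explain_failures(build_sample_datadir(), SAMPLE_LOG))  # {'master_08a2125d': 'ok', 'test': 'missing'}
```

Point `audit_data_dir` at a real Nextcloud data directory (read-only, nothing is modified) to see which key files lack the header before running any migrate or decrypt command.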

@JOduMonT

JOduMonT commented Nov 9, 2023

interestingly every time I install NextCloud, I had that message until today;

YES I figured out

and here how you could too

these options have an order

  1. ENABLE Server-side encryption first
     • be sure Default encryption module is enabled
       (you may or may not log out and log in again before step 2)
  2. ENABLE Encrypt the home storage

image

So where was my mistake?

I was jumping directly to and only enabling the encryption for the home storage while the server-side encryption was not active.

@rudesome

In the NC webinterface I disabled the app: Default encryption module, and it solved my issue (am not encrypting btw)

@Pazu

Pazu commented Nov 12, 2023

> In the NC webinterface I disabled the app: Default encryption module, and it solved my issue (am not encrypting btw)

You mean you disabled, “Enable server-side encryption”, right? The “Default encryption module” is a radio button, can’t be disabled, presumably unless you have some other encryption module installed.

Is yours a new installation? Did you have files encrypted already? If so, were the files successfully decrypted? Can you now access everything successfully?

Unfortunately, in my case, for some reason, the option to disable server-side encryption is unavailable and cannot be manipulated.

Screenshot 2023-11-12 at 06 55 17

Personally, I would love completely to disable encryption if only to get rid of this ridiculous message which has plagued me and others for years seemingly without any progress on the developer side. I guess no Enterprise customers have ever encountered this.

@rudesome

@Pazu ; I did receive this notification message since the update to 27.1.3, I never enabled encryption, also the command said: occ encryption:status , so I disabled the application: "Default encryption module" in the apps menu of the NC webinterface

image

@asheroto

asheroto commented Dec 5, 2023

This happens on a brand new server with Nextcloud 27.1.4.1. Enabled Default Encryption Module, disabled encryption, used SSE-C. Messages appears after logging in. Did not run occ encryption:enable-master-key or occ encryption:disable-master-key.

Files appear to be accessible, though.

I noticed in the logs it says...

"CustomMessage":"Could not decrypt the private key from user \"master_08a2125d\"\" during login. Assume password change on the user back-end."}}

I was able to fix it by running occ encryption:enable and then occ encryption:disable. But still should be fixed in the code of course. 😊

@asheroto

asheroto commented Dec 5, 2023

Sticks on "Saving...". HTTP status code reveals 503 Service Unavailable.

2023-12-04_22-16-52_299.mp4

Response says this...

image

Even though JavaScript is, of course, enabled. No adblocking turned on. Same issue happens on mobile.

image

If anything, there should be an error handler surrounding this so it would say "Failed, check the logs" or something along those lines. 😊

@bitkris-dev

Same issue, I've a freshly installed NextCloud 27.1.4 and enabling "Default Encryption Module" gives me the error Your private key password no longer matches your log-in password. Going to "Administration Settings" --> "Personal/Security" and trying to change it gives me a 503 error on the updatePrivateKeyPassword call. I'm forced to disable encryption :/

@RafalLukawiecki

I have never seen this message until just now, having updated from 23 to 27. We are not using any form of server-side encryption, it has always been disabled. I cannot understand what is causing this message for all the users. The suggestions above did not fix the issue.

@RafalLukawiecki

Disabling the Default encryption module app makes the message go away.

@asheroto

Yes, I did not have the issue either until version 27, was on version 24.

@Pazu

Pazu commented Dec 11, 2023

> Disabling the Default encryption module app makes the message go away.

Perhaps, but it's apparently not always possible to do so. Sometimes the option to do so is simply disabled and thus unavailable.

Screenshot 2023-12-11 at 12 13 01

@RafalLukawiecki

As Admin, go to Apps, find the "Default encryption module" and press "Disable"—not in Security settings, but in the list of Apps.
Screenshot 2023-12-11 at 11 26 12

@Pazu

Pazu commented Dec 11, 2023

> As Admin, go to Apps, find the "Default encryption module" and press "Disable"—not in Security settings, but in the list of Apps.

Okay, interesting idea. Are there any consequences for doing so with an instance which already has all files encrypted using this module? Will they simply be automatically decrypted?

@RafalLukawiecki

I am afraid I cannot answer that. For us, we have not been using server-side encryption, yet that message has started appearing. Disabling the Default encryption module "app" is an acceptable workaround for us.

@asheroto

I can disable the default encryption app, but doesn't that disable encryption thus defeating the purpose? 😊

@joshtrichards
Member

joshtrichards commented Feb 14, 2024

Okay folks: This issue has become a hodgepodge of different scenarios that happen to generate the same error message as the original reporter's situation, but are not necessarily related to each other.

Not all of the root causes are the same.

There may be legitimate underlying bug(s), but in other cases the cause is having multiple incompatible encryption apps installed simultaneously (which is not a supported configuration; and, yes, we should do a better job outright preventing it from being possible for a Server to be configured in this way, but that's a matter covered elsewhere so out-of-scope for this particular Issue).

I also suspect that many here have very different environments too since this issue was opened in 2018.

Also, a million things have changed with encryption since Nextcloud v13 when this issue was opened so it's very difficult to compare your situation to older reports and any suggested workarounds or troubleshooting steps. Lastly, if you're a long-time Nextcloud encryption user, the history of how your data has migrated through different versions of Server is more relevant than it is to those experiencing this error message in more recent installations.

I'm going to do my best to clear out some of the noise here and nudge this issue forward... and hopefully close it out with new dedicated issue(s) with up-to-date information where appropriate. In this way we can all make sure we're looking at problems being faced today and that we've got the appropriate information in-hand to not be blindly digging around for solutions to long ago addressed matters (or where enough has changed that the particularly old reports aren't realistic to map to today's code base or the newer reports).

After you review the below - if it still seems to you that you've encountered a bug - please open a dedicated issue with your environment's details so that things can be evaluated in today's context (not what was true 6+ years ago). I'd rather chase a few extra duplicate reports than unravel the different threads in this issue.

I understand this is a PITA, but I see no other way to tackle this open issue other than by meeting it head-on. The encryption functionality in Nextcloud, which is really two completely distinct features that have little to do with each other, has evolved a lot over the years. Not everyone here is starting from the same place. Only you can assess your situation, but I'll do my best to help a bit.

(Btw: There are a few things repeated here and there. In some cases I think it's helpful because everyone has different levels of comfort when the word "encryption" gets mentioned and also because I don't have the time to nicely edit this down -- I'm hoping to focus that energy in a more scalable way on the documentation itself rather than here).

Let's get started...

If you're experiencing this problem today in a fairly new installation, please confirm this isn't a configuration matter (which is usually fairly easy to resolve... once you're aware of the underlying cause):

  • You cannot use the optional end_to_end_encryption app with the shipped encryption app. That's never been a supported configuration. If you have the Default encryption module app listed under Apps as well as the "End-to-End Encryption" app listed there (enabled) then that is likely the cause of your problems (it's at least going to be the cause of some of your problems because they're not compatible with each other and will break all sorts of things).

But do not change anything yet! First determine the following:

  • Do you want to use Server-side encryption or do you want to use End-to-End encryption?
    • These are each very different things with unique use cases (and trade-offs).
    • Both encryption features (and their associated apps) should not be enabled simultaneously within Nextcloud Server.
    • Again, don't change anything yet.
  • Do you have good backups of your precious data outside of Nextcloud (and outside of any sync client apps you may be using)?
  • Which combination of apps (as first noted above) do you currently have installed and enabled under Apps (or via occ app:list):
    • a) just the encryption app? (labeled "Default encryption module" in the web UI app store entry)
    • b) just the end_to_end_encryption app? (labeled "End-to-End Encryption" in the Web UI app store entry)
    • c) both of the above apps? (not a supported configuration and one of the causes of this error message, which is generated by the encryption app and may appear if you have E2EE active at the same time)
  • Are you currently using Server-side encryption? Does it seem to be functioning okay?
  • Are you currently using End-to-End encryption? (i.e. do you have it enabled in your client apps and have individual folders encrypted that the Web UI is not allowed to access) Does it seem to be functioning okay between your client apps?
  • Have you previously had Server-side encryption in-use, but maybe since disabled it without running the decryption process first?

Again, do not change anything yet. You need to assess your situation a bit in order to determine how to safely unravel things without impacting your data.

If you've installed the end_to_end_encryption app and successfully been using it with your clients, but never truly activated the server-side encryption support provided by the encryption app, then your fix may be as simple as disabling the encryption app since you're not actually using server-side encryption. The error message will likely go away (assuming you aren't experiencing several layers of problems).

WARNING: Do not disable either the encryption app or end_to_end_encryption app without reviewing and confirming your existing environment and having a tested backup of your data!

(e.g. if your files are already encrypted server-side, but you want to use E2EE, you likely will need to follow the decryption process in the Admin Manual before disabling the encryption or you will likely lose your data. Even then, if you've managed to activate E2EE at the same time, it's possible the server-side decryption process may not work since both are not supposed to be used together. In the latter case you may need to clean up your Nextcloud installation, set things up cleanly, and re-add your data into Nextcloud. Also in some cases the encryption-recovery-tools may be useful. Beware that decrypting data server-side will obviously expose your data to the server. If this isn't acceptable, you may prefer to download offline, clean things up on the server by wiping your encrypted data there, then, say, enabling E2EE properly and uploading your data).

Again, backups backups backups

  • Server-side encryption is distributed within Nextcloud Server itself (shipped and installed by default as the encryption app). This app appears under Apps and is labeled Default encryption module. While the app itself is installed by default, this mode of encryption is never activated on your storage media (e.g. External Storage, your Nextcloud Home directory) unless you turn it on. This app must be disabled if you are going to use the optional End-to-End encryption app, but can otherwise be left installed (regardless of whether you're actually using server-side encryption). It is the encryption feature documented in the Nextcloud Administration Manual here.
  • End-to-End encryption is an optional app that must be explicitly installed. This app appears under Apps and is labeled "End-to-End encryption". This feature is often referred to simply as "E2EE". It is only documented here and none of the encryption commands or documentation in the Nextcloud Administration Manual are applicable to it.
  • Server-side encryption cannot be used with End-to-End encryption.

If you are using End-to-End encryption:

  • The error message this issue is about can only come up if Server-side encryption is still installed and enabled. So that should be a big hint as to the likely cause in your situation.

P.S. I'm a volunteer community member/contributor. I'm sorry you are encountering trouble, but if you need one-on-one advice or troubleshooting assistance, there are other channels for that (read: not me/not here).

P.P.S. Apologies to @knut-hildebrandt - as their modest original report has grown to become a monster that has taken on a life of its own. Hopefully we'll get this sorted out. :-)
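An added example (not part of the comment above and not Nextcloud's own code): a small triage script that turns the "which combination of apps do you have?" checklist into a pure function. It consumes the JSON of two occ commands; the assumptions here are that `occ app:list --output=json` returns an object with `enabled`/`disabled` maps keyed by app id, and that `occ encryption:status --output=json` returns `{"enabled": bool, "defaultModule": str}` (the `enabled` flag being the server-side activation state, not whether the app is installed). The sample inputs in the test are constructed.

```python
#!/usr/bin/env python3
"""Triage the encryption app state before changing anything.

Maps occ output onto the combinations from the checklist:
  a) only the 'encryption' app enabled
  b) only the 'end_to_end_encryption' app enabled
  c) both enabled (unsupported; the error message comes from the encryption app)
Assumptions (not from the issue): shapes of the two occ JSON outputs, see lead-in.
"""
import json
import subprocess
import sys
from typing import Dict, List

SSE_APP = "encryption"              # shipped "Default encryption module"
E2EE_APP = "end_to_end_encryption"  # optional "End-to-End Encryption"


def triage(app_list: Dict, enc_status: Dict) -> Dict:
    """Pure decision logic; safe to run offline on saved occ output."""
    enabled = set(app_list.get("enabled", {}))
    sse_app = SSE_APP in enabled
    e2ee_app = E2EE_APP in enabled
    sse_active = bool(enc_status.get("enabled"))  # server-side encryption switched on?

    findings: List[str] = []
    if sse_app and e2ee_app:
        combo = "c"
        findings.append("UNSUPPORTED: both apps enabled; the message is generated by the encryption app")
        if sse_active:
            findings.append("server-side encryption is active: run the Admin Manual decryption process before disabling anything")
        else:
            findings.append("server-side encryption never activated: disabling the encryption app is the likely fix (tested backup first)")
    elif sse_app:
        combo = "a"
        findings.append("server-side encryption active" if sse_active
                        else "encryption app enabled but not activated: files are stored in plaintext")
    elif e2ee_app:
        combo = "b"
        findings.append("E2EE only; the encryption app is disabled, so this message should not be produced")
    else:
        combo = "none"

    # Disabled app but activation flag still set: the 'disabled without decrypting' case.
    if sse_active and not sse_app:
        findings.append("DANGER: server-side encryption flagged active but the encryption app is disabled; "
                        "re-enable the app and do not touch the data until you have a backup")
    return {"combination": combo, "sse_active": sse_active, "findings": findings}


def occ_json(occ: List[str], *args: str) -> Dict:
    """Run an occ subcommand and parse its --output=json result."""
    proc = subprocess.run([*occ, *args, "--output=json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    # usage: triage.py sudo -u www-data php /var/www/nextcloud/occ
    occ_cmd = sys.argv[1:] or ["sudo", "-u", "www-data", "php", "occ"]
    report = triage(occ_json(occ_cmd, "app:list"), occ_json(occ_cmd, "encryption:status"))
    print(json.dumps(report, indent=2))
```

Run it read-only first; it only calls `app:list` and `encryption:status`, neither of which changes state, and the findings are the order in which you should read the warning about decrypting before disabling.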

@asheroto

asheroto commented Feb 19, 2024

@joshtrichards thanks for the excellent write-up. Hopefully that will help folks distinguish one bug from another. Since the error messages are all similar, I think that's why there's some issue bleed-over. For those of us unfamiliar with the detailed inner-workings of Nextcloud, I think we were stabbing a bit in the dark (I was!), so it's great that you made that post. 😊

For me, the issues I am facing are when using S3 + server side encryption. I detailed the issues in #41992 therefore I will keep future comments on that issue instead of this one. I ended up switching to SSE which works great, although not the preferred encryption method.

@rune1979

Same issue here:

S3 buckets as Primary storage with OIDC. So, I guess one master-key and no E2EE.

  • Very limited documentation in that exact scenario.
  • The master-key (private and public) seems placed in the "Primary storage". So, in the hands of the bucket provider. Any attempt to move this to a local dir seems to fail.

@joshtrichards joshtrichards added the needs review Needs review to determine if still applicable label Sep 6, 2024
@ocean-haiyang

@knut-hildebrandt after searching and searching last night I ended up giving up on it. Come back today and try to give it another go and got things working as my whole goal is to enable E2EE (end-to-end encryption) with my new NC13 deployment on FreeNAS.

So, yesterday I enabled the “Default encryption module” & “End-to-End Encryption” Apps. Went through the process of logout/login and that pesky "Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files" message hit me. I quickly disabled “Default encryption module” & “End-to-End Encryption” Apps to get rid of the error.

I remember reading in a guide that when you enable the encryption feature it must generate the private keys somewhere.

Looking in the NC13 Admin Manual it doesn't show me anything about the keys Nextcloud 13 Administration Manual - Encryption configuration/encryption_configuration.html and I stumbled onto the ownCloud Admin Manual it has a nice section telling you about the keys and where they're stored ownCloud 8.1 Server Administration Manual - Encryption Configuration - Where Keys are Stored

This is the new file structure for ownCloud 8.1:

Private public share key: data/files_encryption/OC_DEFAULT_MODULE/pubShare_.privateKey

Private recovery key: data/files_encryption/OC_DEFAULT_MODULE/recovery_.privateKey

Public public share key: data/files_encryption/OC_DEFAULT_MODULE/pubShare_.publicKey

Public recovery key: data/files_encryption/OC_DEFAULT_MODULE/recovery_.publicKey

File keys for system-wide mount points: data/files_encryption/keys/<file_path>//OC_DEFAULT_MODULE/fileKey

Share keys for files on a system-wide mount point (one key for the owner and one key for each user with access to the file): data/files_encryption/keys/<file_path>//OC_DEFAULT_MODULE/.shareKey

Users’ private keys: data//files_encryption/OC_DEFAULT_MODULE/.privateKey

Users’ public keys: data//files_encryption/OC_DEFAULT_MODULE/.publicKey

File keys for files owned by the user: data//files_encryption/keys/<file_path>//OC_DEFAULT_MODULE/fileKey

Share keys for files owned by the user (one key for the owner and one key for each user with access to the file): data//files_encryption/keys/<file_path>//OC_DEFAULT_MODULE/.shareKey

I checked the paths and didn't see that there was anything there. Then it hit me, I never enabled "Server-side encryption".

Went back and made sure that the "Default encryption module” was enabled, turned on "Server-side encryption" and once I did those paths populated with newly generated keys.

Albeit when I checked in the "OC_DEFAULT_MODULE" directory this is what was listed:

data/files_encryption/OC_DEFAULT_MODULE # ls -la

master_#####.privateKey master_#####.publicKey pubShare_#####.privateKey pubShare_#####.publicKey

I then went back to Apps and enabled “End-to-End Encryption”, downloaded the latest Prerelease Client and started testing E2EE (end-to-end encryption).

Hope this helps shed some light on things and helps folks in the right direction. If there's something that I'm missing or have left out please let me know as I don't want to be spreading false information and make someone waste their time.

this works perfectly
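An added example (mine, not the commenter's and not Nextcloud's own code) that automates the "check the key paths" step from the comment above: it inventories the key material on disk using the layout quoted there (system keys under `<data>/files_encryption/OC_DEFAULT_MODULE`, per-user keys under `<data>/<user>/files_encryption/OC_DEFAULT_MODULE/<user>.privateKey|publicKey`) and reports whether the instance looks like master-key mode, per-user-key mode, or has nothing activated. Assumptions: that layout still applies to your version (the `ls` output in the comment matches it, but verify), and `build_sample_datadir()` creates a constructed fixture purely for demonstration.

```python
#!/usr/bin/env python3
"""Inventory server-side encryption keys on disk (read-only)."""
import os
import re
import tempfile
from typing import Dict, List

MODULE = "OC_DEFAULT_MODULE"
# master_<id>.privateKey, pubShare_<id>.publicKey, recovery_<id>.privateKey ...
SYSTEM_KEY = re.compile(r"^(master|pubShare|recovery)_([0-9a-zA-Z]+)\.(privateKey|publicKey)$")


def inventory_keys(datadir: str) -> Dict:
    """Return what key material exists and flag inconsistencies. Never writes."""
    system: Dict[str, List[str]] = {"master": [], "pubShare": [], "recovery": []}
    system_dir = os.path.join(datadir, "files_encryption", MODULE)
    if os.path.isdir(system_dir):
        for name in sorted(os.listdir(system_dir)):
            m = SYSTEM_KEY.match(name)
            if m:
                system[m.group(1)].append(name)

    users: Dict[str, Dict[str, bool]] = {}
    for entry in sorted(os.listdir(datadir)):
        udir = os.path.join(datadir, entry, "files_encryption", MODULE)
        if os.path.isdir(udir):
            users[entry] = {
                "private": os.path.isfile(os.path.join(udir, f"{entry}.privateKey")),
                "public": os.path.isfile(os.path.join(udir, f"{entry}.publicKey")),
            }

    problems: List[str] = []
    master_ids = {SYSTEM_KEY.match(n).group(2) for n in system["master"]}
    if len(master_ids) > 1:
        problems.append(f"multiple master key ids {sorted(master_ids)}: possible mixed/migrated instance")
    for user, have in users.items():
        if have["public"] and not have["private"]:
            problems.append(f"{user}: public key without private key")
        if have["private"] and not have["public"]:
            problems.append(f"{user}: private key without public key")

    if master_ids:
        mode = "master-key"
    elif any(h["private"] for h in users.values()):
        mode = "per-user-keys"
    else:
        mode = "none"  # nothing generated: server-side encryption was never activated here
    return {"mode": mode, "system": system, "users": users, "problems": problems}


def build_sample_datadir() -> str:
    """Constructed fixture (not real data): master-key instance, one consistent user, one broken one."""
    root = tempfile.mkdtemp(prefix="nc-data-")
    sysdir = os.path.join(root, "files_encryption", MODULE)
    os.makedirs(sysdir)
    for name in ("master_abc123.privateKey", "master_abc123.publicKey",
                 "pubShare_abc123.privateKey", "pubShare_abc123.publicKey"):
        open(os.path.join(sysdir, name), "w").close()
    for user, files in (("alice", ("alice.privateKey", "alice.publicKey")),
                        ("bob", ("bob.publicKey",))):
        udir = os.path.join(root, user, "files_encryption", MODULE)
        os.makedirs(udir)
        for name in files:
            open(os.path.join(udir, name), "w").close()
    return root


if __name__ == "__main__":
    import json
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_datadir()
    print(json.dumps(inventory_keys(target), indent=2))
```

Point it at your real data directory as the web server user (`python3 inventory.py /var/www/nextcloud/data`); an empty `system` and `users` result means server-side encryption was never activated, which is the state the commenter was in before turning it on.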
