Server: Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files

Just updated to PHP 7.0.27. The problem prevails.

cc @nextcloud/encryption

@knut-hildebrandt Thanks for creating this issue. I've done the exact same steps as you to reproduce on my new NC13 deployment.

+1 For this getting picked up and seen by the devs. If it's something stupid simple that I'm doing, then let this fool know.

Looks like #8393 is having same issue, thus linking for visibility

@knut-hildebrandt after searching and searching last night I ended up giving up on it. Come back today and try to give it another go and got things working as my whole goal is to enable E2EE (end-to-end encryption) with my new NC13 deployment on FreeNAS.

So, yesterday I enabled the “Default encryption module” & “End-to-End Encryption” Apps. Went through the process of logout/login and that pesky "_Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files_" message hit me. I quickly disabled “Default encryption module” & “End-to-End Encryption” Apps to get rid of the error.

I remember reading in a guide that when you enable the encryption feature it must generate the private keys somewhere.

Looking in the NC13 Admin Manual it doesn't show me anything about the keys Nextcloud 13 Administration Manual - Encryption configuration/encryption_configuration.html and I stumbled onto the ownCloud Admin Manual it has a nice section telling you about the keys and where they're stored ownCloud 8.1 Server Administration Manual - Encryption Configuration - Where Keys are Stored

This is the new file structure for ownCloud 8.1:

Private public share key:
data/files_encryption/OC_DEFAULT_MODULE/pubShare_.privateKey

Private recovery key:
data/files_encryption/OC_DEFAULT_MODULE/recovery_.privateKey

Public public share key:
data/files_encryption/OC_DEFAULT_MODULE/pubShare_.publicKey

Public recovery key:
data/files_encryption/OC_DEFAULT_MODULE/recovery_.publicKey

File keys for system-wide mount points:
data/files_encryption/keys///OC_DEFAULT_MODULE/fileKey

Share keys for files on a system-wide mount point (one key for the owner and one key for each user with access to the file):
data/files_encryption/keys///OC_DEFAULT_MODULE/.shareKey

Users’ private keys:
data//files_encryption/OC_DEFAULT_MODULE/.privateKey

Users’ public keys:
data//files_encryption/OC_DEFAULT_MODULE/.publicKey

File keys for files owned by the user:
data//files_encryption/keys///OC_DEFAULT_MODULE/fileKey

Share keys for files owned by the user (one key for the owner and one key for each user with access to the file):
data//files_encryption/keys///OC_DEFAULT_MODULE/.shareKey

I checked the paths and didn't see that there was anything there. Then it hit me, I never enabled "Server-side encryption".

Went back and made suer that the "Default encryption module” was enabled, turned on "Server-side encryption" and once I did those paths populated with newly generated keys.

Albeit when I checked in the "OC_DEFAULT_MODULE" directory this is what was listed:

data/files_encryption/OC_DEFAULT_MODULE # ls -la

master_#####.privateKey
master_#####.publicKey
pubShare_#####.privateKey
pubShare_#####..publicKey

I then went back to Apps and enabled “End-to-End Encryption”, downloaded the latest Prerelease Client and started testing E2EE (end-to-end encryption).

Hope this helps shed some light on things and helps folks in the right direction. If there's something that I'm missing or have left out please let me know as I don't' want to be spreading false information and make someone waste their time.

@shadadougha that's it, thanks.

I enabled server side encryption, then the keys are created. Then I disabled server side encryption via occ encryption:disable again, since I don't want to use it. The Android client then could enable encryption on an empty folder and showed me my passphrase. Works like a charm (even with instant uploads), now waiting for support within the stable Windows client.

@spackmat word, glad that helped. I'm going to have to disable server side encryption as I'm finding some weird issues going on with the E2EE IoS App and suspect this may be causing it.

Also, I'm doing my NC13 deployment in FreeNAS thanks to this guide How to install Nextcloud 13 in FreeNAS with all checks passed updated to use iocage and the occ encryption:disable command didn't work for me at first and I wanted to cross post for visibility that I ended up having to use the following syntax for this to work:

su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ encryption:disable' and that did it.

Also the guide for Using the occ command is super helpful. If you too are doing a FreeNAS deployment like me below is the proper syntax for running the occ commands

su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ [COMMAND HERE]'

P.S. Sorry for changing my username that you referenced. Figure it'd be easier to have a coherent presence across Git and other forums I help out with.

I am also receiving this error with nextcloud 13.0.5, started with 13.0.4.
Every time I want to update the keys in settings->security (personal) it says "saving..." but nothing happens.
The only way to get this error message away is to disable the default encryption module.

I am really looking forward for a bug fix on that one.

Kind regards
Palulukas

Me too ,
new install ( 13.0.5 ) just enabled crypto .
Then created a new user and it showed the message at login

Me too ,
new install ( 13.0.5 ) just enabled crypto .
Then created a new user and it showed the message at login

I tried it in two different ways:

1. fresh 13.0.5 installation
2. enable server side encryption
3. enable default encryption module
4. create a new user
5. login as new user

-> everything works as expected. I don't see the message.

Per default we also use one master key for all users, completely independent from the user password. That's why I don't see how this could ever be triggered in this setup. That's why I tried in addition:

1. fresh 13.0.5 installation
2. enable server side encryption
3. enable default encryption module
4. occ encryption:disable-master-key to use per user keys
5. create a new user
6. login as new user
7. everything works as expected, I don't see the message and can upload/download files
8. change login password in the personal settings
9. logout/login
10. still don't see the message and can read the old files and create new one.

@schiessle enabling server side encryption (at least one time) solves the problem as described before. So the issue is about the case, where server side encryption shouldn't be used. At least it must be documented, that the default encryption module throws this error, before the server side encryption module generated its keys on install. Better would be to remove this dependency (create the keys in default encryption module or if the keys are not necessary at all, let the right module show this error).

I have this issue with Nextcloud 14!
After creating a new user and logging in as this new user for the first time, I get this error:

"Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files."

I can confirm this on NC 14
e2e does work (android app) but the webinterface throws the error
"Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files."

happens with old and new users.

[ Quite annoying - that pop-up is rendered above the app menu, making clicking those impossible, though zooming out is a workaround ]

this popup appear with a FreshInstall of Nextcloud 14
when I active the Official app : Default encryption module

disable Default encryption module fix the problem thanks

But disabling the Default encryption module makes E2EE only appear to work. Without the default encryption module, uploaded files are just stored as-is on the server.

My situation: 13.0.7 (no upgrade offered) on a home server (Debian Linux, updated several time through the web updater).
I don't want to use server-side encryption (have had enough troubles with that, especially being unable to change user passwords as an admin, when trying on a different NC instance).
I do want to use the freshly featured E2EE with the new 2.5 client (didn't find instructions on the NC website - might be worth another issue report).

I keep getting the dreaded "wrong private key" popup ("Falscher privater Schlüssel für die Verschlüsselungs-App. Bitte aktualisiere Deinen privaten Schlüssel in Deinen persönlichen Einstellungen um wieder Zugriff auf die verschlüsselten Dateien zu erhalten.").
In (data)/ there is no files_encryption directory (should not be needed for true E2EE anyway).

Please provide instructions for turning on E2EE that do not throw problem messages when thre is no problem, or messages that do point to the real cause.

Can confirm I'm seeing the same issue on a fresh Nextcloud 15 installation with the basic encryption module.

The dialog referenced from this popup looks like this:

I have just created this new user and not "changed" a password. Submitting the form will only print "Saving..." and not return. JS console reports an invalid JSON response as detailed in https://github.com/nextcloud/server/issues/6834. Apparently, a JSON response was expected, but it actually returned an HTML response with status code 503 containing the text:

Nextcloud
Error
Private Key missing for user: test

Is there anything we can do to help diagnose this issue?

Can confirm I'm seeing the same issue on a fresh Nextcloud 15 installation with the basic encryption module.

The dialog referenced from this popup looks like this:

I have just created this new user and not "changed" a password. Submitting the form will only print "Saving..." and not return. JS console reports an invalid JSON response as detailed in #6834. Apparently, a JSON response was expected, but it actually returned an HTML response with status code 503 containing the text:

Nextcloud
Error
Private Key missing for user: test

Is there anything we can do to help diagnose this issue?

This is actually true - I set up my Owncloud 15.0 out of the box a month ago, and since two days I have the same errortext...makes no difference for me, if Encryption is enabled or not..

What's really strange, I never changed the PW for this user - so this first I gave is still correct...same as @clue

I'm experiencing the same thing; goofy "Invalid key" warning. I had turned on encryption several years ago, and changed my password in the interim. Now I've migrated my data to S3, and apparently enabling the default encryption app is required even if you don't enable encryption, or large file uploads fail.

So what bit do I need to flip to get this message to go away? I cannot find anything relevant in the database.

It looks like you could fix this issue with a change to lib/KeyManager.php's init() method, where you check to see if encryption is enabled before trying to set it up. If encryption isn't enabled on the admin page, simply call $this->session->setStatus(Session::INIT_SUCCESSFUL); and return true; and nobody needs to see an error message that isn't remotely relevant.

FWIW as a short-term solution I ended up commenting out the relevant lines from apps/encryption/lib/Controller/StatusController.php so that my users and I aren't confronted with a meaningless message/

Had this issue happen on NextCloud 14, and I hoped updating to 15 would fix something but still having the problem. Only seems to be for one user and with only some files, I never changed the password or anything. Restarted my server and had that error happen. https://github.com/nextcloud/server/issues/13998

So, any news on this? Right now I need to have this module enabled to have auto upload from this app working, but having the message at the top is a bit annoying :(

any news on this? I just started seeing it after updating to 15.0.6 and it's really annoying

it's a pity, that this issue is now a year old :/

I tried the instruction written in first post but no change for a few years.
"Default encryption module" still enabled.

Today I did below and the message gone. Is it correct operation?

# sudo -u www-data php ./occ encryption:status
  - enabled: false
  - defaultModule: OC_DEFAULT_MODULE
# sudo -u www-data php ./occ encryption:enable
Encryption enabled

Default module: OC_DEFAULT_MODULE
# sudo -u www-data php ./occ encryption:status
  - enabled: true
  - defaultModule: OC_DEFAULT_MODULE

@takagiwa - Can you look at your files directly on your server? Are they encrypted there?
Your command is working for me! Thanks!

Your solution worked for me. Thanks!

@ArrowComputingTech and @jeshusho
Thank you for your response!

My files are not encrypted (before and after the operation).
I haven't set file encryption option.

I ran into this issue again and enabling disabling as in @takagiwa no longer helps (it did help me last time I had the error) -- so again the only solution I've found is disabling the "Default encryption module" completely to get the error to go away.

I just upgraded to nextcloud 15.0.8, and after enabling the default encryption module I am also getting this error.

(To clarify, I had this error before the upgrade as well)

Having this issue after restoring ftom a backup on NC16. Is there a way to create new encryption keys for the users? Don't have any encrypted files yet, but would like to use encryption in future. Also E2E not working with this unsolved

Same problem. I logged in for the first time ever on this Nextcloud, activated Default Encryption Module, then went to Settings, where it told me to logout and login again, which I did. And now it only gives me the error: "Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files". I didn't even setup a key.
Files are not encrypted, I can access them.
Nextcloud 16.0.1

We're also affected by this issue. Nextcloud 16.0.1 using LDAP.

This issue is more than several years old. Why has this not been fixed yet. GRRR

Same here on new installation 16.0.3

same here on new installation 16.0.3

I solved with
"sudo -u www-data php ./occ encryption: enable" launched from the nextcloud directory via terminal. but with shared hosting without terminal acecsso it will be a problem. what a real fix?

It is simply pathetic not being able to provide a properly working encryption solution after all those years. Why provide those features at all if they are simply a joke from a security AND software development perspective?

@KhryptorGraphics @new251
Fortunately, the project is open source, and so you can fix it yourself.

It is true that the project is open source but getting to the 16.0.3 release and getting the bugs found in v13 and coming back seems absurd to me. the bug test system should be reviewed

@tigernero79
Then review it.

If someone wants to start debugging:

https://github.com/nextcloud/server/blob/8042e6b8fb0f0b4d3dd2c291729144f767575c56/apps/encryption/lib/Controller/StatusController.php#L76-L81

This code triggers the message.

https://github.com/nextcloud/server/blob/38a90130ce425d531a804dff591df4a883de3154/apps/encryption/lib/KeyManager.php#L357-L390

For some reason $privateKey is not true and status is not changed. Do you see "Could not decrypt the private key from user ..." in your logs? As start i would remove the catch block for PrivateKeyMissingException and DecryptionFailedException to log this messages. Any help is appreciated.

@ArrowComputingTech

what does it mean then examine it?
If I knew how to do it, don't you think I would have given an input as a user "kesselb"?
instead of arguing, you understand that already reporting a problem on github without looking at means collaborating.
is a serious bug that drags on from nextcloud 13 I believe that it is not a mistake to try to understand how to solve it. is there github for this or not?
can you say that it is a bug that has existed for too long or is someone doing wrong?
I do not understand. make controversy about anything.

Pulling out of the problem stating that the users/reporters could fix the problem on their own because NC is Open-Source sounds like "we don't care that our outstanding proposition over our competitors (E2EE) doesn't work at all for so many people for years in such a emberrassing way " in my ears. This problem here and the windows client reliably breaking E2EE folders at first contact for so many users are both showstoppers and blaming people for not being able to fix any given problem in any given project in any given programming language is just ridiculous.

I had a look into this with a fresh installation of Nextcloud 16.0.3. This is how I reproduced the problem:

• Install Nextcloud.
• Login as admin.
• Visit the "Apps" overview and head over to "Disabled Apps".
• Activate the "Default encryption module".
• Visit the "Settings" overview and head over to "Security" in the "Administration" section.
• Activate the "Enable server-side encryption" checkbox under the "Server-side encryption" headline.
• Press the "Enable encryption" button.
• Logout and log back in as admin.
• Be greeted with the "Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files." message.

The expected workflow seems to be broken at some points:

1. When visiting the "Settings" overview and heading over to "Security" in the "Administration" section after logging in again (or in fact, already after refreshing the page) the "Enable server-side encryption" checkbox is deactivated again. Presumably Nextcloud is not able to properly find out that the encryption has already been activated.
2. Activating the server-side encryption doesn't seem to generate any encryption keys but after enabling the encryption the web UI automatically thinks that these should have been generated which leads to the actual error message. (On the file level there are none of the expected "files_encryption" folders.)
3. Creating new users and logging in with them doesn't create a new keypair either so they also get the "Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files." message on login.
4. On the file level no encryption takes place.

To solve the problem at hand you can use the occ tool. As it seems, the master key encryption is nowadays enabled by default. If you don't want to use a single encryption key but one for each user you have to disable the master key encryption first: sudo -u www-data ./occ encryption:disable-master-key

You get a warning that you should do this only on a fresh installation without already encrypted data:

Warning: Only perform this operation for a fresh installations with no existing encrypted data! There is no way to enable the master key again. We strongly recommend to keep the master key, it provides significant performance improvements and is easier to handle for both, users and administrators. Do you really want to switch to per-user keys?

Even though you "activated" the encryption through the web UI the occ tool doesn't think that it has been activated. Therefore you have to activate the encryption now: sudo -u www-data ./occ encryption:enable

Only now will individual user keys be generated when the corresponding users log on. Nextcloud also generates user keys for newly created users now as well.

The still unencrypted files are accessible as before (even though the text editor of the web UI doesn't seem to be able to open any unencrypted text file now). Sharing files with users that don't have their own user key yet is now totally broken. The shares are written to the database but the corresponding file encryption keys (and therefore the shared files) are not available to the recipient. Trying to download such a broken file even leads to an ERROR 500. (Unsharing the file and re-sharing it when the receiving user has their individual user key fixes this problem.)

Therefore, in order to not end up with a partially broken system, it is best to directly start the encryption of the existing files. In the process the individual user keys get generated as well. Each user key is encrypted with a temporary password that you have to provide to the corresponding users: sudo -u www-data ./occ encryption:encrypt-all

You are warned that this may take a while:

You are about to encrypt all files stored in your Nextcloud installation.
Depending on the number of available files, and their size, this may take quite some time.
Please ensure that no user accesses their files during this time!
Note: The encryption module you use determines which files get encrypted.

As the first step of the process you get the list of newly created user keys, their corresponding temporary passwords and more information about what the users have to do next. The passwords are also stored as a backup into the file oneTimeEncryptionPasswords.csv within the Nextcloud data folder:

Encrypt all files with the Default encryption module
====================================================


Create key-pair for every user
------------------------------

This module will encrypt all files in the users files folder initially.
Already existing versions and files in the trash bin will not be encrypted.



 Key-pair created for all users 
 [============================]

Generated encryption key passwords
----------------------------------

+----------+----------------------+
| Username | Private key password |
+----------+----------------------+
| yahe     | xxxxxxxx             |
+----------+----------------------+

The following users already had a key-pair which was reused without setting a new password:

    kenny
    ncadmin


A list of all newly created passwords was written to data/oneTimeEncryptionPasswords.csv

Each of these users need to login to the web interface, go to the
personal settings section "basic encryption module" and
update the private key password to match the login password again by
entering the one-time password into the "old log-in password" field
and their current login password

Do you want to send the passwords directly to the users by mail? (y/n) n


Start to encrypt users files
----------------------------



 all files encrypted 
 [============================]

Now you and your users should be ready to go:

• Log in.
• Visit the "Settings" overview and head over to "Security".
• Under the headline "Basic encryption module" enter the temporary user key password as the "Old log-in password" and your actual login password as the "Current log-in password" and hit the "Update Private Key Password" button.
• The success of this process should be visible through a "Private key password successfully updated." message.

Having the same problem with Nextcloud 16.0.2.. Did a clean install of Nextcloud multiple times and tried to do the encryption activation slightly different each time, but it didn't help.. I always get the same error.. Don't get it to work and for now don't have the time to do complex manual fixing trials..

I had an old Nextcloud 13 installation laying around on the same server with encryption enabled.. Used that one and updated it to Nextcloud 16.0.3, encryption is still working now ^^ So that's my workaround ^^

@yahesh is our hero of the month for all the debugging work done here and in other encryption bug reports. Hopefully the devs put all your hard work to good use. NC's encryption is awfully buggy for a highly advertised flagship feature.

Confirming that I also was unable to turn on server-side encryption through the web interface on 16.0.3, and the workaround in https://github.com/nextcloud/server/issues/8546#issuecomment-514139714 was successful :+1:

Additionally, I noticed that the official documentation states maintenance mode must be enabled before using occ encryption:encrypt-all. However, if you try this, it complains that

In Manager.php line 210:
Default encryption module not loaded

My solution for this was to leave maintenance mode off, but disconnect all clients to be sure no file access took place while the process was happening. Everything completed just fine doing this.

Other discrepancies I noticed in the documentation: It implies that user keys are the default but server-wide keys were made the default at some point along the way. It also doesn't mention use of encryption:disable-master-key to switch to user keys.

I just wanted to try the solution of @yahesh on a fresh installed nextcloud 16.0.3 installation.
I also had the private key error.

But than I was prompted to upgrade to 16.0.4. I run the upgrade from the web-frontend.
Afterwards I made a chmod 777 on occ
and I run ./occ upgrade

Upgrade was performed.

Than I tried the command ./occ encryption:disable-master-key

but OCC said that the command encryption:disable-master-key is not known.

So I went to out of the maintenance mode checked in the nextcloud front-end again the Settings-->Security--> Enable Server Side encryption-box and this time it was working.

No error message any more.

So my only conclusion is that this is related to the Upgrade and the bug has already been fixed? Or my chmod 777 on occ file during the upgrade process, or the chmod 777 enabled the creation of the keys? Now of course it is back at 644.

Any clue?

Happy problem is sovled for me!!!

It works!! I tried @yahesh solution on a fresh installed nextcloud installation of 16.0.3 (on SHARED HOSTING).

For those with Shared Hosting without access to OCC, try the OCC Web from app store (https://apps.nextcloud.com/apps/occweb). NC 15 version still works for NC 16, just download the tar.gz, upload to /nextcloud/app/ folder, untar it, and enable it under disabled apps. disable it after you are done.

So I basically did what @yahesh did... (background: default encryption module was disabled, server-side ecnryption was disabled).

I ran: sudo -u www-data ./occ encryption:disable-master-key in the occweb. Then went to enable the 'defualt encryption module' app in the webgui, followed by sudo -u www-data ./occ encryption:enable

That stupid annoying "invalid private key for enecryption please update" warning disappeared.

@xCozmox I was also on 16.0.3 but didn't upgrade. to 16.0.4

just want to say i still get this issue. but all users use LDAP so theres no "changing passwords" either..

It works!! I tried @yahesh solution on a fresh installed nextcloud installation of 16.0.3 (on SHARED HOSTING).

For those with Shared Hosting without access to OCC, try the OCC Web from app store (https://apps.nextcloud.com/apps/occweb). NC 15 version still works for NC 16, just download the tar.gz, upload to /nextcloud/app/ folder, untar it, and enable it under disabled apps. disable it after you are done.

So I basically did what @yahesh did... (background: default encryption module was disabled, server-side ecnryption was disabled).

I ran: sudo -u www-data ./occ encryption:disable-master-key in the occweb. Then went to enable the 'defualt encryption module' app in the webgui, followed by sudo -u www-data ./occ encryption:enable

That stupid annoying "invalid private key for enecryption please update" warning disappeared.

@xCozmox I was also on 16.0.3 but didn't upgrade. to 16.0.4

this worked perfectly! thse two commands then log out and back in. no message! thanks!

@yahesh it works just awesome！

@nickvergessen or whoever is better suited to look into this from Nextcloud:

Encryption is a feature mentioned on the home page and is documented in the guide and the app is "Featured", which means "They ... are ready for production use". Could the exact steps for using this for production be documented in the official guide? Or maybe a couple of small bugs fixed so that people would run into less problems?

https://docs.nextcloud.com/server/18/admin_manual/configuration_files/encryption_configuration.html is not enough?

Or maybe a couple of small bugs fixed so that people would run into less problems?

which bugs?

@nickvergessen As you can read in this thread here the documentation does not seem to be sufficient to enable the server-side encryption as it does not describe broken steps in the setup process.

This issue is a bug report. I realize it's a bit long to read through, but don't you consider the problems people are having an indication of a bug? I had to use occ like @yahesh described since everything couldn't be completed via the GUI.

I am now having this issue after upgrading from 15 to 18. Can someone point to the correct solution in this thread? or a guide somewhere? there are a lot of different things suggested here.

@brimwats The solution that seems to be working for everyone is here: https://github.com/nextcloud/server/issues/8546#issuecomment-514139714

So, sorry if I missed something, but this seems to be fixed with the comment above then?
If so closing, if not, feel free to re-open

Where is this documented in the official documentation? How about fixing the code so that it isn't necessary?

@ptman thanks for the additional info :)
Could you maybe help me and edit the documentation?
You can directly click the edit button from any doc page now, that would really help :bowing_woman:

@skjnldsv I, personally, don't consider a workaround to be a proper solution. For the relevant breakages, I'm quoting @yahesh's comment https://github.com/nextcloud/server/issues/8546#issuecomment-514139714:

The expected workflow seems to be broken at some points:

1. When visiting the "Settings" overview and heading over to "Security" in the "Administration" section after logging in again (or in fact, already after refreshing the page) the "Enable server-side encryption" checkbox is deactivated again. Presumably Nextcloud is not able to properly find out that the encryption has already been activated.

2. Activating the server-side encryption doesn't seem to generate any encryption keys but after enabling the encryption the web UI automatically thinks that these should have been generated which leads to the actual error message. (On the file level there are none of the expected "files_encryption" folders.)

3. Creating new users and logging in with them doesn't create a new keypair either so they also get the "Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files." message on login.

4. On the file level no encryption takes place.

The workaround involves using the occ tool to perform all the broken steps above manually, one at a time.

Sharing files with users that don't have their own user key yet is now totally broken. The shares are written to the database but the corresponding file encryption keys (and therefore the shared files) are not available to the recipient. Trying to download such a broken file even leads to an ERROR 500. (Unsharing the file and re-sharing it when the receiving user has their individual user key fixes this problem.)

See also #20146

I got this now too, did nothing by myself with encryption..

https://github.com/nextcloud/documentation/pull/1962

I tried the workaround instructions, but don't see any password fields in the encryption module settings, so I'm unable to complete them. I got as far as running encrypt-all successfully. More files are accessible via sharing now than before, but I'm still getting the private key errors.

NC 18.0.3

Just upgraded to NC 20.0.0 and ran into this issue.

@dreamflasher So we meet again. :D

My workaround should also work with Nextcloud 20.

@yahesh small world :)

Thanks a lot for your workaround, that looks like the solution!

I had to roll back to 19.0.5 because the workaround mentioned by @yahesh didn't work for my docker environment.

• The "Default Encryption Module" was already enabled after updating from 19.0.5 to 20.0.2
• After "Enable server-side encryption" and logging out, I was unable to log back in again, as I was presented with the "Internal Server Error" page
• Using ./occ encryption:disable-master-key resulted in the following output:

www-data@26df4e7bb14c:~/html$ ./occ encryption:disable-master-key
An unhandled exception has been thrown:
Exception: Authenticated ciphertext could not be decoded. in /var/www/html/lib/private/Security/Crypto.php:122
Stack trace:
#0 /var/www/html/lib/private/Encryption/Keys/Storage.php(285): OC\Security\Crypto->decrypt('-----BEGIN PUBL...')
#1 /var/www/html/lib/private/Encryption/Keys/Storage.php(230): OC\Encryption\Keys\Storage->getKey('/files_encrypti...')
#2 /var/www/html/lib/private/Encryption/Keys/Storage.php(122): OC\Encryption\Keys\Storage->getKeyWithUid('/files_encrypti...', NULL)
#3 /var/www/html/apps/encryption/lib/KeyManager.php(615): OC\Encryption\Keys\Storage->getSystemUserKey('pubShare_acc3bf...', 'OC_DEFAULT_MODU...')
#4 /var/www/html/apps/encryption/lib/KeyManager.php(171): OCA\Encryption\KeyManager->getPublicShareKey()
#5 /var/www/html/apps/encryption/lib/Users/Setup.php(87): OCA\Encryption\KeyManager->validateShareKey()
#6 /var/www/html/apps/encryption/lib/AppInfo/Application.php(73): OCA\Encryption\Users\Setup->setupSystem()
#7 /var/www/html/apps/encryption/appinfo/app.php(37): OCA\Encryption\AppInfo\Application->setUp()
#8 /var/www/html/lib/private/legacy/OC_App.php(289): require_once('/var/www/html/a...')
#9 /var/www/html/lib/private/legacy/OC_App.php(171): OC_App::requireAppFile(Object(OCA\Encryption\AppInfo\Application))
#10 /var/www/html/lib/private/legacy/OC_App.php(131): OC_App::loadApp('encryption')
#11 /var/www/html/lib/private/Console/Application.php(127): OC_App::loadApps()
#12 /var/www/html/console.php(99): OC\Console\Application->loadCommands(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Consol
#13 /var/www/html/occ(11): require_once('/var/www/html/c...')
#14 {main}

Next OC\ServerNotAvailableException: Could not decrypt key in /var/www/html/lib/private/Encryption/Keys/Storage.php:287
Stack trace:
#0 /var/www/html/lib/private/Encryption/Keys/Storage.php(230): OC\Encryption\Keys\Storage->getKey('/files_encrypti...')
#1 /var/www/html/lib/private/Encryption/Keys/Storage.php(122): OC\Encryption\Keys\Storage->getKeyWithUid('/files_encrypti...', NULL)
#2 /var/www/html/apps/encryption/lib/KeyManager.php(615): OC\Encryption\Keys\Storage->getSystemUserKey('pubShare_acc3bf...', 'OC_DEFAULT_MODU...')
#3 /var/www/html/apps/encryption/lib/KeyManager.php(171): OCA\Encryption\KeyManager->getPublicShareKey()
#4 /var/www/html/apps/encryption/lib/Users/Setup.php(87): OCA\Encryption\KeyManager->validateShareKey()
#5 /var/www/html/apps/encryption/lib/AppInfo/Application.php(73): OCA\Encryption\Users\Setup->setupSystem()
#6 /var/www/html/apps/encryption/appinfo/app.php(37): OCA\Encryption\AppInfo\Application->setUp()
#7 /var/www/html/lib/private/legacy/OC_App.php(289): require_once('/var/www/html/a...')
#8 /var/www/html/lib/private/legacy/OC_App.php(171): OC_App::requireAppFile(Object(OCA\Encryption\AppInfo\Application))
#9 /var/www/html/lib/private/legacy/OC_App.php(131): OC_App::loadApp('encryption')
#10 /var/www/html/lib/private/Console/Application.php(127): OC_App::loadApps()
#11 /var/www/html/console.php(99): OC\Console\Application->loadCommands(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Consol
#12 /var/www/html/occ(11): require_once('/var/www/html/c...')

• From then on, neither disabling encryption or encrypt-all worked and I had to reroll to 19.0.5.
• I checked permissions, everything was owned by www-data:www-data

@kesselb can we get this added to the faq + known issues list? It and the workaround have already been added to the documentation here:
https://docs.nextcloud.com/server/20/admin_manual/configuration_files/encryption_configuration.html#invalid-private-key-for-encryption-app