Server: Upgrade 13->14: master key disabled

GitMate.io thinks possibly related issues are https://github.com/nextcloud/server/issues/6636 (Automaitc Upgrade process - Disable backup), https://github.com/nextcloud/server/issues/7545 (TOTP and Spreed disabled after upgrading to 13 beta 3), https://github.com/nextcloud/server/issues/2964 (Master key replacement), https://github.com/nextcloud/server/issues/7201 (Disable external_user app when upgrading from 12 to 13), and https://github.com/nextcloud/server/issues/9911 (Nextcloud upgrade to 13.0.4 Failed).

I was getting this message even though I've NEVER enabled encryption. I found that if I have the default encryption module app installed, I could run the command
sudo -u www-data php occ encryption:enable-master
Output: Warning: Only available for fresh installations with no existing encrypted data!
Master key successfully enabled.
now my master key is enabled and I removed the Default encryption app.
I can now change user passwords if I need to.
I suggest you Do Not try this if you use encryption.

Thanks for the reply but i dont want to mess with the encryption. I have a couple of users and dont want to risk their files.

I'm getting this error too. Any idea how to fix this? I have the default encryption module app enabled.

Take a look at: https://github.com/nextcloud/server/issues/10630 and https://github.com/nextcloud/server/pull/10718

This does not seem to be a bug. You simply have to use the occ command to change users passwords since NC 14.

For example, you can use the command like:
occ encryption:recover-user username

thanks for pointing that out - that still leaves the bloody annoying message though.

thanks for pointing that out - that still leaves the bloody annoying message though.

yes, if this isn't a bug then maybe the message text should be changed to something more helpful

cc @nextcloud/encryption

Hi,
I'm on 14.0.2 and I don't have this command, any reason why ?

Command "encryption:recover-user" is not defined.

Did you mean one of these?
encryption:change-key-storage-root
encryption:decrypt-all
encryption:disable
encryption:enable
encryption:encrypt-all
encryption:list-modules
encryption:set-default-module
encryption:show-key-storage-root
encryption:status
group:removeuser

thanks

Below my steps to enalbe Master key

root@cloud:~/web/cloud php occ encryption:status

• enabled: true
• defaultModule: OC_DEFAULT_MODULE
  root@cloud:~/web/cloud php occ encryption:disable
  Encryption disabled
  root@cloud:~/web/cloud php occ encryption:enable
  Encryption enabled

root@cloud:~/web/cloud php occ encryption:enable
Encryption is already enabled

root@cloud:~/web/cloud php occ encryption:list-modules

• OC_DEFAULT_MODULE: Default encryption module [default*]

root@cloud:~/web/cloud php occ encryption:enable-master
Warning: Only available for fresh installations with no existing encrypted data! There is also no way to disable it again. Do you want to continue? (y/n) y
Master key successfully enabled.
I think nothing lost about data, ok all my users data for now is demo data.
But the think is if users have data backup it first.

@linuxmangr

Thank you for posting but I have a slightly different problem. I do not have encryption enabled but I sill can not change the users passwords on NC14 after an upgrade (really a migration). Can you think of why this might be since you understand this better?

@linuxmangr

Thank you for posting but I have a slightly different problem. I do _not_ have encryption enabled but I sill can not change the users passwords on NC14 after an upgrade (really a migration). Can you think of why this might be since you understand this better?

Hello,
When you try to change password of users you see somthing like this

Also a message pops up saying “Password change is disabled because the master key is disabled.”

If yes is the problem when I say to enable and disable enalbe Master key

@linuxmangr

If yes is the problem when I say to enable and disable enalbe Master key

Can you re-phrase this? It does not parse.

@linuxmangr

If yes is the problem when I say to enable and disable enalbe Master key

Can you re-phrase this? It does not parse.

When you try to change the users password what you get ? Message on notice or something else ?

@linuxmangr EDIT: I was repying to the wrong GitHub post. I am sorry.

Hello,
Please check this page Using the occ command
There all what you need from documentation of Nextcloud

@linuxmangr The admin user who will change the password is not someone who can use the command line. How can this be handled inside the GUI?

Please tell me when you try to change the user password like admin user what you get ?
Can you make screenshot ?

@linuxmangr

This is a screenshot as logged in as Admin user and vieweing the Users page. You see how under "Password" there is no field the4 Admin can type into. But on our other NC installation you see "New Password" and the Admin can click in the field and change password for each user.

Default Encryption App is not enabled.

Thank you.

@linuxmangr Maybe the solution is for me to understand exactly where I should enable and disable enalbe Master key. Can you tell me exactly where this is? Again I have Default Encryption Module disabled. Thank you.

Hi,
For first you need to enable the Default Encryption Module enable.
After go to Settings and you see to enable the "Server-side encryption"
Read here Enable Encryption
The most important
To avoid all this, create a Recovery Key. Go to the Encryption section of your Admin page and set a recovery key password.
Part Recovery Keys
If you enable this is worked well.

@linuxmangr We don't want default encryption.

@linuxmangr But are you saying that if we do all of these things then the Admin will be able to change the user's passwords all in the GUI interface?

Good evening
I have the same message when listing the users "Password change is disabled because the master key is disabled" and I have default encryption enabled since several years
I gave it to try to use "occ encryption:enable-master-key" and as written in the warning, I lost access to all my files
But I am not crazy, I had a mysqldump + lvm snapshot, so I reverted back

If you have this problem, do not try to enable the master key using this command....

Best Regards

Good evening
I have the same message when listing the users "Password change is disabled because the master key is disabled" and I have default encryption enabled since several years
I gave it to try to use "occ encryption:enable-master-key" and as written in the warning, I lost access to all my files
But I am not crazy, I had a mysqldump + lvm snapshot, so I reverted back

If you have this problem, do not try to enable the master key using this command....

Best Regards

Hi,
You are add php before command ""occ encryption:enable-master-key"" to show like
"php occ encryption:enable-master-key" here working you default php version

@linuxmangr I still do not understand why I see this message on a server that I do not have encryption on?

Also I completely do not understand what NC is talking about with this encryption. I am an expert with RSA/PGP/SSH but the messages are not even in clear English. Can anyone explain this situation?

@linuxmangr I still do not understand why I see this message on a server that I do not have encryption on?

Also I completely do not understand what NC is talking about with this encryption. I am an expert with RSA/PGP/SSH but the messages are not even in clear English. Can anyone explain this situation?

Please look this page Encryption
If you not understand I try to explain to you step by step.

Hi,
You are add php before command ""occ encryption:enable-master-key"" to show like
"php occ encryption:enable-master-key" here working you default php version

Of course I used the php command, I even used
sudo -u www-data php /var/www/nextcloud/occ encryption:enable-master-key

Nevertheless, I have the error message from admin User list whereas encryption is working since ages, and if I use it, all my data is not accessible anymore
I am still using Nextcloud 14, I will see with version 15 if I still have this error displayed

Best Regards

@linuxmangr

Please look this page Encryption

But my server does not use Encryption. And the reason it does not use encryption is because I do not have the time to read that terribly written document. Are you saying I need to understand this document so I can not use encryption?

@linuxmangr

Please look this page Encryption

But my server _does not use Encryption_. And the reason it does not use encryption is because I do not have the time to read that terribly written document. Are you saying I need to understand this document so I can _not_ use encryption?

Hi,
To enable Encryption not need to read many documents but some little parts.
Without Encryption you can not to enable the way to can change the users passwords when you need.
Is simple.
I can help you if you found the way to send me some way to connect to you NC.
I need ssh/web login if is possible.

To enable Encryption not need to read many documents but some little parts.

@linuxmangr Please read what I am saying so many times: I DO NOT USE ENCRYPTION AND I DO NOT WANT TO USE ENCRYPTION. I only want to make this error go away.

(But thank you for your offer to help.)

To enable Encryption not need to read many documents but some little parts.

@linuxmangr Please read what I am saying so many times: I DO NOT USE ENCRYPTION AND I DO NOT WANT TO USE ENCRYPTION. I only want to make this error go away.

Hi,
You first problem is "an not change the users passwords" and Default Encryption App is not enabled
And the screenshot say clear about master key.
So if you want to change users passwords you need enable Default Encryption Apps and nothing more
And try change users password.

@linuxmangr Okay thank you this is much more clear. I did this and it works! I still have another issue but I posted that in my own thread. (Had no intention to take this one over myself - sorry!). New issue: https://github.com/nextcloud/server/issues/13048

Thank you! (Also you understand I only was YELLING because I think we were not communicating for a moment. But I thank you very much for your work!)

@linuxmangr Okay thank you this is _much_ more clear. I did this and it works! I still have another issue but I posted that in my own thread. (Had no intention to take this one over myself - sorry!). New issue: #13048

Thank you! (Also you understand I only was YELLING because I think we were not communicating for a moment. But I thank you very much for your work!)

No prroblem.
I glad to help you, and happy if is work now.

@linuxmangr Okay thank you this is _much_ more clear. I did this and it works! I still have another issue but I posted that in my own thread. (Had no intention to take this one over myself - sorry!). New issue: #13048

Thank you! (Also you understand I only was YELLING because I think we were not communicating for a moment. But I thank you very much for your work!)

About other problem I read the problem but not now.

@linuxmangr Well it sort of works. Another issue: https://github.com/nextcloud/server/issues/13054

I have the same message on admin user page (user list ), my encryption module is already running :
www-data@myserv:~/var/www/cloud$ php ./occ encryption:status

• enabled: true
• defaultModule: OC_DEFAULT_MODULE

All my file are encrypted (local + S3)

Is it a bug who display only this message without a good reason ?

Please check this page Using the occ command
Disable it once and after enable again.

disabling and enabling does nothing - message still there.

Ok I think I found what is causing this. But I'm unsure how to proceed (@schiessle)

https://github.com/nextcloud/server/blob/master/settings/Controller/UsersController.php#L174

Basicallyu it assumes you never alterd the master key settings. Even if you disabled all of encyrption.

@rullzer

you never alterd the master key settings. Even if you disabled all of encyrption.

Can you tell me what this means. You and @linuxmangr are throwing words like "master key" and "encryption" around and I have used Nextcloud for about a year and I don't know what any of that means.

You should never switch from per-user keys to the master key if you already have encrypted files.

If you have encrypted files and use per-user keys the admin can't change your login password because this would make your private key inaccessible. Users still can change their password in the personal settings which will keep login password and private key password in sync.

if you are sure that you don't have any encrypted files, e.g. because you just enabled the "default encryption module" app but never server side encryption in the admin settings you can disable the "default encryption module app" again which will allow you to change passwords again as a admin after #13172 was approved, merged and backported