Hi,
I configured a remote Nextcloud instance as external storage and enabled encryption on the mount. However, when I create or edit a file in the remote storage (using my computer or the Web UI of my server), the file is sent to the remote server, but it’s unencrypted.
This is the first time that I try to use this feature, but as far as I know and according to the documentation, the file should be encrypted before being transmitted to the external storage as long as the server-side encryption is enabled and encryption has been activated on the external storage.
Steps to replicate it:
Enable server-side encryption and allow users to mount external storage
Connect as a simple user and create an external storage, connected to a remote Nextcloud server (version 16).
Go into the folder which links to the external storage that you just created and create a text file, type some text and close the editor to save it.
Connect to the Nextcloud server that you use as external storage and a few seconds later, you should see the file created earlier.
Open the file and you will see the text that you typed earlier, instead of encrypted content.
Nextcloud Server 16.0.1
Operating system and version: Debian 9
Apache or nginx version: Apache
PHP version: 7.2 / 7.3
I am also seeing this. I'm using the Nextcloud docker container.
Operating system: Linux 4.19.0-041900-generic #201810221809 SMP Mon Oct 22 22:11:45 UTC 2018 x86_64
Webserver: Apache/2.4.25 (Debian) (apache2handler)
Database: pgsql PostgreSQL 10.9 (Ubuntu 10.9-0ubuntu0.18.04.1) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 7.4.0-1ubuntu1~18.04.1) 7.4.0, 64-bit
PHP version: 7.3.5
Modules loaded: Core, date, libxml, openssl, pcre, sqlite3, zlib, ctype, curl, dom, fileinfo, filter, ftp, hash, iconv, json, mbstring, SPL, PDO, session, posix, Reflection, standard, SimpleXML, pdo_sqlite, Phar, tokenizer, xml, xmlreader, xmlwriter, mysqlnd, apache2handler, apcu, exif, gd, imagick, intl, ldap, memcached, pcntl, pdo_mysql, pdo_pgsql, redis, sodium, zip, Zend OPcache
Nextcloud version: 16.0.1 - 16.0.1.1
Updated from an older Nextcloud/ownCloud or fresh install:
Where did you install Nextcloud from: unknown
Signing status
Array
(
)
List of activated apps
Enabled:
- accessibility: 1.2.0
- activity: 2.9.1
- admin_audit: 1.6.0
- bruteforcesettings: 1.3.0
- calendar: 1.7.0
- camerarawpreviews: 0.7.0
- cloud_federation_api: 0.2.0
- comments: 1.6.0
- contacts: 3.1.3
- dav: 1.9.2
- encryption: 2.4.0
- external: 3.3.0
- federatedfilesharing: 1.6.0
- federation: 1.6.0
- files: 1.11.0
- files_external: 1.7.0
- files_external_gdrive: 0.4.0
- files_fulltextsearch: 1.3.2
- files_pdfviewer: 1.5.0
- files_rightclick: 0.13.0
- files_sharing: 1.8.0
- files_texteditor: 2.8.0
- files_trashbin: 1.6.0
- files_versions: 1.9.0
- files_videoplayer: 1.5.0
- firstrunwizard: 2.5.0
- fulltextsearch: 1.3.4
- fulltextsearch_elasticsearch: 1.3.3
- gallery: 18.3.0
- keeweb: 0.5.1
- logreader: 2.1.0
- lookup_server_connector: 1.4.0
- metadata: 0.9.0
- news: 13.1.6
- nextcloud_announcements: 1.5.0
- notes: 3.0.0
- notifications: 2.4.1
- oauth2: 1.4.2
- onlyoffice: 2.3.0
- password_policy: 1.6.0
- previewgenerator: 2.1.0
- privacy: 1.0.0
- provisioning_api: 1.6.0
- qownnotesapi: 19.4.0
- recommendations: 0.4.0
- serverinfo: 1.6.0
- sharebymail: 1.6.0
- support: 1.0.0
- survey_client: 1.4.0
- systemtags: 1.6.0
- tasks: 0.11.0
- theming: 1.7.0
- twofactor_backupcodes: 1.5.0
- twofactor_nextcloud_notification: 1.1.1
- twofactor_totp: 2.1.2
- twofactor_u2f: 3.0.0
- updatenotification: 1.6.0
- viewer: 1.0.0
- workflowengine: 1.6.0
Disabled:
- user_ldap
Configuration (config/config.php)
{
"onlyoffice": {
"verify_peer_off": true
},
"htaccess.RewriteBase": "\/",
"memcache.distributed": "\\OC\\Memcache\\Redis",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"port": "6379"
},
"memcache.locking": "\\OC\\Memcache\\Redis",
"apps_paths": [
{
"path": "\/var\/www\/html\/apps",
"url": "\/apps",
"writable": false
},
{
"path": "\/var\/www\/html\/custom_apps",
"url": "\/custom_apps",
"writable": true
}
],
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
***REMOVED SENSITIVE VALUE***
],
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"dbtype": "pgsql",
"version": "16.0.1.1",
"overwrite.cli.url": "http:\/\/cloud.yalam.co.uk",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"memcache.local": "\\OC\\Memcache\\APCu",
"maintenance": false,
"loglevel": 2,
"mail_smtpmode": "smtp",
"mail_smtpsecure": "ssl",
"mail_sendmailmode": "smtp",
"mail_smtpauthtype": "LOGIN",
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "465",
"mail_smtpauth": 1,
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***"
}
External storages: yes
External storage configuration
+----------+-----------------------+--------------+---------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+------------------+-------------------+----------+
| Mount ID | Mount Point | Storage | Authentication Type | Configuration | Options | Applicable Users | Applicable Groups | Type |
+----------+-----------------------+--------------+---------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+------------------+-------------------+----------+
| 2 | /Wasabi | Amazon S3 | Access key | bucket: "***REMOVED SENSITIVE VALUE***", hostname: "s3.eu-central-1.wasabisys.com", port: "", region: "eu-central-1", use_ssl: true, use_path_style: false, legacy_auth: false, key: "***REMOVED SENSITIVE VALUE***", secret: "***REMOVED SENSITIVE VALUE***" | readonly: false | All | | Admin |
| 4 | /gdrive-gapps | Google Drive | OAuth2 | client_id: " ***REMOVED SENSITIVE VALUE***", client_secret: "***REMOVED SENSITIVE VALUE***", configured: "true", token: "***REMOVED SENSITIVE VALUE***" | readonly: false | yousef | | Personal |
| 6 | /gdrive-flamingspaz96 | Google Drive | OAuth2 | client_id: "***REMOVED SENSITIVE VALUE***", client_secret: "***", configured: "true", token: "***" | readonly: false | yousef | | Personal |
+----------+-----------------------+--------------+---------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+------------------+-------------------+----------+
Encryption: yes
User-backends:
Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0
Disregard from me, I think some files were uploaded before encryption was enabled, new uploads I can see are encrypted.
I am experiencing the same issue on nextcloud 17.0
I tried with another nextcloud as external storage.
Also local folder as external storage..
No encryption at all. I see the certs generated in my data volumes, but no encryption whatsoever.
Is this known?
Same here. The remote was configured from the beginning with encryption on, but all files appear as-is in the remote. I can also add files to the remote directly and they will appear as-is in the nextcloud instance.
wow... this is really critical. How can Nextcloud have such a big issue open for so long?
Recently (less than 25 days ago as per the last post from @Skip75) NextCloud 18 was released. Is this issue addressed and resolved for Wasabi in version 18?
I observed the same behavior with nextcloud 18. I used another nextcloud instance as external storage.
The primary purpose of the Nextcloud server-side encryption is to protect users’ files on remote storage, such as Dropbox and Google Drive, and to do it easily and seamlessly from within Nextcloud.
As you can see in this screenshot, the remote file is not encrypted!
Server-side encryption is enabled.
Same here. Activated encryption and then started syncing files to external storage (wasabi). I can log into Wasabi, open the bucket, and there are all the files fully unencrypted.
I just tested this:
It works exactly as designed on Nextcloud 18.0.2. There have, as far as I know, been no changes in this code for a while.
Please double-check your settings, this is most likely a configuration issue, NOT a bug. It could be broken on a specific type of external storage, perhaps. Report back if you can pinpoint what the problem is, or ask for help on how to configure things on our home user forums on help.nextcloud.com
If you can reproduce the problem, please make a video or a series of clear screenshots on how to reproduce it, like I did above.
Didn't mean to close, sorry.
I configured a remote Nextcloud instance as external storage and enabled encryption on the mount. However, when I create or edit a file in the remote storage (using my computer or the Web UI of my server), the file is sent to the remote server, but it’s unencrypted.
He configured a remote Nextcloud instance as external storage. That's a different story than mounting a local directory as external storage.
Ok, so that was not clear to me. It is about one specific external storage - a Nextcloud external storage. Let me test that.
EDIT: can confirm, this doesn't encrypt the file. I'll try and kick some ppl to look into the technical side of it.
Settings:
Local:
Remote:
(the fact that it has a preview generated is enough showing the issue :cry: )
Thanks for having a look Jos, would be fantastic if it can be solved!
So this actually never worked, as federated shares and Nextcloud external storages are explicitly excluded.
The issue here is I guess that the option is shown.
@rullzer Could you please provide a link to the documentation.
there is none to this case. It just never worked.
The reason is that if you store the files encrypted on a different Nextcloud, the header tells that Nextcloud the file is encrypted, leading to improperly decrypted files etc.
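A check for the failure this thread describes, added here and not part of Nextcloud's own code: it reads the start of each file on the external storage and reports whether it carries a Nextcloud server-side encryption header, so an admin can verify what actually landed on the remote. Assumptions: the default encryption module writes a header that begins with HBEGIN, ends with HEND and is padded to an 8 KiB block; the sample files are constructed.

```python
"""Audit files on an external storage for the Nextcloud server-side encryption header."""
from pathlib import Path
from typing import Dict, Optional

HEADER_START = b"HBEGIN"
HEADER_END = b"HEND"
HEADER_BLOCK = 8192  # assumption: the header is padded with '-' to one 8 KiB block


def parse_encryption_header(data: bytes) -> Optional[Dict[str, str]]:
    """Return the header fields as a dict, or None if no (complete) header is present."""
    if not data.startswith(HEADER_START + b":"):
        return None
    end = data.find(b":" + HEADER_END)
    if end == -1:
        return None  # starts like a header but the terminator is missing: treat as not encrypted
    body = data[len(HEADER_START) + 1:end].decode("ascii", errors="replace")
    parts = body.split(":")
    if len(parts) % 2 != 0:
        return None  # key without value: malformed header
    return dict(zip(parts[0::2], parts[1::2]))


def is_encrypted(data: bytes) -> bool:
    """True only when a well-formed header names an encryption module."""
    header = parse_encryption_header(data)
    return header is not None and "oc_encryption_module" in header


def audit_files(files: Dict[str, bytes]) -> Dict[str, bool]:
    """Map each file name to whether its content carries the encryption header."""
    return {name: is_encrypted(blob) for name, blob in files.items()}


def audit_directory(root: Path) -> Dict[str, bool]:
    """Same check against real files: only the first header block is read from each."""
    return {str(p.relative_to(root)): is_encrypted(p.open("rb").read(HEADER_BLOCK))
            for p in root.rglob("*") if p.is_file()}


# Constructed samples: one plaintext file (the bug in this thread) and one encrypted file.
ENCRYPTED_HEADER = (b"HBEGIN:oc_encryption_module:OC_DEFAULT_MODULE:"
                    b"cipher:AES-256-CTR:signed:true:HEND")
SAMPLE_FILES = {
    "notes.txt": b"Hello, this text should have been encrypted.",
    "report.pdf": ENCRYPTED_HEADER.ljust(HEADER_BLOCK, b"-") + b"\x8a\x10\x42\x9f",
}

if __name__ == "__main__":
    for name, encrypted in audit_files(SAMPLE_FILES).items():
        print(f"{name}: {'encrypted' if encrypted else 'PLAINTEXT'}")
```

Run `audit_directory(Path("/path/to/remote/data"))` against the remote server's data directory (or a local mount of the bucket) to list every file that was stored in the clear.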
I just bought a VPS, set up a Nextcloud 18.0.4 instance with server-side encryption enabled and added my Nextcloud account hosted by a Nextcloud provider as a remote storage hoping it would encrypt all files. Sadly it didn't work and I ended up finding this issue.
Question: Are there any plans to support encryption on nextcloud external storages?
Suggestion: Please add this to documentation so more people like me won't have to realize this wouldn't work after spending a couple of days on setting it all up.
@rullzer Are you telling then, that an external nextcloud share is never encrypted?
So let's have the following setup: Two NC instances (call them A and B). B has an external storage configured to write/read data on A. If server-sided encryption is enabled only on B, this will write unencrypted data to the storage on A?
Yeap. So now the option to use encryption when using another Nextcloud server as storage will no longer show, as it doesn't work... I'll also add a note to the docs.