Server: NC 20.0.2 Legacy encryption - mitigation and documentation thereof

Created on 20 Nov 2020 · 4 Comments · Source: nextcloud/server

With Nextcloud 20, the term "Legacy encryption" was introduced. The documentation says little about what legacy encryption is: https://docs.nextcloud.com/server/20/admin_manual/configuration_files/encryption_migration.html
I found another document, which gives hints about what could be meant: https://eprint.iacr.org/2020/1439.pdf

I ran the command
occ encryption:scan:legacy-format
with output similar to this:
sudo -u www-data php /var/www/nextcloud/occ encryption:scan:legacy-format
Scanning all files for legacy encryption
Scanning all files for username
/username/files_trashbin/files/file1.odt.d1592989576 does not have a proper header
/username/files_trashbin/versions/folder1/file2.xls.v1585723230 does not have a proper header
/username/files_versions/folder2/file3.xls.v1189677150 does not have a proper header

Now I got some files with improper headers. Does my Nextcloud still use legacy encryption for all files or does it use a more secure encryption? What are the differences?

When running occ encryption I also encountered a new command:
Command "encryption" is not defined.
Did you mean one of these?
encryption:change-key-storage-root
encryption:decrypt-all
encryption:disable
encryption:disable-master-key
encryption:enable
encryption:enable-master-key
encryption:encrypt-all
encryption:list-modules
encryption:migrate-key-storage-format
encryption:recover-user
encryption:scan:legacy-format
encryption:set-default-module
encryption:show-key-storage-root
encryption:status

There is no documentation about encryption:migrate-key-storage-format but an excerpt from the file /nextcloud/core/Command/Encryption/MigrateKeyStorage.php - https://fossies.org/linux/nextcloud/core/Command/Encryption/MigrateKeyStorage.php
->setName('encryption:migrate-key-storage-format')
->setDescription('Migrate the format of the keystorage to a newer format')

Am I supposed to use this command? I have key-type: user keys ( https://docs.nextcloud.com/server/20/admin_manual/configuration_files/encryption_details.html#key-type-user-key )
Will I still be able to use user keys after running this command, and is it safe to run it?

My feature request is: please answer these questions and update the documentation of Nextcloud.
Thank you very much for maintaining nextcloud! :)

0. Needs triage enhancement

Most helpful comment

Please someone explain what these "...does not have a proper header" error messages mean and how they can be fixed.

All 4 comments

For the documentation record:
The command encryption:migrate-key-storage-format cannot be run successfully when your Nextcloud is in maintenance mode.
user@server:/home/user# sudo -u www-data php /var/www/nextcloud/occ encryption:migrate-key-storage-format
Nextcloud is in maintenance mode - no apps have been loaded
Updating key storage format
Start to update the keys:
4 [----->----------------------]
In Manager.php line 187:
Module with ID: OC_DEFAULT_MODULE does not exist.
encryption:migrate-key-storage-format
You have to turn off maintenance mode first:
sudo -u www-data php /var/www/nextcloud/occ maintenance:mode --off
Then it runs smoothly, but without any notice before it starts. Does it not bear any risks?

user@server:/home/user# sudo -u www-data php /var/www/nextcloud/occ encryption:list-modules
OC_DEFAULT_MODULE: Default encryption module [default*]

user@server:/home/user# sudo -u www-data php /var/www/nextcloud/occ encryption:migrate-key-storage-format
Updating key storage format
Start to update the keys:
20 [============================]Key storage format successfully updated

After the migration, occ encryption:scan:legacy-format still outputs the same files as "does not have a proper header". Am I supposed to delete those files? Can I simply rm them and then do occ files:scan? (All my files with improper headers are either in the trashbin or in the folder files_versions.)
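
To see where flagged files sit before deciding what to do with them, the scan output can be grouped by user and storage area. This is an added example, not part of the original thread and not Nextcloud code; the sample output is constructed from the format quoted above, and the `files` area, the extra sample line and all function names are assumptions.

```python
"""Summarise `occ encryption:scan:legacy-format` output by user and storage area."""
import re
from collections import Counter

# Constructed sample modelled on the output quoted in this thread;
# the last line (a file under files/) is added for illustration.
SAMPLE = """\
Scanning all files for legacy encryption
Scanning all files for username
/username/files_trashbin/files/file1.odt.d1592989576 does not have a proper header
/username/files_trashbin/versions/folder1/file2.xls.v1585723230 does not have a proper header
/username/files_versions/folder2/file3.xls.v1189677150 does not have a proper header
/username/files/report with spaces.odt does not have a proper header
"""

FLAGGED = re.compile(r"^(?P<path>/.+) does not have a proper header$")
# Longest prefixes first; the first four are trashbin/version history areas.
AREAS = ("files_trashbin/versions", "files_trashbin/files", "files_trashbin",
         "files_versions", "files")


def classify(path):
    """Return (user, area) for a flagged path such as /user/files_versions/x."""
    user, _, rest = path.lstrip("/").partition("/")
    for area in AREAS:
        if rest == area or rest.startswith(area + "/"):
            return user, area
    return user, "other"


def summarise(scan_output):
    """Count flagged files per (user, area); banner and prompt lines are ignored."""
    counts = Counter()
    for line in scan_output.splitlines():
        match = FLAGGED.match(line.strip())
        if match:
            counts[classify(match.group("path"))] += 1
    return counts


def live_data_flagged(counts):
    """Flagged entries outside the trashbin and version folders."""
    return {key: n for key, n in counts.items() if key[1] not in AREAS[:4]}


if __name__ == "__main__":
    result = summarise(SAMPLE)
    for (user, area), n in sorted(result.items()):
        print(f"{user:12} {area:26} {n}")
    print("flagged outside trashbin/versions:", live_data_flagged(result))
```

The script only reports where the flagged paths are; it does not interpret the message or change any file.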

Please someone explain what these "...does not have a proper header" error messages mean and how they can be fixed.

I also have the same question, can I set "encryption.legacy_format_support" to false without any problems?

I have the same output on occ encryption:scan:legacy-format, of course for other files than the OP. Could it lead to problems if I set encryption.legacy_format_support to false?
