Encryption Configuration Quick Guide

Encryption Types

ownCloud provides two encryption types:

User-Key:

Every user has their own private/public key pairs, and the private key is protected by the user’s password.

Master Key:

There is only one key (or key pair) and all files are encrypted using that key pair.

These encryption types are not compatible with each other. Please see User-Key Limitations for more details.

Enable the Encryption App

Before you can use encryption you must enable the encryption app. You can do this either from the command-line or from the Web-UI.

Enable Encryption From the Command-Line

To enable the encryption app, run the following command:

sudo -u www-data php occ app:enable encryption

If the encryption app successfully enables, then you should see the following confirmation:

encryption enabled

It should not happen, but the encryption app may not be packaged with your ownCloud installation. If so, you will see the following output when you attempt to enable it:

encryption not found

If that happens, then you need to install it manually. You can do this by cloning the encryption app, using the following command:

git clone https://github.com/owncloud/encryption.git apps/encryption

Enable Encryption From the Web-UI

To enable encryption from the Web-UI:

  1. Go to Settings > Admin > Apps and click on Show disabled apps.

  2. When the disabled apps are rendered click Enable under "Default encryption module".

  3. After that, go to Settings > Admin > Encryption and tick Enable server-side encryption.

  4. Then, under "Default encryption module", select the desired encryption type: either "Master Key" (recommended) or "User-key".

  5. Now you must log out and then log back in to initialize your encryption keys.

Master Key Encryption

Overview

  • The recommended type of encryption.

  • Best to activate on new instances with no data.

  • If you have existing data, use the encrypt-all command. Depending on the amount of existing data, this operation can take a long time.

Activate Master Key-Based Encryption

sudo -u www-data php occ maintenance:singleuser --on
sudo -u www-data php occ app:enable encryption
sudo -u www-data php occ encryption:enable
sudo -u www-data php occ encryption:select-encryption-type masterkey -y
sudo -u www-data php occ encryption:encrypt-all --yes
sudo -u www-data php occ maintenance:singleuser --off

View the Encryption Status

sudo -u www-data php occ encryption:status

Decrypt Encrypted Files

Depending on the amount of existing data, this operation can take a long time.

sudo -u www-data php occ maintenance:singleuser --on
sudo -u www-data php occ encryption:decrypt-all
sudo -u www-data php occ maintenance:singleuser --off

Deactivate Master Key-based Encryption

sudo -u www-data php occ encryption:disable
# ignore the "already disabled" message
sudo -u www-data php occ app:disable encryption

If the master key has been compromised or exposed, you can recreate it. The current master key must still be available, because it is needed for this operation.

sudo -u www-data php occ encryption:recreate-master-key

User-Specific Key-based Encryption

Activate User-Specific Key-based Encryption

sudo -u www-data php occ maintenance:singleuser --on
sudo -u www-data php occ app:enable encryption
sudo -u www-data php occ encryption:enable
sudo -u www-data php occ encryption:select-encryption-type user-keys
sudo -u www-data php occ encryption:encrypt-all --yes
sudo -u www-data php occ maintenance:singleuser --off

After user-specific encryption is enabled, users must log out and log back in to trigger the automatic generation of their personal encryption keys.

Set a Recovery Key

  • Go to the "Encryption" section of your Admin page.

  • Set a recovery key password.

  • Ask the users to opt-in to the recovery key.

If a user decides not to opt-in to the recovery key and forgets or loses their password, the user’s data cannot be decrypted. This leads to permanent data loss.

To opt in, users need to:

  • Go to Settings > Personal > Encryption

  • Enable the Recovery Key

View the Encryption Status

sudo -u www-data php occ encryption:status

Decrypt Encrypted Files

If you have an instance with only a few users, you can use this example to decrypt the files. Note that you have to enter the password for each user manually. The ownCloud admin must be certain that all users have already enabled the recovery key option on their personal settings page.

sudo -u www-data php occ maintenance:singleuser --on
sudo -u www-data php occ encryption:decrypt-all
# Choose the "Recovery key" option, then enter the Recovery Key for each user.
# The Recovery Key is the password set by the admin on the Encryption admin page.
sudo -u www-data php occ maintenance:singleuser --off

If you have a large instance with many users, use this to decrypt the files:

  • Export the recovery key as OC_RECOVERY_PASSWORD, then run the following set of commands (replace "1111" with your actual Recovery Key):

export OC_RECOVERY_PASSWORD=1111
sudo -u www-data php occ maintenance:singleuser --on
# -E passes the exported OC_RECOVERY_PASSWORD through sudo to the www-data process
sudo -E -u www-data php occ encryption:decrypt-all -m recovery -c yes
sudo -u www-data php occ maintenance:singleuser --off
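The same many-user decrypt procedure as a wrapper script, added here as an example and not part of the ownCloud documentation. It reads the recovery key from a mode-0600 file rather than typing it on the command line (where it would end up in shell history), and uses an EXIT trap so single-user mode is switched off and the secret is dropped from the environment even when decrypt-all fails. The occ path, the OCC_CMD variable and the secret file path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ownCloud documentation.
# Runs the many-user decrypt-all procedure above, but takes the recovery
# password from a mode-0600 file instead of a literal on the command line,
# and guarantees that single-user mode is switched off again on any exit.
set -eu

# Assumption: occ is run as www-data from the install directory.
# OCC_CMD can be overridden (e.g. to "echo") for a dry run.
OCC_CMD="${OCC_CMD:-sudo -E -u www-data php /var/www/html/owncloud/occ}"

# Return 0 only for a regular file whose group/other permission bits are
# all clear (0600, 0400, ...). Works with GNU and BSD stat.
check_secret_file() {
  f="$1"
  [ -f "$f" ] || return 1
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Turn single-user mode off and scrub the secret from the environment.
# Registered as an EXIT trap so it also runs when decrypt-all fails.
cleanup() {
  $OCC_CMD maintenance:singleuser --off
  unset OC_RECOVERY_PASSWORD
}

decrypt_all_with_recovery() {
  secret_file="$1"
  if ! check_secret_file "$secret_file"; then
    echo "refusing: $secret_file must be a regular file with mode 0600" >&2
    return 1
  fi
  # $(...) strips the trailing newline, so the file may end with one.
  OC_RECOVERY_PASSWORD=$(cat "$secret_file")
  export OC_RECOVERY_PASSWORD
  trap cleanup EXIT
  $OCC_CMD maintenance:singleuser --on
  # -m recovery / -c yes: use the recovery key and skip the confirmation,
  # exactly as in the procedure above.
  $OCC_CMD encryption:decrypt-all -m recovery -c yes
}

# Usage (assumed path): decrypt_all_with_recovery /root/oc-recovery-key
```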

Deactivate User-Specific Key-based Encryption

sudo -u www-data php occ encryption:disable

# ignore the "already disabled" message
sudo -u www-data php occ app:disable encryption

Cleanup your database

Access your ownCloud database and remove the remaining entries that were not removed automatically, using this command:

DELETE FROM oc_appconfig WHERE appid='encryption';

Cleanup your storage

Lastly, delete all encryption keys from storage by running the following command (adjust the path to your data directory to match your installation):

find /var/www/html/owncloud/data -type d -name "files_encryption" -exec rm -R {} +

At this point, keys are deleted from storage.