Encryption Configuration Quick Guide

Encryption Types

ownCloud provides two encryption types:

User-Key:

Every user has their own private/public key pairs, and the private key is protected by the user’s password.

Master Key:

There is only one key (or key pair) and all files are encrypted using that key pair.

These encryption types are not compatible with each other; an instance uses one or the other. Please see User-Key Limitations for more details.

Enable the Encryption App

Before you can use encryption you must enable the encryption app. You can do this either from the command-line or from the Web-UI.

Enable Encryption From the Command-Line

To enable the encryption app, run the following command:

sudo -u www-data php occ app:enable encryption

If the encryption app successfully enables, then you should see the following confirmation:

encryption enabled

This should never happen, but the encryption app may not be packaged with your ownCloud installation. If so, you will see the following output when you attempt to enable it:

encryption not found

If that happens, then you need to install it manually. You can do this by cloning the encryption app, using the following command:

git clone https://github.com/owncloud/encryption.git apps/encryption

Enable Encryption From the Web-UI

To enable encryption from the Web-UI:

  1. Go to Settings > Admin > Apps and click on Show disabled apps

  2. When the disabled apps are rendered, click Enable under "Default encryption module".

  3. After that go to Settings > Admin > Encryption, and tick Enable server-side encryption.

  4. Then, under "Default encryption module", select the desired encryption type, either "Master Key" (recommended) or "User-key".

  5. Now you must log out and then log back in to initialize your encryption keys.

Master Key Encryption

Overview

  • The recommended type of encryption.

  • Best to activate on new instances with no data.

  • If you have existing data, run the encryption:encrypt-all command. Depending on the amount of existing data, this operation can take a long time.

  • The master key lives under the data directory (files_encryption) and is itself protected by the instance secret in config.php. Anyone holding both the data directory and config.php can decrypt the files, so protect and back up both together.

Activate Master Key-Based Encryption

sudo -u www-data php occ maintenance:singleuser --on
sudo -u www-data php occ encryption:enable
sudo -u www-data php occ encryption:select-encryption-type masterkey -y
sudo -u www-data php occ encryption:encrypt-all
sudo -u www-data php occ maintenance:singleuser --off

View the Encryption Status

sudo -u www-data php occ encryption:status

Decrypt Encrypted Files

Depending on the amount of existing data, this operation can take a long time.

sudo -u www-data php occ maintenance:singleuser --on
sudo -u www-data php occ encryption:decrypt-all
sudo -u www-data php occ maintenance:singleuser --off

Deactivate Master Key-based Encryption

sudo -u www-data php occ encryption:disable
# ignore the "already disabled" message
sudo -u www-data php occ app:disable encryption

If the master key has been compromised or exposed, you can recreate it. The command needs the current master key, because existing files must be decrypted with it before they are re-encrypted with the new key.

sudo -u www-data php occ encryption:recreate-master-key

User-Specific Key-based Encryption

Activate User-Specific Key-based Encryption

sudo -u www-data php occ maintenance:singleuser --on
sudo -u www-data php occ encryption:enable
sudo -u www-data php occ encryption:select-encryption-type user-keys
sudo -u www-data php occ encryption:encrypt-all
sudo -u www-data php occ maintenance:singleuser --off
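The master-key and user-key activation sequences above, and the status check, are the same handful of occ commands with one argument changed. As an added example, not part of the ownCloud documentation or code base, the following script wraps them with the checks a practitioner would want: it clones the app if app:enable reports it missing, refuses to change the type on an instance that already has encryption switched on, turns single-user mode back off if a step fails, and verifies encryption:status afterwards. The paths (OC_ROOT, OC_USER), the status-output format it parses, and the exact output strings it matches are assumptions, not taken from this page.

```bash
#!/usr/bin/env bash
# Added example, not ownCloud's own tooling: wraps this guide's occ sequence
# (enable the app, enable encryption, pick the type, encrypt existing data)
# in a script that aborts on the first failing step, always leaves
# single-user mode switched off, and verifies the result.
# Assumed paths (not from the guide): ownCloud root OC_ROOT, web user OC_USER.
set -eu

OC_ROOT="${OC_ROOT:-/var/www/owncloud}"
OC_USER="${OC_USER:-www-data}"
# How to invoke occ; override with OCC="echo occ" to print the sequence only.
OCC="${OCC:-sudo -u $OC_USER php $OC_ROOT/occ}"

# Pull one field out of `occ encryption:status`. Assumed output format:
# "  - enabled: true" / "  - defaultModule: OC_DEFAULT_MODULE". Reads stdin.
status_field() {
    sed -n "s/^[[:space:]]*-[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Enable the encryption app; if this build does not ship it ("encryption not
# found"), clone it into apps/ as the guide describes and retry.
ensure_encryption_app() {
    local out
    if out="$($OCC app:enable encryption 2>&1)"; then
        return 0
    fi
    case "$out" in
        *"not found"*)
            git clone https://github.com/owncloud/encryption.git "$OC_ROOT/apps/encryption"
            $OCC app:enable encryption ;;
        *)
            echo "app:enable encryption failed: $out" >&2
            return 1 ;;
    esac
}

# Activate encryption of the given type: masterkey or user-keys.
activate_encryption() {
    local type="$1"
    case "$type" in
        masterkey|user-keys) ;;
        *) echo "unknown encryption type '$type' (use masterkey or user-keys)" >&2; return 2 ;;
    esac
    ensure_encryption_app
    # The two types are not compatible, so never run this on an instance that
    # already has encryption switched on.
    if [ "$($OCC encryption:status | status_field enabled)" = "true" ]; then
        echo "encryption is already enabled; refusing to change the type" >&2
        return 1
    fi
    $OCC maintenance:singleuser --on
    # If any step below fails, leave single-user mode off again on exit.
    trap '$OCC maintenance:singleuser --off' EXIT
    $OCC encryption:enable
    # -y skips the confirmation prompt of select-encryption-type.
    $OCC encryption:select-encryption-type "$type" -y
    # encrypt-all re-encrypts existing data and can run for a long time.
    $OCC encryption:encrypt-all
    trap - EXIT
    $OCC maintenance:singleuser --off
    # Verify the outcome instead of trusting the exit codes alone.
    [ "$($OCC encryption:status | status_field enabled)" = "true" ] \
        || { echo "encryption:status still reports enabled != true" >&2; return 1; }
}

# Usage: ./encryption-activate.sh masterkey   (or user-keys)
if [ "$#" -gt 0 ]; then
    activate_encryption "$1"
fi
```

Run it as the root or sudo-capable admin, since the occ calls themselves switch to the web-server user. For user-keys, the script does not replace the final step in the guide: users still have to log out and back in afterwards so their personal keys are generated.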

After User-specific encryption is enabled, users must log out and log back in to trigger the automatic personal encryption key generation process.

Set a Recovery Key

  • Go to the "Encryption" section of your Admin page.

  • Set a recovery key password.

  • Ask the users to opt-in to the recovery key.

If a user decides not to opt-in to the recovery key and forgets or loses their password, the user’s data cannot be decrypted. This leads to permanent data loss.

To opt in, each user needs to:

  • Go to Settings  Personal  Encryption

  • Enable the Recovery Key

View the Encryption Status

sudo -u www-data php occ encryption:status

Decrypt Encrypted Files

sudo -u www-data php occ maintenance:singleuser --on
sudo -u www-data php occ encryption:decrypt-all
# enter the recovery key password when prompted, once for each user
# (the recovery key password is the one set by the admin)
sudo -u www-data php occ maintenance:singleuser --off

Deactivate User-Specific Key-based Encryption

sudo -u www-data php occ encryption:disable

# ignore the "already disabled" message
sudo -u www-data php occ app:disable encryption