Migrating User Key Encryption to Master Key Encryption

Why Should I Move Away From User Key-based Encryption?

User key-based encryption is planned to be removed from ownCloud in the near future. While it is a bit more secure than a central encryption approach, User key-based encryption has some disadvantages. It blocks some additional functions such as the integration of an online editor like LibreOffice or OnlyOffice into ownCloud and can cause problems when sharing files with groups. Therefore Master-key-based encryption is now the recommended setup for all new installations.

The decryption workflow described here works for both MySQL and SQLite based databases. It will only work when users have enabled the password recovery. Moreover, an admin recovery password needs to be activated and available for the ownCloud administrator.

If you need to migrate from User Key-based to Master Key-based encryption, there are several steps that you need to follow to ensure a smooth and complete transition:

Disable User Key-based Encryption

The first part of the migration process is to decrypt all files and to disable encryption in ownCloud, which requires three commands to be executed. These commands are: occ encryption:decrypt-all and occ encryption:disable, and occ app:disable.

You can see an example of calling the commands listed below, configured to require no user interaction.

sudo -u www-data php occ encryption:decrypt-all --continue=yes && \
  sudo -u www-data php occ encryption:disable --no-interaction && \
  sudo -u www-data php occ app:disable --no-interaction encryption
The decryption of the files by the ownCloud administrator requires the current passwords of all users! This only works when users have enabled password recovery and if an admin recovery password is available.

Remove the Encryption Records from the ownCloud Database

Once your ownCloud files are unencrypted, and encryption has been disabled, you need to remove the encryption records from the database. There is, currently, no occ command to handle this, so it has to be done manually. Specifically, you need to remove all records from the oc_appconfig table where the appid column is set to encryption.

In the examples below you can see how to do this using the SQLite database. If you are not using SQLite, please use the commands specific to your database vendor.

The example code assumes that the path to the SQLite database is <YOUR/OWNCLOUD/ROOT/DIRECTORY>data/owncloud.database.
sudo sqlite3 data/owncloud.database
sqlite> delete from oc_appconfig where appid='encryption';
sqlite> select * from oc_appconfig where appid='encryption';

Same for mysql:

SELECT * FROM `oc_appconfig` WHERE `appid` LIKE 'encryption'

Remove the files_encryption Directory

With the database updated, next, the files_encryption directory needs to be removed. Below is an example of how to do so, to save you time.

find ./data* -name files_encryption -exec rm -rvf {} \;

Encrypt the Filesystem Using Master Key-based Encryption

Now, your ownCloud files can be encrypted using Master Key-based encryption. This requires the following steps:

  1. The encryption app needs to be enabled

  2. Encryption needs to be enabled

  3. The encryption type needs to be set to master key

  4. The ownCloud filesystem can be re-encrypted.

The following example shows how to do this.

sudo -u www-data php occ app:enable encryption && \
  sudo -u www-data php occ encryption:enable && \
  sudo -u www-data php occ encryption:select-encryption-type masterkey -y && \
  sudo -u www-data php occ encryption:encrypt-all --yes

Verify the Encrypted Files

With the files encrypted using Master Key-based encryption, you should now verify that everything worked properly. To do so, run a SELECT query in your database which returns all files from the oc_appconfig table where the appid column is set to encryption. You should see a number of records, as in the output of the example below.

sudo sqlite3 data/owncloud.database
sqlite> select * from oc_appconfig where appid='encryption';
encryption|recoveryKeyId|recoveryKey_73facda6
encryption|publicShareKeyId|pubShare_73facda6
encryption|masterKeyId|master_73facda6
encryption|installed_version|1.3.1
encryption|types|filesystem
encryption|enabled|yes
encryption|useMasterKey|1

Disable Single User Mode

With encryption migrated from User Key-based encryption to Master Key-based, disable single user mode, if you enabled it before beginning the migration.

sudo -u www-data php occ maintenance:singleuser --off