Encryption Configuration Quick Guide

Encryption Types

ownCloud provides two encryption types:

Master Key

There is only one key (or key pair), and all files are encrypted with that key pair. This type is highly recommended for new instances, as it avoids the functional restrictions of user-key encryption.

User-Specific Key

Every user has their own private/public key pair; the private key is protected by the user's password. This type will be removed in a future release.

Master Key

  • The recommended type of encryption.

  • Best to activate on new instances with no data.

  • If you have existing data, use the encrypt-all command (occ encryption:encrypt-all). Depending on the amount of existing data, this operation can take a long time.

Activation

occ maintenance:singleuser --on
occ app:enable encryption
occ encryption:enable
occ encryption:select-encryption-type masterkey -y
occ encryption:encrypt-all
occ maintenance:singleuser --off
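The activation sequence above leaves the instance in single-user mode if any step fails part-way (for example a long encrypt-all that errors out). The script below is an added example, not part of the ownCloud documentation: it runs the same occ steps in the documented order, aborts at the first failure, and switches single-user mode off again either way. It assumes OCC holds the command that runs occ (for example "sudo -u www-data php occ"); when OCC is unset it falls back to a constructed stub so the sequence can be dry-run offline.

```shell
#!/bin/sh
# Added example, not from the ownCloud docs: master-key activation as one unit.
# OCC is assumed to be the command that runs occ, e.g. "sudo -u www-data php occ".
# When OCC is unset, the constructed stub fake_occ is used for an offline dry run.

# Constructed stub standing in for occ: records each call in OCC_CALLS and
# fails when the subcommand equals FAIL_STEP (unset by default).
OCC_CALLS=""
fake_occ() {
    OCC_CALLS="${OCC_CALLS}$*;"
    [ "$1" != "${FAIL_STEP:-}" ]
}

OCC="${OCC:-fake_occ}"

# Run one occ step, echoing it first so the log shows where a failure happened.
occ_step() {
    echo "+ $OCC $*"
    $OCC "$@"
}

# Activation steps from this guide, in the documented order. Returns the exit
# status of the first failing step; single-user mode is switched off either way.
enable_master_key_encryption() {
    occ_step maintenance:singleuser --on || return $?
    rc=0
    occ_step app:enable encryption \
        && occ_step encryption:enable \
        && occ_step encryption:select-encryption-type masterkey -y \
        && occ_step encryption:encrypt-all \
        || rc=$?
    # Always leave single-user mode, even after a failed step, then report.
    occ_step maintenance:singleuser --off || rc=$?
    return $rc
}

if enable_master_key_encryption; then
    echo "encryption enabled; verify with: $OCC encryption:status"
else
    echo "activation failed; instance was taken out of single-user mode" >&2
fi
```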

Status

occ encryption:status

Decryption

Depending on the amount of existing data, this operation can take a long time.

occ maintenance:singleuser --on
occ encryption:decrypt-all
occ maintenance:singleuser --off

Deactivation

occ encryption:disable
# ignore the "already disabled" message
occ app:disable encryption

If the master key has been compromised or exposed, you can recreate it. The current master key must still be available to do so.

occ encryption:recreate-master-key

User-Specific Key

Activation

occ maintenance:singleuser --on
occ app:enable encryption
occ encryption:enable
occ encryption:select-encryption-type user-keys
occ encryption:encrypt-all
occ maintenance:singleuser --off

After user-specific encryption is enabled, users must log out and log back in to trigger the automatic generation of their personal encryption keys.

Recovery Key

  • Go to the "Encryption" section of your Admin page.

  • Set a recovery key password.

  • Ask the users to opt in to the recovery key.

If a user decides not to opt in to the recovery key and then forgets or loses their password, the user's data cannot be decrypted. This leads to permanent data loss.

To opt in, users need to:

  • Go to the "Personal" page

  • Enable the recovery key

Status

occ encryption:status

Decrypt

occ maintenance:singleuser --on
occ encryption:decrypt-all
# enter the recovery key for each user
# (the recovery key is a password set by the admin)
occ maintenance:singleuser --off

Deactivation

occ encryption:disable
# ignore the "already disabled" message
occ app:disable encryption