Encryption Configuration Quick Guide

Introduction

This quick guide gives a brief summary of the commands needed without going into the details and backgrounds. See the full encryption configuration guide for more details.

Master-Key-Based Encryption

Overview

  • Master-key-based encryption is the default mode when encryption is enabled on a new instance.

  • If you have existing data, use the occ encryption:encrypt-all command. Depending on the amount of existing data and the location, this operation can take a long time.

Activate Master Key-Based Encryption

sudo -u www-data ./occ maintenance:singleuser --on
sudo -u www-data ./occ app:enable encryption
sudo -u www-data ./occ encryption:enable
sudo -u www-data ./occ encryption:encrypt-all --yes
sudo -u www-data ./occ maintenance:singleuser --off
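The five commands above are one sequence, and the step most likely to fail or be interrupted (encrypt-all) sits between entering and leaving single-user mode. The following wrapper is an added example, not part of the ownCloud documentation: it runs the same steps in order, stops at the first failing step, and always switches single-user mode off again so the instance is not left locked to users. The OCC variable is an assumption introduced here; its default is the command form used on this page.

```shell
#!/bin/sh
# Added example (not ownCloud's own code): guarded version of the
# master-key activation sequence. OCC is an assumed variable; the
# default matches the commands shown on this page.
OCC="${OCC:-sudo -u www-data ./occ}"

enable_master_key_encryption() {
    # Enter single-user mode first; if that fails there is nothing to undo.
    $OCC maintenance:singleuser --on || return 1
    rc=0
    # Same steps as the page, in the same order. Stop at the first failure.
    for step in "app:enable encryption" "encryption:enable" "encryption:encrypt-all --yes"; do
        if ! $OCC $step; then
            echo "step failed: occ $step" >&2
            rc=1
            break
        fi
    done
    # Always leave single-user mode, whether or not the steps succeeded,
    # so a failed run does not keep the instance closed to users.
    $OCC maintenance:singleuser --off || rc=1
    return "$rc"
}

# Only act when explicitly asked; sourcing the file just defines the function.
if [ "${1:-}" = "--run" ]; then
    enable_master_key_encryption
fi
```

Run it as a script with the --run argument, or source it and call enable_master_key_encryption from your own maintenance script; a non-zero exit status means one of the encryption steps failed and the encryption status should be checked before users are let back in.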

View the Encryption Status

sudo -u www-data ./occ encryption:status

Decrypt Encrypted Files

Depending on the amount of existing data, this operation can take a long time.

sudo -u www-data ./occ maintenance:singleuser --on
sudo -u www-data ./occ encryption:decrypt-all
sudo -u www-data ./occ maintenance:singleuser --off

Deactivate Master-Key-Based Encryption

sudo -u www-data ./occ encryption:disable

# ignore the "already disabled" message
sudo -u www-data ./occ app:disable encryption

If the master key has been compromised or exposed, you can replace it. The current master key must still be available for this operation.

sudo -u www-data ./occ encryption:recreate-master-key

Clean up Your Database

Access your ownCloud database and remove the remaining entries that were not removed automatically, using this command:

DELETE FROM oc_appconfig WHERE appid='encryption';

Clean up Your Storage

The removal of the remaining encryption keys is a manual process. You have to delete all encryption keys on the storage by running the following command. Adjust the path to your data directory to match your installation. The find command limits the search to exactly one directory level below the user directories and, as a safeguard, prompts before each deletion:

find /var/www/owncloud/data/ -mindepth 2 -maxdepth 2 -type d -name "files_encryption" -exec rm -R -i {} +
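Because the deletion above is irreversible, it is worth listing the directories it would match before running it. The script below is an added example, not part of the ownCloud documentation: it applies the same depth limits as the find command on this page but only lists and counts the matching files_encryption directories, so you can review the set first. It also shows why the depth limits matter: a user folder that happens to be named files_encryption deeper inside their own files is not matched. The data directory argument and the function names are assumptions introduced here; the default path is the one used on this page.

```shell
#!/bin/sh
# Added example (not ownCloud's own code): preview of what the page's
# cleanup command would remove, without deleting anything.
# The data directory argument defaults to the path used on this page.

list_encryption_key_dirs() {
    data_dir="${1:-/var/www/owncloud/data}"
    [ -d "$data_dir" ] || { echo "no such data directory: $data_dir" >&2; return 1; }
    # Same limits as the deletion command: only <data>/<user>/files_encryption.
    # -mindepth 2 skips a top-level <data>/files_encryption, -maxdepth 2 skips
    # anything named files_encryption inside a user's own files.
    find "$data_dir" -mindepth 2 -maxdepth 2 -type d -name files_encryption | sort
}

count_encryption_key_dirs() {
    list_encryption_key_dirs "$1" | wc -l | tr -d ' '
}

# Usage: preview.sh [data directory]
if [ "${1:-}" = "--preview" ]; then
    dir="${2:-/var/www/owncloud/data}"
    echo "per-user key directories that the cleanup would remove under $dir:"
    list_encryption_key_dirs "$dir"
    echo "total: $(count_encryption_key_dirs "$dir")"
fi
```

Run it with --preview (optionally followed by your data directory) after encryption has been disabled and decrypt-all has finished; if the count is zero, the storage is already clean and the deletion step can be skipped.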