Encryption Configuration Quick Guide

Introduction

This quick guide gives a brief summary of the commands needed without going into the details and backgrounds. See the full encryption configuration guide for more details.

Master-Key-Based Encryption

Overview

  • The recommended type of encryption.

  • Best to activate on new instances with no data.

  • If you have existing data, use the occ encryption:encrypt-all command. Depending on the amount of existing data and the location, this operation can take a long time.

Activate Master Key-Based Encryption

sudo -u www-data php occ maintenance:singleuser --on
sudo -u www-data php occ app:enable encryption
sudo -u www-data php occ encryption:enable
sudo -u www-data php occ encryption:select-encryption-type masterkey -y
sudo -u www-data php occ encryption:encrypt-all --yes
sudo -u www-data php occ maintenance:singleuser --off

View the Encryption Status

sudo -u www-data php occ encryption:status

Decrypt Encrypted Files

Depending on the amount of existing data, this operation can take a long time.

sudo -u www-data php occ maintenance:singleuser --on
sudo -u www-data php occ encryption:decrypt-all
sudo -u www-data php occ maintenance:singleuser --off

Deactivate Master-Key-Based Encryption

sudo -u www-data php occ encryption:disable
# ignore the "already disabled" message
sudo -u www-data php occ app:disable encryption

If the master key has been compromised or exposed, you can replace it. You will need the current master key for it.

sudo -u www-data php occ encryption:recreate-master-key

User-Key-Based Encryption

User-Key encryption has been depreciated with ownCloud release 10.7

Activate User-Key-Based Encryption

sudo -u www-data php occ maintenance:singleuser --on
sudo -u www-data php occ app:enable encryption
sudo -u www-data php occ encryption:enable
sudo -u www-data php occ encryption:select-encryption-type user-keys
sudo -u www-data php occ encryption:encrypt-all --yes
sudo -u www-data php occ maintenance:singleuser --off

After User-specific encryption is enabled, users must log out and log back in to trigger the automatic personal encryption key generation process.

Set a Recovery Key

  • Go to Settings  Admin  Encryption.

  • Set a recovery key password.

  • Ask the users to opt-in to the recovery key.

If a user decides not to opt-in to the recovery key and forgets or loses their password, the user’s data cannot be decrypted. This leads to permanent data loss.

They need to:

  • Go to Settings  Personal  Encryption

  • Enable the Recovery Key

View the Encryption Status

sudo -u www-data php occ encryption:status

Decrypt Encrypted Files

If you have an ownCloud instance with only a few users, you can use the following example to decrypt the files. Note that you have to enter the password for each user manually. The admin must ensure all users have enabled the recovery password option in their personal settings page.

sudo -u www-data php occ maintenance:singleuser --on
sudo -u www-data php occ encryption:decrypt-all
#Choose the "Recovery key" Option
#Enter **Recovery Key** for **each user**

# Recovery Key is a password set by the admin
sudo -u www-data php occ maintenance:singleuser --off

If you have a large instance with many users, use this to decrypt the files:

  • Set the environment variable with e.g. export OC_RECOVERY_PASSWORD=1111, then run this set of commands and replace "1111" with your actual Recovery Key:

export OC_RECOVERY_PASSWORD=1111
sudo -u www-data php occ maintenance:singleuser --on
sudo -E -u www-data php occ encryption:decrypt-all -m recovery -c yes
sudo -u www-data php occ maintenance:singleuser --off

Deactivate User-Specific Key-based Encryption

sudo -u www-data php occ encryption:disable

# ignore the "already disabled" message
sudo -u www-data php occ app:disable encryption

Clean up Your Database

Access your ownCloud database and remove the remaining entries that have not been automatically removed with this command:

DELETE FROM oc_appconfig WHERE appid='encryption';

Clean up Your Storage

The removal of remaining encryption keys is a manual process. You have to delete all encryption keys on the storage by running the following command. Modify the path to your data directory according to your installation. The find command limits the search to exactly one directory below the user level and for security reasons prompts before each deletion:

find /var/www/owncloud/data/ -mindepth 2 -maxdepth 2 -type d -name "files_encryption" -exec rm -R -i {} +