Encryption Configuration Quick Guide


This quick guide gives a brief summary of the commands needed without going into the details and backgrounds. See the full encryption configuration guide for more details.

Master-Key-Based Encryption


  • The recommended type of encryption.

  • Best to activate on new instances with no data.

  • If you have existing data, use the occ encryption:encrypt-all command. Depending on the amount of existing data and the location, this operation can take a long time.

Activate Master Key-Based Encryption

sudo -u www-data occ maintenance:singleuser --on
sudo -u www-data occ app:enable encryption
sudo -u www-data occ encryption:enable
sudo -u www-data occ encryption:select-encryption-type masterkey -y
sudo -u www-data occ encryption:encrypt-all --yes
sudo -u www-data occ maintenance:singleuser --off

View the Encryption Status

sudo -u www-data occ encryption:status

Decrypt Encrypted Files

Depending on the amount of existing data, this operation can take a long time.

sudo -u www-data occ maintenance:singleuser --on
sudo -u www-data occ encryption:decrypt-all
sudo -u www-data occ maintenance:singleuser --off

Deactivate Master-Key-Based Encryption

sudo -u www-data occ encryption:disable

# ignore the "already disabled" message
sudo -u www-data occ app:disable encryption

If the master key has been compromised or exposed, you can replace it. You will need the current master key for it.

sudo -u www-data occ encryption:recreate-master-key

Clean up Your Database

Access your ownCloud database and remove the remaining entries that have not been automatically removed with this command:

DELETE FROM oc_appconfig WHERE appid='encryption';

Clean up Your Storage

The removal of remaining encryption keys is a manual process. You have to delete all encryption keys on the storage by running the following command. Modify the path to your data directory according to your installation. The find command limits the search to exactly one directory below the user level and for security reasons prompts before each deletion:

find /var/www/owncloud/data/ -mindepth 2 -maxdepth 2 -type d -name "files_encryption" -exec rm -R -i {} +