Encryption Configuration Quick Guide

Introduction

This quick guide gives a brief summary of the commands needed without going into the details and backgrounds. See the full encryption configuration guide for more details.

Master-Key-Based Encryption

Overview

  • Master-key-based encryption is the default when encryption is enabled on new instances.

  • If you have existing data, use the occ encryption:encrypt-all command. Depending on the amount of existing data and the location, this operation can take a long time.

Activate Master Key-Based Encryption

docker compose exec owncloud occ maintenance:singleuser --on
docker compose exec owncloud occ app:enable encryption
docker compose exec owncloud occ encryption:enable
docker compose exec owncloud occ encryption:encrypt-all --yes
docker compose exec owncloud occ maintenance:singleuser --off

View the Encryption Status

docker compose exec owncloud occ encryption:status

Decrypt Encrypted Files

Depending on the amount of existing data, this operation can take a long time.

docker compose exec owncloud occ maintenance:singleuser --on
docker compose exec owncloud occ encryption:decrypt-all
docker compose exec owncloud occ maintenance:singleuser --off

Deactivate Master-Key-Based Encryption

docker compose exec owncloud occ encryption:disable

# ignore the "already disabled" message
docker compose exec owncloud occ app:disable encryption

If the master key has been compromised or exposed, you can replace it. The current master key is required for this operation.

docker compose exec owncloud occ encryption:recreate-master-key

Clean up Your Database

Access your ownCloud database and remove the remaining entries that were not removed automatically by running this command:

DELETE FROM oc_appconfig WHERE appid='encryption';

Clean up Your Storage

The removal of remaining encryption keys is a manual process. Delete all encryption keys on the storage by running the following command, adjusting the path to your data directory according to your installation. The find command limits the search to exactly one directory below the user level and, for security reasons, prompts before each deletion. Replace the <mount-point> placeholder with the value defined in your Docker Compose file.

find <mount-point>/files/ -mindepth 2 -maxdepth 2 -type d -name "files_encryption" -exec rm -R -i {} +
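A dry run of the storage cleanup, as an added example that is not from the ownCloud documentation: it builds a constructed data tree and lists what the find command above would remove before you run the interactive deletion. The function names and the demo tree layout are assumptions, not part of the original guide.

```shell
#!/bin/sh
# Added example (not ownCloud's own code). The directory tree built by
# make_demo_tree is constructed for the demo; on a real instance pass the
# <mount-point> from your Docker Compose file instead.
set -eu

# List the files_encryption directories the cleanup command would remove:
# exactly one level below each user directory under <mount-point>/files/.
list_key_dirs() {
    find "$1/files/" -mindepth 2 -maxdepth 2 -type d -name "files_encryption" -print | sort
}

# Count the directories the dry run reports.
count_key_dirs() {
    list_key_dirs "$1" | wc -l | tr -d ' '
}

# The deletion from the guide itself; rm -i prompts before each removal.
remove_key_dirs() {
    find "$1/files/" -mindepth 2 -maxdepth 2 -type d -name "files_encryption" -exec rm -R -i {} +
}

# Constructed layout showing what the depth limits protect: per-user key
# directories match, a user's own folder that happens to be named
# files_encryption (one level deeper) does not.
make_demo_tree() {
    mkdir -p "$1/files/alice/files_encryption"        # per-user keys: matched
    mkdir -p "$1/files/bob/files_encryption"          # per-user keys: matched
    mkdir -p "$1/files/alice/files/files_encryption"  # user data at depth 3: kept
    touch    "$1/files/carol/files_encryption" 2>/dev/null || {
        mkdir -p "$1/files/carol" && touch "$1/files/carol/files_encryption"
    }                                                  # a plain file, not a dir: kept
}

if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_demo_tree "$demo"
    echo "Would remove:"
    list_key_dirs "$demo"
    rm -r "$demo"
fi
```

Run it with `--demo` to see the listing; on a real instance call `list_key_dirs /mnt/data` (or your mount point) first and only then `remove_key_dirs`.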