503 Encryption not ready: multikeydecrypt with share key failed #8349

Closed
CamZie opened this issue Feb 14, 2018 · 83 comments
Comments

CamZie commented Feb 14, 2018

Steps to reproduce

  1. enable encryption
  2. upload and download files

Expected behaviour

Nextcloud should allow downloading of files without any errors.

Actual behaviour

Cannot download some files. User is receiving errors that the server is temporarily unavailable (503) or that the server is in maintenance.

Server configuration

Operating system: Debian 8.10

Web server: NGINX 1.12

Database: MariaDB 10.0

PHP version: PHP 5.6

Nextcloud version: 12.0.2

Updated from an older Nextcloud/ownCloud or fresh install: Updated from an older Nextcloud version.

Signing status: No errors have been found.

List of activated apps:

Enabled:
  - activity: 2.5.2
  - admin_audit: 1.2.0
  - bookmarks: 0.10.1
  - bruteforcesettings: 1.0.3
  - calendar: 1.5.7
  - comments: 1.2.0
  - contacts: 2.0.1
  - dav: 1.3.0
  - encryption: 1.6.0
  - federatedfilesharing: 1.2.0
  - files: 1.7.2
  - files_pdfviewer: 1.1.1
  - files_sharing: 1.4.0
  - files_texteditor: 2.4.1
  - files_trashbin: 1.2.0
  - files_versions: 1.5.0
  - files_videoplayer: 1.1.0
  - firstrunwizard: 2.1
  - gallery: 17.0.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - mail: 0.7.9
  - nextcloud_announcements: 1.1
  - notes: 2.3.2
  - notifications: 2.0.0
  - oauth2: 1.0.5
  - password_policy: 1.2.2
  - provisioning_api: 1.2.0
  - qownnotesapi: 17.5.0
  - serverinfo: 1.2.0
  - sharebymail: 1.2.0
  - systemtags: 1.2.0
  - tasks: 0.9.5
  - theming: 1.3.0
  - twofactor_backupcodes: 1.1.1
  - updatenotification: 1.2.0
  - workflowengine: 1.2.0
Disabled:
  - federation
  - files_external
  - survey_client
  - user_external
  - user_ldap

Nextcloud configuration:

    "system": {
        "instanceid": "ocpom4ncgfhghkwru",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "\/mnt\/***REMOVED SENSITIVE VALUE***\/data",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "12.0.2.0",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "Europe\/Zurich",
        "installed": true,
        "theme": "***REMOVED SENSITIVE VALUE***",
        "enable_previews": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "enable_avatars": false,
        "logdateformat": "Y-m-d_H:i:s",
        "updatechecker": false,
        "log_type": "errorlog",
        "logfile": "",
        "loglevel": 2,
        "customclient_desktop": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "trashbin_retention_obligation": "auto,90",
        "activity_expire_days": 90,
        "preview_max_scale_factor": 1,
        "preview_max_filesize_image": 10,
        "skeletondir": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "no-reply",
        "mail_smtpmode": "php",
        "mail_smtpauthtype": "LOGIN",
        "mail_domain": "***REMOVED SENSITIVE VALUE***"}

Are you using encryption: yes

Client configuration

Browser:
Operating system: Nextcloud-iOS/2.19.2

Logs

Nextcloud log (data/nextcloud.log):

2018/02/10 04:14:07 [error] 32243#32243: *2115256 FastCGI sent in stderr: "PHP message: [owncloud]
[webdav][4] Exception: {"Exception":"Sabre\\DAV\\Exception\\ServiceUnavailable","Message":"Encryption
 not ready: multikeydecrypt with share key failed:error:0906D06C:PEM routines:PEM_read_bio:no start 
line","Code":0,"Trace":"#0 \/var\/www\/nextcloud\/3rdparty\/sabre\/dav\/lib\/DAV\/CorePlugin.php(85): 
OCA\\DAV\\Connector\\Sabre\\File->get()\n#1 [internal function]: Sabre\\DAV
\\CorePlugin->httpGet(Object(Sabre\\HTTP\\Request), Object(Sabre\\HTTP\\Response))\n#2 \/var\
/www\/nextcloud\/3rdparty\/sabre\/event\/lib\/EventEmitterTrait.php(105): call_user_func_array(Array, 
Array)\n#3 \/var\/www\/nextcloud\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php(479): Sabre\\Event
\\EventEmitter->emit('method:GET', Array)\n#4 \/var\/www\/nextcloud\/3rdparty\/sabre\/dav\/lib\/DAV
\/Server.php(254): Sabre\\DAV\\Server->invokeMethod(Object(Sabre\\HTTP\\Request), 
Object(Sabre\\HTTP\\Response))\n#5 \/var\/www\/nextcloud\/apps\/dav\/appinfo\/v1\/webdav.php(71): 
Sabre\\DAV\\Server->exec()\n#6 \/var\/www\/nextclo" while reading response header from upstream, client: 
***REMOVED SENSITIVE VALUE***, server: ***REMOVED SENSITIVE VALUE***, request: "GET 
/remote.php/webdav/Photos/2018/01/18-01-19%2018-37-42%200433.jpg HTTP/2.0", upstream: 
"fastcgi://unix:/var/run/php5-fpm.sock:", host: "***REMOVED SENSITIVE VALUE***"
@albertogscotti

Same problem on 13.0.2.
Happens on sharing encrypted directories / files.
Also: php occ encryption:migrate throws a lot of errors "An unhandled exception has been thrown:
ArgumentCountError: Too few arguments to function OCA\Encryption\Migration::__construct()"

berho commented May 31, 2018

I have the same problem on 13.0.2!
A lot of files cannot be synchronized over DAV. This version of Nextcloud is not stable to use in a productive environment!!

How can I get back my files??

m33m33 commented Jun 16, 2018

Same problem here on 13.0.4 stable release.
Server side encryption activated = impossible to share files.
<!> This encryption feature should be disabled on the stable/production releases <!>

RandieM (Contributor) commented Jul 9, 2018

@Escubaer, when it comes to programming, I tend not to believe in "random" events. The described problem is triggered by something, which I am currently unable to identify. This also seems to be the case for @CamZie, according to his/her latest comment.

Besides, you do have a point when you say:

It is also marked as a feature whereas for you guys it sounds like a strong bug ...

I believe that this issue has been assigned the wrong label, as it is certainly not a feature, but a bug /cc @tflidd

tflidd (Contributor) commented Jul 9, 2018

I believe that this issue has been assigned the wrong label, as it is certainly not a feature, but a bug /cc @tflidd

It just says that this topic is related to the server-side-encryption. There are different tags for feature requests ;-)

But regarding the number of users reporting this problem, it is probably more than just a single coincidence. I will put a bug-label to it.

tflidd added the bug label Jul 9, 2018

berho commented Jul 10, 2018

I had this weird error once more today and I tested around but can't get any clue why that happens:

Upload from             | Server thumbnail creation | Download to Windows client (view and download with browser)
iOS App                 | OK                        | Fail
iOS "send to NextCloud" | OK                        | Fail
Browser (FF on W7)      | OK                        | Fail
Windows Client          | OK                        | (uploaded)

Error in Logfile always:
Sabre\DAV\Exception\ServiceUnavailable: Encryption not ready: multikeydecrypt with share key failed:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error
/htdocs/3rdparty/sabre/dav/lib/DAV/CorePlugin.php - line 88: OCA\DAV\Connector\Sabre\File->get()
[internal function] Sabre\DAV\CorePlugin->httpGet(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))

CamZie (Author) commented Jul 31, 2018

Yet another user has this problem and they keep receiving this error when trying to access their files. multikeydecrypt with share key failed:error:0906D06C:PEM routines:PEM_read_bio:no start line

Any news on this as it is getting more and more critical?

m33m33 commented Aug 1, 2018

Issue still present on 13.0.5.

As a workaround, is it safe to follow https://docs.nextcloud.com/server/13/admin_manual/configuration_files/encryption_configuration.html and decrypt files with occ?

No, or I may do something wrong...

After using: php occ encryption:decrypt-all user1

The files are still encrypted on the storage, and users get a "bad signature" on all files. Better have a good backup.

In nextcloud.log:
"Exception: {"Exception":"OCP\\Encryption\\Exceptions\\GenericEncryptionException","Message":"Bad Signature","Code":0,"Trace":"#0 \/mnt\/sd0d\/usr\/pkg\/share\/nextcloud\/apps\/encryption\/lib\/Crypto\/Crypt.php(465)

A decrypted file "About.txt":
file data/user1/files/Documents/About.txt
data/user1/files/Documents/About.txt: data ===> should be "text"

First few lines of About.txt:
"
HBEGIN:oc_encryption_module:OC_DEFAULT_MODULE:cipher:AES-256-CTR:signed:true:HEND----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
"
Still encrypted...

RandieM (Contributor) commented Aug 2, 2018

It seems that this behaviour is sometimes triggered by a password change, although I do have users in the same installation that have never changed their password, yet they experience this problem.

Any help would be greatly appreciated, as an increasing number of my users are permanently losing access to their files!

m33m33 commented Aug 10, 2018

A clue about this issue: it seems related to public link shared files only:

A. I share a file with a user of my nextcloud instance: the user can open the file.
B. I share a file with a public link (url): the link is unusable and throws the multikeydecrypt error message.

RandieM (Contributor) commented Aug 13, 2018

@m33m33, thanks for posting. Initially, I also thought that this was the case, but, in my experience, it does not only happen with shared files.

CamZie (Author) commented Sep 12, 2018

Are there any updates or news for this issue?

Just as @RandieM and @m33m33 mentioned, I have also noticed that these are mostly triggered by a password change or shared files, but some of my users also do not have either of them but are still experiencing this problem. Any help would be greatly appreciated.

m33m33 commented Sep 14, 2018

Another clue about this issue: it seems image format files are not affected.

A. I share a picture (.jpg) with a public link: the destination user can open the link and the image shows in the NC viewer.
B. I share a document (.pdf, .odt...) with a public link: the link is unusable and throws the multikeydecrypt error message.

@hostingnuggets

@m33m33 The behavior you describe in your point A might be the effect of the cache: my assumption here is that image files get cached unencrypted, and the picture file you shared with a public link is then served directly from the cache, which is why it works.

Have a look at my comment here and the answers below on the nextcloud forum: https://help.nextcloud.com/t/nextcloud-14-focus-on-security-and-compliance/36116/2

In my comment I have asked the nextcloud core team why they don't seem to care about fixing and even replying to all the server-side encryption issues...

m33m33 commented Sep 14, 2018

@m33m33 The behavior you describe in your point A might be the effect of the cache: my assumption here is that image files get cached unencrypted and this picture file you shared with a public link is then accessed directly from the cache, that's why it works.

You are right. I was fooled by the preview from the cache; if I click on "download" the picture doesn't show and the multikey failure message appears :(

schiessle (Member) commented Sep 17, 2018

I have the feeling that this issue mixes many potentially different problems together. E.g. the original issue says that the user gets a "503 Nextcloud unavailable or in maintenance mode", which I never saw, and I don't know how this could be triggered by the server-side encryption. The other error messages posted here make more sense, but I still struggle to find the necessary information and what all these reports have in common in order to try to reproduce it.

So my request to everyone in this issue: can one of you describe a step-by-step scenario with the latest Nextcloud version (13.0.6 or 14, because they contain some changes to make the file cache updates more robust) where you can reliably reproduce the issue?

If I have something like this I'm happy to give it another try and see if I can reproduce it.

@tusharsharma27

Any update, guys? I have made a replica of the server and can give access to anyone over remote. I want people to understand this issue. I have master key enabled. A newly created user was able to see all the files after first login, but after a random time, while the user did not make much activity, he is now not able to see the files which he uploaded and never shared. This is quite a serious issue. Please help. Inbox me at tushar.sharma.9@gmail.com

@linoskoczek

I had a similar problem after I moved my NextCloud instance with encrypted data to another machine (actually, I moved it to a dockerized environment). I could see my files, but I could not download or view them. In the logs I could see: Sabre\DAV\Exception: Could not decrypt key after migration and a stacktrace.

For me, the solution was adding this line to config.php:
'encryption.key_storage_migrated' => false

solracsf (Member) commented Oct 4, 2021

This problem is still an issue on Nextcloud 21.0.5.

{
  "reqId": "lHtzrJB3BREkL4FC45SC",
  "level": 4,
  "time": "2021-10-04T15:42:26+02:00",
  "app": "webdav",
  "method": "GET",
  "url": "/remote.php/webdav/file.pdf?downloadStartSecret=ishfmlsl2g",
  "message": {
    "Exception": "Sabre\\DAV\\Exception\\ServiceUnavailable",
    "Message": "Encryption not ready: multikeydecrypt with share key failed:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error",
    "Code": 0,
    "Trace": [
      {
        "file": "/apps/dav/lib/Connector/Sabre/File.php",
        "line": 436,
        "function": "convertToSabreException",
        "class": "OCA\\DAV\\Connector\\Sabre\\File",
        "type": "->",
        "args": [
          {
            "__class__": "OCA\\Encryption\\Exceptions\\MultiKeyDecryptException"
          }
        ]
      },
      {
        "file": "/3rdparty/sabre/dav/lib/DAV/CorePlugin.php",
        "line": 85,
        "function": "get",
        "class": "OCA\\DAV\\Connector\\Sabre\\File",
        "type": "->",
        "args": []
      },
      {
        "file": "/3rdparty/sabre/event/lib/WildcardEmitterTrait.php",
        "line": 89,
        "function": "httpGet",
        "class": "Sabre\\DAV\\CorePlugin",
        "type": "->",
        "args": [
          {
            "__class__": "Sabre\\HTTP\\Request"
          },
          {
            "__class__": "Sabre\\HTTP\\Response"
          }
        ]
      },
      {
        "file": "/3rdparty/sabre/dav/lib/DAV/Server.php",
        "line": 472,
        "function": "emit",
        "class": "Sabre\\DAV\\Server",
        "type": "->",
        "args": [
          "method:GET",
          [
            {
              "__class__": "Sabre\\HTTP\\Request"
            },
            {
              "__class__": "Sabre\\HTTP\\Response"
            }
          ]
        ]
      },
      {
        "file": "/3rdparty/sabre/dav/lib/DAV/Server.php",
        "line": 253,
        "function": "invokeMethod",
        "class": "Sabre\\DAV\\Server",
        "type": "->",
        "args": [
          {
            "__class__": "Sabre\\HTTP\\Request"
          },
          {
            "__class__": "Sabre\\HTTP\\Response"
          }
        ]
      },
      {
        "file": "/3rdparty/sabre/dav/lib/DAV/Server.php",
        "line": 321,
        "function": "start",
        "class": "Sabre\\DAV\\Server",
        "type": "->",
        "args": []
      },
      {
        "file": "/apps/dav/appinfo/v1/webdav.php",
        "line": 84,
        "function": "exec",
        "class": "Sabre\\DAV\\Server",
        "type": "->",
        "args": []
      },
      {
        "file": "/remote.php",
        "line": 167,
        "args": [
          "/apps/dav/appinfo/v1/webdav.php"
        ],
        "function": "require_once"
      }
    ],
    "File": "/apps/dav/lib/Connector/Sabre/File.php",
    "Line": 668,
    "Previous": {
      "Exception": "OCA\\Encryption\\Exceptions\\MultiKeyDecryptException",
      "Message": "multikeydecrypt with share key failed:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error",
      "Code": 0,
      "Trace": [
        {
          "file": "/apps/encryption/lib/KeyManager.php",
          "line": 480,
          "function": "multiKeyDecrypt",
          "class": "OCA\\Encryption\\Crypto\\Crypt",
          "type": "->",
          "args": [
            "*** sensitive parameters replaced ***"
          ]
        },
        {
          "file": "/apps/encryption/lib/Crypto/Encryption.php",
          "line": 202,
          "function": "getFileKey",
          "class": "OCA\\Encryption\\KeyManager",
          "type": "->",
          "args": [
            "/user/files/file.pdf",
            "master_cff6a6fb"
          ]
        },
        {
          "file": "/lib/private/Files/Stream/Encryption.php",
          "line": 287,
          "function": "begin",
          "class": "OCA\\Encryption\\Crypto\\Encryption",
          "type": "->",
          "args": [
            "/user/files/file.pdf",
            "user",
            "r",
            {
              "oc_encryption_module": "OC_DEFAULT_MODULE",
              "cipher": "AES-256-CTR",
              "signed": "true"
            },
            []
          ]
        },
        {
          "function": "stream_open",
          "class": "OC\\Files\\Stream\\Encryption",
          "type": "->",
          "args": [
            "ocencryption://",
            "r",
            0,
            null
          ]
        },
        {
          "file": "/lib/private/Files/Stream/Encryption.php",
          "line": 214,
          "function": "fopen",
          "args": [
            "ocencryption://",
            "r",
            false,
            null
          ]
        },
        {
          "file": "/lib/private/Files/Stream/Encryption.php",
          "line": 189,
          "function": "wrapSource",
          "class": "OC\\Files\\Stream\\Encryption",
          "type": "::",
          "args": [
            null,
            null,
            "ocencryption",
            "OC\\Files\\Stream\\Encryption",
            "r"
          ]
        },
        {
          "file": "/lib/private/Files/Storage/Wrapper/Encryption.php",
          "line": 471,
          "function": "wrap",
          "class": "OC\\Files\\Stream\\Encryption",
          "type": "::",
          "args": [
            null,
            "files/file.pdf",
            "/user/files/file.pdf",
            {
              "oc_encryption_module": "OC_DEFAULT_MODULE",
              "cipher": "AES-256-CTR",
              "signed": "true"
            },
            "user",
            {
              "__class__": "OCA\\Encryption\\Crypto\\Encryption"
            },
            {
              "cache": null,
              "scanner": null,
              "watcher": null,
              "propagator": null,
              "updater": null,
              "__class__": "OC\\Files\\Storage\\Wrapper\\Quota"
            },
            {
              "cache": null,
              "scanner": null,
              "watcher": null,
              "propagator": null,
              "updater": null,
              "__class__": "OC\\Files\\Storage\\Wrapper\\Encryption"
            },
            {
              "__class__": "OC\\Encryption\\Util"
            },
            {
              "__class__": "OC\\Encryption\\File"
            },
            "r",
            507240,
            369893,
            8192,
            true
          ]
        },
        {
          "file": "/lib/private/Files/Storage/Wrapper/Wrapper.php",
          "line": 302,
          "function": "fopen",
          "class": "OC\\Files\\Storage\\Wrapper\\Encryption",
          "type": "->",
          "args": [
            "files/file.pdf",
            "r"
          ]
        },
        {
          "file": "/apps/files_accesscontrol/lib/StorageWrapper.php",
          "line": 236,
          "function": "fopen",
          "class": "OC\\Files\\Storage\\Wrapper\\Wrapper",
          "type": "->",
          "args": [
            "files/file.pdf",
            "r"
          ]
        },
        {
          "file": "/lib/private/Files/View.php",
          "line": 1170,
          "function": "fopen",
          "class": "OCA\\FilesAccessControl\\StorageWrapper",
          "type": "->",
          "args": [
            "files/file.pdf",
            "r"
          ]
        },
        {
          "file": "/lib/private/Files/View.php",
          "line": 1006,
          "function": "basicOperation",
          "class": "OC\\Files\\View",
          "type": "->",
          "args": [
            "fopen",
            "/file.pdf",
            [
              "read"
            ],
            "r"
          ]
        },
        {
          "file": "/apps/dav/lib/Connector/Sabre/File.php",
          "line": 434,
          "function": "fopen",
          "class": "OC\\Files\\View",
          "type": "->",
          "args": [
            "file.pdf",
            "r"
          ]
        },
        {
          "file": "/3rdparty/sabre/dav/lib/DAV/CorePlugin.php",
          "line": 85,
          "function": "get",
          "class": "OCA\\DAV\\Connector\\Sabre\\File",
          "type": "->",
          "args": []
        },
        {
          "file": "/3rdparty/sabre/event/lib/WildcardEmitterTrait.php",
          "line": 89,
          "function": "httpGet",
          "class": "Sabre\\DAV\\CorePlugin",
          "type": "->",
          "args": [
            {
              "__class__": "Sabre\\HTTP\\Request"
            },
            {
              "__class__": "Sabre\\HTTP\\Response"
            }
          ]
        },
        {
          "file": "/3rdparty/sabre/dav/lib/DAV/Server.php",
          "line": 472,
          "function": "emit",
          "class": "Sabre\\DAV\\Server",
          "type": "->",
          "args": [
            "method:GET",
            [
              {
                "__class__": "Sabre\\HTTP\\Request"
              },
              {
                "__class__": "Sabre\\HTTP\\Response"
              }
            ]
          ]
        },
        {
          "file": "/3rdparty/sabre/dav/lib/DAV/Server.php",
          "line": 253,
          "function": "invokeMethod",
          "class": "Sabre\\DAV\\Server",
          "type": "->",
          "args": [
            {
              "__class__": "Sabre\\HTTP\\Request"
            },
            {
              "__class__": "Sabre\\HTTP\\Response"
            }
          ]
        },
        {
          "file": "/3rdparty/sabre/dav/lib/DAV/Server.php",
          "line": 321,
          "function": "start",
          "class": "Sabre\\DAV\\Server",
          "type": "->",
          "args": []
        },
        {
          "file": "/apps/dav/appinfo/v1/webdav.php",
          "line": 84,
          "function": "exec",
          "class": "Sabre\\DAV\\Server",
          "type": "->",
          "args": []
        },
        {
          "file": "/remote.php",
          "line": 167,
          "args": [
            "/apps/dav/appinfo/v1/webdav.php"
          ],
          "function": "require_once"
        }
      ],
      "File": "/apps/encryption/lib/Crypto/Crypt.php",
      "Line": 683,
      "Hint": "multikeydecrypt with share key failed:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error"
    },
    "CustomMessage": "--"
  },
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36",
  "version": "21.0.5.1"
}

CamZie (Author) commented Nov 9, 2021

you can fix files with "bad signature" using this new command: https://docs.nextcloud.com/server/latest/admin_manual/issues/general_troubleshooting.html#problems-when-downloading-or-decrypting-files

Thanks for the command. We tried the solution you mentioned but we received the following error:

Repairing only works with master key encryption.

It looks like it will only work for encryption with master key but not with user key encryption that we are currently using.

santo74 commented Mar 30, 2022

I also experienced this error with a Nextcloud installation on Cloudron, which was recently updated from v23.0.2 to v23.0.3.

The exact error was:

Encryption not ready: multikeydecrypt with share key failed:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error

Some important things to note:

  • my Nextcloud is running in a docker container (since it's hosted on Cloudron).
  • After the initial installation I mounted an external storage over sshfs and modified the Nextcloud config to use a folder on that storage as the data directory.

What I noticed:

After the update I noticed that 3 of the 4 key files on the external storage had a recent timestamp from around the time the update took place, more specifically:

  • the master privateKey
  • the pubShare privateKey
  • the pubShare publicKey

When I looked in the original data directory of the Cloudron app I noticed all 4 keys had an older timestamp from October 22.

How I solved the issue:

I simply copied the keys from the original data directory of the Cloudron app to the external storage location:

cp /app/data/files_encryption/OC_DEFAULT_MODULE/* /mnt/sshfs/files_encryption/OC_DEFAULT_MODULE/

Now everything worked again.

So for some reason some of the keys were changed, probably as a result of the update to v23.0.3.

I hope this can help other people with the same issue.

branov commented Jun 21, 2022

Hello everyone, is there any update regarding this issue or a possible fix? A few days ago I discovered the same problem with downloading some files. After a little investigation, I found the same error as mentioned here. I have no idea when this problem happened for the first time on my installation. I keep backups of all keys for up to 14 days, but the problem probably occurred long before that, if the root of the problem is related to the NC update (currently I run 24.0.2 and previously I had 23.0.3.2, but the problem was probably already there). I now have about 100GB of unavailable data in my NC due to the error "multikeydecrypt with share key failed". Is there a way to get my data back, or should I jump off the roof right now?

PVince81 (Member) commented Jun 21, 2022

that error message usually means that the encryption file keys are not found

if the files are located on an external storage, it is likely that you had the keys stored in the wrong location due to a bug (see next message)

if you have a single user you should be able to copy the keys from data/$userid/files_encryption/... to data/files_encryption/keys/...

if you need quick access you can try to locally revert #32705

@PVince81 (Member)

the bug was as follows:

  1. Setup v21.0.7
  2. occ app:enable encryption && occ encryption:enable && occ app:enable files_external
  3. Setup an external storage of type "Local" and mount it to "/encrypted"
  4. Upload a file into "/encrypted/test.pdf"
  5. Check filesystem: the key appears in data/files_encryption/keys/
  6. Upgrade to v22.2.8
  7. Download the file "/encrypted/test.pdf" => BOOM
  8. Upload a new file "/encrypted/test-after.pdf"
  9. Check filesystem and see that the key now appears in "data/admin/files_encrypted/keys/..."

This means that with v22.2.8 the encryption code is looking for the keys in the user's home instead of the global folder.
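A defender-side inventory check, added here and not part of this thread or of Nextcloud itself: given a data directory, a user id and a file path, it reports whether the per-file key directory exists in the user's home tree, in the global tree, in both or in neither (the mismatch PVince81 describes), and lists key-file modification times so the timestamp comparison santo74 made can be scripted. The directory layout below the paths quoted in the thread (files/<path>/OC_DEFAULT_MODULE/ holding fileKey and <id>.shareKey), the constructed demo tree and the constructed master key id are assumptions of this example.

```python
import os
import tempfile
from pathlib import Path

MODULE = "OC_DEFAULT_MODULE"


def candidate_key_dirs(datadir, user, relpath):
    """The two places the thread shows per-file keys being kept for
    files/<relpath>: the user's home tree (data/<user>/files_encryption/keys/...)
    and the global tree (data/files_encryption/keys/...). The sub-layout under
    keys/ is an assumption of this example."""
    data = Path(datadir)
    rel = Path("files") / relpath
    return {
        "user": data / user / "files_encryption" / "keys" / rel / MODULE,
        "global": data / "files_encryption" / "keys" / rel / MODULE,
    }


def inventory(keydir):
    """List fileKey / *.shareKey present in one key directory (empty if absent)."""
    keydir = Path(keydir)
    if not keydir.is_dir():
        return {"fileKey": False, "shareKeys": []}
    names = sorted(p.name for p in keydir.iterdir())
    suffix = ".shareKey"
    return {
        "fileKey": "fileKey" in names,
        "shareKeys": [n[: -len(suffix)] for n in names if n.endswith(suffix)],
    }


def diagnose(datadir, user, relpath, key_id):
    """Classify where a usable key set (fileKey plus the share key for key_id)
    lives. key_id is the recipient the server will look up: the user id in
    user-key mode or 'master_<id>' in master-key mode."""
    found = {name: inventory(d) for name, d in candidate_key_dirs(datadir, user, relpath).items()}
    usable = [name for name, inv in found.items() if inv["fileKey"] and key_id in inv["shareKeys"]]
    if not usable:
        status = "missing"
    elif len(usable) == 2:
        status = "both"
    else:
        status = usable[0] + "-only"
    return {"status": status, "found": found}


def key_file_ages(keydir):
    """mtime of every file in a key directory, e.g. data/files_encryption/OC_DEFAULT_MODULE,
    so two copies (original data dir vs. external storage) can be compared."""
    keydir = Path(keydir)
    if not keydir.is_dir():
        return {}
    return {p.name: os.stat(p).st_mtime for p in keydir.iterdir() if p.is_file()}


def build_demo_tree(root):
    """Constructed layout mirroring PVince81's steps: the key for
    /encrypted/test.pdf (uploaded before the upgrade) sits in the global tree,
    the key for /encrypted/test-after.pdf in admin's home tree."""
    master = "master_0000demo"  # constructed id, not taken from the thread
    dirs = [
        Path(root, "files_encryption", "keys", "files", "encrypted", "test.pdf", MODULE),
        Path(root, "admin", "files_encryption", "keys", "files", "encrypted", "test-after.pdf", MODULE),
    ]
    for d in dirs:
        d.mkdir(parents=True, exist_ok=True)
        (d / "fileKey").write_bytes(b"constructed-file-key")
        (d / f"{master}.shareKey").write_bytes(b"constructed-share-key")
    return master


def demo():
    """Build the constructed tree in a temp dir and classify three paths."""
    with tempfile.TemporaryDirectory() as root:
        master = build_demo_tree(root)
        paths = ("encrypted/test.pdf", "encrypted/test-after.pdf", "encrypted/nothing.pdf")
        return {f: diagnose(root, "admin", f, master)["status"] for f in paths}


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{path}: {status}")
```

A file reported as "user-only" or "global-only" is one whose key set only one code path can find; "missing" is the case where the share key for the expected recipient is absent from both trees.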

branov commented Jun 23, 2022

I do not use external storage. I have mounted a mount point in /mnt/userdata. I have now tried to copy all keys from data/$userid/files_encryption/ to data/files_encryption/keys/ but the issue persists. Here is the full error message:

Sabre\DAV\Exception\ServiceUnavailable: Encryption not ready: multikeydecrypt with share key failed:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error
    /web/apps/dav/lib/Connector/Sabre/File.php - line 482:
    OCA\DAV\Connector\Sabre\File->convertToSabreException(OCA\Encrypti ... {})
    /web/3rdparty/sabre/dav/lib/DAV/CorePlugin.php - line 85:
    OCA\DAV\Connector\Sabre\File->get()
    /web/3rdparty/sabre/event/lib/WildcardEmitterTrait.php - line 89:
    Sabre\DAV\CorePlugin->httpGet(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})
    /web/3rdparty/sabre/dav/lib/DAV/Server.php - line 472:
    Sabre\DAV\Server->emit("method:GET", [ Sabre\HTTP ... }])
    /web/3rdparty/sabre/dav/lib/DAV/Server.php - line 253:
    Sabre\DAV\Server->invokeMethod(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})
    /web/3rdparty/sabre/dav/lib/DAV/Server.php - line 321:
    Sabre\DAV\Server->start()
    /web/apps/dav/lib/Server.php - line 352:
    Sabre\DAV\Server->exec()
    /web/apps/dav/appinfo/v2/remote.php - line 35:
    OCA\DAV\Server->exec()
    /web/remote.php - line 166:
    require_once("/web/apps/d ... p")
Caused by OCA\Encryption\Exceptions\MultiKeyDecryptException: multikeydecrypt with share key failed:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error
    /web/apps/encryption/lib/KeyManager.php - line 479:
    OCA\Encryption\Crypto\Crypt->multiKeyDecrypt("*** sensiti ... *")
    /web/apps/encryption/lib/Crypto/Encryption.php - line 203:
    OCA\Encryption\KeyManager->getFileKey("/admin/file ... g", "master_9dc9bf3d")
    /web/lib/private/Files/Stream/Encryption.php - line 286:
    OCA\Encryption\Crypto\Encryption->begin("/admin/file ... g", "admin", "r", { oc_encrypt ... "}, [])
    <<closure>>
    OC\Files\Stream\Encryption->stream_open("ocencryption://", "r", 0, null)
    /web/lib/private/Files/Stream/Encryption.php - line 213:
    fopen("ocencryption://", "r", false, null)
    /web/lib/private/Files/Stream/Encryption.php - line 188:
    OC\Files\Stream\Encryption::wrapSource(null, null, "ocencryption", "OC\\Files\\Stream\\Encryption", "r")
    /web/lib/private/Files/Storage/Wrapper/Encryption.php - line 460:
    OC\Files\Stream\Encryption::wrap(null, "files/BACKU ... g", "/admin/file ... g", { oc_encrypt ... "}, "admin", OCA\Encrypti ... {}, OC\Files\Sto ... l}, OC\Files\Sto ... l}, OC\Encryption\Util {}, OC\Encryption\File {}, "r", 1735728, 1280458, 8192, true)
    /web/lib/private/Files/Storage/Wrapper/Wrapper.php - line 301:
    OC\Files\Storage\Wrapper\Encryption->fopen("files/BACKU ... g", "r")
    /web/apps/files_accesscontrol/lib/StorageWrapper.php - line 236:
    OC\Files\Storage\Wrapper\Wrapper->fopen("files/BACKU ... g", "r")
    /web/apps/ransomware_protection/lib/StorageWrapper.php - line 317:
    OCA\FilesAccessControl\StorageWrapper->fopen("files/BACKU ... g", "r")
    /web/lib/private/Files/View.php - line 1175:
    OCA\RansomwareProtection\StorageWrapper->fopen("files/BACKU ... g", "r")
    /web/lib/private/Files/View.php - line 1010:
    OC\Files\View->basicOperation("fopen", "/BACKUP/Fot ... g", [ "read"], "r")
    /web/apps/dav/lib/Connector/Sabre/File.php - line 480:
    OC\Files\View->fopen("BACKUP/Fotk ... g", "r")
    /web/3rdparty/sabre/dav/lib/DAV/CorePlugin.php - line 85:
    OCA\DAV\Connector\Sabre\File->get()
    /web/3rdparty/sabre/event/lib/WildcardEmitterTrait.php - line 89:
    Sabre\DAV\CorePlugin->httpGet(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})
    /web/3rdparty/sabre/dav/lib/DAV/Server.php - line 472:
    Sabre\DAV\Server->emit("method:GET", [ Sabre\HTTP ... }])
    /web/3rdparty/sabre/dav/lib/DAV/Server.php - line 253:
    Sabre\DAV\Server->invokeMethod(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})
    /web/3rdparty/sabre/dav/lib/DAV/Server.php - line 321:
    Sabre\DAV\Server->start()
    /web/apps/dav/lib/Server.php - line 352:
    Sabre\DAV\Server->exec()
    /web/apps/dav/appinfo/v2/remote.php - line 35:
    OCA\DAV\Server->exec()
    /web/remote.php - line 166:
    require_once("/web/apps/d ... p")

I am pretty desperate already 😔
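
What the exception in the trace above actually tells you, as an added example that is not part of this thread and not Nextcloud's own code: the "pkcs decoding error" is the PKCS#1 v1.5 padding check failing while the per-file key is being unwrapped with RSA. That is exactly what happens when the share key stored on disk was wrapped for a different key pair than the private key now in use (a regenerated master key, key material copied in from another instance); a corrupted share key produces the same error. The Go program below builds that situation from scratch with two freshly generated keys and includes a small checker that reports which of several candidate private keys a share key belongs to. The key ids (master_original, master_regenerated) are hypothetical, and the checker operates on raw RSA keys, not on Nextcloud's encrypted key files, so you would first have to obtain the decrypted private key.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"fmt"
)

// ShareKeyResult records the outcome of trying one candidate private key
// against one wrapped file key.
type ShareKeyResult struct {
	KeyID string
	OK    bool
	Err   error
}

// WrapFileKey encrypts a per-file key to a recipient's RSA public key with
// PKCS#1 v1.5 padding (the padding scheme named in the stack trace). The
// result plays the role of the per-recipient "share key".
func WrapFileKey(pub *rsa.PublicKey, fileKey []byte) ([]byte, error) {
	return rsa.EncryptPKCS1v15(rand.Reader, pub, fileKey)
}

// UnwrapFileKey reverses WrapFileKey. With the wrong private key the RSA
// arithmetic still produces bytes, but they do not carry valid PKCS#1 v1.5
// padding, so the padding check fails and Go returns rsa.ErrDecryption, the
// counterpart of OpenSSL's "RSA_padding_check_PKCS1_type_2:pkcs decoding error".
func UnwrapFileKey(priv *rsa.PrivateKey, shareKey []byte) ([]byte, error) {
	return rsa.DecryptPKCS1v15(rand.Reader, priv, shareKey)
}

// IsPaddingFailure reports whether err is that padding-check failure, i.e.
// the share key was wrapped for a different key pair or has been corrupted.
func IsPaddingFailure(err error) bool {
	return errors.Is(err, rsa.ErrDecryption)
}

// MatchShareKey tries every candidate private key (keyed by a hypothetical
// id such as "master_original") against one share key.
func MatchShareKey(shareKey []byte, candidates map[string]*rsa.PrivateKey) []ShareKeyResult {
	results := make([]ShareKeyResult, 0, len(candidates))
	for id, priv := range candidates {
		_, err := UnwrapFileKey(priv, shareKey)
		results = append(results, ShareKeyResult{KeyID: id, OK: err == nil, Err: err})
	}
	return results
}

// FirstMatch returns the id of a candidate that unwrapped the share key, or
// "" when none did, which is the "mismatched key material" diagnosis.
func FirstMatch(results []ShareKeyResult) string {
	for _, r := range results {
		if r.OK {
			return r.KeyID
		}
	}
	return ""
}

func main() {
	// Constructed scenario: a file key wrapped under one master key, then an
	// instance whose master key was regenerated tries to unwrap it.
	original, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	regenerated, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	fileKey := make([]byte, 32) // random 256-bit file key, as in practice
	if _, err := rand.Read(fileKey); err != nil {
		panic(err)
	}
	shareKey, err := WrapFileKey(&original.PublicKey, fileKey)
	if err != nil {
		panic(err)
	}
	_, err = UnwrapFileKey(regenerated, shareKey)
	fmt.Printf("unwrap with regenerated key: padding failure=%v (%v)\n", IsPaddingFailure(err), err)
	results := MatchShareKey(shareKey, map[string]*rsa.PrivateKey{
		"master_original":    original,
		"master_regenerated": regenerated,
	})
	fmt.Println("share key belongs to:", FirstMatch(results))
}
```

The point of the checker is triage: if no candidate key unwraps the share key, the key material on disk and the private key in use do not belong together, and copying key files between directories (as tried above) cannot fix that; if one does, the problem lies elsewhere in the pipeline.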

@branov

branov commented Jun 29, 2022

Nobody? Are my data gone? Really?

@ghost

ghost commented Jun 29, 2022

Nobody? Are my data gone? Really?

Unfortunately, I think so. Just like many others here.

I also can't understand the hype around Nextcloud at all. A basic feature (for a cloud product) that has been advertised for years, but is still in alpha status and has bugs that have not been fixed for years.

@quiknick

quiknick commented Sep 17, 2022

So I got hit with this too upgrading to 24.0.5.1. I was worried for a second, but found a way to resolve it, though it will take some time...
The solution is to decrypt all files, then turn off encryption until the issue is resolved. I will caveat that this may not resolve your data restoration: even if Nextcloud thinks it was successful in decrypting all files, they will be decrypted leaving the file with the AES256 hash as content. Hopefully you have backups of the data. Good luck!

run this to decrypt all files from /var/www/nextcloud directory or wherever nextcloud is installed
sudo -u www-data php occ encryption:decrypt-all

You are about to start to decrypt all files stored in your Nextcloud.
It will depend on the encryption module and your setup if this is possible.
Depending on the number and size of your files this can take some time
Please make sure that no user access his files during this process!

Do you really want to continue? (y/n) y
prepare encryption modules...
 done.

 Fetch list of users... finished 
 [============================]

 starting to decrypt files... finished 
 [============================]

Then let's disable encryption
sudo -u www-data php occ encryption:disable

Lastly verify encryption is disabled
sudo -u www-data php occ encryption:status

  - enabled: false
  - defaultModule: OC_DEFAULT_MODULE
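
A check to run after the procedure above, as an added example rather than anything from this thread or from Nextcloud itself: the caveat in that comment is that decrypt-all can report success while files still hold the encrypted blob. Files written by the default server-side encryption module start with a plaintext header of the form "HBEGIN:oc_encryption_module:OC_DEFAULT_MODULE:...:HEND", so scanning for that marker finds the files that were not really turned back into plaintext. The Go program below walks a data directory (the /var/www/nextcloud/data default is an assumption; pass your own path as the first argument), skips files_encryption directories because the key material kept there is expected to carry the same header, and lists what still needs attention before you disable encryption.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
)

// Files written by Nextcloud's default server-side encryption module begin
// with a plaintext "HBEGIN:...:HEND" header. A file that still starts with
// this marker after occ encryption:decrypt-all was not actually decrypted,
// whatever the command reported.
var encryptedHeaderMarker = []byte("HBEGIN:")

// Key material under files_encryption carries the same header and is meant
// to stay encrypted, so those directories are skipped: they are not user files.
const keyDirName = "files_encryption"

// HasEncryptionHeader reports whether content starts with the header marker.
func HasEncryptionHeader(content []byte) bool {
	return bytes.HasPrefix(content, encryptedHeaderMarker)
}

// FindStillEncrypted walks root (e.g. the Nextcloud data directory) and
// returns the regular files whose first bytes carry the encryption header.
func FindStillEncrypted(root string) ([]string, error) {
	var found []string
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() {
			if d.Name() == keyDirName {
				return filepath.SkipDir
			}
			return nil
		}
		if !d.Type().IsRegular() {
			return nil
		}
		f, err := os.Open(path)
		if err != nil {
			return err
		}
		defer f.Close()
		buf := make([]byte, len(encryptedHeaderMarker))
		n, _ := io.ReadFull(f, buf) // a file shorter than the marker cannot carry it
		if HasEncryptionHeader(buf[:n]) {
			found = append(found, path)
		}
		return nil
	})
	return found, err
}

func main() {
	root := "/var/www/nextcloud/data" // assumed data directory; adjust to your install
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	still, err := FindStillEncrypted(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(2)
	}
	for _, p := range still {
		fmt.Println("still encrypted:", p)
	}
	fmt.Printf("%d file(s) still carry the encryption header\n", len(still))
}
```

Run it as the web server user (or root) so every user directory is readable; a non-zero count means occ encryption:disable would strip the only mechanism that can still read those files, so restore them from backup or fix the key problem first.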

@branov

branov commented Sep 17, 2022

decrypt-all does not work in my case.

@maltris

maltris commented Oct 5, 2022

Hitting the same bug, setting up a new Nextcloud. At first, I thought this was a config problem on my side, but reading this issue ... well, first I thought it was a joke, but it seems it's not.

@Kabbone

Kabbone commented Jan 6, 2023

I also got the multikeydecrypt error and was already out of ideas, but then I found something in the German forum:
https://help.nextcloud.com/t/openssl3-problem-nach-update/151985/2

It came down to the OpenSSL settings; after that everything worked again, so I thought I'd add it here, even if only the comments from 2022 could possibly be affected by this.

@PVince81
Member

PVince81 commented Jan 9, 2023

@cotti

cotti commented Mar 29, 2023

@Kabbone

Thank you and chris_nc. That did it for me. What a moment to not remain updating...

@MrCybertux

MrCybertux commented Dec 21, 2023

So I got hit with this too upgrading to 24.0.5.1. I was worried for a second, but found a way to resolve it, though it will take some time... The solution is to decrypt all files, then turn off encryption until the issue is resolved. I will caveat that this may not resolve your data restoration: even if Nextcloud thinks it was successful in decrypting all files, they will be decrypted leaving the file with the AES256 hash as content. Hopefully you have backups of the data. Good luck!

run this to decrypt all files from /var/www/nextcloud directory or wherever nextcloud is installed
sudo -u www-data php occ encryption:decrypt-all

You are about to start to decrypt all files stored in your Nextcloud.
It will depend on the encryption module and your setup if this is possible.
Depending on the number and size of your files this can take some time
Please make sure that no user access his files during this process!

Do you really want to continue? (y/n) y
prepare encryption modules...
 done.

 Fetch list of users... finished 
 [============================]

 starting to decrypt files... finished 
 [============================]

Then let's disable encryption
sudo -u www-data php occ encryption:disable

Lastly verify encryption is disabled
sudo -u www-data php occ encryption:status

  - enabled: false
  - defaultModule: OC_DEFAULT_MODULE

I have a dockerized setup and tried this approach but got the following message:

root@SIS-NXC-DOCKER:~# docker exec -u www-data nxc_nc_app_1 php occ encryption:decrypt-all
Disable server side encryption... done.


You are about to start to decrypt all files stored in your Nextcloud.
It will depend on the encryption module and your setup if this is possible.
Depending on the number and size of your files this can take some time
Please make sure that no user access his files during this process!

Do you really want to continue? (y/n) Enable server side encryption... done.
aborted

But I do not get the option to press any key; it aborts without any interaction from my side.
Where can I find information on why this is happening?

EDIT:
I found the solution myself:
#9894

@asheroto

That's more of a workaround. 😊 No encryption can be a security risk depending on the environment.

Nextcloud seems to have some fundamental unaddressed bugs with encryption. 🤔

@joshtrichards
Member

joshtrichards commented Nov 18, 2024

Housekeeping item

This Issue is a collection of situations with similar (or, in some cases, the same) basic error messages. Unfortunately, this does not mean the same underlying cause(s) in all cases. Another big factor here is that the OP's original matter in 2018 was quite likely different from those reported in >=late 2020 (with Nc v21) and, again, from those reported >=2022 (Nc v25).

Some of the bug scenarios mentioned in this issue have since been addressed (some of the refs below link to specific examples). Others were things such as the OpenSSL v1 -> v3 transition of various Linux distros (which deprecated then in-use ciphers by default, which at one point broke things).

Refs:

What I suggest we do at this point: If you encounter a problem today in a supported release of Nextcloud Server, report it along with as many details as possible (stack trace, history of the deployment, type of encryption in use, history of the encrypted file/folders in question, distro in-use, etc.).

This is not one of those situations where saying "me too" is helpful. You may see a similar error but not be encountering it for the same reason.

Unfortunately:

  • in some cases there may be manual steps required to remedy, even if the original bug is fixed (and the documentation is definitely lacking in this area)
  • I cannot help each of you one-on-one. In part due to availability, but also because I don't have all the answers. (I will, however, do my best to organize any new reports and cross-reference them to find patterns - and where possible identify underlying root causes for remediation¹)

From there my hope is we can nudge things forward to determine if:

  • additional fixes are still required in some situations
  • additional documentation is needed to remedy various legacy scenarios
  • follow-up via the help forum is more appropriate
  • etc.

I get this is not ideal, but neither is keeping this Issue open as-is. It's too cluttered and aged through too many code changes.

For the above reasons, plus this Issue not seeing any new traffic in nearly a year, I'm going to close it out. My goal is to shift the matters described above to a more actionable stage of reporting. And, in turn, to be able to analyze any Server-Side Encryption related bugs that would otherwise end up lost in this Issue.

P.S. I'm here in my capacity as volunteer on the open source side of this project. If you need engineering support or an SLA, I suggest working directly with Nextcloud GmbH for that (and through the appropriate channels such as https://portal.nextcloud.com).

Footnotes

  1. If you are able to assist by digging into bug reports or contributing to the community facing documentation, please do so. As a hint about how to start, all encryption related bug reports and enhancement ideas (as well as those for any other major functionality area within Nextcloud Server) are generally well-labeled within this repository.
