Open CamZie opened 6 years ago
I had a similar problem when I tried to sync from the server (17.0.1) to desktop (2.6.1stable-Win64 (build 20191105)). The server logs said
multikeydecrypt with share key failed:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error
and
Encryption not ready: multikeydecrypt with share key failed:error:04065072:rsa routines:rsa_ossl_private_decrypt:padding check failed
but also something about
{"reqId":"IliU9KMskc6JQB3MLhMV","level":3,"time":"2019-12-18T14:37:15+00:00","remoteAddr":"...","user":"zh","app":"no app in context","method":"GET","url":"\/remote.php\/dav\/files\/zh\/SofortUpload\/Camera\/2019\/12\/20191217_095312.jpg","message":"Couldn't re-calculate unencrypted size for files\/SofortUpload\/Camera\/2019\/12\/20191217_095312.jpg","userAgent":"Mozilla\/5.0 (Windows) mirall\/2.6.1stable-Win64 (build 20191105) (Nextcloud)","version":"17.0.1.1"}
I was able to sync again by logging out and back in in the desktop app.
I have the same problem with NC 18.0.3. I've enabled server side encryption and sometimes, some files can't be synced from NC desktop to NC server. It happens randomly.
One workaround is to rename the file to another name and rename it to its first name to unblock the synchronization.
None of these files are shared from NC.
No news about this issue since February 2018?
I got the problem with Nextcloud 18 and up-to-date client, only with files intensively modified client-side.
I use S3 as primary storage.
Same problem here. This is crazy, why does this error still occur for over 2 years and there is no solution yet? I hope someone could help us here...
I just encountered this problem on all my files uploaded before today, which came in as quite the shock to say the least. After much digging I've been able to discover the issue that caused the error for me. Apparently, my master private key had been replaced during (or after?) a minor upgrade process (according to the timestamps), which made it that all new files were able to work just fine but the encrypted files that were created using the "old" master private key were now corrupted.
I have no clue as to why my master private key got replaced, but I'm happy I had a backup that was able to restore my old version. I imagine the same issue could happen on any of the private keys, not just the master one which could explain why this may also happen on a select number of files.
All I can really say is that this error seems to pop up when decrypting the key files, and not the files themselves. If able, try finding older versions of the encryption keys for the corrupted files and hopefully that is enough to at least restore them. A good overview of all the file paths can be found on the wiki. I would be interested in hearing what caused the key replacement, but looking at the history of this issue that is unlikely.
Thank you so much mnelemans! You saved my life. I replaced the current key files with the ones in my backup. Now I can access all files again! Thx a lot.
The documentation states pretty clearly that without a backup of your keys all data might be lost, so proper backups are really mandatory if you consider enabling encryption. However there might of course also be other occurrences where the private key might get corrupted, so a backup is really worth it as the docs state :wink:
You should regularly backup all encryption keys to prevent permanent data loss. The encryption keys are stored in the following directories:
data/<user>/files_encryption
Users' private keys and all other keys necessary to decrypt the users' files
data/files_encryption
private keys and all other keys necessary to decrypt the files stored on a system wide external storage
Of course this should not happen through Nextcloud, so any help tracing down the issue is welcome. If anyone is seeing this issue, please try to check the modification time of your master key and see if there is maybe some relation to an update or request from your webserver access log.
In the case of S3 as primary storage, what are the paths of the keys to back up? I don't think there are users' keys but only global keys in the files_encryption path.
If this happened immediately after initial setup of encryption, https://github.com/nextcloud/server/pull/22018 should help with this.
In the case of S3 as primary storage, what are the paths of the keys to back up? I don't think there are users' keys but only global keys in the files_encryption path.
For object storage files are stored by file id which you would need to fetch from the filecache table first.
Is this issue resolved? I got the same issue in a fine running Owncloud 10 server. None of my users are able to access the default owncloud_manual.pdf file which is shared once the account is created. I have got the older keys also but am not sure when the actual key changed, as there are a lot of files which were uploaded after the key change. It is a random error for which there does not seem to be an explanation made by anyone. Even the original uploader of the files is not able to see the files.
Any update guys? I have made a replica of the server and can give access to anyone over remote. I want people to understand this issue. I have master key enabled. A newly created user was able to check all the files after first login but after a random time, while the user did not make much activity, now he is not able to see the files which he uploaded and never shared. This is quite a serious issue. Please help. Inbox me at tushar.sharma.9@gmail.com
Stumbled upon this today. Very confusing and terrible to explain to our customer
I had a similar problem after I moved my NextCloud instance with encrypted data to another machine (actually, I moved it to a dockerized environment). I could see my files, but I could not download or view them. In the logs I could see: Sabre\DAV\Exception: Could not decrypt key after migration
and a stacktrace.
For me, the solution was adding this line to config.php:
'encryption.key_storage_migrated' => false,
This problem is still an issue on Nextcloud 21.0.5.
{
"reqId": "lHtzrJB3BREkL4FC45SC",
"level": 4,
"time": "2021-10-04T15:42:26+02:00",
"app": "webdav",
"method": "GET",
"url": "/remote.php/webdav/file.pdf?downloadStartSecret=ishfmlsl2g",
"message": {
"Exception": "Sabre\\DAV\\Exception\\ServiceUnavailable",
"Message": "Encryption not ready: multikeydecrypt with share key failed:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error",
"Code": 0,
"Trace": [
{
"file": "/apps/dav/lib/Connector/Sabre/File.php",
"line": 436,
"function": "convertToSabreException",
"class": "OCA\\DAV\\Connector\\Sabre\\File",
"type": "->",
"args": [
{
"__class__": "OCA\\Encryption\\Exceptions\\MultiKeyDecryptException"
}
]
},
{
"file": "/3rdparty/sabre/dav/lib/DAV/CorePlugin.php",
"line": 85,
"function": "get",
"class": "OCA\\DAV\\Connector\\Sabre\\File",
"type": "->",
"args": []
},
{
"file": "/3rdparty/sabre/event/lib/WildcardEmitterTrait.php",
"line": 89,
"function": "httpGet",
"class": "Sabre\\DAV\\CorePlugin",
"type": "->",
"args": [
{
"__class__": "Sabre\\HTTP\\Request"
},
{
"__class__": "Sabre\\HTTP\\Response"
}
]
},
{
"file": "/3rdparty/sabre/dav/lib/DAV/Server.php",
"line": 472,
"function": "emit",
"class": "Sabre\\DAV\\Server",
"type": "->",
"args": [
"method:GET",
[
{
"__class__": "Sabre\\HTTP\\Request"
},
{
"__class__": "Sabre\\HTTP\\Response"
}
]
]
},
{
"file": "/3rdparty/sabre/dav/lib/DAV/Server.php",
"line": 253,
"function": "invokeMethod",
"class": "Sabre\\DAV\\Server",
"type": "->",
"args": [
{
"__class__": "Sabre\\HTTP\\Request"
},
{
"__class__": "Sabre\\HTTP\\Response"
}
]
},
{
"file": "/3rdparty/sabre/dav/lib/DAV/Server.php",
"line": 321,
"function": "start",
"class": "Sabre\\DAV\\Server",
"type": "->",
"args": []
},
{
"file": "/apps/dav/appinfo/v1/webdav.php",
"line": 84,
"function": "exec",
"class": "Sabre\\DAV\\Server",
"type": "->",
"args": []
},
{
"file": "/remote.php",
"line": 167,
"args": [
"/apps/dav/appinfo/v1/webdav.php"
],
"function": "require_once"
}
],
"File": "/apps/dav/lib/Connector/Sabre/File.php",
"Line": 668,
"Previous": {
"Exception": "OCA\\Encryption\\Exceptions\\MultiKeyDecryptException",
"Message": "multikeydecrypt with share key failed:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error",
"Code": 0,
"Trace": [
{
"file": "/apps/encryption/lib/KeyManager.php",
"line": 480,
"function": "multiKeyDecrypt",
"class": "OCA\\Encryption\\Crypto\\Crypt",
"type": "->",
"args": [
"*** sensitive parameters replaced ***"
]
},
{
"file": "/apps/encryption/lib/Crypto/Encryption.php",
"line": 202,
"function": "getFileKey",
"class": "OCA\\Encryption\\KeyManager",
"type": "->",
"args": [
"/user/files/file.pdf",
"master_cff6a6fb"
]
},
{
"file": "/lib/private/Files/Stream/Encryption.php",
"line": 287,
"function": "begin",
"class": "OCA\\Encryption\\Crypto\\Encryption",
"type": "->",
"args": [
"/user/files/file.pdf",
"user",
"r",
{
"oc_encryption_module": "OC_DEFAULT_MODULE",
"cipher": "AES-256-CTR",
"signed": "true"
},
[]
]
},
{
"function": "stream_open",
"class": "OC\\Files\\Stream\\Encryption",
"type": "->",
"args": [
"ocencryption://",
"r",
0,
null
]
},
{
"file": "/lib/private/Files/Stream/Encryption.php",
"line": 214,
"function": "fopen",
"args": [
"ocencryption://",
"r",
false,
null
]
},
{
"file": "/lib/private/Files/Stream/Encryption.php",
"line": 189,
"function": "wrapSource",
"class": "OC\\Files\\Stream\\Encryption",
"type": "::",
"args": [
null,
null,
"ocencryption",
"OC\\Files\\Stream\\Encryption",
"r"
]
},
{
"file": "/lib/private/Files/Storage/Wrapper/Encryption.php",
"line": 471,
"function": "wrap",
"class": "OC\\Files\\Stream\\Encryption",
"type": "::",
"args": [
null,
"files/file.pdf",
"/user/files/file.pdf",
{
"oc_encryption_module": "OC_DEFAULT_MODULE",
"cipher": "AES-256-CTR",
"signed": "true"
},
"user",
{
"__class__": "OCA\\Encryption\\Crypto\\Encryption"
},
{
"cache": null,
"scanner": null,
"watcher": null,
"propagator": null,
"updater": null,
"__class__": "OC\\Files\\Storage\\Wrapper\\Quota"
},
{
"cache": null,
"scanner": null,
"watcher": null,
"propagator": null,
"updater": null,
"__class__": "OC\\Files\\Storage\\Wrapper\\Encryption"
},
{
"__class__": "OC\\Encryption\\Util"
},
{
"__class__": "OC\\Encryption\\File"
},
"r",
507240,
369893,
8192,
true
]
},
{
"file": "/lib/private/Files/Storage/Wrapper/Wrapper.php",
"line": 302,
"function": "fopen",
"class": "OC\\Files\\Storage\\Wrapper\\Encryption",
"type": "->",
"args": [
"files/file.pdf",
"r"
]
},
{
"file": "/apps/files_accesscontrol/lib/StorageWrapper.php",
"line": 236,
"function": "fopen",
"class": "OC\\Files\\Storage\\Wrapper\\Wrapper",
"type": "->",
"args": [
"files/file.pdf",
"r"
]
},
{
"file": "/lib/private/Files/View.php",
"line": 1170,
"function": "fopen",
"class": "OCA\\FilesAccessControl\\StorageWrapper",
"type": "->",
"args": [
"files/file.pdf",
"r"
]
},
{
"file": "/lib/private/Files/View.php",
"line": 1006,
"function": "basicOperation",
"class": "OC\\Files\\View",
"type": "->",
"args": [
"fopen",
"/file.pdf",
[
"read"
],
"r"
]
},
{
"file": "/apps/dav/lib/Connector/Sabre/File.php",
"line": 434,
"function": "fopen",
"class": "OC\\Files\\View",
"type": "->",
"args": [
"file.pdf",
"r"
]
},
{
"file": "/3rdparty/sabre/dav/lib/DAV/CorePlugin.php",
"line": 85,
"function": "get",
"class": "OCA\\DAV\\Connector\\Sabre\\File",
"type": "->",
"args": []
},
{
"file": "/3rdparty/sabre/event/lib/WildcardEmitterTrait.php",
"line": 89,
"function": "httpGet",
"class": "Sabre\\DAV\\CorePlugin",
"type": "->",
"args": [
{
"__class__": "Sabre\\HTTP\\Request"
},
{
"__class__": "Sabre\\HTTP\\Response"
}
]
},
{
"file": "/3rdparty/sabre/dav/lib/DAV/Server.php",
"line": 472,
"function": "emit",
"class": "Sabre\\DAV\\Server",
"type": "->",
"args": [
"method:GET",
[
{
"__class__": "Sabre\\HTTP\\Request"
},
{
"__class__": "Sabre\\HTTP\\Response"
}
]
]
},
{
"file": "/3rdparty/sabre/dav/lib/DAV/Server.php",
"line": 253,
"function": "invokeMethod",
"class": "Sabre\\DAV\\Server",
"type": "->",
"args": [
{
"__class__": "Sabre\\HTTP\\Request"
},
{
"__class__": "Sabre\\HTTP\\Response"
}
]
},
{
"file": "/3rdparty/sabre/dav/lib/DAV/Server.php",
"line": 321,
"function": "start",
"class": "Sabre\\DAV\\Server",
"type": "->",
"args": []
},
{
"file": "/apps/dav/appinfo/v1/webdav.php",
"line": 84,
"function": "exec",
"class": "Sabre\\DAV\\Server",
"type": "->",
"args": []
},
{
"file": "/remote.php",
"line": 167,
"args": [
"/apps/dav/appinfo/v1/webdav.php"
],
"function": "require_once"
}
],
"File": "/apps/encryption/lib/Crypto/Crypt.php",
"Line": 683,
"Hint": "multikeydecrypt with share key failed:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error"
},
"CustomMessage": "--"
},
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36",
"version": "21.0.5.1"
}
you can fix files with "bad signature" using this new command: https://docs.nextcloud.com/server/latest/admin_manual/issues/general_troubleshooting.html#problems-when-downloading-or-decrypting-files
Thanks for the command. We tried the solution you mentioned but we received the following error:
Repairing only works with master key encryption.
It looks like it will only work for encryption with master key but not with user key encryption that we are currently using.
I also experienced this error with a Nextcloud installation on Cloudron, which was recently updated from v23.0.2 to v23.0.3.
The exact error was:
Encryption not ready: multikeydecrypt with share key failed:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error
After the update I noticed that 3 of the 4 key files on the external storage had a recent timestamp from around the time the update took place, more specifically:
When I looked in the original data directory of the Cloudron app I noticed all 4 keys had an older timestamp from October 22.
I simply copied the keys from the original data directory of the Cloudron app to the external storage location:
cp /app/data/files_encryption/OC_DEFAULT_MODULE/* /mnt/sshfs/files_encryption/OC_DEFAULT_MODULE/
Now everything worked again
So for some reason some of the keys were changed, probably as a result of the update to v23.0.3.
I hope this can help other people with the same issue.
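Several reports in this thread come down to key files under files_encryption being replaced around an upgrade, and to the advice to back up the keys and check their modification times. One way to detect that, as an added example that is not part of the original thread or of Nextcloud's code: record a hash and modification time for every key file and compare against that baseline after each update. The file names in the demo are constructed placeholders.

```python
"""Baseline and verify server-side-encryption key files (added example)."""
import hashlib
import json
import os
import tempfile


def snapshot_keys(key_root):
    """Map each file under key_root to its SHA-256 and modification time."""
    snap = {}
    for folder, _dirs, files in os.walk(key_root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            # Forward slashes keep the manifest comparable across hosts.
            rel = os.path.relpath(path, key_root).replace(os.sep, "/")
            snap[rel] = {"sha256": digest, "mtime": int(os.path.getmtime(path))}
    return snap


def compare_snapshots(baseline, current):
    """Classify every difference between a stored baseline and the live tree."""
    report = {"replaced": [], "touched": [], "missing": [], "new": []}
    for rel, old in baseline.items():
        now = current.get(rel)
        if now is None:
            report["missing"].append(rel)      # key file deleted or moved
        elif now["sha256"] != old["sha256"]:
            report["replaced"].append(rel)     # content changed: old files may not decrypt
        elif now["mtime"] != old["mtime"]:
            report["touched"].append(rel)      # same content, new timestamp
    report["new"] = [rel for rel in current if rel not in baseline]
    for entries in report.values():
        entries.sort()
    return report


def save_baseline(snap, path):
    """Store the manifest (hashes only, no key material) outside the data directory."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snap, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def demo():
    """Build a constructed key tree, simulate a key pair swap, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        key_root = os.path.join(tmp, "data", "files_encryption")
        module_dir = os.path.join(key_root, "OC_DEFAULT_MODULE")
        os.makedirs(module_dir)
        # Constructed placeholder names and contents, not real key files.
        sample = {
            "master_example.privateKey": b"old private key blob",
            "master_example.publicKey": b"old public key blob",
            "pubShare_example.publicKey": b"public share key blob",
        }
        for name, data in sample.items():
            path = os.path.join(module_dir, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.utime(path, (1_600_000_000, 1_600_000_000))

        baseline_file = os.path.join(tmp, "key-baseline.json")
        save_baseline(snapshot_keys(key_root), baseline_file)

        # Simulate the reported symptom: the master key pair is regenerated
        # during an update, and a third file only gets a new timestamp.
        for name in ("master_example.privateKey", "master_example.publicKey"):
            path = os.path.join(module_dir, name)
            with open(path, "wb") as fh:
                fh.write(b"new " + sample[name])
            os.utime(path, (1_650_000_000, 1_650_000_000))
        touched = os.path.join(module_dir, "pubShare_example.publicKey")
        os.utime(touched, (1_650_000_000, 1_650_000_000))

        return compare_snapshots(load_baseline(baseline_file), snapshot_keys(key_root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Any entry under "replaced" or "missing" after an update means the key backup is needed before users hit the decrypt error.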
Hello everyone, is there any update regarding this issue or a possible fix? A few days ago I discovered the same problem with downloading some files. After a little investigation, I found the same error as mentioned here. I have no idea when this problem happened for the first time on my installation. I do backups of all keys for up to 14 days but the problem probably occurred long before, if the root of the problem is related to the NC update (currently I run 24.0.2 and previously I had 23.0.3.2 but probably the problem was already in there). I now have about 100GB of unavailable data in my NC due to the error "multikeydecrypt with share key failed". Is there a way to get my data back or should I jump off the roof right now?
that error message usually means that the encryption file keys are not found
if the files are located on an external storage, it is likely that you had the keys stored in the wrong location due to a bug (see next message)
if you have a single user you should be able to copy the keys from data/$userid/files_encryption/... to data/files_encryption/keys/...
if you need quick access you can try to locally revert https://github.com/nextcloud/server/pull/32705
the bug was as follows:
This means that with v22.2.8 the encryption code is looking for the keys in the user's home instead of the global folder.
I do not use external storage. I have mounted a mount point in /mnt/userdata. I have now tried to copy all keys from data/$userid/files_encryption/ to data/files_encryption/keys/ but the issue persists. Here is the full error message:
Sabre\DAV\Exception\ServiceUnavailable: Encryption not ready: multikeydecrypt with share key failed:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error
/web/apps/dav/lib/Connector/Sabre/File.php - line 482:
OCA\DAV\Connector\Sabre\File->convertToSabreException(OCA\Encrypti ... {})
/web/3rdparty/sabre/dav/lib/DAV/CorePlugin.php - line 85:
OCA\DAV\Connector\Sabre\File->get()
/web/3rdparty/sabre/event/lib/WildcardEmitterTrait.php - line 89:
Sabre\DAV\CorePlugin->httpGet(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})
/web/3rdparty/sabre/dav/lib/DAV/Server.php - line 472:
Sabre\DAV\Server->emit("method:GET", [ Sabre\HTTP ... }])
/web/3rdparty/sabre/dav/lib/DAV/Server.php - line 253:
Sabre\DAV\Server->invokeMethod(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})
/web/3rdparty/sabre/dav/lib/DAV/Server.php - line 321:
Sabre\DAV\Server->start()
/web/apps/dav/lib/Server.php - line 352:
Sabre\DAV\Server->exec()
/web/apps/dav/appinfo/v2/remote.php - line 35:
OCA\DAV\Server->exec()
/web/remote.php - line 166:
require_once("/web/apps/d ... p")
Caused by OCA\Encryption\Exceptions\MultiKeyDecryptException: multikeydecrypt with share key failed:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error
/web/apps/encryption/lib/KeyManager.php - line 479:
OCA\Encryption\Crypto\Crypt->multiKeyDecrypt("*** sensiti ... *")
/web/apps/encryption/lib/Crypto/Encryption.php - line 203:
OCA\Encryption\KeyManager->getFileKey("/admin/file ... g", "master_9dc9bf3d")
/web/lib/private/Files/Stream/Encryption.php - line 286:
OCA\Encryption\Crypto\Encryption->begin("/admin/file ... g", "admin", "r", { oc_encrypt ... "}, [])
<<closure>>
OC\Files\Stream\Encryption->stream_open("ocencryption://", "r", 0, null)
/web/lib/private/Files/Stream/Encryption.php - line 213:
fopen("ocencryption://", "r", false, null)
/web/lib/private/Files/Stream/Encryption.php - line 188:
OC\Files\Stream\Encryption::wrapSource(null, null, "ocencryption", "OC\\Files\\Stream\\Encryption", "r")
/web/lib/private/Files/Storage/Wrapper/Encryption.php - line 460:
OC\Files\Stream\Encryption::wrap(null, "files/BACKU ... g", "/admin/file ... g", { oc_encrypt ... "}, "admin", OCA\Encrypti ... {}, OC\Files\Sto ... l}, OC\Files\Sto ... l}, OC\Encryption\Util {}, OC\Encryption\File {}, "r", 1735728, 1280458, 8192, true)
/web/lib/private/Files/Storage/Wrapper/Wrapper.php - line 301:
OC\Files\Storage\Wrapper\Encryption->fopen("files/BACKU ... g", "r")
/web/apps/files_accesscontrol/lib/StorageWrapper.php - line 236:
OC\Files\Storage\Wrapper\Wrapper->fopen("files/BACKU ... g", "r")
/web/apps/ransomware_protection/lib/StorageWrapper.php - line 317:
OCA\FilesAccessControl\StorageWrapper->fopen("files/BACKU ... g", "r")
/web/lib/private/Files/View.php - line 1175:
OCA\RansomwareProtection\StorageWrapper->fopen("files/BACKU ... g", "r")
/web/lib/private/Files/View.php - line 1010:
OC\Files\View->basicOperation("fopen", "/BACKUP/Fot ... g", [ "read"], "r")
/web/apps/dav/lib/Connector/Sabre/File.php - line 480:
OC\Files\View->fopen("BACKUP/Fotk ... g", "r")
/web/3rdparty/sabre/dav/lib/DAV/CorePlugin.php - line 85:
OCA\DAV\Connector\Sabre\File->get()
/web/3rdparty/sabre/event/lib/WildcardEmitterTrait.php - line 89:
Sabre\DAV\CorePlugin->httpGet(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})
/web/3rdparty/sabre/dav/lib/DAV/Server.php - line 472:
Sabre\DAV\Server->emit("method:GET", [ Sabre\HTTP ... }])
/web/3rdparty/sabre/dav/lib/DAV/Server.php - line 253:
Sabre\DAV\Server->invokeMethod(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})
/web/3rdparty/sabre/dav/lib/DAV/Server.php - line 321:
Sabre\DAV\Server->start()
/web/apps/dav/lib/Server.php - line 352:
Sabre\DAV\Server->exec()
/web/apps/dav/appinfo/v2/remote.php - line 35:
OCA\DAV\Server->exec()
/web/remote.php - line 166:
require_once("/web/apps/d ... p")
I am pretty desperate already
Nobody? Are my data gone? Really?
Unfortunately, I think so. Just like many others here.
I also can't understand the hype around Nextcloud at all. A basic feature (for a cloud product) that has been advertised for years, but is still in alpha status and has bugs that have not been fixed for years.
So I got hit with this too upgrading to 24.0.5.1. I was worried for a second, but found a way to resolve, but will take some time... The solution is to decrypt all files, then turn off encryption until issue is resolved. I will caveat that this may not resolve your data restoration even if nextcloud thinks it was successful in decrypting all files, they will be decrypted leaving the file with AES256 hash as content. Hopefully you have backups of the data. Good luck!
run this to decrypt all files from /var/www/nextcloud directory or wherever nextcloud is installed
sudo -u www-data php occ encryption:decrypt-all
You are about to start to decrypt all files stored in your Nextcloud.
It will depend on the encryption module and your setup if this is possible.
Depending on the number and size of your files this can take some time
Please make sure that no user access his files during this process!
Do you really want to continue? (y/n) y
prepare encryption modules...
done.
Fetch list of users... finished
[============================]
starting to decrypt files... finished
[============================]
Then let's disable encryption
sudo -u www-data php occ encryption:disable
Lastly verify encryption is disabled
sudo -u www-data php occ encryption:status
- enabled: false
- defaultModule: OC_DEFAULT_MODULE
decrypt-all is not working in my case.
Hitting the same bug, setting up a new Nextcloud. At first, I thought this is a config problem on my side, but reading this issue ... well, first I thought it's a joke, but it seems it's not.
I also got the multikeydecrypt error and was already out of ideas, but then I found something in the german forum https://help.nextcloud.com/t/openssl3-problem-nach-update/151985/2
It came down to the openssl settings, then everything worked again, so I thought I'd add it here, even if only the comments from 2022 could possibly be affected by this.
would be good to add the openSSL legacy thing to the docs: https://docs.nextcloud.com/server/latest/admin_manual/issues/general_troubleshooting.html#problems-when-downloading-or-decrypting-files
@Kabbone
Thank you and chris_nc. That did it for me. What a moment to not remain updating...
So I got hit with this too upgrading to 24.0.5.1. I was worried for a second, but found a way to resolve, but will take some time... The solution is to decrypt all files, then turn off encryption until issue is resolved. I will caveat that this may not resolve your data restoration even if nextcloud thinks it was successful in decrypting all files, they will be decrypted leaving the file with AES256 hash as content. Hopefully you have backups of the data. Good luck!
run this to decrypt all files from /var/www/nextcloud directory or wherever nextcloud is installed
sudo -u www-data php occ encryption:decrypt-all
You are about to start to decrypt all files stored in your Nextcloud.
It will depend on the encryption module and your setup if this is possible.
Depending on the number and size of your files this can take some time
Please make sure that no user access his files during this process!
Do you really want to continue? (y/n) y
prepare encryption modules...
done.
Fetch list of users... finished
[============================]
starting to decrypt files... finished
[============================]
Then let's disable encryption
sudo -u www-data php occ encryption:disable
Lastly verify encryption is disabled
sudo -u www-data php occ encryption:status
- enabled: false
- defaultModule: OC_DEFAULT_MODULE
I have a dockerized setup and tried this approach but got the following message:
root@SIS-NXC-DOCKER:~# docker exec -u www-data nxc_nc_app_1 php occ encryption:decrypt-all
Disable server side encryption... done.
You are about to start to decrypt all files stored in your Nextcloud.
It will depend on the encryption module and your setup if this is possible.
Depending on the number and size of your files this can take some time
Please make sure that no user access his files during this process!
Do you really want to continue? (y/n) Enable server side encryption... done.
aborted
But I do not get the option to press any key it aborts without any interaction from my side. Where can I find information on why this is happening?
EDIT: I found the solution myself: https://github.com/nextcloud/server/issues/9894
That's more of a workaround. No encryption can be a security risk depending on the environment.
Nextcloud seems to have some fundamental unaddressed bugs with encryption.
Steps to reproduce
Expected behaviour
Nextcloud should allow downloading of files without any errors.
Actual behaviour
Cannot download some files. User is receiving errors that the server is temporarily unavailable (503) or that the server is in maintenance.
Server configuration
Operating system: Debian 8.10
Web server: NGINX 1.12
Database: MariaDB 10.0
PHP version: PHP 5.6
Nextcloud version: 12.0.2
Updated from an older Nextcloud/ownCloud or fresh install: Updated from an older Nextcloud version.
Signing status:
Signing status
```
No errors have been found.
```
List of activated apps:
App list
```
Enabled:
  - activity: 2.5.2
  - admin_audit: 1.2.0
  - bookmarks: 0.10.1
  - bruteforcesettings: 1.0.3
  - calendar: 1.5.7
  - comments: 1.2.0
  - contacts: 2.0.1
  - dav: 1.3.0
  - encryption: 1.6.0
  - federatedfilesharing: 1.2.0
  - files: 1.7.2
  - files_pdfviewer: 1.1.1
  - files_sharing: 1.4.0
  - files_texteditor: 2.4.1
  - files_trashbin: 1.2.0
  - files_versions: 1.5.0
  - files_videoplayer: 1.1.0
  - firstrunwizard: 2.1
  - gallery: 17.0.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - mail: 0.7.9
  - nextcloud_announcements: 1.1
  - notes: 2.3.2
  - notifications: 2.0.0
  - oauth2: 1.0.5
  - password_policy: 1.2.2
  - provisioning_api: 1.2.0
  - qownnotesapi: 17.5.0
  - serverinfo: 1.2.0
  - sharebymail: 1.2.0
  - systemtags: 1.2.0
  - tasks: 0.9.5
  - theming: 1.3.0
  - twofactor_backupcodes: 1.1.1
  - updatenotification: 1.2.0
  - workflowengine: 1.2.0
Disabled:
  - federation
  - files_external
  - survey_client
  - user_external
  - user_ldap
```
Nextcloud configuration:
Config report
```
"system": {
    "instanceid": "ocpom4ncgfhghkwru",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "***REMOVED SENSITIVE VALUE***"
    ],
    "datadirectory": "\/mnt\/***REMOVED SENSITIVE VALUE***\/data",
    "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "12.0.2.0",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "localhost",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "logtimezone": "Europe\/Zurich",
    "installed": true,
    "theme": "***REMOVED SENSITIVE VALUE***",
    "enable_previews": true,
    "memcache.local": "\\OC\\Memcache\\APCu",
    "enable_avatars": false,
    "logdateformat": "Y-m-d_H:i:s",
    "updatechecker": false,
    "log_type": "errorlog",
    "logfile": "",
    "loglevel": 2,
    "customclient_desktop": "***REMOVED SENSITIVE VALUE***",
    "maintenance": false,
    "trashbin_retention_obligation": "auto,90",
    "activity_expire_days": 90,
    "preview_max_scale_factor": 1,
    "preview_max_filesize_image": 10,
    "skeletondir": "***REMOVED SENSITIVE VALUE***",
    "mail_from_address": "no-reply",
    "mail_smtpmode": "php",
    "mail_smtpauthtype": "LOGIN",
    "mail_domain": "***REMOVED SENSITIVE VALUE***"
}
```
Are you using encryption: yes
Client configuration
Browser: Operating system: Nextcloud-iOS/2.19.2
Logs
Nextcloud log (data/nextcloud.log)
Nextcloud log
```
2018/02/10 04:14:07 [error] 32243#32243: *2115256 FastCGI sent in stderr: "PHP message: [owncloud] [webdav][4] Exception: {"Exception":"Sabre\\DAV\\Exception\\ServiceUnavailable","Message":"Encryption not ready: multikeydecrypt with share key failed:error:0906D06C:PEM routines:PEM_read_bio:no start line","Code":0,"Trace":"#0 \/var\/www\/nextcloud\/3rdparty\/sabre\/dav\/lib\/DAV\/CorePlugin.php(85): OCA\\DAV\\Connector\\Sabre\\File->get()\n#1 [internal function]: Sabre\\DAV\\CorePlugin->httpGet(Object(Sabre\\HTTP\\Request), Object(Sabre\\HTTP\\Response))\n#2 \/var\/www\/nextcloud\/3rdparty\/sabre\/event\/lib\/EventEmitterTrait.php(105): call_user_func_array(Array, Array)\n#3 \/var\/www\/nextcloud\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php(479): Sabre\\Event\\EventEmitter->emit('method:GET', Array)\n#4 \/var\/www\/nextcloud\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php(254): Sabre\\DAV\\Server->invokeMethod(Object(Sabre\\HTTP\\Request), Object(Sabre\\HTTP\\Response))\n#5 \/var\/www\/nextcloud\/apps\/dav\/appinfo\/v1\/webdav.php(71): Sabre\\DAV\\Server->exec()\n#6 \/var\/www\/nextclo" while reading response header from upstream, client: ***REMOVED SENSITIVE VALUE***, server: ***REMOVED SENSITIVE VALUE***, request: "GET /remote.php/webdav/Photos/2018/01/18-01-19%2018-37-42%200433.jpg HTTP/2.0", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "***REMOVED SENSITIVE VALUE***"
```