End-to-end encryption does not work

[RainerKlute]

I set up the following scenario with Nextcloud 13 and just re-tested with Nextcloud 14.0.0.19. It still fails.

I have an Android smartphone with Nextcloud app 3.2.4. It is synchronized to a Nextcloud 14.0.0 server. I also have a Linux computer which is synchronized with the same server via the Nextcloud desktop sync client 2.3.3-5.1 from the Opensuse repository.

I tried to send a file from the smartphone to the desktop computer. I also tried to send a file from the desktop computer to the smartphone. Both attempts failed. Here's what I did in detail:

1. On the smartphone, I created a new folder and marked it as encrypted. Fine.
2. The folder gets synchronized to the Nextcloud server. Fine.
3. The folder gets also synchronized to my Linux machine and appears in my local directory. Fine.
4. On the smartphone, I tried to upload a file to the encrypted folder. However, that failed.
   1. There is no immediate error message.
   2. However, the file is now shown in the folder on the phone.
   3. The file does not appear on the server.
   4. Under Uploads, the app lists the file as a failed upload. The filename is null, and the error message is "Unbekannter Fehler" ("unknown error").
5. On the Linux computer, I copied a file to the encrypted folder.
6. The file gets synchronized to the server. Fine.
7. Having a look in the server's files directory, it turns out that the file is stored there unencrypted! MAJOR FAILURE
8. The file does not get synchronized to the smartphone. The encrypted folder is sometimes shown as empty, sometimes an entry for the file from the Linux computer appears.
9. Displaying that file on the smartphone or downloading it to the phone always fails. The message is "Herunterladen fehlgeschlagen. Die Datei steht auf dem Server nicht mehr zur Verfügung." ("Download failed. The file is no longer available on the server.")

Server configuration

Operating system: Linux (openSUSE, Kernel 4.4.143-65-default)

Web server: Apache 2.4.23

Database: mysql (mariadb) 10.0.35

PHP version: 7.2.9

Nextcloud version: 14.0.0.9

Updated from an older Nextcloud/ownCloud or fresh install: Upgraded from Nextcloud 13

Where did you install Nextcloud from:

Signing status:

Signing status

Integrity checker has been disabled. Integrity cannot be verified.

List of activated apps:

App list

Enabled:
  - accessibility: 1.0.1
  - activity: 2.7.0
  - admin_audit: 1.4.0
  - bookmarks: 0.13.0
  - calendar: 1.6.2
  - cloud_federation_api: 0.0.1
  - comments: 1.4.0
  - contacts: 2.1.6
  - dav: 1.6.0
  - deck: 0.4.1
  - encryption: 2.2.0
  - end_to_end_encryption: 1.0.5
  - federatedfilesharing: 1.4.0
  - federation: 1.4.0
  - files: 1.9.0
  - files_accesscontrol: 1.4.0
  - files_external: 1.5.0
  - files_pdfviewer: 1.3.2
  - files_sharing: 1.6.2
  - files_texteditor: 2.6.0
  - files_trashbin: 1.4.1
  - files_versions: 1.7.1
  - files_videoplayer: 1.3.0
  - firstrunwizard: 2.3.0
  - gallery: 18.1.0
  - groupfolders: 1.3.3
  - logreader: 2.0.0
  - lookup_server_connector: 1.2.0
  - mail: 0.10.0
  - mindmaps: 0.1.0
  - nextcloud_announcements: 1.3.0
  - notes: 2.4.1
  - notifications: 2.2.1
  - oauth2: 1.2.1
  - password_policy: 1.4.0
  - polls: 0.8.3
  - provisioning_api: 1.4.0
  - serverinfo: 1.4.0
  - sharebymail: 1.4.0
  - spreed: 4.0.0
  - support: 1.0.0
  - survey_client: 1.2.0
  - systemtags: 1.4.0
  - tasks: 0.9.7
  - theming: 1.5.0
  - twofactor_backupcodes: 1.3.1
  - updatenotification: 1.4.1
  - workflowengine: 1.4.0
Disabled:
  - admin_notifications
  - files_linkeditor
  - user_external
  - user_ldap

Nextcloud configuration:

Config report

{                                                                                                                        
    "system": {                                                                                                          
        "instanceid": "***REMOVED SENSITIVE VALUE***",                                                                   
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",                                                                 
        "secret": "***REMOVED SENSITIVE VALUE***",                                                                       
        "trusted_domains": [                                                                                             
            "cloud.feg-dortmund.de"                                                                                      
        ],                                                                                                               
        "datadirectory": "***REMOVED SENSITIVE VALUE***",                                                                
        "overwrite.cli.url": "https:\/\/cloud.feg-dortmund.de",                                                          
        "dbtype": "mysql",                                                                                               
        "version": "14.0.0.19",                                                                                          
        "dbname": "***REMOVED SENSITIVE VALUE***",                                                                       
        "dbhost": "***REMOVED SENSITIVE VALUE***",                                                                       
        "dbtableprefix": "oc_",                                                                                          
        "dbuser": "***REMOVED SENSITIVE VALUE***",                                                                       
        "dbpassword": "***REMOVED SENSITIVE VALUE***",                                                                   
        "installed": true,                                                                                               
        "loglevel": 3,                                                                                                   
        "default_language": "de",                                                                                        
        "check_for_working_webdav": true,                                                                                
        "check_for_working_htaccess": true,                                                                              
        "appstore.experimental.enabled": true,                                                                           
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",                                                            
        "mail_smtpmode": "sendmail",                                                                                     
        "mail_domain": "***REMOVED SENSITIVE VALUE***",                                                                  
        "maintenance": false,                                                                                            
        "memcache.locking": "\\OC\\Memcache\\Redis",                                                                     
        "redis": {                                                                                                       
            "host": "***REMOVED SENSITIVE VALUE***",                                                                     
            "port": 6379,                                                                                                
            "timeout": 0                                                                                                 
        },                                                                                                               
        "integrity.check.disabled": true,                                                                                
        "updater.release.channel": "stable",                                                                             
        "mail_smtpauthtype": "LOGIN"                                                                                     
    }                                                                                                                    
}

Are you using external storage, if yes which one: None

Are you using encryption: Yes

Are you using an external user-backend, if yes which one: None

LDAP config

There are no commands defined in the "ldap" namespace.                                                                 

Client configuration

Browser: see above

Operating system: see above

Logs

Web server error log

Web server error log

—

Nextcloud log (data/nextcloud.log)

Nextcloud log

—

Browser log

Browser log

—

[nextcloud-bot]

GitMate.io thinks possibly related issues are #6685 (External storage encryption not working), #7284 (Encryption/Decryption not working on versioned files), #10141 (Allow app to specify it doesn't work with user key server side encryption), #5143 (Group sharing not working with encryption for newly added users), and #4965 (Moving shared folders doesn't work as expected).

[MorrisJobke]

cc @nextcloud/encryption

[loxK]

I think they gave up on that feature. Nextcloud now have the habit to announce awesome features and then give them up.

[skjnldsv]

Upcoming release fixes lots of things. Please check other existing issues and wait for nc20