[Bug]: 🪲 Server side encryption does not encrypt files with S3 primary storage, related error messages on encrypt-all and scan:legacy-format 😢 #41992
Comments
Other software info
php -m
php configuration
MySQL is configured per the recommended settings.
Log info
The first set of log messages only appear when running
The second set of log messages only appear when running
Security & setup warnings
None
Summary
Honestly I'm not doing anything fancy. 😊 You can quickly replicate the problem for yourself if you simply perform the steps to reproduce. You can sign up with Wasabi for free in 5 minutes. It's usage-based billing.
I installed a clean install of Nextcloud, php 8.2, Redis, MySQL, APCu, Apache. No service errors nor log errors from any of those where applicable.
As a side note, I was never able to get E2EE + SSE + S3 working. Only SSE + S3. But now that has seemed to stop as well unless manually engaged. :-/ I am hopeful for a resolution. I appreciate your time on this, thank you! 😁
Logs
Also
I also donate my time to many open source projects so I understand that time is valuable. So I really appreciate your help on this! I might be able to submit a PR but am unfamiliar with the inner-workings of Nextcloud from a developer standpoint. 😊
I personally don't recommend using the Nextcloud Encryption module with S3.
Thanks, I will try that as a workaround. The disadvantage with that, of course, is that the files are transmitted unencrypted (encrypted in the connection, but unencrypted in memory). Although the S3 provider only stores the key in memory, it could be possible for bad actors within the S3 provider itself to intercept files or the key. This is of course highly unlikely but in theory possible, so is not the preferred method. This should work for now though until Nextcloud resolves the encryption issues with S3.
It seems that it is encrypting data but only when initiated manually through the
Going to leave the ticket open since the issue itself is not resolved yet.
Just tried this. Sadly another Nextcloud bug. Can we just use this issue to track the encryption issues? Seems to be all related to each other.
Log errors for that:
Steps to reproduce:
Should be the same as AWS:
This is sad that it doesn't work on a new installation. :-( Let me know if I should create another ticket. All of these issues seem to be related.
Oops, so when using SSE after having used encryption on Nextcloud, you have to keep the Default Encryption Module, but disable encryption. Otherwise you'll get that error. Ideally the documentation should mention this, and instead of just saying
Thanks, will try this for now but hoping for a resolution on the main encryption method. 😊
Possibly related to #41704. In reinstalling Nextcloud today (again), I found that error on a new installation.
Bug description
Preface
This issue is well reported and discussed around GitHub and the Nextcloud Community forum; the closest issue is #33371, but @szaimen said to open a new bug report for ongoing issues, which is why I'm creating this one. I'm hoping this issue gets solved. It seems like Nextcloud has a lot of issues with encryption, especially with S3. Many of these issues were reported months or years ago. 😊
Maybe most people do not use S3 as their primary storage, I'm not sure? S3 is an inexpensive way to store lots of data, especially with providers like Wasabi because it's only $6/TB/month. Hoping that someone takes ownership of this situation, even if that just means preventing new installs from using it or adding something to the manual. 😊
Remaining optimistic!
Background
Using Wasabi as an S3-compatible provider for primary storage in Nextcloud.
After upgrading from Nextcloud 26 or 27, I started receiving errors related to encryption (#8349) and thought I was able to solve it by disabling encryption and re-enabling it, but unfortunately most files remained unencrypted. After hours of troubleshooting, I decided to just start over from scratch.
So I installed a clean Nextcloud instance with a new database, new Redis, everything. But as soon as I set up S3 and enabled server side encryption, I ran into trouble. Files will sync and upload to the S3 provider but are not encrypted, unless they are very small. For example, text files will upload and encrypt, but even an 8 MB zip file will not encrypt. Same result in web client and in Windows client.
Because there are many similar issues, and even with a fresh install issues exists, it seems that there are still some unresolved issues within the codebase when it comes to this type of setup: S3 + server side encryption.
Troubleshooting
After performing the Steps to reproduce and then experiencing the issue, I troubleshot by running these commands, testing with file uploads after each command:
The logs only appear when running or after running the occ commands. If I do not run the commands, I do not see anything in the log files. The uploads complete as expected without any logging, but the files are not encrypted.
Steps I have tried to resolve:
sudo -u www-data php occ encryption:decrypt-all
sudo -u www-data php occ encryption:status
sudo -u www-data php occ encryption:disable
sudo -u www-data php occ files:scan --all
"Encrypt the home storage" option in Settings > Security
sudo -u www-data php occ encryption:disable
"Encrypt the home storage" option in Settings > Security
sudo -u www-data php occ encryption:status
occ encryption:scan:legacy-format
sudo -u www-data php occ encryption:migrate-key-storage-format
sudo -u www-data php occ encryption:encrypt-all
After running that, all of the files are encrypted.... but no new files become encrypted.
Similar issues
Related issues that I have read, implementing fixes and pieces from each:
Server Side Encryption Does Not Encrypt Files When Using S3-Compatible Primary Storage #33371
Encryption not working with S3 object storage as primary storage #11826
Server-side encryption is incompatible with using an object store as a primary data store #22077
Nextcloud update cause encryption files not opened anymore or being encrypted. #2206
Enabled encryption and disabled it again and now it throws me an error in the interface and the logs
Similar family of issues that originally lead me to reinstall Nextcloud:
Encrypt:scan:legacy-format finds files which doesn’t have a proper header in files_version and files_trashbin
Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files #8546
Nextcloud Encryption breaks with OpenSSL 3.x due to legacy RC4 usage #32003
Fix encrypted version to 0 when finding unencrypted file #28373
occ encryption:scan:legacy-format
Nextcloud 20 The old server-side-encryption format is enabled #22478
Many people are simply disabling the "Default Encryption Module" but that is not a solution because it disables encryption by doing that.
One of the issues recommended to implement these:
But I had no luck with those.
Steps to reproduce
Default Encryption Module in Apps
Server Side Encryption and Encrypt the Home Storage (should be default I believe)
Expected behavior
Expected behavior is for files to automatically encrypt when uploaded.
Installation method
Community Manual installation with Archive
Nextcloud Server version
27
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.2
Web server
Apache (supported)
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
Fresh Nextcloud Server install
Are you using the Nextcloud Server Encryption module?
Encryption is Enabled
What user-backends are you using?
Configuration report
List of activated Apps
Nextcloud Signing status
Nextcloud Logs
Additional info
No response
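The report above can only infer from occ output whether uploads were actually encrypted. A direct check is to look at the stored objects themselves: Nextcloud's default server-side encryption module writes an ASCII header of the form `HBEGIN:oc_encryption_module:OC_DEFAULT_MODULE:cipher:AES-256-CTR:...:HEND`, padded with `-` to its 8192-byte block size, in front of the ciphertext, so a file whose first bytes are a plain ZIP signature or text was stored unencrypted. The script below is an added example, not code from this issue or from Nextcloud; the header layout, padding character, block size, and the module name it expects are assumptions about the current format, and the two sample files it writes are constructed for the demonstration.

```python
"""Classify files as Nextcloud-SSE-encrypted or plaintext by their header.

Added example, not part of the issue or of Nextcloud. Assumptions (labelled):
the default encryption module prefixes each file with an ASCII header
`HBEGIN:key:value:...:HEND` padded with '-' to BLOCK_SIZE bytes. Point
scan_directory() at objects downloaded from the bucket or at a local data
directory to see which files never received a header.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

HEADER_START = b"HBEGIN"
HEADER_END = b"HEND"
BLOCK_SIZE = 8192                  # assumption: header/block size used by the module
EXPECTED_MODULE = "OC_DEFAULT_MODULE"  # assumption: module id written into the header


def parse_encryption_header(data: bytes) -> Optional[Dict[str, str]]:
    """Return the header's key/value pairs, or None if no header is present."""
    if not data.startswith(HEADER_START + b":"):
        return None
    end = data.find(HEADER_END)
    if end == -1:
        return None
    body = data[len(HEADER_START) + 1:end].rstrip(b":")
    fields = body.decode("ascii", "replace").split(":")
    # fields alternate key, value, key, value, ...
    if len(fields) % 2:
        return None
    return dict(zip(fields[0::2], fields[1::2]))


def classify(data: bytes) -> Tuple[str, Optional[Dict[str, str]]]:
    """Classify the leading bytes of a stored file."""
    header = parse_encryption_header(data[:BLOCK_SIZE])
    if header is None:
        return "plaintext", None
    if header.get("oc_encryption_module") != EXPECTED_MODULE:
        return "unknown-module", header
    return "encrypted", header


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk `root` and bucket every regular file by its classification."""
    result: Dict[str, List[str]] = {"encrypted": [], "plaintext": [], "unknown-module": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            head = fh.read(BLOCK_SIZE)   # only the first block is needed
        status, _ = classify(head)
        result[status].append(str(path.relative_to(root)))
    return result


def make_sample_encrypted() -> bytes:
    """Constructed sample: a padded header followed by dummy ciphertext bytes."""
    header = b"HBEGIN:oc_encryption_module:OC_DEFAULT_MODULE:cipher:AES-256-CTR:signed:true:HEND"
    return header.ljust(BLOCK_SIZE, b"-") + os.urandom(64)


# Constructed sample: the local-file-header signature of a ZIP archive, i.e. what
# an unencrypted upload of a zip file would look like at rest.
SAMPLE_PLAINTEXT_ZIP = b"PK\x03\x04" + b"\x00" * 26 + b"report.txt"


def demo() -> Dict[str, List[str]]:
    """Write both constructed samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "encrypted.bin").write_bytes(make_sample_encrypted())
        (Path(tmp) / "plain.zip").write_bytes(SAMPLE_PLAINTEXT_ZIP)
        return scan_directory(tmp)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:15s} {files}")
```

Files listed under `plaintext` are the ones to worry about: they reached the object store without the module ever touching them, which matches the symptom in the report (large uploads arriving unencrypted while `encryption:encrypt-all` later fixes the backlog). Files under `unknown-module` carry a header from a different or legacy module and deserve a look with `occ encryption:scan:legacy-format`.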