Encryption errors after upgrade to v23.0.3
After Nextcloud was automatically upgraded from v23.0.2 to v23.0.3 we started getting issues with up- and downloading of files and even opening of files in the browser.
We're using server-side encryption and a Hetzner storage box over sshfs for the data dir.
Further investigation showed that there was an issue with the encryption/decryption on the server.
The exact error we got was:
Encryption not ready: multikeydecrypt with share key failed:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error
Apparently some of the keys were changed in our data dir (the mounted external storage). Luckily we found older, correct keys in the original data dir of the cloudron app (i.e. inside yellowtent).
After replacing the keys on the mounted storage with the older keys from the original data dir everything started working again.
Since there are a lot of encryption related tickets in the Nextcloud repository I mentioned my issue and resolution as a response on one of the still open, relevant issues: https://github.com/nextcloud/server/issues/8349.
But I'm also reporting it here in case it's related to the cloudron packaging and/or someone else here is experiencing similar issues.
@guyds hey, thanks for sharing that, I have the exact same setup and I've been trying to troubleshoot that very same issue since yesterday, and I'm close to starting from scratch because I'm too far down the trial and error road.
Can you elaborate which keys/files you replaced? Ah, I see the solution in your GH post; that won't work here, since I moved all the original data to the storagebox.
@msbt Hey, yes I was lucky that I kept the original data.
But if you have backups - which I hope you do - you can probably recover the correct keys from those backups.
Thing is that you should only restore the keys and nothing else from the backups, otherwise you might get more trouble than you currently have.
@guyds I'm already in the restoring process and will disable encryption in the future, since this kind of encryption isn't secure anyways if someone would have access to the storage... Thanks again for your insights!
@msbt no worries, I'm glad that for once I can share my own solution with this great community.
Most of the time it's the other way around.
Anyway, you have a point that Nextcloud's server-side encryption probably isn't worth it and therefore I'm also experimenting with Seafile, which has the possibility of client-side encrypted libraries. And in my (short) experience so far it is much much faster.
But unfortunately Seafile isn't currently available on Cloudron.