
Encryption Module: moving keys will break Nextcloud #6769

Closed
ghost opened this issue Oct 5, 2017 · 14 comments

Comments

ghost commented Oct 5, 2017

Ubuntu 16.0.3 LTS X64 on ARM64 (oDroidC2)
Nextcloud 12.0.3 (plain/new installation from scratch)
PHP 7.1.10
MariaDB 10.0.31
Redis-Server 3.0.6
web-user: www-data
web-root: /var/www/nextcloud
data-dir: /var/nc_data

The encryption was configured properly on my test environment for all users:
[screenshot]
[screenshot]

When trying to move the keys as described in Nextcloud's Admin Documentation here, the server will crash:
mkdir /etc/keys
chown -R root:www-data /etc/keys
chmod -R 0770 /etc/keys
sudo -u www-data php occ encryption:change-key-storage-root ../../../etc/keys/

[screenshot]

[screenshot]

No entries were generated while moving the keys. When trying to open Nextcloud, the following entries are thrown:

root@ncbox:/var/www/nextcloud# cat /var/nc_data/nextcloud.log
{"reqId":"fO3t18YMOqNVYFhKJ85E","level":3,"time":"2017-10-05T08:50:05+02:00","re2.168.2.125","user":"--","app":"index","method":"GET","url":"/","message":"Exceeption":"OC\\ServiceUnavailableException","Message":"Key Storage is not e":0,"Trace":"#0 \/var\/www\/nextcloud\/apps\/encryption\/appinf28): OC\\Encryption\\Manager->isReady()\n#1 \/var\/www\/nextcloud\/e\/legacy\/app.php(209): require_once('\/var\/www\/nextcl...')\n#2 \\/nextcloud\/lib\/private\/legacy\/app.php(149): OC_App::requireAppFile)\n#3 \/var\/www\/nextcloud\/lib\/private\/legacy\/app.php(124): pp('encryption')\n#4 \/var\/www\/nextcloud\/lib\/base.php(992): OC_Aprray)\n#5 \/var\/www\/nextcloud\/index.php(48): OC::handleRequest()\n#File":"\/var\/www\/nextcloud\/lib\/private\/Encryption\/Manager.":114}","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/fox/56.0","version":"12.0.3.3"}
root@ncbox:/var/www/nextcloud#

Running any occ command, the following errors appear:

An unhandled exception has been thrown:
OC\ServiceUnavailableException: Key Storage is not ready in /var/www/nextcloud/lib/private/Encryption/Manager.php:114
Stack trace:
#0 /var/www/nextcloud/apps/encryption/appinfo/app.php(28): OC\Encryption\Manager->isReady()
#1 /var/www/nextcloud/lib/private/legacy/app.php(209): require_once('/var/www/nextcl...')
#2 /var/www/nextcloud/lib/private/legacy/app.php(149): OC_App::requireAppFile('encryption')
#3 /var/www/nextcloud/lib/private/legacy/app.php(124): OC_App::loadApp('encryption')
#4 /var/www/nextcloud/lib/private/Console/Application.php(104): OC_App::loadApps()
#5 /var/www/nextcloud/console.php(99): OC\Console\Application->loadCommands(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#6 /var/www/nextcloud/occ(11): require_once('/var/www/nextcl...')

Although moving the keys was reported as "successful", the keys remain in the user location instead of "/etc/keys":

[screenshot]

What went wrong and what would help to repair this instance?
Cheers, Carsten

ghost (Author) commented Oct 5, 2017

root@ncbox:/usr/local/src# sudo -u www-data php /var/www/nextcloud/occ app:list
Enabled:

  • admin_audit: 1.2.0
  • bruteforcesettings: 1.0.2
  • dav: 1.3.0
  • encryption: 1.6.0
  • federatedfilesharing: 1.2.0
  • files: 1.7.2
  • files_pdfviewer: 1.1.1
  • files_sharing: 1.4.0
  • files_texteditor: 2.4.1
  • files_trashbin: 1.2.0
  • files_videoplayer: 1.1.0
  • gallery: 17.0.0
  • logreader: 2.0.0
  • lookup_server_connector: 1.0.0
  • nextcloud_announcements: 1.1
  • notifications: 2.0.0
  • oauth2: 1.0.5
  • password_policy: 1.2.2
  • provisioning_api: 1.2.0
  • sharebymail: 1.2.0
  • theming: 1.3.0
  • twofactor_backupcodes: 1.1.1
  • twofactor_totp: 1.3.1
  • updatenotification: 1.2.0
  • workflowengine: 1.2.0
Disabled:
  • activity
  • comments
  • federation
  • files_external
  • files_versions
  • firstrunwizard
  • serverinfo
  • survey_client
  • systemtags
  • user_external
  • user_ldap

root@ncbox:/usr/local/src# sudo -u www-data php /var/www/nextcloud/occ config:list
{
"system": {
"instanceid": "REMOVED SENSITIVE VALUE",
"passwordsalt": "REMOVED SENSITIVE VALUE",
"secret": "REMOVED SENSITIVE VALUE",
"trusted_domains": [
"REMOVED SENSITIVE VALUE"
],
"datadirectory": "/var/nc_data",
"overwrite.cli.url": "https://REMOVED SENSITIVE VALUE",
"dbtype": "mysql",
"version": "12.0.3.3",
"dbname": "nextcloud",
"dbhost": "localhost",
"dbport": "",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "REMOVED SENSITIVE VALUE",
"dbpassword": "REMOVED SENSITIVE VALUE",
"installed": true,
"htaccess.RewriteBase": "/",
"overwriteprotocol": "https",
"loglevel": 1,
"logtimezone": "Europe/Berlin",
"logfile": "/var/nc_data/nextcloud.log",
"log_rotate_size": 104857600,
"cron_log": true,
"filesystem_check_changes": 1,
"quota_include_external_storage": false,
"knowledgebaseenabled": false,
"memcache.local": "\OC\Memcache\APCu",
"filelocking.enabled": "true",
"memcache.locking": "\OC\Memcache\Redis",
"redis": {
"host": "/var/run/redis/redis.sock",
"port": 0,
"timeout": 0
},
"maintenance": false,
"theme": "",
"enable_previews": true,
"enabledPreviewProviders": [
"OC\Preview\PNG",
"OC\Preview\JPEG",
"OC\Preview\GIF",
"OC\Preview\BMP",
"OC\Preview\XBitmap",
"OC\Preview\Movie",
"OC\Preview\PDF",
"OC\Preview\MP3",
"OC\Preview\TXT",
"OC\Preview\MarkDown"
],
"preview_max_x": 1024,
"preview_max_y": 768,
"preview_max_scale_factor": 1,
"defaultapp": "apporder",
"mail_from_address": "REMOVED SENSITIVE VALUE",
"mail_smtpmode": "smtp",
"mail_smtpauthtype": "LOGIN",
"mail_domain": "REMOVED SENSITIVE VALUE",
"mail_smtpsecure": "tls",
"mail_smtpauth": 1,
"mail_smtphost": "REMOVED SENSITIVE VALUE",
"mail_smtpport": "587",
"mail_smtpname": "REMOVED SENSITIVE VALUE",
"mail_smtppassword": "REMOVED SENSITIVE VALUE",
"skeletondirectory": ""
},
"apps": {
"activity": {
"enabled": "no",
"installed_version": "2.5.2",
"types": "filesystem"
},
"admin_audit": {
"enabled": "yes",
"installed_version": "1.2.0",
"types": "logging"
},
"backgroundjob": {
"lastjob": "4"
},
"bruteForce": {
"whitelist_1": "192.168.2.0/24"
},
"bruteforcesettings": {
"enabled": "yes",
"installed_version": "1.0.2",
"types": ""
},
"comments": {
"enabled": "no",
"installed_version": "1.2.0",
"types": "logging"
},
"core": {
"backgroundjobs_mode": "cron",
"default_encryption_module": "OC_DEFAULT_MODULE",
"encryption_enabled": "yes",
"installed.bundles": "["CoreBundle"]",
"installedat": "1507189358.7448",
"lastcron": "1507189506",
"lastupdatedat": "1507189358.7686",
"oc.integritycheck.checker": "[]",
"public_files": "files_sharing/public.php",
"public_webdav": "dav/appinfo/v1/publicwebdav.php",
"scss.variables": "e970dd9b7a2e6fe0c8a9feb579cb464f",
"vendor": "nextcloud"
},
"dav": {
"enabled": "yes",
"installed_version": "1.3.0",
"types": "filesystem"
},
"encryption": {
"enabled": "yes",
"installed_version": "1.6.0",
"masterKeyId": "master_a16096ab",
"publicShareKeyId": "pubShare_a16096ab",
"recoveryAdminEnabled": "1",
"recoveryKeyId": "recoveryKey_a16096ab",
"types": "filesystem"
},
"federatedfilesharing": {
"enabled": "yes",
"installed_version": "1.2.0",
"types": ""
},
"federation": {
"enabled": "no",
"installed_version": "1.2.0",
"types": "authentication"
},
"files": {
"cronjob_scan_files": "500",
"enabled": "yes",
"installed_version": "1.7.2",
"types": "filesystem"
},
"files_pdfviewer": {
"enabled": "yes",
"installed_version": "1.1.1",
"ocsid": "166049",
"types": ""
},
"files_sharing": {
"enabled": "yes",
"installed_version": "1.4.0",
"types": "filesystem"
},
"files_texteditor": {
"enabled": "yes",
"installed_version": "2.4.1",
"ocsid": "166051",
"types": ""
},
"files_trashbin": {
"enabled": "yes",
"installed_version": "1.2.0",
"types": "filesystem"
},
"files_versions": {
"enabled": "no",
"installed_version": "1.5.0",
"types": "filesystem"
},
"files_videoplayer": {
"enabled": "yes",
"installed_version": "1.1.0",
"types": ""
},
"firstrunwizard": {
"enabled": "no",
"installed_version": "2.1",
"types": "logging"
},
"gallery": {
"enabled": "yes",
"installed_version": "17.0.0",
"types": ""
},
"logreader": {
"enabled": "yes",
"installed_version": "2.0.0",
"ocsid": "170871",
"types": ""
},
"lookup_server_connector": {
"enabled": "yes",
"installed_version": "1.0.0",
"types": "authentication"
},
"nextcloud_announcements": {
"enabled": "yes",
"installed_version": "1.1",
"pub_date": "Sat, 10 Dec 2016 00:00:00 +0100",
"types": "logging"
},
"notifications": {
"enabled": "yes",
"installed_version": "2.0.0",
"types": "logging"
},
"oauth2": {
"enabled": "yes",
"installed_version": "1.0.5",
"types": "authentication"
},
"password_policy": {
"enabled": "yes",
"installed_version": "1.2.2",
"types": ""
},
"provisioning_api": {
"enabled": "yes",
"installed_version": "1.2.0",
"types": "prevent_group_restriction"
},
"serverinfo": {
"enabled": "no",
"installed_version": "1.2.0",
"types": ""
},
"sharebymail": {
"enabled": "yes",
"installed_version": "1.2.0",
"types": "filesystem"
},
"survey_client": {
"enabled": "no",
"installed_version": "1.0.0",
"types": ""
},
"systemtags": {
"enabled": "no",
"installed_version": "1.2.0",
"types": "logging"
},
"theming": {
"enabled": "yes",
"installed_version": "1.3.0",
"types": "logging"
},
"twofactor_backupcodes": {
"enabled": "yes",
"installed_version": "1.1.1",
"types": ""
},
"twofactor_totp": {
"enabled": "yes",
"installed_version": "1.3.1",
"types": ""
},
"updatenotification": {
"enabled": "yes",
"installed_version": "1.2.0",
"types": ""
},
"workflowengine": {
"enabled": "yes",
"installed_version": "1.2.0",
"types": "filesystem"
}
}
}

nickvergessen (Member) commented:

@schiessle

schiessle (Member) commented Oct 5, 2017

The folder must be somewhere in your data folder, either physically or as a mount. Otherwise Nextcloud will not be able to access it.

I fixed the documentation: nextcloud/documentation#570

ghost (Author) commented Oct 5, 2017

Unfortunately, that doesn't solve it either!
My data dir: /var/nc_data
All keys should be migrated to /var_nc_data/keys

[screenshot]

[screenshot]

ghost (Author) commented Oct 6, 2017

Do you need further information?

ghost (Author) commented Oct 10, 2017

Please re-open this issue, it isn't fixed.

nickvergessen (Member) commented:

Can you check whether there is a .oc_key_storage file in that new directory?

nickvergessen (Member) commented:

And also make sure that the owner of the files is www-data, not root.

ghost (Author) commented Oct 10, 2017

Hi, the ownership was set as written in the documentation.
In detail: all file permissions are set to www-data:www-data except the new key folder, which was set to "root:www-data" as written in the documentation.
In both scenarios, with root:www-data as well as with www-data:www-data permissions, the error occurs and the system crashed.

[screenshot]

Even on another system, so it is reproducible on two systems. There is no data in the new key folder:

[screenshot]

Looking forward to your response... thank you.
Carsten

ghost (Author) commented Oct 10, 2017

That is my permissions.sh for this test environment:

#!/bin/bash
# permissions.sh: reset ownership and permissions of the web root and data directories
service nginx stop
# Files 0640, directories 0750 under the web root
find /var/www/ -type f -print0 | xargs -0 chmod 0640
find /var/www/ -type d -print0 | xargs -0 chmod 0750
chown -R www-data:www-data /var/www/
chown -R www-data:www-data /upload_tmp/
chown -R www-data:www-data /var/nc_data/
chown -R www-data:www-data /nc_data/
chmod 0644 /var/www/nextcloud/.htaccess
chmod 0644 /var/www/nextcloud/.user.ini
# Key storage root: the documentation says root:www-data; www-data:www-data was tested as well
#chown -R root:www-data /nc_data/keys
chown -R www-data:www-data /nc_data/keys
chmod -R 0770 /nc_data/keys
service nginx restart
exit 0

nickvergessen (Member) commented Oct 10, 2017

Can you specify the full path instead of a relative one please when moving the directory?
I think that should fix the issue.

Okay, apparently it has to be relative, sorry.

ghost (Author) commented Oct 10, 2017

No, the full path wasn't accepted!

[screenshot]

[screenshot]

nickvergessen (Member) commented Oct 10, 2017

There was a wrong handling of the return, I fixed that, but now it throws an exception instead of falsely continuing: #6805

To make your instance temporarily work again, execute the following query:

DELETE FROM `oc_appconfig`
WHERE `appid` = 'core'
AND `configkey` = 'encryption_key_storage_root';
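A pre-flight check for the three conditions raised in this thread (the new key root must live inside the data directory, it must be owned by the web user, and after the move it must contain the .oc_key_storage marker). This is an added example, not Nextcloud code and not something posted in the issue; the function names and argument order are my own.

```shell
#!/bin/sh
# Hypothetical helper (not part of Nextcloud): validate a key storage root
# before running `occ encryption:change-key-storage-root`, and verify the
# marker file afterwards.
# Usage: check_key_storage_root <datadirectory> <key root relative to it> <web user>

resolve_key_root() {
    # occ takes the new root relative to the data directory, so resolve it
    # from there to an absolute, symlink-free path; ".." escapes become visible.
    ( cd "$1" 2>/dev/null && cd "$2" 2>/dev/null && pwd -P )
}

check_key_storage_root() {
    datadir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "datadirectory missing: $1"; return 1; }
    keyroot=$(resolve_key_root "$datadir" "$2") || { echo "key root does not exist: $2"; return 1; }
    case "$keyroot" in
        "$datadir"/*) ;;   # inside the data directory (physically or as a mount)
        *) echo "key root $keyroot is outside $datadir"; return 1 ;;
    esac
    # Owner must be the web user, not root, or PHP cannot read or write the keys
    owner=$(ls -ld "$keyroot" | awk '{print $3}')
    [ "$owner" = "$3" ] || { echo "key root owned by $owner, expected $3"; return 1; }
    echo "key root $keyroot looks usable"
    return 0
}

# After migration the directory must hold the .oc_key_storage marker; if it is
# missing, the keys were not actually moved even if occ reported success.
check_marker_present() {
    [ -f "$1/.oc_key_storage" ]
}
```

Run it as `check_key_storage_root /var/nc_data keys www-data` before the occ call, then `check_marker_present /var/nc_data/keys` after it.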

ghost (Author) commented Oct 10, 2017

Thanks for your assistance!
