Unstable encryption with "occ encryption:encrypt-all"

Unstable encryption with "occ encryption:encrypt-all"

Bjoern Voigt
In a testing project I try to enable encryption for a small Owncloud server.

The Owncloud server is version 9.0.3. The server contains 20 users with
around 4000 files all together. Most files are shared with multiple
users. I copied files and database to a new installation for testing. I
verified that absolute paths, secrets, salts etc. were set up correctly
in the Owncloud copy.

Since I had a lot of trouble with "Can not decrypt this file, probably
this is a shared file. Please ask the file owner to reshare the file
with you." messages after enabling encryption and testing users
one-by-one, I started again with the automatic encryption process "occ
encryption:encrypt-all" on the Owncloud command line.

The encryption process was working for some hours, but now it stops very
often with errors.

Currently it stops with the message

  [OCP\Lock\LockedException]
  "files/f30b197da4af15a81b43e1f80d574302" is locked

I also saw "out of memory" errors and "bad signature" errors.

I tried to recover from the errors by manually deleting conflicting files in
filesystem and in the Owncloud MySQL tables. But doing this again and
again would cost me days or weeks.

Are there any hints for successful automatic encryption of an existing
Owncloud installation?

This was my process:
1) ./occ app:enable encryption
2) ./occ encryption:list-modules
3) ./occ encryption:enable
4) Login as admin in Owncloud web and encryption recovery generation
5) ./occ encryption:encrypt-all
6) recovering from errors
7) starting again from 5)

My second question:
Could someone explain what
./occ encryption:enable-master-key
exactly does and why it can be useful. The help text

"Enable the master key. Only available for fresh installations with no
existing encrypted data! There is also no way to disable it again."

and the documentation
(https://doc.owncloud.org/server/8.2/admin_manual/configuration_files/encryption_configuration.html)

"Create a new master key. Use this when you have a single-sign on
infrastructure. Use this only on fresh installations with no existing
data, or on systems where encryption has not already been enabled. It is
not possible to disable it:"

are not very precise. Why should it help in single sign-on
infrastructures? And why does Owncloud create additional keys even after
enabling the master key? Does a master key help me as an administrator
if users forgot their passwords?

Greetings,
Björn
_______________________________________________
User mailing list
[hidden email]
http://mailman.owncloud.org/mailman/listinfo/user

Re: Unstable encryption with "occ encryption:encrypt-all"

Victor Dubiniuk-2
Hi Björn,

1. After enabling encryption all users need to login at least once to
generate encryption keys, because a user's encryption key is protected by
the password of this user.
I'm not 100% sure but I think this might be the case.

2. The master key is a key that allows the administrator to decrypt user
data in case of emergency. Otherwise a user who forgot his password will
lose all the files.

Hope this helps,
Victor

On 07/06/2016 10:20 PM, Bjoern Voigt wrote:


Re: Unstable encryption with "occ encryption:encrypt-all"

Bjoern Voigt
Victor Dubiniuk wrote:
> 1. After enabling encryption all users need to login at least once to
> generate encryption keys. Because a user encryption key is protected
> by the password of this user.
> I'm not 100% sure but I think this might be the case.
"occ encryption:encrypt-all" automatically creates encryption keys for
all users:

    ./occ encryption:encrypt-all


    You are about to start to encrypt all files stored in your ownCloud.
    It will depend on the encryption module you use which files get
    encrypted.
    Depending on the number and size of your files this can take some time
    Please make sure that no user access his files during this process!

    Do you really want to continue? (y/n)

    Encrypt all files with the Default encryption module
    ====================================================


    Create key-pair for every user
    ------------------------------

    This module will encrypt all files in the users files folder initially.
    Already existing versions and files in the trash bin will not be
    encrypted.


     %message%
     Create key-pair for user1
     Create key-pair for user2
    [...]

At the end of this process, Owncloud writes a message with the user
passwords used for encryption. Of course this causes the problem that
the encryption passwords must be distributed to the users.

    +-----------+----------------------+
    | Username  | Private key password |
    +-----------+----------------------+
    | user1     | password1            |
    | user2     | password2            |
    | ...       | ...                  |
    +-----------+----------------------+

Unfortunately I saw such a summary in a small test, but not in my
bigger test. Maybe the summary would come later, but as I wrote, the
process often stops with errors.

> 2. The master key is a key that allows to decrypt user data for
> administrator in case of emergency. Otherwise user that forgot his
> password will lose all the files.
Maybe. But what is the difference between the encryption recovery key
(in Owncloud web) and the master key?

Greetings,
Björn


Re: Unstable encryption with "occ encryption:encrypt-all"

Vincent Petry
Hello Björn,

You might want to wait for 9.0.4 later to redo your test run. Or have a
try with the daily stable9 build (upcoming 9.0.4):
https://download.owncloud.org/community/daily/owncloud-daily-stable9.tar.bz2

It was found that for long running processes like cron jobs or OCC
commands the memory wasn't properly freed between users. Or let's say
things were cached and not removed from the cache when not needed any
more, which leads to out of memory errors. These problems were fixed on
stable9.

Regarding the case about LockedException I'm not sure it's fixed, let us
know if you see it happening on stable9. If it does, please raise a bug
report. It is important to find out how the shares were configured for
the file for which the locked exception is occurring.

And about the master key mode, what Victor said is not 100% correct. In
regular encryption mode every user has their own private/public key
pair, and the private key is protected by the user's password. It is
more secure. However in "master key mode" there is only one key (or
keypair) and all files are encrypted using the same keys. The master key
mode is less secure but allows more flexibility like adding users to a
group for which there is already a group share, which is not possible
currently in the regular mode.

Hope this helps.

Cheers,

Vincent

On 06.07.2016 23:11, Bjoern Voigt wrote:


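Added example, not code from the thread or from ownCloud (and in Go rather than the server's PHP): a reduced model of the per-user share-key scheme Vincent describes above, to make the difference Björn asked about concrete. Each file gets a random key that is wrapped once per recipient; a recovery key is modelled as one more recipient wrapped into every file (my assumption about the product), whereas master-key mode would wrap every share key for one system key. The names User, Encrypt, Decrypt and AddRecipient are mine, and the password protection of each private key is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// User holds one RSA key pair; password protection of the private key is omitted.
type User struct {
	Name string
	Priv *rsa.PrivateKey
}
// EncryptedFile: AES-GCM ciphertext plus one wrapped file key per recipient ("share keys").
type EncryptedFile struct {
	Nonce, Ciphertext []byte
	ShareKeys         map[string][]byte // recipient name -> RSA-OAEP wrapped file key
}

func NewUser(name string) *User {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &User{Name: name, Priv: k}
}

func wrap(fileKey []byte, pub *rsa.PublicKey) []byte {
	out, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		panic(err)
	}
	return out
}

// Encrypt seals the content under a fresh file key and wraps that key once per recipient.
func Encrypt(plain []byte, recipients ...*User) *EncryptedFile {
	fileKey, nonce := make([]byte, 32), make([]byte, 12) // AES-256 key, GCM nonce
	rand.Read(fileKey) // crypto/rand.Read never returns an error
	rand.Read(nonce)
	block, _ := aes.NewCipher(fileKey) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	ef := &EncryptedFile{nonce, gcm.Seal(nil, nonce, plain, nil), map[string][]byte{}}
	for _, u := range recipients {
		ef.ShareKeys[u.Name] = wrap(fileKey, &u.Priv.PublicKey)
	}
	return ef
}

// unwrapFor recovers the file key; a user without a share key gets the error the thread quotes.
func unwrapFor(ef *EncryptedFile, u *User) ([]byte, error) {
	sk, ok := ef.ShareKeys[u.Name]
	if !ok {
		return nil, errors.New("Can not decrypt this file, probably this is a shared file")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, u.Priv, sk, nil)
}

func Decrypt(ef *EncryptedFile, u *User) ([]byte, error) {
	fileKey, err := unwrapFor(ef, u)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(fileKey)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// AddRecipient is the "reshare" step: an existing holder must unwrap the file key and
// wrap it again for the newcomer, so that holder's private key must be usable right then.
func AddRecipient(ef *EncryptedFile, holder, newcomer *User) error {
	fileKey, err := unwrapFor(ef, holder)
	if err != nil {
		return err
	}
	ef.ShareKeys[newcomer.Name] = wrap(fileKey, &newcomer.Priv.PublicKey)
	return nil
}
```

Because AddRecipient needs a current holder's private key, adding a user to a group that already has a share cannot be completed by the server alone in per-user mode, which is the limitation Vincent describes and the reason a user without a share key sees the quoted error.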

Re: Unstable encryption with "occ encryption:encrypt-all"

Bjoern Voigt
Vincent Petry wrote:

Thank you Vincent for the tips.

I restarted the encryption test with the suggested 9.0.4 stable9 build.

This time I prepared the Owncloud snapshot from the production Owncloud
instance more carefully:

 1. Waited for a time, where no users logged in
 2. Checked, that the Owncloud cron job was successful
 3. Put Owncloud in single user mode:
    ./occ maintenance:singleuser --on
 4. mysqldump of tables and data
 5. Replaced absolute paths in mysqldump
 6. Copied data directory from Owncloud production to Owncloud test
 7. Created MySQL database from MySQL dumps
 8. Set up Owncloud 9.0.4 stable9
 9. Copied config/config.php and .htaccess files
10. Upgrade to 9.0.4 with ./occ upgrade
11. Manual checks as admin user and user1 in browser
12. Everything was OK

Now I started the encryption process on the Owncloud test instance.

I found 3 main problems here:

 1. Master key creation was delayed until encryption itself was started.
    For me it's also unclear why a separate key pair was created for
    each user anyway (see logs).
 2. The created encryption passwords for each user were not shown. I
    think they were shown after the encryption process. But this is too
    late in case of errors or interrupts. All users except the admin
    user were authenticated with user_external app. Files for users are
    probably lost (in this test only fortunately).
 3. The encryption process stops after some minutes with locking errors.

Here is my protocol for encryption. I changed some private names
(usernames and filenames) here.

    $ ./occ maintenance:repair
    ownCloud is in maintenance mode - no app have been loaded
     - Repair mime types
     - Repair legacy storages
     - Clear asset cache after upgrade
         - Asset pipeline disabled -> nothing to do
     - Generate ETags for file where no ETag is present.
         - ETags have been fixed for 0 files/folders.
     - Clean tags and favorites
         - 0 tags for delete files have been removed.
         - 0 tag entries for deleted tags have been removed.
         - 0 tags with no entries have been removed.
     - Drop old database tables
     - Drop old background jobs
     - Remove getetag entries in properties table
         - Removed 0 unneeded "{DAV:}getetag" entries from properties table.
     - Repair outdated OCS IDs
     - Repair invalid shares
     - Fix permissions so avatars can be stored again
     - Manually copies the third-party folder changes since 9.0.0 due to a bug in the updater.
         - Third-party files seem already to have been copied. No repair necessary.
         - Rechecking code integrity not necessary.

    $  ./occ encryption:status
      - enabled: false
      - defaultModule:
    $ ./occ app:enable encryption
    encryption enabled
    $  ./occ encryption:status
      - enabled: false
      - defaultModule: OC_DEFAULT_MODULE
    $ ./occ encryption:list-modules
      - OC_DEFAULT_MODULE: Default encryption module [default*]
    $ ./occ encryption:enable-master-key
    Warning: Only available for fresh installations with no existing
    encrypted data! There is also no way to disable it again. Do you
    want to continue? (y/n) y
    Master key successfully enabled.
    $ ./occ encryption:enable
    Encryption enabled

    Default module: OC_DEFAULT_MODULE
    $ ./occ encryption:status
      - enabled: true
      - defaultModule: OC_DEFAULT_MODULE
    $ ./occ encryption:enable-master-key
    Master key already enabled
    $ nice ionice -c idle ./occ encryption:encrypt-all 2>&1 |tee -a /tmp/owncloud-test-encryptall-daily9.log


    You are about to start to encrypt all files stored in your ownCloud.
    It will depend on the encryption module you use which files get
    encrypted.
    Depending on the number and size of your files this can take some time
    Please make sure that no user access his files during this process!

    Do you really want to continue? (y/n) y

    Encrypt all files with the Default encryption module
    ====================================================


    Create key-pair for every user
    ------------------------------

    This module will encrypt all files in the users files folder initially.
    Already existing versions and files in the trash bin will not be
    encrypted.

    Create key-pair for admin
    Create key-pair for user1
    Create key-pair for user10

    Start to encrypt users files
    ----------------------------


    encrypt files for user admin (1 of 25): /admin/files/ownCloudUserManual.pdf
    encrypt files for user admin (1 of 25): /admin/files/Photos/Paris.jpg
    encrypt files for user admin (1 of 25): /admin/files/Photos/San Francisco.jpg
    encrypt files for user admin (1 of 25): /admin/files/Photos/Squirrel.jpg
    encrypt files for user admin (1 of 25): /admin/files/Documents/Example.odt
    encrypt files for user admin (1 of 25): /admin/files/directory1/atext.txt
    [...]
    encrypt files for user bv (11 of 25): /user10/files/afile1.docx
    encrypt files for user bv (11 of 25): /user10/files/ownCloudUserManual.pdf
    encrypt files for user bv (11 of 25): /user10/files/20150726_somefile.pptx

      [OCP\Lock\LockedException]
      "20150726_somefile.pptx.encrypted.1468013830" is locked



      [OCP\Lock\LockedException]
      "files/2d52352508a914dfa005933d31df1ad1" is locked

Any ideas how I can fix the problems?

Greetings,
Björn


Re: Unstable encryption with "occ encryption:encrypt-all"

Bjoern Voigt
Bjoern Voigt wrote:

> I found 3 main problems here:
>
>  1. Master key creation was delayed until encryption itself was started.
>     For me it's also unclear why a separate key pair was created for
>     each user anyway (see logs).
>  2. The created encryption passwords for each user were not shown. I
>     think they were shown after the encryption process. But this is too
>     late in case of errors or interrupts. All users except the admin
>     user were authenticated with user_external app. Files for users are
>     probably lost (in this test only fortunately).
>  3. The encryption process stops after some minutes with locking errors.
For problem 2 I probably found a solution. The password output comes too
late if the encryption process stops with an error.

The original code for Owncloud 9.0.4 daily9 looks like this:

apps/encryption/lib/crypto/encryptall.php:

        public function encryptAll(InputInterface $input, OutputInterface $output) {

                $this->input = $input;
                $this->output = $output;

                $headline = 'Encrypt all files with the ' . Encryption::DISPLAY_NAME;
                $this->output->writeln("\n");
                $this->output->writeln($headline);
                $this->output->writeln(str_pad('', strlen($headline), '='));

                //create private/public keys for each user and store the private key password
                $this->output->writeln("\n");
                $this->output->writeln('Create key-pair for every user');
                $this->output->writeln('------------------------------');
                $this->output->writeln('');
                $this->output->writeln('This module will encrypt all files in the users files folder initially.');
                $this->output->writeln('Already existing versions and files in the trash bin will not be encrypted.');
                $this->output->writeln('');
                $this->createKeyPairs();

                //setup users file system and encrypt all files one by one (take should encrypt setting of storage into account)
                $this->output->writeln("\n");
                $this->output->writeln('Start to encrypt users files');
                $this->output->writeln('----------------------------');
                $this->output->writeln('');
                $this->encryptAllUsersFiles();
                //send-out or display password list and write it to a file
                $this->output->writeln("\n");
                $this->output->writeln('Generated encryption key passwords');
                $this->output->writeln('----------------------------------');
                $this->output->writeln('');
                $this->outputPasswords();
                $this->output->writeln("\n");
        }
I can change the order of the sections "Start to encrypt users files" and
"Generated encryption key passwords".

I will write a bug report about this.

What is the best strategy for Owncloud bug reports?

  * Bug report only
  * Bug report and pull request
  * which branch?

Greetings,
Björn


Re: Unstable encryption with "occ encryption:encrypt-all"

Vincent Petry
Hi Björn,

A bug report would be nice.
If you have a PR that goes with it, then you can also submit one.

I'm not sure about the solution and why yet but best would be to discuss
this in the bug report instead.

Thanks,

Vincent


On 11.07.2016 22:18, Bjoern Voigt wrote:
