[Bug]: Password change by admin not working with encryption: `Can not decrypt the recovery key. Maybe you provided the wrong password. Try again.`
⚠️ This issue respects the following points: ⚠️
- [x] This is a bug, not a question or a configuration/webserver/proxy issue.
- [x] This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
- [x] Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- [x] I agree to follow Nextcloud's Code of Conduct.
Bug description
I'm currently facing an issue where I can't change the password of any other user. I have the server-side encryption module enabled with a master key. Password recovery works fine when a user uses the "forgot password" feature — there's no data loss after a reset. However, resetting a password through the admin console no longer works for me, even though it used to work previously some versions ago.
Message when changing the password:
Es ist ein Fehler bei der Anfrage aufgetreten. Es kann nicht fortgefahren werden. Can not decrypt the recovery key. Maybe you provided the wrong password. Try again.
master key status:
sudo -u nextcloud php8.3 occ encryption:enable-master-key
Master key already enabled
Key Status: /mnt/data/nextcloud/files_encryption/OC_DEFAULT_MODULE/
Steps to reproduce
- Create a new user or use existing user
- Change password using admin console
- See error
Expected behavior
The password reset should change the user password.
Nextcloud Server version
31
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.3
Web server
Nginx
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
Updated from a MINOR version (ex. 32.0.1 to 32.0.2)
Are you using the Nextcloud Server Encryption module?
Encryption is Enabled
What user-backends are you using?
- [x] Default user-backend (database)
- [ ] LDAP/ Active Directory
- [ ] SSO - SAML
- [ ] Other
Configuration report
{
"system": {
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": {
"1": "cloud.DOMAIN.de",
"2": "DOMAIN.de",
"3": "cloud-local.DOMAIN.de"
},
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"overwrite.cli.url": "https:\/\/cloud.DOMAIN.de\/",
"dbtype": "mysql",
"maintenance_window_start": 1,
"version": "31.0.4.1",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "3306",
"dbtableprefix": "oc_",
"default_language": "de",
"default_locale": "de_DE",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"sentry.dsn": "***REMOVED SENSITIVE VALUE***",
"sentry.public-dsn": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"maintenance": false,
"theme": "",
"default_phone_region": "AT",
"loglevel": 3,
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_smtpmode": "smtp",
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpsecure": "tls",
"mail_smtpport": "587",
"simpleSignUpLink.shown": false,
"mail_sendmailmode": "smtp",
"defaultapp": "files",
"mysql.utf8mb4": true,
"memcache.local": "\\OC\\Memcache\\APCu",
"updater.release.channel": "stable",
"mail_smtpauth": 1,
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
"mail_smtpstreamoptions": {
"ssl": {
"allow_self_signed": true,
"verify_peer": false,
"verify_peer_name": false
}
},
"encryption.legacy_format_support": false,
"mail_smtpauthtype": "LOGIN",
"filelocking.enabled": true,
"memcache.locking": "\\OC\\Memcache\\Redis",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"port": 6379,
"timeout": 0,
"password": "***REMOVED SENSITIVE VALUE***"
},
"app_install_overwrite": [
"secrets"
],
"forbidden_filename_basenames": [
"con",
"prn",
"aux",
"nul",
"com0",
"com1",
"com2",
"com3",
"com4",
"com5",
"com6",
"com7",
"com8",
"com9",
"com\u00b9",
"com\u00b2",
"com\u00b3",
"lpt0",
"lpt1",
"lpt2",
"lpt3",
"lpt4",
"lpt5",
"lpt6",
"lpt7",
"lpt8",
"lpt9",
"lpt\u00b9",
"lpt\u00b2",
"lpt\u00b3"
],
"forbidden_filename_characters": [
"<",
">",
":",
"\"",
"|",
"?",
"*",
"\\",
"\/"
],
"forbidden_filename_extensions": [
" ",
".",
".filepart",
".part"
]
}
}
List of activated Apps
Enabled:
- activity: 4.0.0
- admin_audit: 1.21.0
- app_api: 5.0.2
- bruteforcesettings: 4.0.0
- checksum: 1.2.6
- circles: 31.0.0
- cloud_federation_api: 1.14.0
- comments: 1.21.0
- contacts: 7.0.6
- contactsinteraction: 1.12.0
- cookbook: 0.11.3
- dav: 1.33.0
- encryption: 2.19.0
- federatedfilesharing: 1.21.0
- federation: 1.21.0
- files: 2.3.1
- files_downloadlimit: 4.0.0
- files_pdfviewer: 4.0.0
- files_reminders: 1.4.0
- files_sharing: 1.23.1
- files_trashbin: 1.21.0
- files_versions: 1.24.0
- firstrunwizard: 4.0.0
- imageconverter: 2.0.5
- keeweb: 0.6.21
- logreader: 4.0.0
- lookup_server_connector: 1.19.0
- nextcloud_announcements: 3.0.0
- notifications: 4.0.0
- oauth2: 1.19.1
- password_policy: 3.0.0
- photos: 4.0.0-dev.1
- privacy: 3.0.0
- profile: 1.0.0
- provisioning_api: 1.21.0
- quota_warning: 1.21.0
- related_resources: 2.0.0
- serverinfo: 3.0.0
- settings: 1.14.0
- sharebymail: 1.21.0
- support: 3.0.0
- suspicious_login: 9.0.1
- systemtags: 1.21.1
- tasks: 0.16.1
- text: 5.0.0
- theming: 2.6.1
- twofactor_backupcodes: 1.20.0
- twofactor_totp: 13.0.0-dev.0
- updatenotification: 1.21.0
- user_status: 1.11.0
- viewer: 4.0.0
- weather_status: 1.11.0
- webhook_listeners: 1.2.0
- workflowengine: 2.13.0
Disabled:
- dashboard: 7.11.0 (installed 7.0.0)
- files_external: 1.23.0 (installed 1.9.0)
- recommendations: 4.0.0 (installed 0.6.0)
- survey_client: 3.0.0 (installed 1.6.0)
- twofactor_nextcloud_notification: 5.0.0
- user_ldap: 1.22.0
Nextcloud Signing status
No errors have been found.
Nextcloud Logs
no log entries when changing the password
Additional info
No response
I just tried to find the part in the code and changed the exception wrapper line. This is the initial exception:
ServerNotAvailableException Legacy cipher is no longer supported!
/var/www/nextcloud/apps/encryption/lib/Crypto/Crypt.php Zeile 353
OCA\Encryption\Crypto\Crypt->getLegacyCipher()
/var/www/nextcloud/apps/encryption/lib/Services/PassphraseService.php Zeile 94
OCA\Encryption\Crypto\Crypt->decryptPrivateKey(
"*** sensitive parameters replaced ***"
)
/var/www/nextcloud/apps/encryption/lib/Listeners/UserEventsListener.php Zeile 125
OCA\Encryption\Services\PassphraseService->setPassphraseForUser(
"*** sensitive parameters replaced ***"
)
/var/www/nextcloud/apps/encryption/lib/Listeners/UserEventsListener.php Zeile 61
OCA\Encryption\Listeners\UserEventsListener->onPasswordUpdated(
"*** sensitive parameters replaced ***"
)
/var/www/nextcloud/lib/private/EventDispatcher/ServiceEventListener.php Zeile 68
OCA\Encryption\Listeners\UserEventsListener->handle(
"*** sensitive parameters replaced ***"
)
/var/www/nextcloud/3rdparty/symfony/event-dispatcher/EventDispatcher.php Zeile 220
OC\EventDispatcher\ServiceEventListener->__invoke()
/var/www/nextcloud/3rdparty/symfony/event-dispatcher/EventDispatcher.php Zeile 56
Symfony\Component\EventDispatcher\EventDispatcher->callListeners()
/var/www/nextcloud/lib/private/EventDispatcher/EventDispatcher.php Zeile 67
Symfony\Component\EventDispatcher\EventDispatcher->dispatch()
/var/www/nextcloud/lib/private/EventDispatcher/EventDispatcher.php Zeile 79
OC\EventDispatcher\EventDispatcher->dispatch()
/var/www/nextcloud/lib/private/User/User.php Zeile 356
OC\EventDispatcher\EventDispatcher->dispatchTyped()
/var/www/nextcloud/apps/provisioning_api/lib/Controller/UsersController.php Zeile 1080
OC\User\User->setPassword()
/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php Zeile 200
OCA\Provisioning_API\Controller\UsersController->editUser()
/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php Zeile 114
OC\AppFramework\Http\Dispatcher->executeController()
/var/www/nextcloud/lib/private/AppFramework/App.php Zeile 161
OC\AppFramework\Http\Dispatcher->dispatch()
/var/www/nextcloud/lib/private/Route/Router.php Zeile 307
OC\AppFramework\App::main()
/var/www/nextcloud/ocs/v1.php Zeile 49
OC\Route\Router->match()
/var/www/nextcloud/ocs/v2.php Zeile 7
require_once(
"/var/www/nextcloud/ocs/v1.php"
)
Raw log entry
{ "reqId": "EJs5aw0C4hfxWWf8Mej8", "level": 3, "time": "2025-04-21T09:46:25+00:00", "remoteAddr": "192.168.0.xx", "user": "xxxx", "app": "no app in context", "method": "PUT", "url": "/ocs/v2.php/cloud/users/test", "message": "Legacy cipher is no longer supported!", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0", "version": "31.0.4.1", "exception": { "Exception": "OC\ServerNotAvailableException", "Message": "Legacy cipher is no longer supported!", "Code": 0, "Trace": [ { "file": "/var/www/nextcloud/apps/encryption/lib/Crypto/Crypt.php", "line": 353, "function": "getLegacyCipher", "class": "OCA\Encryption\Crypto\Crypt", "type": "->" }, { "file": "/var/www/nextcloud/apps/encryption/lib/Services/PassphraseService.php", "line": 94, "function": "decryptPrivateKey", "class": "OCA\Encryption\Crypto\Crypt", "type": "->", "args": [ "*** sensitive parameters replaced " ] }, { "file": "/var/www/nextcloud/apps/encryption/lib/Listeners/UserEventsListener.php", "line": 125, "function": "setPassphraseForUser", "class": "OCA\Encryption\Services\PassphraseService", "type": "->", "args": [ " sensitive parameters replaced " ] }, { "file": "/var/www/nextcloud/apps/encryption/lib/Listeners/UserEventsListener.php", "line": 61, "function": "onPasswordUpdated", "class": "OCA\Encryption\Listeners\UserEventsListener", "type": "->", "args": [ " sensitive parameters replaced " ] }, { "file": "/var/www/nextcloud/lib/private/EventDispatcher/ServiceEventListener.php", "line": 68, "function": "handle", "class": "OCA\Encryption\Listeners\UserEventsListener", "type": "->", "args": [ " sensitive parameters replaced ***" ] }, { "file": "/var/www/nextcloud/3rdparty/symfony/event-dispatcher/EventDispatcher.php", "line": 220, "function": "__invoke", "class": "OC\EventDispatcher\ServiceEventListener", "type": "->" }, { "file": "/var/www/nextcloud/3rdparty/symfony/event-dispatcher/EventDispatcher.php", "line": 56, "function": "callListeners", "class": 
"Symfony\Component\EventDispatcher\EventDispatcher", "type": "->" }, { "file": "/var/www/nextcloud/lib/private/EventDispatcher/EventDispatcher.php", "line": 67, "function": "dispatch", "class": "Symfony\Component\EventDispatcher\EventDispatcher", "type": "->" }, { "file": "/var/www/nextcloud/lib/private/EventDispatcher/EventDispatcher.php", "line": 79, "function": "dispatch", "class": "OC\EventDispatcher\EventDispatcher", "type": "->" }, { "file": "/var/www/nextcloud/lib/private/User/User.php", "line": 356, "function": "dispatchTyped", "class": "OC\EventDispatcher\EventDispatcher", "type": "->" }, { "file": "/var/www/nextcloud/apps/provisioning_api/lib/Controller/UsersController.php", "line": 1080, "function": "setPassword", "class": "OC\User\User", "type": "->" }, { "file": "/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php", "line": 200, "function": "editUser", "class": "OCA\Provisioning_API\Controller\UsersController", "type": "->" }, { "file": "/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php", "line": 114, "function": "executeController", "class": "OC\AppFramework\Http\Dispatcher", "type": "->" }, { "file": "/var/www/nextcloud/lib/private/AppFramework/App.php", "line": 161, "function": "dispatch", "class": "OC\AppFramework\Http\Dispatcher", "type": "->" }, { "file": "/var/www/nextcloud/lib/private/Route/Router.php", "line": 307, "function": "main", "class": "OC\AppFramework\App", "type": "::" }, { "file": "/var/www/nextcloud/ocs/v1.php", "line": 49, "function": "match", "class": "OC\Route\Router", "type": "->" }, { "file": "/var/www/nextcloud/ocs/v2.php", "line": 7, "args": [ "/var/www/nextcloud/ocs/v1.php" ], "function": "require_once" } ], "File": "/var/www/nextcloud/apps/encryption/lib/Crypto/Crypt.php", "Line": 276, "message": "Legacy cipher is no longer supported!", "exception": [], "CustomMessage": "Legacy cipher is no longer supported!" 
}, "id": "680613f445a8c" }
After re-enabling the config option "encryption.legacy_format_support" it works again. But still - afaik the option should not be enabled for production servers after the encryption migration - so this still seems like an issue.
occ encryption:scan:legacy-format: All scanned files are properly encrypted. You can disable the legacy compatibility mode.
I'm having the same issue on NC 31.0.4 via Docker
I can verify this is also present on NC 31.0.2. I spun up a backup instance from before an upgrade to the aforementioned version above.
Ran into the same thing on the Docker version - when testing on a new account, the password reset from the admin account was actually successful and the user can log in and view their files despite the error being shown. However, I did not try with older accounts.
Issue is from https://github.com/nextcloud/server/pull/48332. Hooks that were not called when master key is enabled are now called in the new event listener.
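A log-triage sketch for the failure in this thread, added here as an example and not code from Nextcloud or any commenter: it scans JSON log lines for the `Legacy cipher is no longer supported!` exception raised through `UserEventsListener->onPasswordUpdated` and reports which account each admin password change targeted. Field names follow the raw log entry quoted above; the sample lines and the helper `_line` are constructed.

```python
import json
import re

# Values below are copied from the log entry and trace on this page.
MESSAGE = "Legacy cipher is no longer supported!"
LISTENER = ("OCA\\Encryption\\Listeners\\UserEventsListener", "onPasswordUpdated")
USER_URL = re.compile(r"^/ocs/v[12]\.php/cloud/users/([^/?]+)")


def find_failed_admin_resets(log_lines):
    """Return reqId/time/admin/target for each password change that hit the error."""
    hits = []
    for raw in log_lines:
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        exc = entry.get("exception") if isinstance(entry, dict) else None
        if not isinstance(exc, dict) or exc.get("Message") != MESSAGE:
            continue
        frames = {(f.get("class"), f.get("function")) for f in exc.get("Trace", [])}
        if LISTENER not in frames:
            continue  # same message, raised outside the password-update listener
        m = USER_URL.match(entry.get("url", ""))
        hits.append({"reqId": entry.get("reqId"), "time": entry.get("time"),
                     "admin": entry.get("user"), "target": m.group(1) if m else None})
    return hits


def _line(req_id, url, user, trace):
    # Constructed sample entry in the shape of the raw log entry on this page.
    return json.dumps({"reqId": req_id, "level": 3, "time": "2025-04-21T09:46:25+00:00",
                       "user": user, "method": "PUT", "url": url, "message": MESSAGE,
                       "exception": {"Message": MESSAGE, "Trace": trace}})


SAMPLE_LOG = [  # constructed data, not real log lines
    _line("req-1", "/ocs/v2.php/cloud/users/test", "admin", [
        {"class": "OCA\\Encryption\\Crypto\\Crypt", "function": "getLegacyCipher"},
        {"class": LISTENER[0], "function": LISTENER[1]}]),
    _line("req-2", "/remote.php/dav/files/alice/a.txt", "alice", [
        {"class": "OCA\\Encryption\\Crypto\\Crypt", "function": "getLegacyCipher"}]),
    '{"reqId": "req-3", "level": 3, "message": "trunc',
    json.dumps({"reqId": "req-4", "level": 1, "message": "unrelated"}),
]

if __name__ == "__main__":
    for hit in find_failed_admin_resets(SAMPLE_LOG):
        print(hit)
```

Entries that carry the same message without the listener frame are left out on purpose, so the result separates the password-change path from other places the legacy-cipher check can fire.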