'Encryption App is enabled, but your keys are not initialized. Please log-out and log-in again.' #4797

Closed
justin-sleep opened this issue May 10, 2017 · 7 comments · Fixed by #4892

Comments

@justin-sleep
Member

I noticed with the Nextcloud 12 beta that I had a "stay logged in" button again, despite my instance having encryption enabled. Figuring there must have been a change to preserve my keys without needing to log in every session, I clicked it and logged in. When I opened my instance roughly 12 hours later, I saw this notification:

[image]

It doesn't seem to actually prevent me from interacting with most of my files and data, however, so I'm a bit confused. However, when opening Notes, this screen appears:

[image]

I'm also not sure what's going on with the logo stacking on that page; on my login page it doesn't have the smaller logo overlaid on the larger one.

Steps to reproduce

  1. Have encryption enabled prior to the Nextcloud 12 beta 2 update
  2. Update your Nextcloud instance
  3. Log in, checking the "stay logged in" box

Expected behaviour

Either this button shouldn't be exposed on instances with encryption enabled (which was the previous solution) or if private keys can be otherwise locally stored, the warning message should not be shown.

Actual behaviour

Users are prompted with 'Encryption App is enabled, but your keys are not initialized. Please log-out and log-in again.'

Server configuration

Operating system:
Gentoo Linux

Web server:
Nginx

Database:
PostgreSQL

PHP version:
7.1.4

Nextcloud version: (see Nextcloud admin page)
12.0 beta 2

Updated from an older Nextcloud/ownCloud or fresh install:
Updated from Nextcloud 11

Where did you install Nextcloud from:
The built-in updater

Signing status:

Signing status
No errors have been found.

List of activated apps:

App list
Enabled:
  - activity: 2.5.2
  - admin_audit: 1.2.0
  - bruteforcesettings: 1.0.2
  - calendar: 1.5.2
  - comments: 1.2.0
  - contacts: 1.5.3
  - dav: 1.3.0
  - encryption: 1.6.0
  - external: 2.0.1
  - federatedfilesharing: 1.2.0
  - federation: 1.2.0
  - files: 1.7.2
  - files_accesscontrol: 1.2.3
  - files_automatedtagging: 1.2.2
  - files_external: 1.3.0
  - files_pdfviewer: 1.1.1
  - files_retention: 1.1.2
  - files_sharing: 1.4.0
  - files_texteditor: 2.4.1
  - files_trashbin: 1.2.0
  - files_versions: 1.5.0
  - files_videoplayer: 1.1.0
  - firstrunwizard: 2.1
  - gallery: 17.0.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - mail: 0.6.4
  - news: 11.0.0
  - nextcloud_announcements: 1.1
  - notes: 2.2.0
  - notifications: 2.0.0
  - password_policy: 1.2.2
  - provisioning_api: 1.2.0
  - serverinfo: 1.2.0
  - sharebymail: 1.2.0
  - survey_client: 1.0.0
  - systemtags: 1.2.0
  - tasks: 0.9.5
  - theming: 1.3.0
  - twofactor_backupcodes: 1.1.0
  - twofactor_totp: 1.3.0
  - updatenotification: 1.2.0
  - workflowengine: 1.2.0
Disabled:
  - user_external
  - user_ldap

Nextcloud configuration:

Config report
{
    "system": {
        "instanceid": "ocyeqibezn89",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "quarterfull.com"
        ],
        "datadirectory": "\/var\/cloud",
        "overwrite.cli.url": "http:\/\/quarterfull.com\/cloud",
        "dbtype": "pgsql",
        "version": "12.0.0.18",
        "dbname": "owncloud",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "appstore.experimental.enabled": true,
        "mail_from_address": "cloud",
        "mail_smtpmode": "smtp",
        "mail_domain": "quarterfull.com",
        "theme": "",
        "loglevel": 0,
        "maintenance": false,
        "trashbin_retention_obligation": "auto",
        "forcessl": true,
        "defaultapp": "files",
        "enable_avatars": true,
        "mail_smtphost": "arca.quarterfull.com",
        "mail_smtpport": "25",
        "mail_smtptimeout": 10,
        "mail_smtpauthtype": "LOGIN",
        "htaccess.RewriteBase": "\/cloud",
        "updater.server.url": "https:\/\/updates.nextcloud.org\/updater_server\/",
        "updater.release.channel": "beta",
        "debug": true,
        "updater.secret": "***REMOVED SENSITIVE VALUE***"
    }
}

Are you using external storage, if yes which one: no

Are you using encryption: yes

Are you using an external user-backend, if yes which one: no

Client configuration

Browser:
Chromium

Operating system:
Gentoo Linux

@MorrisJobke
Member

cc @ChristophWurst @schiessle

ChristophWurst added the labels "0. Needs triage" (Pending check for reproducibility or if it fits our roadmap), "bug", "feature: authentication" and "feature: encryption (server-side)" on May 10, 2017
ChristophWurst added this to the Nextcloud 12.0 milestone on May 10, 2017
@ChristophWurst
Member

> I noticed with the Nextcloud 12 beta that I had a "stay logged in" button again, despite my instance having encryption enabled. Figuring there must have been a change to preserve my keys without needing to log in every session, I clicked it and logged in.

Right. We encrypt and save the password now: #2044.

@ChristophWurst
Member

I can confirm the warning showing up as soon as the original session is replaced by the remembered one.

My reproduction steps were

  • Enable encryption on current master
  • See warning
  • Log out
  • Log in, clicking the 'remember me' checkbox
  • Close the browser
  • Open the browser
  • See that I'm still logged in, with the warning on top

ChristophWurst added the label "1. to develop" (Accepted and waiting to be taken care of) and removed the label "0. Needs triage" (Pending check for reproducibility or if it fits our roadmap) on May 15, 2017
@ChristophWurst
Member

I think the issue here is that the encryption app relies on the post_login hook proving the credentials. We publish credentials on a remembered login too, but with a different identifier:

$this->manager->emit('\OC\User', 'postRememberedLogin', [$user]);

@ChristophWurst
Member

Possible fixes:

  1. Listen to both hooks
  2. Rename postRememberedLogin

@ChristophWurst
Member

On second thought, the encryption app could just use the login credential store. That should™️ fix the issue.

@ChristophWurst
Member

cc @nextcloud/encryption if someone could give me some pointers I can try to fix it. As far as I can see, the current implementation initializes keys right when the user logs in. With the credential store we could delay this and only decrypt on demand (because we can retrieve the password at any time). Not sure where to add that though.
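
The hook mismatch and the two remedies discussed in this thread (listening to both hooks, or initializing keys on demand from a stored credential), as an added example that is not part of the thread and not Nextcloud's code. `Emitter`, `KeySession`, the user `alice` and the password are hypothetical stand-ins; only the hook names come from the comments above.

```php
<?php
// Toy model of the hook mismatch; these classes are illustrative, not Nextcloud's.
final class Emitter {
    private array $listeners = [];
    public function listen(string $scope, string $name, callable $cb): void {
        $this->listeners[$scope . '::' . $name][] = $cb;
    }
    public function emit(string $scope, string $name, array $args = []): void {
        foreach ($this->listeners[$scope . '::' . $name] ?? [] as $cb) { $cb(...$args); }
    }
}
final class KeySession {
    private array $store = [];   // stand-in for the login credential store
    private array $ready = [];   // per-session "keys initialized" state
    public function savePassword(string $uid, string $pw): void { $this->store[$uid] = $pw; }
    public function newSession(): void { $this->ready = []; }
    public function init(string $uid): bool {
        if (!isset($this->store[$uid])) { return false; } // nothing to unlock the key with
        // Placeholder for decrypting the user's private key with the password.
        $this->ready[$uid] = hash('sha256', $this->store[$uid]);
        return true;
    }
    public function isReady(string $uid): bool { return isset($this->ready[$uid]); }
    // On-demand variant: initialize lazily instead of relying on any login hook.
    public function ensureReady(string $uid): bool {
        return $this->isReady($uid) || $this->init($uid);
    }
}

$emitter = new Emitter();
$keys = new KeySession();
$report = fn(string $step) => printf("%-34s keys ready: %s\n", $step, var_export($keys->isReady('alice'), true));

// Constructed scenario: the listener is registered for the regular login hook only.
$emitter->listen('\OC\User', 'post_login', fn(string $uid) => $keys->init($uid));
$keys->savePassword('alice', 'constructed-password');
$emitter->emit('\OC\User', 'post_login', ['alice']);
$report('regular login');

$keys->newSession();  // original session replaced by the remembered one
$emitter->emit('\OC\User', 'postRememberedLogin', ['alice']);  // no listener for this name
$report('remembered login, one hook');

// Remedy 1: register the same initializer for the remembered-login hook as well.
$emitter->listen('\OC\User', 'postRememberedLogin', fn(string $uid) => $keys->init($uid));
$emitter->emit('\OC\User', 'postRememberedLogin', ['alice']);
$report('remembered login, both hooks');

$keys->newSession();
$keys->ensureReady('alice');  // Remedy 2: initialize when keys are first needed
$report('on-demand via stored credential');
```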
