Restore individual encrypted files in OwnCloud and Nextcloud

I set up a Nextcloud server a few months back.  I immediately enabled and configured encryption.  I also keep daily file backups using rsync to a backup server.  This backup does, of course, back up the encrypted versions of my files.  Ever since setting this up, I’ve been trying to find a way to be able to restore an individual file from my backup, but until now I haven’t found a decent working solution.  It seems, though, that I may have finally uncovered such a solution.

This guide assumes that you already have a running OwnCloud or Nextcloud server with the encryption module enabled.  You also need to have backups of your files including the encryption keys for the files.  The encryption module actually creates individual keys for every file, so you need to be sure you are backing these up as well.  And, finally, you will need to have phpMyAdmin or access to the MySQL database.

For this guide, I’ll use the following information as an example.  You’ll need to replace these values for your own setup:

  • Nextcloud web root: /var/www/html/nextcloud
  • Nextcloud data root: /data/nextcloud
  • Database name: nextcloud
  • Webserver user: apache
  • Deleted file name: MyFile.txt
  • Original folder: /data/nextcloud/josh/files/MyFile.txt
  • File encryption keys folder: /data/nextcloud/josh/files_encryption/keys/MyFile.txt (This is a directory, not a file)

First, restore the file back to its original location.  Then restore the encryption keys back to their original location.

Now, you need to get Nextcloud to scan the filesystem in order to re-index the restored file.  After a simple restore of the file, Nextcloud is unaware of its existence.  To do this, you need to run the occ script included with Nextcloud.  This script must be run as your webserver’s user account, which is usually ‘apache’ or ‘httpd’.

[root@nextcloud]# cd /var/www/html/nextcloud
[root@nextcloud]# sudo -u apache /bin/php ./occ files:scan josh

Now, I’ve been able to get this far before.  At this point, you will be able to see the file in your Nextcloud folder.  However, the file will not be readable.  I now have figured out that Nextcloud is indexing the file as unencrypted, even though the key is present for it.  There is a very easy fix which is to make a change to the record in the database.

  1. Open up your phpMyAdmin site and log in with an account that has access to the Nextcloud database.
  2. Expand the nextcloud database on the left-hand side.
  3. Scroll down and find the oc_filecache table and click on it to select the table.
  4. Click on the Search tab at the top of the page.  In the ‘name’ field, enter the entire file name (i.e. MyFile.txt).  This is case sensitive, so you must enter it exactly as it is named.
  5. Change the operator from “LIKE” to “=”.
  6. Click the Go button at the bottom of the page.
  7. You should now see two rows returned (unless you have files with duplicated names).  Look in the path column and you will see the full path to the file.  One row will be for the actual file and the other will be for the associated encryption key.  Click on the Edit link for the row pertaining to the actual file (i.e. /data/nextcloud/josh/files/MyFile.txt).
  8. Locate the ‘encrypted’ field and change the value from 0 to 1.
  9. Click Go.
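
The same change as steps 1 through 9, made from the mysql command-line client instead of phpMyAdmin. This is an added example, not part of the original procedure; it uses the example database (nextcloud), table (oc_filecache) and file name from this guide, and assumes the table uses a transactional engine such as InnoDB so that ROLLBACK works.

```sql
USE nextcloud;

-- Steps 4-7: list every cache row with this exact file name.
-- Expect one row for the file itself and one for its key folder
-- under files_encryption; more rows mean duplicated file names.
SELECT fileid, storage, path, encrypted
FROM oc_filecache
WHERE name = 'MyFile.txt';

START TRANSACTION;

-- Step 8: flag only the file row as encrypted.
-- The path filter excludes the key-folder row, and "encrypted = 0"
-- keeps the statement from touching rows that are already correct.
UPDATE oc_filecache
SET encrypted = 1
WHERE name = 'MyFile.txt'
  AND path NOT LIKE '%files_encryption%'
  AND encrypted = 0;

-- Exactly one row should have changed.
SELECT ROW_COUNT() AS rows_changed;

-- Review the result before making it permanent.
SELECT fileid, storage, path, encrypted
FROM oc_filecache
WHERE name = 'MyFile.txt';

-- If rows_changed is 1 and the flagged row is the restored file:
COMMIT;
-- Otherwise undo the change and narrow the WHERE clause
-- (for example by adding "AND fileid = ..." from the first SELECT):
-- ROLLBACK;
```

Run the statements one at a time and decide between COMMIT and ROLLBACK after checking rows_changed, since a duplicated file name in another folder or another user's storage would match the same filter.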

You should now be able to refresh your Nextcloud site to see the file and view it.  However, the sync client in Windows will, for some reason, not pick up the file.  I have found a weird way of getting the client to refresh, though.  I have only performed this on Windows, but it may work on Linux and Mac clients as well.

  1. Open the Nextcloud sync client.
  2. Click on the General tab.
  3. Click on the Edit Ignored Files button.
  4. Don’t make any changes, but click on the OK button.  This causes the Sync client to re-scan all files and folders and it should pick up the newly restored file.

Now, you can rest easy knowing that you have the ability to successfully restore an individual encrypted file from backups.  As always, I thank you for reading.  Please leave comments, questions, or suggestions below.
