[Owncloud] Encryption

Frank Karlitschek frank at owncloud.org
Tue May 22 09:50:09 UTC 2012


On 22.05.2012, at 11:33, Dirk Kastens <dirk.kastens at uni-osnabrueck.de> wrote:

> Hi,
> 
> someone recently posted that OC4 uses the user's password as a key for file encryption.
> 
> I just tested it, and it's true. This means: as soon as someone changes his password, he cannot access his files anymore!!!!!! This is a real bad joke, IMO!!!!!
> 
> I don't know if this also applies to local users. I logged in with an ldap account, uploaded a test file, logged out, changed my ldap password, logged in again - and the file was unreadable!!!! I switched back to the old password and could read the file again.
> 
> This really can't be true. If you are forced to change your password by some password policy, and you are not allowed to use the old password again, you will lose all your files.
> 
> Dirk
> 



Hi Dirk,

ownCloud updates the encrypted key, which is used to encrypt the files, every time a user or admin changes the password. So password change is possible.
But this only works for local accounts at the moment and doesn't work with LDAP users because we don't get a notification if a password is changed remotely. The only solution to solve this is to store the password locally and compare it with the LDAP login password at the moment the user logs in and update the encrypted key. This would be a huge security problem obviously.

Because of that, encryption and LDAP are both switched off by default currently. We don't recommend that admins turn on both at the same time because of the reason you just mentioned. I will add a warning to the code about that.

Sorry for the trouble. We try to improve the encryption significantly in the next version and we hope to find a solution for ldap users.



Frank
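The mechanism Frank describes (a random file key wrapped under a password-derived key, re-wrapped on password change) and the failure Dirk observed (a password changed in LDAP without the server noticing) can both be reproduced in a few dozen lines. The following is an added illustration, not ownCloud's code: it uses PBKDF2-HMAC-SHA256 for the password-derived key-encryption key and an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag in place of AES, purely so it runs with the Python standard library; the iteration count, field names and function names are assumptions.

```python
"""Password-wrapped file keys (illustrative model, not ownCloud's implementation).

A random file key encrypts the files. The login password never touches the
files directly; it only derives a key-encryption key (KEK) that wraps the file
key. A password change the server *sees* can re-wrap the file key; a change it
never sees (e.g. done remotely in LDAP) leaves the old wrapping in place, and
the new password unlocks nothing.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 200_000  # assumed value for the example; tune for your hardware
KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the login password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, KEY_LEN)


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one master key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; stands in for AES-CTR to stay stdlib-only.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or corrupted data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def create_account(password: str) -> dict:
    """Server-side record: only the salt and the *wrapped* file key are stored."""
    salt = os.urandom(16)
    file_key = secrets.token_bytes(KEY_LEN)  # random; never derived from the password
    return {"salt": salt, "wrapped_file_key": seal(derive_kek(password, salt), file_key)}


def unlock_file_key(account: dict, password: str) -> bytes:
    return open_sealed(derive_kek(password, account["salt"]), account["wrapped_file_key"])


def change_password(account: dict, old_password: str, new_password: str) -> None:
    """What the server can do when it sees the change (local accounts):
    unwrap with the old KEK, re-wrap with the new one. Stored files are untouched."""
    file_key = unlock_file_key(account, old_password)
    account["salt"] = os.urandom(16)
    account["wrapped_file_key"] = seal(derive_kek(new_password, account["salt"]), file_key)


def demo() -> dict:
    """Local change keeps files readable; an unannounced remote change does not."""
    account = create_account("old-password")
    stored_file = seal(unlock_file_key(account, "old-password"), b"constructed file contents")
    change_password(account, "old-password", "new-password")
    after_local = open_sealed(unlock_file_key(account, "new-password"), stored_file)

    # LDAP case: the directory now holds "new-ldap-password", but the server was
    # never told, so the file key is still wrapped under the old password's KEK.
    ldap_account = create_account("old-ldap-password")
    try:
        unlock_file_key(ldap_account, "new-ldap-password")
        ldap_readable_new = True
    except ValueError:
        ldap_readable_new = False
    ldap_readable_old = unlock_file_key(ldap_account, "old-ldap-password") is not None
    return {"after_local_change": after_local,
            "ldap_readable_with_new_password": ldap_readable_new,
            "ldap_readable_with_old_password": ldap_readable_old}


if __name__ == "__main__":
    print(demo())
```

The `demo()` result mirrors both observations in the thread: after `change_password` the new password still unlocks the file key, while in the LDAP branch only the old password does, which is exactly why switching back to the old LDAP password made Dirk's file readable again.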
