Skip to content

fix(encryption): Refactor EncryptionWrapper with HomeMountPoint support #60001

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
cuppett wants to merge 3 commits into
base: master
Choose a base branch
from
+43 −25
Open

fix(encryption): Refactor EncryptionWrapper with HomeMountPoint support #60001

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
dbe5d10
fix(encryption): Refactor EncryptionWrapper with HomeMountPoint support
cuppett Apr 29, 2026
27eb155
fix(encryption): Inject IAppConfig for encryptHomeStorage value
cuppett May 1, 2026
fe30cba
fix(encryption): Resolve IAppConfig lazily to prevent early IDBConnec…
cuppett May 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
68 changes: 43 additions & 25 deletions lib/private/Encryption/EncryptionWrapper.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
namespace OC\Encryption;

use OC\Files\Filesystem;
use OC\Files\Mount\HomeMountPoint;
use OC\Files\Storage\Wrapper\Encryption;
use OC\Files\View;
use OC\Memcache\ArrayCache;
Expand All @@ -16,6 +17,7 @@
use OCP\Files\Mount\IMountPoint;
use OCP\Files\Storage\IDisableEncryptionStorage;
use OCP\Files\Storage\IStorage;
use OCP\IAppConfig;
use OCP\IConfig;
use OCP\IGroupManager;
use OCP\IUserManager;
Expand Down Expand Up @@ -57,32 +59,48 @@ public function wrapStorage(string $mountPoint, IStorage $storage, IMountPoint $
'mount' => $mount
];

if ($force || (!$storage->instanceOfStorage(IDisableEncryptionStorage::class) && $mountPoint !== '/')) {
$user = Server::get(IUserSession::class)->getUser();
$mountManager = Filesystem::getMountManager();
$uid = $user ? $user->getUID() : null;
$fileHelper = Server::get(IFile::class);
$keyStorage = Server::get(EncryptionKeysStorage::class);
// Only evaluate other conditions if not forced
if (!$force) {
// If a disabled storage medium, return basic storage
if ($storage->instanceOfStorage(IDisableEncryptionStorage::class)) {
return $storage;
}

$util = new Util(
new View(),
Server::get(IUserManager::class),
Server::get(IGroupManager::class),
Server::get(IConfig::class)
);
return new Encryption(
$parameters,
$this->manager,
$util,
$this->logger,
$fileHelper,
$uid,
$keyStorage,
$mountManager,
$this->arrayCache
);
} else {
return $storage;
// Root mount point handling: skip encryption wrapper
if ($mountPoint === '/') {
return $storage;
}

// Skip encryption for home mounts if encryptHomeStorage is disabled
if ($mount instanceof HomeMountPoint
&& !Server::get(IAppConfig::class)->getValueBool('encryption', 'encryptHomeStorage', true)) {
return $storage;
}
Comment on lines +75 to +78
Copy link
Copy Markdown
Contributor

@come-nc come-nc May 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This means the encryption wrapper will not be around home storages anymore.

At the very least it will be an issue when the option was set to true and is then set to false, because existing encrypted files will not be decrypted.

Can you detail what this is attempting to fix?

Copy link
Copy Markdown
Contributor Author

@cuppett cuppett May 8, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The original code didn't have any consideration of the "encryptHomeStorage" flag. If specified, I would expect that would be the desire, "dont use encryption". The default, if unspecified, is true here which would just keep encryption going subject to the larger encryption enabled setting.

It can be removed to keep only the original logic?

I have some additional S3 tests I didn't pull over from #57279 (yet), so I want to run some tests of those in isolation against both this and #60070. Because the original, ultimate goal of the larger PR was to validate, prove and guarantee that nextcloud-side encryption of S3 buckets works robustly against remote S3 for myriad sizes. If those two tests are dependent on either of these fixes, then I can add the tests to the PR, or add back this check with those tests versus dividing along those lines.

}

// Apply encryption wrapper
$user = Server::get(IUserSession::class)->getUser();
$mountManager = Filesystem::getMountManager();
$uid = $user ? $user->getUID() : null;
$fileHelper = Server::get(IFile::class);
$keyStorage = Server::get(EncryptionKeysStorage::class);

$util = new Util(
new View(),
Server::get(IUserManager::class),
Server::get(IGroupManager::class),
Server::get(IConfig::class)
);
return new Encryption(
$parameters,
$this->manager,
$util,
$this->logger,
$fileHelper,
$uid,
$keyStorage,
$mountManager,
$this->arrayCache
);
}
}
Loading