Delete E2EE keys for fresh start #9083
To circumvent case 1, we on Android store the keys only after the user has noted down the passphrase. If you really want to reset E2E, there is currently only a manual way:
@unteem this is not possible, by design, as it would allow posing as a user by a hacker. As all other accounts the user shared with will trust the user key on first use, they will reject any new identity from that user. So even if you created a new set of keys with a new passphrase, it would be useless. If you lose your passphrase and device, you have to create a new account. There is no real way back. The work-around by @tobiasKaminsky will be OK until we implement sharing: your user account will never be able to share with a user it shared with before, so we won't implement a feature to 'reset E2EE'. Of course, we could, at some point in the future, go the Signal way of just adding new identities with TOFU but I think it is a security risk - users click away the warning that another user has a new digital identity and can thus easily be duped into sharing files with a hacker. This is the whole thing E2EE is designed to protect from... The case of the iOS app crashing after creating an identity is a different issue, but that should be solved the right way: the app should always be able to show the passphrase. This is explicitly called for in the design, and the fact that that is not yet implemented means the app isn't yet ready to be really used with E2EE.
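As an added illustration of the trust-on-first-use argument in the comment above (example code, not Nextcloud's): a peer that has already pinned a user's key rejects any regenerated key, while a peer that never shared with that user accepts the new key without noticing anything. The Peer class, the hex "keys" and the out-of-band verification flag are constructed for this example.

```python
"""Simulated TOFU identity pinning (added example, not Nextcloud code).
Keys are random hex tokens standing in for real public keys/fingerprints."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Peer:
    """A client with a TOFU pin store: user id -> key pinned on first contact."""
    name: str
    pins: dict = field(default_factory=dict)

    def accept_identity(self, user: str, key: str) -> bool:
        """Pin the key on first use; later contacts must present the same key."""
        pinned = self.pins.get(user)
        if pinned is None:
            self.pins[user] = key
            return True
        return pinned == key

    def rekey_after_verification(self, user: str, key: str, verified: bool) -> bool:
        """The only safe way to replace a pinned key: an explicit out-of-band
        check by the human (constructed here as a boolean flag)."""
        if not verified:
            return False
        self.pins[user] = key
        return True


def new_identity_key() -> str:
    """Constructed stand-in for generating a fresh E2EE identity key pair."""
    return secrets.token_hex(16)


def simulate_reset():
    """Returns (first contact ok, repeat contact ok, after-reset ok for an old
    peer, after-reset ok for a peer that never shared with the user before)."""
    alice_v1 = new_identity_key()
    bob, carol = Peer("bob"), Peer("carol")
    first = bob.accept_identity("alice", alice_v1)
    again = bob.accept_identity("alice", alice_v1)
    alice_v2 = new_identity_key()  # a "reset" produces an unrelated key
    old_peer = bob.accept_identity("alice", alice_v2)   # rejected: pin mismatch
    new_peer = carol.accept_identity("alice", alice_v2)  # accepted: no prior pin
    return first, again, old_peer, new_peer
```

The last value is the risk the comment describes: a peer with no prior pin cannot distinguish a legitimate reset from a fresh identity created by someone else.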
Resetting E2E keys is a feature that will be needed from time to time because, you know, shit happens and users usually forget passwords and everything else. I would expect that resetting E2E keys will cause users to lose access to the encrypted files, but nothing more.
@ediazcomellas yes, we discussed this, and I entirely understand. The problem is that without a trusted separate key generation mechanism (an HSM or hardware security module) this creates a security breach. So, either have an HSM, or you will need to create a new account when the keys get lost. In discussion with our customers I found out they were fine with this - of course, those who need it don't mind using an HSM and those who don't need it are happy to shortcut calls to their service desk by just telling people: "We can't do anything. Don't lose the keys, or we can only create a new account for you." The TU Berlin for example prefers to say "nothing we can do" over having a reset option, because that will increase the number of calls and the amount of work as users will be less careful. Your situation might be different - and an HSM might be required. We have not yet implemented this. If you need this in the short term, you can contact our sales team...
@jospoortvliet I'm afraid this approach just isn't feasible with external authentication (LDAP, AD, ...). There ought to be an administrative command to do just that. Having to create a new LDAP / AD object isn't an alternative. Somewhat off topic:
This is a very hostile mindset, straight out of the '80s. IMO this sentiment reflects very badly on our line of business. It has no place near service desks and it should absolutely not affect software projects that care about UX and usability in any way, shape, or form.
Nextcloud client crashed during end-to-end setup of one of my clients. Now he is unable to set up encryption because you cannot initiate a fresh start. This is really a missing feature @jospoortvliet. There would not be a problem if you could reset the end-to-end encryption and wipe previous keys.
Another scenario I discovered the hard way: if you install the Nextcloud desktop client on Linux it does not provide an option to write down the passphrase, but it does create a key. If you go to Windows (or any other client) it prompts to enter a passphrase which I never got. Now I probably need to delete all those accounts and recreate them again, starting at Windows this time.
You don't have to delete the accounts. Just reset the E2EE app, and then either wait until it's stable or try it again. Here's how to reset it: https://github.com/nextcloud/end_to_end_encryption/releases/tag/v1.5.2-beta1
@KopfKrieg this is not a viable solution for most people, this would delete the keys for all users, also ones that already use the E2EE solution with success.
Well, it's possible to only delete the keys for certain users as I've shown in my blog (right now only available in German): https://kopfkrieg.org/2019/05/28/nextcloud-reset-e2ee/ Edit: Found the original link: nextcloud/end_to_end_encryption#32 (comment)
That would be a good feature.
I also made the stupid mistake of enabling and then disabling end-to-end encryption without properly saving the passphrase.
IIRC NextcloudPi uses a directory below /var/www. Hope that helps :)
I don't understand that this is still closed. It should be possible to reset the keys from the interface.
Copy that. E2EE screwed up (again) today as it always does from time to time. Using E2EE is just so frustrating... 99 days working perfectly, day 100 everything is broken. Complete reset necessary. Update: seems like the desktop client (v3.8.0) screwed up E2EE.
I enabled this yesterday but decided to postpone for tomorrow because I was getting too sleepy. There was an easy option to disable/disconnect/whatever. Today I figured out it is "too late". Every user that tries to use it and screws something up will need a new company-wide account.
This is already implemented in recent releases.
What is the clean way for a fresh restart when a user lost his passphrase and device?
We are not trying to recover any data, we just want the user to be able to reuse the E2EE module.
Steps to reproduce
We have 2 cases:
Expected behaviour
We want them to be able to reinitialise the E2EE. No data or passphrase to recover, just a fresh new start.