[Bug]: de-crypting then re-encrypting (SSE) triggers `conflict between new type (mixed) and old type (boolean)`

[bhollingsworth-lab]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

I have been testing out a few items on a VPS one of which is using Nexcloud for data syncing. One of the items on my list is having the files stored in an encrypted state while at rest on the server. After a fresh install of Nextcloud, using the setup-nextcloud.php script, I connected to my nextcloud database and everything looked fine. I then enabled the default encryption app, turned on server-side encryption, logged out and back in to set the key and then ran the occ encryption:encrypt all. This ran on the files in a default installation and I ran a cat of the ReadMe.md and Example.md and both files were encrypted and then looked at the same files in the web interface and both files displayed the text correctly so the encryption appears to be working properly. I wanted to test the decryption of all files and ran the occ encryption:decrypt-all and after this was complete I ran a cat on the same two files and both displayed in the clear as well as displayed properly in the web interface. At this point all looked good.

I then ran the occ encryption:encrypt-all again and received the error that encryption was not enabled. I am not sure if this is what it supposed to happen but I can understand the argument that if you decrypt everything, you no longer want encryption on the files but I am not sure that should be the correct workflow. Regardless, the next step is the actual error I am reporting. I then went back into the web interface turned on server-side encryption again, logged out and logged back in and the encryption flag was off. I repeated the steps and the same result. After some searching, I ran the occ encryption:status and occ encryption:enable and I received the error message:

In AppConfig.php line 873: conflict between new type (mixed) and old type (boolean) .

I did some searching and with the help of some AI, I found that in the database, table oc_appconfig table, there was an entry:
appid configkey configvalue
core encryption_enabled 0

If I delete this item and run the occ encryption:enable, the error does not occur and I can encrypt the files again.

I did this same process yesterday without the AI help to find the issue in the database so this appears to be replicatable.

Steps to reproduce

1. Clean install of Nextcloud server
2. Enable default encryption application
3. Turn on server-side encryption
4. Run occ encryption:encrypt-all
5. Confirm encryption
6. Run occ encryption:decrypt-all
7. Confrim decryption
8. Run occ encryption:encrypt-all again - error should be displayed
9. Look in database table occ_appconfig for the core/encryption_enabled/0 entry and delete this entry
10. Run occ encryption:enable - should turn on server-side encryption with persistence
11. Run occ encryption:encrypt-all - should run without issue.

Expected behavior

What I expected to happen is that when I ran the occ encryption:decrypt-all that it would decrypt the files but not turn off the server-side encryption. Additionally, I would have expected to be able to turn the encryption back on without having to find and delete entries in the database.

Nextcloud Server version

33

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.4

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

Encryption is Enabled

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

"system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "myFQDN"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "33.0.0.16",
        "overwrite.cli.url": "https:\/\/myFQDN",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "maintenance": false,
        "maintenance_window_start": 1,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "default_phone_region": "CA",
        "filelocking.enabled": true,
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 0
        },
        "defaultapp": ""
    }
}

List of activated Apps

Enabled:
  - activity: 6.0.0-dev.0
  - bruteforcesettings: 6.0.0-dev.0
  - circles: 33.0.0
  - cloud_federation_api: 1.17.0
  - comments: 1.23.0
  - contactsinteraction: 1.14.1
  - dashboard: 7.13.0
  - dav: 1.36.0
  - encryption: 2.21.0
  - federatedfilesharing: 1.23.0
  - federation: 1.23.0
  - files: 2.5.0
  - files_downloadlimit: 5.1.0-dev.0
  - files_pdfviewer: 6.0.0-dev.0
  - files_reminders: 1.6.0
  - files_sharing: 1.25.2
  - files_trashbin: 1.23.0
  - files_versions: 1.26.0
  - firstrunwizard: 6.0.0-dev.0
  - logreader: 6.0.0
  - lookup_server_connector: 1.21.0
  - nextcloud_announcements: 5.0.0
  - notifications: 6.0.0
  - oauth2: 1.21.0
  - password_policy: 5.0.0-dev.0
  - photos: 6.0.0-dev.0
  - privacy: 5.0.0-dev.0
  - profile: 1.2.0
  - provisioning_api: 1.23.0
  - recommendations: 6.0.0-dev.0
  - related_resources: 4.0.0-dev.0
  - serverinfo: 5.0.0-dev.0
  - settings: 1.16.0
  - sharebymail: 1.23.0
  - support: 5.0.0
  - survey_client: 5.0.0-dev.0
  - systemtags: 1.23.0
  - text: 7.0.0-dev.3
  - theming: 2.8.0
  - twofactor_backupcodes: 1.22.0
  - twofactor_totp: 15.0.0-dev.0
  - updatenotification: 1.23.0
  - user_status: 1.13.0
  - viewer: 6.0.0-dev.0
  - weather_status: 1.13.0
  - webhook_listeners: 1.5.0
  - workflowengine: 2.15.0
Disabled:
  - admin_audit: 1.23.0
  - app_api: 33.0.0 (installed 33.0.0)
  - files_external: 1.25.1
  - suspicious_login: 11.0.0-dev.0
  - twofactor_nextcloud_notification: 7.0.0
  - user_ldap: 1.24.0

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

There is no entry in the log for this error.

Additional info

No response

[joshtrichards]

In AppConfig.php line 873: conflict between new type (mixed) and old type (boolean).

Looks like we still need to do some clean-up across the SSE code to switch fully over to the newer IAppConfig API and clean--up the config value typing¹.

Coincidentally, I just pushed a revised draft of the chapter on this very topic in the Developer Manual yesterday²... maybe someone reading want to use this as a test case to validate the revised advice/instructions. ;-)

If I delete this item and run the occ encryption:enable, the error does not occur and I can encrypt the files again.

Makes sense.

Thanks for reporting!

Footnotes

1. https://github.com/search?q=repo%3Anextcloud%2Fserver%20encryption_enabled&type=code ↩

2. https://github.com/nextcloud/documentation/blob/ef3b238a4e91ec8c1534ec09c7300542d24fd1f2/developer_manual/digging_deeper/config/appconfig.rst#typed-config-values ↩