diff --git a/apps/encryption/lib/crypto/decryptall.php b/apps/encryption/lib/crypto/decryptall.php
index fa9a3e0db955f9428211f6c877c1162ca450a9a4..694aba2fb8902315f2a7a9500c54039c1d3fbc1c 100644
--- a/apps/encryption/lib/crypto/decryptall.php
+++ b/apps/encryption/lib/crypto/decryptall.php
@@ -81,35 +81,42 @@ class DecryptAll {
public function prepare(InputInterface $input, OutputInterface $output, $user) {
$question = new Question('Please enter the recovery key password: ');
- $recoveryKeyId = $this->keyManager->getRecoveryKeyId();
- if (!empty($user)) {
- $output->writeln('You can only decrypt the users files if you know');
- $output->writeln('the users password or if he activated the recovery key.');
- $output->writeln('');
- $questionUseLoginPassword = new ConfirmationQuestion(
- 'Do you want to use the users login password to decrypt all files? (y/n) ',
- false
- );
- $useLoginPassword = $this->questionHelper->ask($input, $output, $questionUseLoginPassword);
- if ($useLoginPassword) {
- $question = new Question('Please enter the user\'s login password: ');
- } else if ($this->util->isRecoveryEnabledForUser($user) === false) {
- $output->writeln('No recovery key available for user ' . $user);
- return false;
+ if($this->util->isMasterKeyEnabled()) {
+ $output->writeln('Use master key to decrypt all files');
+ $user = $this->keyManager->getMasterKeyId();
+ $password =$this->keyManager->getMasterKeyPassword();
+ } else {
+ $recoveryKeyId = $this->keyManager->getRecoveryKeyId();
+ if (!empty($user)) {
+ $output->writeln('You can only decrypt the users files if you know');
+ $output->writeln('the users password or if he activated the recovery key.');
+ $output->writeln('');
+ $questionUseLoginPassword = new ConfirmationQuestion(
+ 'Do you want to use the users login password to decrypt all files? (y/n) ',
+ false
+ );
+ $useLoginPassword = $this->questionHelper->ask($input, $output, $questionUseLoginPassword);
+ if ($useLoginPassword) {
+ $question = new Question('Please enter the user\'s login password: ');
+ } else if ($this->util->isRecoveryEnabledForUser($user) === false) {
+ $output->writeln('No recovery key available for user ' . $user);
+ return false;
+ } else {
+ $user = $recoveryKeyId;
+ }
} else {
+ $output->writeln('You can only decrypt the files of all users if the');
+ $output->writeln('recovery key is enabled by the admin and activated by the users.');
+ $output->writeln('');
$user = $recoveryKeyId;
}
- } else {
- $output->writeln('You can only decrypt the files of all users if the');
- $output->writeln('recovery key is enabled by the admin and activated by the users.');
- $output->writeln('');
- $user = $recoveryKeyId;
+
+ $question->setHidden(true);
+ $question->setHiddenFallback(false);
+ $password = $this->questionHelper->ask($input, $output, $question);
}
- $question->setHidden(true);
- $question->setHiddenFallback(false);
- $password = $this->questionHelper->ask($input, $output, $question);
$privateKey = $this->getPrivateKey($user, $password);
if ($privateKey !== false) {
$this->updateSession($user, $privateKey);
@@ -132,9 +139,13 @@ class DecryptAll {
*/
protected function getPrivateKey($user, $password) {
$recoveryKeyId = $this->keyManager->getRecoveryKeyId();
+ $masterKeyId = $this->keyManager->getMasterKeyId();
if ($user === $recoveryKeyId) {
$recoveryKey = $this->keyManager->getSystemPrivateKey($recoveryKeyId);
$privateKey = $this->crypt->decryptPrivateKey($recoveryKey, $password);
+ } elseif ($user === $masterKeyId) {
+ $masterKey = $this->keyManager->getSystemPrivateKey($masterKeyId);
+ $privateKey = $this->crypt->decryptPrivateKey($masterKey, $password, $masterKeyId);
} else {
$userKey = $this->keyManager->getPrivateKey($user);
$privateKey = $this->crypt->decryptPrivateKey($userKey, $password, $user);
diff --git a/apps/encryption/lib/keymanager.php b/apps/encryption/lib/keymanager.php
index 0c957e1201215bf41ca82ba7d665720494c842d0..4169569d8b2417680c93346f4b08e9fd194c5393 100644
--- a/apps/encryption/lib/keymanager.php
+++ b/apps/encryption/lib/keymanager.php
@@ -658,7 +658,7 @@ class KeyManager {
* @return string
* @throws \Exception
*/
- protected function getMasterKeyPassword() {
+ public function getMasterKeyPassword() {
$password = $this->config->getSystemValue('secret');
if (empty($password)){
throw new \Exception('Can not get secret from ownCloud instance');
diff --git a/apps/encryption/tests/lib/crypto/decryptalltest.php b/apps/encryption/tests/lib/crypto/decryptalltest.php
index 84819aa73bd55ecbf7d03b43c9d1d61b0a780b12..0945692e4277c140f415fdaf6fe9abddd6671c8b 100644
--- a/apps/encryption/tests/lib/crypto/decryptalltest.php
+++ b/apps/encryption/tests/lib/crypto/decryptalltest.php
@@ -87,7 +87,7 @@ class DecryptAllTest extends TestCase {
* @param string $user
* @param string $recoveryKeyId
*/
- public function testGetPrivateKey($user, $recoveryKeyId) {
+ public function testGetPrivateKey($user, $recoveryKeyId, $masterKeyId) {
$password = 'passwd';
$recoveryKey = 'recoveryKey';
$userKey = 'userKey';
@@ -102,6 +102,13 @@ class DecryptAllTest extends TestCase {
$this->keyManager->expects($this->never())->method('getPrivateKey');
$this->crypt->expects($this->once())->method('decryptPrivateKey')
->with($recoveryKey, $password)->willReturn($unencryptedKey);
+ } elseif ($user === $masterKeyId) {
+ $this->keyManager->expects($this->once())->method('getSystemPrivateKey')
+ ->with($masterKeyId)->willReturn($masterKey);
+ $this->keyManager->expects($this->never())->method('getPrivateKey');
+ $this->crypt->expects($this->once())->method('decryptPrivateKey')
+ ->with($masterKey, $password, $masterKeyId)->willReturn($unencryptedKey);
+
} else {
$this->keyManager->expects($this->never())->method('getSystemPrivateKey');
$this->keyManager->expects($this->once())->method('getPrivateKey')
@@ -117,8 +124,9 @@ class DecryptAllTest extends TestCase {
public function dataTestGetPrivateKey() {
return [
- ['user1', 'recoveryKey'],
- ['recoveryKeyId', 'recoveryKeyId']
+ ['user1', 'recoveryKey', 'masterKeyId'],
+ ['recoveryKeyId', 'recoveryKeyId', 'masterKeyId'],
+ ['masterKeyId', 'masterKeyId', 'masterKeyId']
];
}