[solved] Can't access data after enabling encryption

I enabled encryption for my existing instance.

and enabled it.

Once done, I clicked “Re-synchronize” and tried to browse files…
I can still see them, their metadata and enter directories, but none can be opened/downloaded.

This is a typical request…

https://domain/io/common-files/test.rtf?AWSAccessKeyId=gateway&Expires=1583260083&Signature=It%2B8%2FpIj00wiaj9U7jULDHUgMds%3D&response-content-disposition=attachment%3B%20filename%3Dtest.rtf&pydio_jwt=xxxxx

… but the HTTP response is an empty 500 (content-type: application/xml and content-disposition: attachment; filename=test.rtf)

In cells output I can see the following corresponding to this download request:

ERROR pydio.gateway.data views.handler.encryption.GetObject: failed to get node info {"error": "{\"id\":\"node.key.dao\",\"code\":404,\"detail\":\"no entry for 0aebf3b7-5bc6-42ce-b60f-7eae39eb391b key\",\"status\":\"Not Found\"}"}

When using openstack object save pydio test.rtf I can get the unencrypted file, meaning that:

  • Files are not encrypted in the storage backend
  • Files are unavailable from Pydio

Ironically: this is the opposite of what was initially intended when enabling encryption :S

Erase and restart is obviously not an option for a -production instance, neither is disabling encryption since it’s advertised to render unreadable all data.
By chance, it’s still a sandbox, but it’s still sufficiently worrying and distrust-prone that I should ask:
How would I save myself in such a situation?

Full trace about the unencrypted failing to be accessed by pydio:

2020-03-05T13:39:16.162Z	DEBUG	pydio.grpc.tree	ReadNode	{"time": "3.681485ms", "req": "Node:<Path:\"ovh/test.rtf\" MetaStore:<key:\"pydio:meta-data-source-path\" value:\"\\\"test.rtf\\\"\" > > ", "resp": "Node:<Uuid:\"0aebf3b7-5bc6-42ce-b60f-7eae39eb391b\" Path:\"ovh/test.rtf\" Type:LEAF Size:1735 MTime:1582669603 Mode:511 Etag:\"9b97a0f7a45712637d9883c0477618c1\" MetaStore:<key:\"name\" value:\"\\\"test.rtf\\\"\" > MetaStore:<key:\"pydio:meta-data-source-name\" value:\"\\\"ovh\\\"\" > MetaStore:<key:\"pydio:meta-data-source-path\" value:\"\\\"test.rtf\\\"\" > > "}
2020-03-05T13:39:16.268Z	ERROR	pydio.gateway.data	views.handler.encryption.GetObject: failed to get node info	{"error": "{\"id\":\"node.key.dao\",\"code\":404,\"detail\":\"no entry for 0aebf3b7-5bc6-42ce-b60f-7eae39eb391b key\",\"status\":\"Not Found\"}"}
github.com/pydio/cells/common/views.(*EncryptionHandler).GetObject
	/opt/teamcity/agent/work/fb9e7e7133d45375/go/src/github.com/pydio/cells/common/views/handler-encryption.go:99
github.com/pydio/cells/common/views.(*AbstractHandler).GetObject
	/opt/teamcity/agent/work/fb9e7e7133d45375/go/src/github.com/pydio/cells/common/views/handler-abstract.go:131
github.com/pydio/cells/common/views.(*AbstractHandler).GetObject
	/opt/teamcity/agent/work/fb9e7e7133d45375/go/src/github.com/pydio/cells/common/views/handler-abstract.go:131
github.com/pydio/cells/common/views.(*AbstractHandler).GetObject
	/opt/teamcity/agent/work/fb9e7e7133d45375/go/src/github.com/pydio/cells/common/views/handler-abstract.go:131
github.com/pydio/cells/common/views.(*AbstractHandler).GetObject
	/opt/teamcity/agent/work/fb9e7e7133d45375/go/src/github.com/pydio/cells/common/views/handler-abstract.go:131
github.com/pydio/cells/common/views.(*HandlerEventRead).GetObject
	/opt/teamcity/agent/work/fb9e7e7133d45375/go/src/github.com/pydio/cells/common/views/handler-events-read.go:95
github.com/pydio/cells/common/views.(*AclFilterHandler).GetObject
	/opt/teamcity/agent/work/fb9e7e7133d45375/go/src/github.com/pydio/cells/common/views/handler-acl-filter.go:197
github.com/pydio/cells/common/views.(*HandlerAuditEvent).GetObject
	/opt/teamcity/agent/work/fb9e7e7133d45375/go/src/github.com/pydio/cells/common/views/handler-audit-events.go:47
github.com/pydio/cells/common/views.(*AbstractBranchFilter).GetObject
	/opt/teamcity/agent/work/fb9e7e7133d45375/go/src/github.com/pydio/cells/common/views/handler-path-abstract-filter.go:300
github.com/pydio/cells/common/views.(*AbstractBranchFilter).GetObject
	/opt/teamcity/agent/work/fb9e7e7133d45375/go/src/github.com/pydio/cells/common/views/handler-path-abstract-filter.go:300
github.com/pydio/cells/common/views.(*AbstractBranchFilter).GetObject
	/opt/teamcity/agent/work/fb9e7e7133d45375/go/src/github.com/pydio/cells/common/views/handler-path-abstract-filter.go:300
github.com/pydio/cells/common/views.(*AbstractBranchFilter).GetObject
	/opt/teamcity/agent/work/fb9e7e7133d45375/go/src/github.com/pydio/cells/common/views/handler-path-abstract-filter.go:300
github.com/pydio/cells/common/views.(*AbstractBranchFilter).GetObject
	/opt/teamcity/agent/work/fb9e7e7133d45375/go/src/github.com/pydio/cells/common/views/handler-path-abstract-filter.go:300
github.com/pydio/cells/common/views.(*ArchiveHandler).GetObject
	/opt/teamcity/agent/work/fb9e7e7133d45375/go/src/github.com/pydio/cells/common/views/handler-archive.go:86
github.com/pydio/cells/common/views.(*BinaryStoreHandler).GetObject
	/opt/teamcity/agent/work/fb9e7e7133d45375/go/src/github.com/pydio/cells/common/views/handler-binary-store.go:120
github.com/pydio/cells/common/views.(*BinaryStoreHandler).GetObject
	/opt/teamcity/agent/work/fb9e7e7133d45375/go/src/github.com/pydio/cells/common/views/handler-binary-store.go:120
github.com/pydio/cells/common/views.(*AbstractHandler).GetObject
	/opt/teamcity/agent/work/fb9e7e7133d45375/go/src/github.com/pydio/cells/common/views/handler-abstract.go:131
github.com/pydio/cells/common/views.(*Router).GetObject
	/opt/teamcity/agent/work/fb9e7e7133d45375/go/src/github.com/pydio/cells/common/views/router.go:201
github.com/pydio/cells/vendor/github.com/pydio/minio-srv/cmd/gateway/pydio.(*pydioObjects).GetObject
	/opt/teamcity/agent/work/fb9e7e7133d45375/go/src/github.com/pydio/cells/vendor/github.com/pydio/minio-srv/cmd/gateway/pydio/gateway-pydio.go:313
github.com/pydio/cells/vendor/github.com/pydio/minio-srv/cmd/gateway/pydio.(*pydioObjects).GetObjectNInfo.func1
	/opt/teamcity/agent/work/fb9e7e7133d45375/go/src/github.com/pydio/cells/vendor/github.com/pydio/minio-srv/cmd/gateway/pydio/gateway-pydio.go:293

If I pass the warning message of encryption disabling, then I can access back existing files that were created unencrypted.

That means unencrypted and encrypted files can coexist inside Pydio, but Pydio seems not to track which one is using encryption and which isn’t. I think that at least some kind of encryption icon should appear in the UI to help users distinguish this, and that an error message should be triggered instead of nothing.

Hello @drzraf,

I assume that you already had data on that bucket before encryption?
In that case it will not work, we do not encrypt the resources that already exist.

You must have an empty bucket, then create your encrypted datasource, after that you can move your resources to it.

Could you try and tell me if that is working for you?

That’s it and replies to my question.
But I’m not sure the behavior is the best one.

At least some kind of encryption icon should appear in the UI to help users distinguish this, and an error message should be triggered instead of nothing.

I'll add an entry in our backlog for that, it could be good to have an indicator on what is encrypted or not.
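Until such an indicator exists, the log lines quoted in this thread are enough to list which nodes failed for lack of a key entry, for example to decide what to move into a new encrypted datasource. The following is an added example, not part of the thread and not Pydio code; it assumes the tab-separated log layout shown in the trace above, and every sample value except the thread's own UUID and path is constructed.

```python
import json
import re

UUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
NODE_RE = re.compile(r'Uuid:"(%s)" Path:"([^"]+)"' % UUID)
MISSING_RE = re.compile(r"no entry for (%s) key" % UUID)

def nodes_without_key(log_text):
    """Map node UUID -> path (None if unknown) for reads that failed on a missing key."""
    paths, missing = {}, []
    for line in log_text.splitlines():
        parts = line.split("\t", 4)
        if len(parts) != 5:
            continue  # stack-trace frames and other continuation lines
        _, level, logger, msg, raw = parts
        try:
            fields = json.loads(raw)
            if msg == "ReadNode":
                # remember UUID -> path so failures can be reported by file name
                paths.update(NODE_RE.findall(fields.get("resp", "")))
            elif level == "ERROR" and logger == "pydio.gateway.data":
                err = json.loads(fields["error"])  # the error field is JSON inside JSON
                m = MISSING_RE.search(err.get("detail", ""))
                if err.get("id") == "node.key.dao" and err.get("code") == 404 and m:
                    missing.append(m.group(1))
        except (ValueError, TypeError, KeyError, AttributeError):
            continue  # not the structured line shape this example expects
    return {uuid: paths.get(uuid) for uuid in missing}

# Constructed sample: U1 is the node from the thread, U2 and U3 are made up.
U1 = "0aebf3b7-5bc6-42ce-b60f-7eae39eb391b"
U2 = "11111111-2222-4333-8444-555555555555"
U3 = "66666666-7777-4888-8999-aaaaaaaaaaaa"

def _line(level, logger, msg, fields):
    return "\t".join(["2020-03-05T13:39:16.162Z", level, logger, msg, json.dumps(fields)])
def _read(uuid, path):
    resp = 'Node:<Uuid:"%s" Path:"%s" Type:LEAF > ' % (uuid, path)
    return _line("DEBUG", "pydio.grpc.tree", "ReadNode", {"resp": resp})
def _key_error(uuid):
    err = {"id": "node.key.dao", "code": 404, "detail": "no entry for %s key" % uuid}
    msg = "views.handler.encryption.GetObject: failed to get node info"
    return _line("ERROR", "pydio.gateway.data", msg, {"error": json.dumps(err)})

SAMPLE_LOG = "\n".join([
    _read(U1, "ovh/test.rtf"), _key_error(U1),
    "github.com/pydio/cells/common/views.(*EncryptionHandler).GetObject",
    "\t/constructed/path/handler-encryption.go:99",
    _read(U3, "ovh/new.txt"),  # read with no key error: not reported
    _key_error(U2),            # key error with no ReadNode line: path unknown
])
```

Calling `nodes_without_key()` on the text of a real log file gives the same mapping; a `None` path means the matching `ReadNode` debug line was not in the log, which happens when debug logging is off.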