Reinitialize encryption keys without deleting it manually (LDAP backend)

[js94x]

Steps to reproduce

There is a internal password policy that forces users to change their ldap password every x days in our company. Since we connected our Nextcloud to LDAP, some time has passed.

Empoloyees who didn´t use Nextcloud for a long time get a warning "Invalid private key for Encryption App. Please update your private key password in your personal settings to recover access to your encrypted files." after login. So the user key pair is based on a pretty old password.

This is completely ok but the admins must be able to easily reset the account, so the encryption keys can be recreated with the current login password (at least for users without enabled recovery key).

Currently the only known way is deleting the keypair:
rm <OC-Basedir>/data/<Username>/files_encryption/OC_DEFAULT_MODULE/<Username>.privateKey
rm <OC-Basedir>/data/<Username>/files_encryption/OC_DEFAULT_MODULE/<Username>.publicKey

After a re-login everything works fine.

Expected behaviour

A button or something in personal settings section with a warning that reinitialize is dangerous and cause a data loss. To prevent abuse an extension for occ commandline tool could also be a solution.

[MorrisJobke]

cc @nextcloud/encryption

[schiessle]

if you delete the users private and public key, they will no longer be able to access their old files. Don't do this. The only way to update a key is to manually add the old and the new password in the personal settings as suggested by Nextcloud. This way the existing key gets re-encrypted with the users new password.

With Nextcloud13 and newer we switched to the master key by default (only new installations) which solves this issue completely by becoming independent from the users login password