
[Bug]: Config for files_external mount option "encryption" is not respected #59635

@iCaotix


⚠️ This issue respects the following points: ⚠️

Bug description

When the server has server-side encryption enabled and an external mount (e.g. SFTP or S3) is configured with the mount option "encrypt" set to false, Nextcloud still encrypts the files before upload.

Steps to reproduce

  1. Enable server side encryption
  2. Create a new mount of a type supporting encryption like S3
  3. Set the value for "Activate Encryption" to false
  4. Upload a file (it's specifically tested with newly uploaded files since existing files are by default not encrypted)
  5. File is encrypted

Expected behavior

If encryption is disabled for a mount, files uploaded to that mount should not be encrypted.

Nextcloud Server version

33

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.4

Web server

Other

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

Encryption is Enabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "overwriteprotocol": "https",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "forwarded_for_headers": [
            "HTTP_X_REAL_IP",
            "HTTP_X_FORWARDED_FOR"
        ],
        "objectstore": {
            "class": "\\OC\\Files\\ObjectStore\\S3",
            "arguments": {
                "bucket": "nextcloud-main",
                "region": "garage",
                "hostname": "***REMOVED SENSITIVE VALUE***",
                "port": "",
                "storageClass": "",
                "objectPrefix": "urn:oid:",
                "autocreate": true,
                "use_ssl": true,
                "use_path_style": false,
                "legacy_auth": false,
                "key": "***REMOVED SENSITIVE VALUE***",
                "secret": "***REMOVED SENSITIVE VALUE***"
            }
        },
        "upgrade.disable-web": true,
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "33.0.2.2",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "log_type": "errorlog",
        "log_type_audit": "errorlog",
        "files.chunked_upload.max_size": 0,
        "dbpersistent": true,
        "mysql.utf8mb4": true,
        "maintenance": false,
        "loglevel": 2,
        "maintenance_window_start": 1,
        "default_phone_region": "DE",
        "enable_previews": true,
        "preview_max_filesize_image": 50,
        "preview_max_x": 1024,
        "preview_max_y": 1024,
        "enabledPreviewProviders": [
            "OC\\Preview\\Movie",
            "OC\\Preview\\PNG",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\GIF",
            "OC\\Preview\\BMP",
            "OC\\Preview\\XBitmap",
            "OC\\Preview\\MP3",
            "OC\\Preview\\MP4",
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown",
            "OC\\Preview\\PDF",
            "OC\\Preview\\HEIC",
            "OC\\Preview\\TIFF",
            "OC\\Preview\\Image"
        ],
        "config_preset": 1,
        "app_install_overwrite": [
            "memories"
        ],
        "memories.db.triggers.fcu": true,
        "memories.exiftool": "\/var\/www\/html\/custom_apps\/memories\/bin-ext\/exiftool-amd64-glibc",
        "memories.vod.path": "\/var\/www\/html\/custom_apps\/memories\/bin-ext\/go-vod-amd64",
        "memories.vod.ffmpeg": "\/usr\/bin\/ffmpeg",
        "memories.vod.ffprobe": "\/usr\/bin\/ffprobe",
        "simpleSignUpLink.shown": false,
        "activity_expire_days": 90,
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpsecure": "",
        "mail_smtpauth": true,
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "memories.gis_type": 2
    }
}

List of activated Apps

Enabled:
  - activity: 6.0.0
  - app_api: 33.0.0
  - bruteforcesettings: 6.0.0
  - circles: 33.0.0
  - cloud_federation_api: 1.17.0
  - comments: 1.23.0
  - contacts: 8.4.3
  - contactsinteraction: 1.14.1
  - dashboard: 7.13.0
  - dav: 1.36.0
  - encryption: 2.21.0
  - federatedfilesharing: 1.23.0
  - federation: 1.23.0
  - files: 2.5.0
  - files_downloadlimit: 5.1.0
  - files_external: 1.25.1
  - files_pdfviewer: 6.0.0
  - files_reminders: 1.6.0
  - files_sharing: 1.25.2
  - files_trashbin: 1.23.0
  - files_versions: 1.26.0
  - firstrunwizard: 6.0.0
  - groupfolders: 21.0.6
  - lookup_server_connector: 1.21.0
  - memories: 8.0.1
  - nextcloud_announcements: 5.0.0
  - notifications: 6.0.0
  - oauth2: 1.21.0
  - password_policy: 5.0.0
  - photos: 6.0.0
  - previewgenerator: 5.13.0
  - privacy: 5.0.0
  - profile: 1.2.0
  - provisioning_api: 1.23.0
  - serverinfo: 5.0.0
  - settings: 1.16.0
  - sharebymail: 1.23.0
  - support: 5.0.0
  - suspicious_login: 11.0.0
  - systemtags: 1.23.0
  - text: 7.0.0
  - theming: 2.8.0
  - twofactor_backupcodes: 1.22.0
  - twofactor_nextcloud_notification: 7.0.0
  - twofactor_totp: 15.0.0
  - twofactor_webauthn: 2.6.0
  - updatenotification: 1.23.0
  - user_status: 1.13.0
  - viewer: 6.0.0
  - weather_status: 1.13.0
  - webhook_listeners: 1.5.0
  - workflowengine: 2.15.0
Disabled:
  - admin_audit: 1.23.0
  - calendar: 6.2.2 (installed 6.2.2)
  - logreader: 6.0.0 (installed 6.0.0)
  - mail: 5.7.7 (installed 5.7.7)
  - notes: 4.13.1 (installed 4.13.1)
  - recommendations: 6.0.0 (installed 6.0.0-dev.0)
  - related_resources: 4.0.0 (installed 4.0.0-dev.0)
  - spreed: 23.0.3 (installed 23.0.3)
  - survey_client: 5.0.0 (installed 5.0.0)
  - testing: 1.23.0
  - user_ldap: 1.24.0

Nextcloud Signing status

Nextcloud Logs

Additional info

The issue can be fixed locally by patching

$mountPointConfig = $this->mount->getOption('encrypt', true);
if ($mountPointConfig === false) {

to

if ($mountPointConfig == false) {

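However, the issue should probably be fixed further down, so that mount->getOption() does not return a value that is not the expected bool. My investigation showed that '' (an empty string) is returned, which the strict comparison (triple equals sign) does not treat as equal to false. Fixing it at the source is also safer than the loose comparison above, because == false additionally matches other falsy values such as 0, '0', null and an empty array, so a malformed option value would silently disable encryption for the mount.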


    Labels

    0. Needs triage (Pending check for reproducibility or if it fits our roadmap), 33-feedback, bug
