Encryption key not valid but can't be enabled

I'm a longtime user of Joplin across Windows, Android and iOS. I noticed recently that I was not making use of the "master password" functionality so I decided to set one. However, I'm now seeing that my encryption key went from being valid to invalid.

When I try to enter my master password or my old encryption key password and click Save, nothing happens. If I disable the encryption key, everything seems to be OK, except that I would assume that nothing new is being encrypted if there are no encryption keys enabled? On the other hand, if I enable the key, it says "Your master password is needed to decrypt some of your data. Please click on "Manage master password..." to proceed." But when I click the button, the dialog says my Master Password status is Valid and there's nothing I can do except to change the password. When the key is enabled, I also get a message in the main window: "One or more master keys need a password".

From reading the documentation, it seems like setting the master password would have changed the password on my encryption key to the new master password. Is that right? That doesn't work.

Bottom line - are my notes still being encrypted and synced properly? If not, how do I get that going again?

Using Nextcloud sync, Windows Joplin client 2.7.15.

You need to set the password for the key ca62

When I enter the password, and click save, the field goes back to empty again and nothing happens. I have tried both my new master password and the old password I had used for that encryption key.

I think there's a fix for this in prerelease 2.8. Could you give it a try?

Ok, I installed 2.8.8. I pasted my old encryption password in and clicked save, and the key changed from invalid to valid. Then, because I was curious and wanted to test, I pasted my master password in and clicked save.

That changed the key to invalid again and the password field is now not editable. It's replaced with "(master password)".

If I attempt to change the master password, it says the key can't be re-encrypted, probably because of an incorrect password. Seems like there is still a bug in here somewhere...

I've now synced across all my devices with encryption disabled, and I'm seeing discrepancies in the number of decrypted notes across the devices according to the encryption settings window:
#1 (Windows): 5996 / 6021
#2 (Android): 6022 / 6022 (but 2 notes, 1 resource, and 4 revisions listed at the top as items that cannot be decrypted)
#3 (iOS): Sync Status Total: 6018/6018
#4 (Windows): 5992/7266

At this point, I'm concerned about data loss. Is there a way to easily identify any notes on the sync server (Nextcloud) that are encrypted and then manually decrypt them outside of Joplin, and then start fresh on syncing to all my clients?

The CLI command e2ee target-status <path> would give you some info. You'd need to get all the Nextcloud files onto your computer first, because "path" must be a local path.

I installed Joplin on the Nextcloud server and ran this command directly there.

user@server:/mnt/storage/nextcloud-data/user/files/joplin$ joplin e2ee target-status .
EACCES: permission denied, scandir '.'

Running with sudo didn't help either. Any suggestions?

Maybe try to input the full path instead of "."?

Ok, I got it working. The owner of the dir was www-data, which it didn’t like. I had to copy to my home dir and chown that.

I got this result, which I’m not sure how to interpret… Only the first line looks a little suspicious to me. I snipped my keys out of this.

Invalid property format: }: {
  "version": 3,
  "e2ee": {
    "value": false,
    "updatedTime": 1654407654512
  },
  "activeMasterKeyId": {
    "value": "ca62fd8dbe3c4ab788abab1a03fd9010",
    "updatedTime": 0
  },
  "masterKeys": [
    {
      "id": "ca62fd8dbe3c4ab788abab1a03fd9010",
      "created_time": 1562122910790,
      "updated_time": 1654709710956,
      "source_application": "net.cozic.joplin-desktop",
      "encryption_method": 4,
      "checksum": "",
      "content": "{"iv":"","v":1,"iter":10000,"ks":256,"ts":64,"mode":"ccm","adata":"","cipher":"aes","salt":"","ct":""}",
      "enabled": 1,
      "hasBeenUsed": true
    }
  ],
  "ppk": {
    "value": {
      "id": "9EdF5jl0lOYmE3HNam0wMX",
      "keySize": 2048,
      "privateKey": {
        "encryptionMethod": 4,
        "ciphertext": "{"iv":"","v":1,"iter":10000,"ks":256,"ts":64,"mode":"ccm","adata":"","cipher":"aes","salt":"","ct":"
        "}"
      },
      "publicKey": "-----BEGIN RSA PUBLIC KEY-----\n\n-----END RSA PUBLIC KEY-----",
      "createdTime": 1649606929391
    },
    "updatedTime": 1649606929391
  }
}

I decided to take another route to debug. In the Windows client, I see some notes that are marked "Encrypted" and can't be opened. I turned on developer tools to get their IDs and then manually inspect that file on the Nextcloud server.

It turns out the handful of files I spot checked are NOT encrypted. The client just thinks they are and is having trouble with them.

On the server, at the end of the file, I see:
encryption_cipher_text:
encryption_applied: 0

On the client in the debug window, I see:
encryption_cipher_text: "<obfuscated - looks like a big JSON object>"
id: "8710213ad38f4d1a9fe9bb09fdd02e8b"

It seems like the issue is completely on the client side. Would you suggest uninstalling the client and its directory and then reinstalling and resyncing?
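
Added example, not part of the original thread and not Joplin's own code: the manual spot check described above, automated over a whole local copy of the sync directory, so that every item whose trailing properties say `encryption_applied: 1` (or that still carries cipher text while claiming `0`) is listed by ID. It assumes items are stored as `<id>.md` files readable by the current user and end with the `key: value` lines quoted in the post; the sample items and IDs are constructed.

```python
import tempfile
from pathlib import Path

def trailing_properties(text):
    """Return the 'key: value' lines that end a serialized item, as a dict."""
    props = {}
    for line in reversed(text.rstrip("\n").split("\n")):
        key, sep, value = line.partition(":")
        if not sep or not key.replace("_", "").isalnum():
            break  # blank line or body text: the property block is over
        props.setdefault(key, value.strip())
    return props

def classify(text):
    """Decide an item's encryption state from its trailing properties."""
    props = trailing_properties(text)
    applied = props.get("encryption_applied")
    has_cipher_text = bool(props.get("encryption_cipher_text"))
    if applied == "1":
        return "encrypted"
    if applied == "0":
        # Cipher text left behind on an item flagged as unencrypted is worth a look.
        return "inconsistent" if has_cipher_text else "plaintext"
    return "unknown"  # no encryption_applied property found

def scan_target(directory):
    """Map each status to the sorted item IDs (file names without .md)."""
    report = {}
    for path in sorted(Path(directory).glob("*.md")):
        status = classify(path.read_text(encoding="utf-8", errors="replace"))
        report.setdefault(status, []).append(path.stem)
    return report

# Constructed sample items (not real Joplin data), keyed by made-up IDs.
SAMPLE = {
    "aaaa": "Groceries\n\nmilk, eggs\n\nid: aaaa\nencryption_cipher_text: \nencryption_applied: 0\ntype_: 1",
    "bbbb": "id: bbbb\nencryption_cipher_text: <constructed ciphertext>\nencryption_applied: 1\ntype_: 1",
    "cccc": "Title only\n\nreminder: call bank",
}

def demo():
    """Write the sample items to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for item_id, text in SAMPLE.items():
            Path(tmp, item_id + ".md").write_text(text, encoding="utf-8")
        return scan_target(tmp)

if __name__ == "__main__":
    for status, ids in demo().items():
        print(status, len(ids), ids)
```

To use it on real data, call `scan_target()` on the copied, chown'ed directory; the IDs it returns can be compared with the ones the desktop client shows as "Encrypted".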