nextcloud · cuppett · Apr 29, 2026 · cuppett · Apr 30, 2026
@@ -8,14 +8,17 @@
 namespace OC\Encryption;
 
 use OC\Files\Filesystem;
+use OC\Files\Mount\HomeMountPoint;
 use OC\Files\Storage\Wrapper\Encryption;
 use OC\Files\View;
 use OC\Memcache\ArrayCache;
 use OCP\Encryption\IFile;
 use OCP\Encryption\Keys\IStorage as EncryptionKeysStorage;
+use OCP\Exceptions\AppConfigTypeConflictException;
 use OCP\Files\Mount\IMountPoint;
 use OCP\Files\Storage\IDisableEncryptionStorage;
 use OCP\Files\Storage\IStorage;
+use OCP\IAppConfig;
 use OCP\IConfig;
 use OCP\IGroupManager;
 use OCP\IUserManager;
@@ -57,32 +60,67 @@ public function wrapStorage(string $mountPoint, IStorage $storage, IMountPoint $
 			'mount' => $mount
 		];
 
-		if ($force || (!$storage->instanceOfStorage(IDisableEncryptionStorage::class) && $mountPoint !== '/')) {
-			$user = Server::get(IUserSession::class)->getUser();
-			$mountManager = Filesystem::getMountManager();
-			$uid = $user ? $user->getUID() : null;
-			$fileHelper = Server::get(IFile::class);
-			$keyStorage = Server::get(EncryptionKeysStorage::class);
+		// Only evaluate other conditions if not forced
+		if (!$force) {
+			// If a disabled storage medium, return basic storage
+			if ($storage->instanceOfStorage(IDisableEncryptionStorage::class)) {
+				return $storage;
+			}
 
-			$util = new Util(
-				new View(),
-				Server::get(IUserManager::class),
-				Server::get(IGroupManager::class),
-				Server::get(IConfig::class)
-			);
-			return new Encryption(
-				$parameters,
-				$this->manager,
-				$util,
-				$this->logger,
-				$fileHelper,
-				$uid,
-				$keyStorage,
-				$mountManager,
-				$this->arrayCache
+			// Root mount point handling: skip encryption wrapper
+			if ($mountPoint === '/') {
+				return $storage;
+			}
+
+			// Skip encryption for home mounts if encryptHomeStorage is disabled
+			if ($mount instanceof HomeMountPoint && !$this->shouldEncryptHomeStorage()) {
+				return $storage;
+			}
+		}
+
+		// Apply encryption wrapper
+		$user = Server::get(IUserSession::class)->getUser();
+		$mountManager = Filesystem::getMountManager();
+		$uid = $user ? $user->getUID() : null;
+		$fileHelper = Server::get(IFile::class);
+		$keyStorage = Server::get(EncryptionKeysStorage::class);
+
+		$util = new Util(
+			new View(),
+			Server::get(IUserManager::class),
+			Server::get(IGroupManager::class),
+			Server::get(IConfig::class)
+		);
+		return new Encryption(
+			$parameters,
+			$this->manager,
+			$util,
+			$this->logger,
+			$fileHelper,
+			$uid,
+			$keyStorage,
+			$mountManager,
+			$this->arrayCache
+		);
+	}
+
+	private function shouldEncryptHomeStorage(): bool {
+		$appConfig = Server::get(IAppConfig::class);
+		try {
+			return $appConfig->getValueBool('encryption', 'encryptHomeStorage', true);
+		} catch (AppConfigTypeConflictException) {
+			// Stored as VALUE_STRING from a pre-upgrade installation.
+			// RetypeEncryptionConfigKeys repair step will fix the type on occ upgrade.
+			return $this->parseLegacyBoolString(
+				$appConfig->getValueString('encryption', 'encryptHomeStorage', '1')
 			);
-		} else {
-			return $storage;
+		} catch (\Throwable) {
+			// DB not ready (e.g. oc_appconfig does not yet exist during install).
+			return true;
 		}
 	}
+
+	private function parseLegacyBoolString(string $value): bool {
+		return in_array(strtolower(trim($value)), ['1', 'true', 'yes', 'on'], true);
+	}
 }