diff --git a/bin/ncp/SECURITY/nc-encrypt.sh b/bin/ncp/SECURITY/nc-encrypt.sh index 47b6c274f..9f5434529 100644 --- a/bin/ncp/SECURITY/nc-encrypt.sh +++ b/bin/ncp/SECURITY/nc-encrypt.sh @@ -20,14 +20,14 @@ install() configure() { -( + set -e -o pipefail local datadir parentdir encdir tmpdir datadir="$(get_ncpcfg datadir)" [[ "${datadir?}" == "null" ]] && datadir=/var/www/nextcloud/data parentdir="$(dirname "${datadir}")" encdir="${parentdir?}/ncdata_enc" - tmpdir="$(mktemp -u -p "${parentdir}" -t nc-data-crypt.XXXXXX))" + tmpdir="$(mktemp -u -p "${parentdir}" -t nc-data-crypt.XXXXXX)" [[ "${ACTIVE?}" != "yes" ]] && { if ! is_active; then @@ -59,7 +59,7 @@ configure() # Just mount already encrypted data if [[ -f "${encdir?}"/gocryptfs.conf ]]; then systemctl reset-failed ncp-encrypt ||: - systemd-run -u ncp-encrypt -E PASSWORD bash -c "gocryptfs -allow_other -q '${encdir}' '${datadir}' <<<\"\${PASSWORD}\" 2>&1 | sed /^Switch/d |& tee /var/log/ncp-encrypt.log" + systemd-run -u ncp-encrypt -E PASSWORD bash -c "gocryptfs -fg -allow_other -q '${encdir}' '${datadir}' <<<\"\${PASSWORD}\" 2>&1 | sed /^Switch/d |& tee /var/log/ncp-encrypt.log" # switch to the regular virtual hosts after we decrypt, so we can access NC and ncp-web a2ensite ncp 001-nextcloud 
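Review bot: `set -e -o pipefail` now runs in the caller's shell, because this hunk and the `@@ -88,7 +107,7 @@` hunk drop the `( … )` subshell that used to contain it. The options therefore stay set after `configure` returns, and the `trap cleanup EXIT` installed further down becomes a trap of the whole calling shell. If the caller does not run `configure` in its own process (not visible here), the `return 1` added in the wait loop will not fire that trap, so maintenance mode and the moved data directory stay as they are until that shell exits. Keeping the subshell, or calling `cleanup; trap - EXIT` before each `return`, would keep the rollback tied to the function. The body of `configure` continues outside this hunk.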
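Review bot: With `-fg` the transient unit now lives as long as the mount, so the passphrase handed over with `-E PASSWORD` stays in the unit's environment for that whole time. systemd's documentation describes unit environment as exposed to unprivileged D-Bus clients and not meant for secret data. Consider giving gocryptfs the passphrase through a root-only file with `-passfile`, or through a systemd credential, instead of the environment. The same line also splices `${encdir}` and `${datadir}` into the `bash -c` string inside single quotes, so a configured path containing `'` would change the command; passing them as positional arguments, `bash -c '… "$1" "$2" …' _ "${encdir}" "${datadir}"`, avoids that. The identical `systemd-run` line in the `@@ -72,13 +72,32 @@` hunk has both issues, and `configure` starts and ends outside this hunk.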
@@ -72,13 +72,32 @@ configure() mkdir -p "${encdir?}" echo "${PASSWORD?}" | gocryptfs -init -q "${encdir}" save_maintenance_mode - trap restore_maintenance_mode EXIT + cleanup() { + umount "${datadir}" ||: + [[ -f "${tmpdir}" ]] && { + rm -rf "${datadir?}" ||: + mv "${tmpdir}" "${datadir}" + + chown -R www-data:www-data "${datadir}" + } + restore_maintenance_mode + } + trap cleanup EXIT mv "${datadir?}" "${tmpdir?}" mkdir "${datadir}" systemctl reset-failed ncp-encrypt ||: - systemd-run -u ncp-encrypt -E PASSWORD bash -c "gocryptfs -allow_other -q '${encdir}' '${datadir}' <<<\"\${PASSWORD}\" 2>&1 | sed /^Switch/d |& tee /var/log/ncp-encrypt.log" + systemd-run -u ncp-encrypt -E PASSWORD bash -c "gocryptfs -fg -allow_other -q '${encdir}' '${datadir}' <<<\"\${PASSWORD}\" 2>&1 | sed /^Switch/d |& tee /var/log/ncp-encrypt.log" + + maxtries=5 + while [[ "$(systemctl is-active ncp-encrypt)" != "active" ]] + do + echo "Wating for encryption process to start... (${maxtries})" + sleep 3 + maxtries=$((maxtries - 1)) + [[ $maxtries -gt 0 ]] || return 1 + done echo "Encrypting data..." mv "${tmpdir}"/* "${tmpdir}"/.[!.]* "${datadir}" @@ -88,7 +107,7 @@ configure() set_ncpcfg datadir "${datadir}" echo "Data is now encrypted" -) + } # License diff --git a/ncp.sh b/ncp.sh index 875dbe3a1..c2caedcd3 100644 --- a/ncp.sh +++ b/ncp.sh @@ -128,7 +128,7 @@ EOF cat > /home/www/ncp-app-bridge.sh <<'EOF' #!/bin/bash -set -ex +set -e grep -q '[\\&#;`|*?~<>^()[{}$&]' <<< "$*" && exit 1 action="${1?}" [[ "$action" == "config" ]] && {
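Review bot: The restore branch in `cleanup` can never run, because `[[ -f "${tmpdir}" ]]` tests for a regular file while `mv "${datadir?}" "${tmpdir?}"` makes `tmpdir` a directory; a failed run therefore leaves the original data parked in `tmpdir` beside an empty `datadir`. Once the test is `-d`, the `rm -rf "${datadir?}"` that follows `umount … ||:` needs a guard, since after a failed unmount it would delete, through the live gocryptfs mount, everything already moved in. The trap also unmounts `datadir` on a successful exit unless it is cleared in lines outside this hunk. Smaller points: `maxtries` should be declared `local`, and the wait message reads "Wating". The sketch below assumes `tmpdir` is removed after a successful move, which this hunk does not show; `configure` starts and ends outside the hunk.

```shell
  cleanup() {
    # Roll back only while the original data is still parked in tmpdir (a directory).
    if [[ -d "${tmpdir}" ]]; then
      umount "${datadir}" ||:
      # Never rm -rf through a live mount: files already moved in would be destroyed.
      if mountpoint -q "${datadir}"; then
        echo "ERROR: ${datadir} is still mounted, original data kept in ${tmpdir}" >&2
      else
        rm -rf "${datadir?}"
        mv "${tmpdir}" "${datadir}"
        chown -R www-data:www-data "${datadir}"
      fi
    fi
    restore_maintenance_mode
  }
  trap cleanup EXIT
  # … unchanged: mv datadir to tmpdir, mkdir, systemd-run mount …
  local maxtries=5
  # … unchanged: wait loop and data move …
```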
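Review bot: The metacharacter filter on the line after `set -e` is a denylist, and the visible character class contains no quote characters, `!`, whitespace or newline. Whether it is sufficient therefore depends entirely on how `$action` and the remaining arguments are used further down the generated script, which is outside this hunk. An allowlist of the characters the bridge actually needs would be easier to audit than this set. Dropping `-x` deserves a one-line comment such as `# no xtrace: it would echo every argument passed to the bridge`, so that tracing is not switched back on later for debugging.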