Hi @jtillman, if it isn’t consistent, I can’t see how anyone has been able to recover keys.
My question would be, after you change the password on the key from your own keyring, what is happening to the file before you import it to passbolt? Or, what kind of file format are you saving it to when downloading? Maybe the file is getting characters added or is formatted badly.
I’m just exporting the file from the user profile page then importing it in the recovery page. This is without using gpg to change the key’s password, so I’m kind of surprised it didn’t (apparently) work.
Does the account recovery utility work with the file you get from using the private key exporter from your user profile page? Or is it expecting a different file/key?
Have you used the account recovery utility before? Have you tried using it on the private key you can export from your profile page? I’m just trying to understand whether what I’m seeing is an application bug or if I’m using the app incorrectly.
Thanks for confirming that the feature does in fact work. Was able to verify functionality - was dealing with a combination of not using the -a flag when exporting my key as well as long delays on the passbolt recovery email due to our environment’s filtering.
Was able to in the end verify the feature’s functionality - thanks again.
edit: Actually - the issue seems to be that you cannot change your password while still logged into the app. Not sure if this is documented somewhere and I missed it, but I’m consistently getting the ‘key doesn’t match any users’ error message if I’m authenticated to passbolt (in one of my 10,000 browser tabs) while attempting the my-passbolt-uri/recovery workflow. Logging out beforehand allows the recovery process to complete successfully.
Thanks again for verifying that the process worked.
This error message/failure path is insufficient. There should be reasonable messaging to say you need to be logged out of the app to do the password reset process. Even just changing the wording to ‘This key doesn’t match any account, log out of passbolt and try again’ would have covered my issue.
@jtillman It seems like you are making the assumption that someone who is logged in would be trying to restore their key.
The more reasonable assumption is that a user who is using the account recovery process is doing so because they cannot access their account without going through those steps.
To tell that user to log out would seem very odd, wouldn’t it?
No, the workflow here is a user has their key but wants to (or is required to by policy) change the passphrase. They then export their key, change the key passphrase, and import the key (with new passphrase) back into their account.
I know this probably isn’t the ‘intended, expected’ use of the /recovery workflow, but I’m unaware of any other way to change an account’s passphrase. It’s also seemingly what passbolt suggests via passbolt-dot-com/faq/security/change-passphrase
Even just updating the change-passphrase documentation to include a ‘you must be logged out to complete the account recovery process’ would be sufficient. As-is, users get a weird error message (I just exported this key from my passbolt profile, but the recovery workflow says it doesn’t acknowledge this key as being associated with any accounts).
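The export / re-key / re-import workflow described in this thread, as an added shell example that is not passbolt’s code and not from any of the posts above. It assumes GnuPG 2.1+ is installed, that `KEY_ID` is the fingerprint or e-mail address of the key exported from the profile page, and that the recovery page expects an ASCII-armored private key (the `-a` flag mentioned earlier). The `is_armored_private_key` check and the two fixture writers are constructed here so the format check can be exercised without a real key; the names are the example’s own.

```shell
#!/bin/sh
# Added example: re-key a passbolt private key with GnuPG and export it in the
# ASCII-armored form the /recovery page accepts. Not passbolt code; the
# function names, KEY_ID and file names are this example's assumptions.

# is_armored_private_key FILE
# Succeeds only if FILE is an ASCII-armored OpenPGP private key block, which is
# what `gpg --export-secret-keys -a` writes. An export without -a is binary and
# starts with a raw packet header byte instead of the BEGIN line, which is the
# "forgot -a" failure mode reported in the thread.
is_armored_private_key() {
    f="$1"
    [ -f "$f" ] || return 1
    head -n 1 "$f" | grep -q '^-----BEGIN PGP PRIVATE KEY BLOCK-----' || return 1
    grep -q '^-----END PGP PRIVATE KEY BLOCK-----' "$f" || return 1
}

# rekey_and_export IN KEY_ID OUT
#   IN     : the private key file downloaded from the passbolt profile page
#   KEY_ID : fingerprint or e-mail address identifying that key in the keyring
#   OUT    : armored file to upload on /recovery
# gpg prompts for the current passphrase and then twice for the new one.
# Remember to log out of passbolt in every tab before starting /recovery,
# otherwise the page reports the key as not matching any account.
rekey_and_export() {
    in="$1"; key_id="$2"; out="$3"
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 2; }
    gpg --import "$in" || return 1
    gpg --change-passphrase "$key_id" || return 1
    # -a/--armor is the step that was missed in the thread.
    gpg --armor --export-secret-keys "$key_id" > "$out" || return 1
    is_armored_private_key "$out"
}

# Constructed fixtures (not real keys) so the checker can be run offline.
write_fixture_armored() {
    printf '%s\n' \
        '-----BEGIN PGP PRIVATE KEY BLOCK-----' \
        '' \
        'lQdGBGNvbnN0cnVjdGVkLW5vdC1hLXJlYWwta2V5AAAAAAAAAAAAAAAAAAAAAAAA' \
        '=AbCd' \
        '-----END PGP PRIVATE KEY BLOCK-----' > "$1"
}
write_fixture_binary() {
    # 0x95 is the old-format packet header byte of a secret-key packet; a
    # binary export begins like this rather than with an armor header.
    printf '\225\001\003\004' > "$1"
}

# Usage (interactive, needs gpg):
#   rekey_and_export profile-export.asc "$KEY_ID" rekeyed.asc && echo "upload rekeyed.asc on /recovery"
```

The format check runs before the upload so that a binary export is caught locally instead of surfacing as the generic "key doesn’t match any users" error on the recovery page.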