After Upgrade on new Server Private Key not valid

I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue


we tried to upgrade Passbolt from version 2.4.1 to the latest version on a new server running Ubuntu 22.04.2.

We followed this guide: Passbolt Help | Migrate an existing Passbolt CE to a new Ubuntu server

However we get an error when importing the old serverkey:

fabian@passbolt:~$ sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import --verbose --pinentry-mode loopback /etc/passbolt/gpg/serverkey_private.asc" www-data
gpg: sec  rsa2048/F47BC46B7421040D 2020-07-13  Fabian (nope) <>
gpg: key F47BC46B7421040D: "Fabian (nope) <>" not changed
gpg: key F47BC46B7421040D/F47BC46B7421040D: error sending to agent: Permission denied
gpg: error building skey array: Permission denied
gpg: error reading '/etc/passbolt/gpg/serverkey_private.asc': Permission denied
gpg: import from '/etc/passbolt/gpg/serverkey_private.asc' failed: Permission denied
gpg: Total number processed: 0
gpg:              unchanged: 1
gpg:       secret keys read: 1

The permissions are all as they should be according to the guide


GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
 [FAIL] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is not in the keyring
 [HELP] Import the private server key in the keyring of the webserver user.
 [HELP] you can try:
 [HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data
 [PASS] There is a valid email id defined for the server key.

So now I don’t know what we could do…

Hello @Fabian and Welcome to the forum.

I took a look at the error and found something on the Internet. It could be the GPG command that needs an extra parameter since a newer version of GNUPG2.

Maybe you can try this instead:

 sudo su -s /bin/bash -c "gpg --batch --home /var/lib/passbolt/.gnupg --import --verbose --pinentry-mode loopback /etc/passbolt/gpg/serverkey_private.asc" www-data

Basically, it’s the same command as before with the extra parameter --batch. If it works it means we need to update the help page to reflect that change.

Hello, thanks for this advise, but still the same error

Can you check the permission and ownership of the keyring and the two keys inside the second folder please


Yeah sure,


Can you do a
chown www-data:www-data /var/lib/passbolt/.gnupg/*
And try again please

1 Like