Alert before expiration

It would be useful to be able to set an expiry for any secret and send an e-mail before expiration, for example a few days before.

It would also be useful to be able to see a report of secrets that are about to expire, for example in a few days.

Keep in mind, expiration is a core feature of KeePass.

Q1. What is the problem that you are trying to solve?
Alert secret owners before expiration.

Q2 - Who is impacted?
No impact.

Q3 - Why is it important and/or urgent?
Not strategic but useful to determine if secrets rotation needs to take place.

Q4 - What is your proposed solution? (optional)
Send an e-mail
Display a report

Hello @upperlimit and welcome to the forum!

The password expiry feature already exists actually (or maybe I misunderstood your point).
However, it exists in 2 variants mainly, the CE one and the PRO one, and requires your passbolt server to be at a minimum version of 4.5.0. The feature can be activated from the administration settings.

On the CE variant you can have 2 automatic workflows (you have either both of them or none of them):

  • automatic expiry: when a user loses a permission on a resource that it read in the past, the resource is marked as expired
  • automatic update: when an expired resource has its secret changed, it’s marked as not expiring again

On the PRO variant, you have more granular options where:

  • you have the possibility to set the 2 previous automatic workflows (contrary to the CE, you can choose if you want just 1 automatic workflow, the 2 of them or none of them)
  • you have the possibility to define a default expiration delay. For example, you can choose 60 days, and every new update or creation of a secret will have an expiration date set to 60 days in the future
  • you can also let the users override the expiration date such that they can manually set for each resource an expiration period or a precise date.

On both versions, once the feature is activated, you will see extra columns on the password grid with an expiration date and an “attention required” icon for resources that have expired. Plus you will find a new filter to display only the expired passwords.

About the point regarding sending an email n days before the expiration of a secret: this is not yet available. We did a first try with it, but we encountered issues and put that part off for later (no ETA that I know of though).

Anyway, this feature would be part of the PRO version.

If you want to know a bit more about it, there was a community forum post regarding the release of 4.5.0 of the API, “New Release: v4.5.0 ~ Summer is Ending”. You will also find these pages linked there:

CE release notes: Passbolt Help | Summer is ending
PRO release notes: Passbolt Help | Summer is ending

Thanks for the detailed information.

I have now enabled the password expiry feature and I can see the expiry column.
I cannot change it though because I am running the community edition and that’s understood.

However, I also wish to be able to see which secrets have an expiration date in the near future, for example in a few days (as user input), to start making preparations for secrets rotation before the secrets expire.

I believe this is a competitive function.

I think this relates to “As a logged in user I should know if a password is about to expire and should be changed”.