Q1. What is the problem that you are trying to solve?
In our experience with passbolt in a small company environment, the number one administrative pain point is when a user loses their private key. Typically this is because the machine where they generated it has crashed or needed reinstallation, and they didn’t keep a separate copy of the private key.
We would like to help our users (and admins) by relieving them of the responsibility of keeping a secure copy of their private key.
The way we do this today is that we’ve created a simple one-page escrow web application where people can paste their private key - it simply encrypts the content with an escrow GPG public key and dumps it into a folder. It’s pretty secure: the corresponding private key is not kept on this server, and of course, it’s also still encrypted with their passphrase.
However, this relies on users remembering to use our escrow service when they create their private key, and unfortunately not many do. I would like to have this integrated with key creation so that it just becomes a checkbox to back up the key, or mandatory based on policy.
Q2 - Who is impacted?
Administrators of passbolt where users don’t always do what they’re told, and forget to keep a backup copy of the private key separate from the machine where they use it.
Q3 - Why is it important and/or urgent?
Recovery of access for an authorised user is a time consuming and complex operation.
- First, any passwords of which they are the owner must have the ownership transferred to someone else
- Any passwords which they were the sole owner of and were not shared with anyone else need to be destroyed
- Care is needed for groups of which they are the sole member or administrator
- The old user can then be deleted
- A new user is created with a new key and the same E-mail address
- They need to be put back in the right groups/roles
Q4 - What is your proposed solution? (optional)
I would like a checkbox saying “Store an encrypted backup copy of your private key on the server”. Configurable server-side to be checked by default or mandatory.
When selected, the client would locally encrypt the freshly-generated GPG private key with an escrow public key, and upload it to the server. The server would store it somewhere.
I believe the client already has the passbolt API server’s public key, so that could be used for escrow, but if the passbolt server also has the private key then this makes the escrow less secure.
With a separate escrow key, it would be the responsibility of the administrator to:
- create the escrow public/private key
- store the private key securely somewhere
- manually perform decryption with the private key, when recovering a lost key
Optionally: the client could refuse to use the escrow key unless it’s signed by the passbolt server key. But to be honest, if an attacker has taken over the API, all security bets are off anyway.
I would like to be able to list the users we have escrow keys for, and those we don't.
Q5. Community support
People can vote for this idea to show traction:
- Must have: this is critical for me to have this
- Should have: this is important for me to have this
- Could have: this could be nice to have
- Won’t have: we should not schedule this (explain why)
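To make the Q4 proposal concrete, here is the escrow round trip done by hand with stock GnuPG, plus the "who is escrowed?" listing asked for at the end of Q4. This is an added example for this thread, not passbolt's code and not the one-page escrow app described above (that app is stood in for by a single gpg --encrypt in a keyring that holds only the escrow public key). It assumes GnuPG 2.1 or newer on the PATH; the identities, passphrases, the escrow folder layout (one armored blob per user fingerprint) and the escrow_status report are all made up for the demo.

```shell
#!/bin/sh
# Added example, not passbolt's code: the escrow flow proposed in Q4, done by hand
# with GnuPG, plus the "which users are escrowed?" listing asked for at the end of Q4.
# All identities, passphrases, file names and the escrow directory are made up for
# the demo; the one-page escrow web app is stood in for by a single gpg --encrypt.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not found: this demo needs GnuPG 2.1+" >&2; exit 0; }

WORK=$(mktemp -d)
ESCROW_DIR="$WORK/escrow"     # the folder the escrow service "dumps" blobs into
mkdir -p "$ESCROW_DIR"

# g <role> <passphrase> <gpg args...>: run gpg in a throwaway keyring for one role
# (admin / user / service / recovered), never prompting, passphrase passed inline.
g() {
    role=$1; pass=$2; shift 2
    [ -d "$WORK/$role" ] || mkdir -m 700 "$WORK/$role"
    GNUPGHOME="$WORK/$role" gpg --batch --quiet --no-tty \
        --pinentry-mode loopback --passphrase "$pass" "$@"
}

# fpr_of <role> <user id>: primary-key fingerprint of a user id in that role's keyring.
fpr_of() {
    GNUPGHOME="$WORK/$1" gpg --batch --with-colons --list-keys "$2" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# 1. Administrator creates the escrow keypair and publishes only the public half.
#    (Empty passphrase purely to keep the demo non-interactive; a real escrow key
#    would be passphrase-protected and kept offline.)
ADMIN_PASS=''
g admin "$ADMIN_PASS" --quick-generate-key 'Escrow <escrow@example.invalid>' default default never
ESCROW_FPR=$(fpr_of admin escrow@example.invalid)
g admin "$ADMIN_PASS" --armor --export "$ESCROW_FPR" > "$WORK/escrow.pub"

# 2. The user's own key, as the passbolt client would generate it at setup, and the
#    armored secret-key export they would paste into the escrow page. The export
#    stays protected by the user's passphrase.
USER_PASS='correct horse battery staple'
g user "$USER_PASS" --quick-generate-key 'Ada <ada@example.invalid>' default default never
USER_FPR=$(fpr_of user ada@example.invalid)
g user "$USER_PASS" --armor --export-secret-keys "$USER_FPR" > "$WORK/ada_private.asc"

# A secret encrypted to the user's key stands in for one of their passbolt passwords.
SECRET='db-root:hunter2'
printf '%s' "$SECRET" | g user "$USER_PASS" --armor --recipient "$USER_FPR" --encrypt \
    > "$WORK/password.asc"

# 3. Escrow service: holds escrow.pub only (no private key) and encrypts what the user
#    pasted to the escrow key; the blob is filed under the user's fingerprint.
g service '' --import "$WORK/escrow.pub"
g service '' --armor --trust-model always --recipient "$ESCROW_FPR" \
    --output "$ESCROW_DIR/$USER_FPR.asc" --encrypt "$WORK/ada_private.asc"
SERVICE_SECRETS=$(GNUPGHOME="$WORK/service" gpg --batch --with-colons --list-secret-keys 2>/dev/null || true)

# 4. Recovery: the administrator decrypts the blob with the escrow private key and
#    returns the still-passphrase-protected key to the user, who imports it into a
#    fresh keyring and can read their passwords again.
g admin "$ADMIN_PASS" --output "$WORK/ada_recovered.asc" --decrypt "$ESCROW_DIR/$USER_FPR.asc"
g recovered "$USER_PASS" --import "$WORK/ada_recovered.asc"
RECOVERED_FPR=$(fpr_of recovered ada@example.invalid)
RECOVERED_SECRET=$(g recovered "$USER_PASS" --decrypt "$WORK/password.asc")

# 5. Admin report: for each fingerprint the passbolt API would list, is there a blob?
#    Prints "<fpr> escrowed" or "<fpr> MISSING", one per line.
escrow_status() {  # escrow_status <escrow dir> <fingerprint>...
    dir=$1; shift
    for f in "$@"; do
        if [ -s "$dir/$f.asc" ]; then echo "$f escrowed"; else echo "$f MISSING"; fi
    done
}
NEVER_ESCROWED='0000000000000000000000000000000000000000'   # constructed: a user who never used the page
escrow_status "$ESCROW_DIR" "$USER_FPR" "$NEVER_ESCROWED"

if [ "$RECOVERED_FPR" = "$USER_FPR" ] && [ "$RECOVERED_SECRET" = "$SECRET" ]; then
    echo "recovery OK: $USER_FPR restored and can decrypt its passwords again"
else
    echo "recovery FAILED" >&2; exit 1
fi

# Stop the per-keyring agents; the keyrings stay under $WORK for inspection.
for role in admin user service recovered; do
    GNUPGHOME="$WORK/$role" gpgconf --kill gpg-agent 2>/dev/null || true
done
```

Two things worth noticing when running it: the blob in the escrow folder is a PGP MESSAGE, not a PRIVATE KEY BLOCK, and the service keyring lists no secret keys, so compromise of that host yields nothing usable without the escrow private key; and the recovered key is still wrapped with the user's own passphrase, so the administrator never sees an unprotected key. Naming blobs by fingerprint is what makes the "who is escrowed?" listing a plain directory check.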