We recently installed passbolt for our company and we are loving it! We like that everything is audited, that the source is available, and that you take security seriously.
However we’ve run into a big issue that might be a deal breaker for us. We are a small company in a service industry with a team of technical people and other teams of non-technical people. We were thinking of storing all kinds of sensitive accounts in passbolt, things that obviously we wouldn’t want just anyone to access. But if we were to use passbolt for everything related to the company, we are worried it might introduce a single point of failure. If for some reason the passbolt server goes down, the whole company might be left without access to all accounts. More so if we add random passwords + password rotation policies. Imagine just a day without access to any accounts, it would be catastrophic for us.
Ok, we can do automated backups, and restore from them. But the process of deploying passbolt and restoring from the backup is too involved and not something a non-technical person can do. Also if a technical person were to do it, it would have to be a very trustworthy person within the company, since if they have access to the server they could with some effort access all accounts.
Currently I’m the one tasked with this, but if for some reason I was absent, there is no other person in the company that the stakeholders can trust to do this process.
This big con might just offset all of the pros of using passbolt. We can’t tell everyone to change their passwords to strong ones and rotate them every so often knowing that if the server goes down we will be locked out of all our accounts.
What we’d like ideally is for there to be a local passbolt application that keeps its database in sync with the entirety of the passbolt database on the server. This application would be installed on a set of secure desktop machines. In the case of a server failure where we are unable to safely restore manually from the backup, a non-technical person with their respective credentials can log in to the secure machine through a GUI and still access their accounts.
Ideally then the non-technical person has time to contact a trustworthy organization and have them deploy a secure passbolt server and restore from backup, but they are not locked out in the meantime.
I read in the roadmap that you are in the process of implementing a desktop application and two-way sync with keepass, we look forward to these, but we are wondering if this use case is considered. For these solutions to work for us, the local application would have to keep a copy of the entirety of the database, meaning all passbolt users can physically log in from the secure machine with their respective credentials and retrieve their accounts from the local database copy.
By having this application on one or more secure machines inside the company, easily accessible by non-technical users through a GUI, the risk of the server going down and being locked out of all accounts is completely eliminated. Also there would be no need to manually configure automatic backups, since the desktop apps would do it for themselves.
Maybe you’ve already considered this use case, but still I hope that this feedback is useful to you so you can keep building great products and continuously improving them! Thank you for taking the time to read it through.