Hello again! I’m trying to rotate the organization’s recovery private key because it’s too old. Still, it gives me an error because I changed the server domain when I migrated from my previous source installation to a Docker instance.
I can generate a new recovery key using the Passbolt web interface; it downloads a copy and everything seems fine until I try to save the changes. Then it asks me for my previous organization key, and when I complete the form and send it, it gives me the following error:
During the rotation of the organisation key, as you noticed, we do a check of the domain for security reasons.
Unfortunately, there is no way to force the rotation in such case.
It depends on your constraints. What you could do is to remove the organisation recovery key, save, and recreate a new one.
However, doing so, every user who shared their key for account recovery will need to send their key again.
If there is a problem removing the ORK from the UI, you could log on to your server and with the CLI you could run a command such as ./bin/cake passbolt truncate_account_recovery_tables
which cleans everything related to the account recovery. It resets everything and your instance will behave like there wasn’t any account recovery configured. So you can set a new key, but it also implies that users send back their private key.
If it’s not a suitable scenario for you, then you will need to do what the browser extension does by yourself and change the domain name in the data. It’s quite tedious to do by hand, honestly.
Hello @Steph and thank you for answering.
I understand the security check and it makes sense. As you mentioned, the easiest way is to delete the account recovery settings and set it up again.
But since this is a scenario that could happen again to someone in the future, would you agree to explain how to change the domain name in the data and keep it documented here to allow them to choose what to do?
1. Make sure you have a GPG client you can use on a machine before proceeding.
2. Have access to the private ORK with its passphrase.
3. Read the database and get all the OpenPGP messages that are concerned.
4. Decrypt the PGP messages.
5. Read the result as JSON.
6. Change the domain in the JSON data.
7. Encrypt the messages again.
8. Save the messages back in the database.
It’s something that would be easier to run as a script somehow IMO.
Also, I’m thinking of creating an internal ticket to propose to think about a solution for such a case. I don’t know what solution will be implemented, or when.
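The decrypt, rewrite-the-domain, re-encrypt steps from the list above as a script, added here as an example; it is neither code from this thread nor Passbolt’s own tooling, and reading the messages from the database and writing them back is left to the operator. Assumptions: the ORK key pair is already imported into the local gpg keyring, the decrypted payload is a JSON object carrying the domain in a top-level "domain" field, and whether Passbolt also expects a signature on the re-encrypted message is not settled by the thread and must be checked before writing anything back.

```python
import json
import subprocess
import tempfile

# Assumption: the decrypted payload is a JSON object whose domain lives in a
# top-level "domain" field (the field name is not confirmed by the thread).
DOMAIN_FIELD = "domain"


def rewrite_domain(plaintext, old_domain, new_domain):
    """Change the domain in one decrypted payload.

    Refuses payloads whose domain is not the expected old one, so a message
    that was already migrated, or belongs to another instance, is left alone.
    """
    data = json.loads(plaintext)
    if DOMAIN_FIELD not in data:
        raise ValueError("payload has no %r field" % DOMAIN_FIELD)
    if data[DOMAIN_FIELD] != old_domain:
        raise ValueError("unexpected domain %r" % data[DOMAIN_FIELD])
    data[DOMAIN_FIELD] = new_domain
    return json.dumps(data, separators=(",", ":"))


def gpg_decrypt(armored, passphrase):
    """Decrypt with the ORK private key from the local keyring.

    Ciphertext goes through a temp file and the passphrase through stdin
    (--passphrase-fd 0), so neither shows up on the command line.
    """
    with tempfile.NamedTemporaryFile("w", suffix=".asc") as f:
        f.write(armored)
        f.flush()
        out = subprocess.run(
            ["gpg", "--batch", "--quiet", "--pinentry-mode", "loopback",
             "--passphrase-fd", "0", "--decrypt", f.name],
            input=passphrase + "\n", capture_output=True, text=True, check=True)
    return out.stdout


def gpg_encrypt(plaintext, ork_fingerprint):
    """Encrypt back to the ORK public key as an armored message."""
    out = subprocess.run(
        ["gpg", "--batch", "--quiet", "--armor", "--trust-model", "always",
         "--encrypt", "--recipient", ork_fingerprint],
        input=plaintext, capture_output=True, text=True, check=True)
    return out.stdout


def migrate_message(armored, ork_fingerprint, passphrase, old_domain, new_domain):
    """Decrypt -> rewrite domain -> re-encrypt for one stored message."""
    plaintext = gpg_decrypt(armored, passphrase)
    return gpg_encrypt(rewrite_domain(plaintext, old_domain, new_domain), ork_fingerprint)
```

Run `migrate_message` once per message fetched in step 3 and compare a decrypted sample of the output against the original before saving anything back.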
If you can, I think creating the ticket would be a good solution for the future.
For now, as a sort of workaround, I would try to follow all those steps and finally rotate the key.
Any help will be appreciated hahahaha
I created the ticket PB-33626 for information. It’s an investigation ticket as we need first to define an approach for this issue before implementing any solution.