Device compromised

I have one of my devices unlocked in attacker hands. What’s next?
How to quickly block the access to the data?
This does not give me any clue: Passbolt Help | My secret key and passphrase are compromised, what do I do?
I have no idea what is

start a new with a fresh key and use your revocation certificate

I did not find such option in the UI…

Hi @albert-a

I am sorry to hear about this terrible issue.

Passbolt does not offer revocation certs yet.

If you know your ip address you can block the address.

You can delete the user

Looks like the disable user feature is still in the pipeline.

1 Like

I am sorry to hear that.

The first security measure I’d take is to stop nginx in order to prevent any access to the instance.

sudo systemctl stop nginx

Then, I would create a new admin user

sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt register_user -i" www-data

It will generate a setup link, i’ll simply copy this link and restart nginx

sudo systemctl restart nginx

Once the new admin account is set up and you are completely logged in, log out and generate a recover token for your threatened account, replace with the correct one

sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt recover_user -c -u" www-data

It will generate a recover link, you can copy/paste this link to the browser and proceed to the account recover, you’d have to import the private gpg key and the enter the passphrase, then you can follow those instructions

  1. Share all the passwords with the new admin account
  2. Log out
  3. Generate a recover link for the new admin account
    a. sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt recover_user -c -u" www-data
  4. Proceed to the account recovery of the new admin account
  5. Navigate to Users panel
  6. Delete the threatened account

IMHO, if someone could have 0.1% chance to access any of my passwords, i’ll probably rotate them all but I’d start with the most powerful one such as your email account and so on, so you will be able to recover all the accounts that are using the email to recreate a password, and then re-create them with the password generator from Passbolt.

I hope it helps


Hi @Duffman,
Thanks for the information! Don’t worry, the situation is hypothetical.

I’m new to Passbolt and to PM in general, so the first thing that come to mind after installation is to check what if one of the devices is compromised. And I was surprised that I did not find any quick countermeasures. Yes, I can delete user, it’s ok, my server has daily backups, but I guess it’s only the case when you have an access to the separate admin account. But what if not? And also it is not convenient to recover from server backup later.

I’m glad that there is some work in progress.

Hi @antony, thanks for the instruction!

I Agree on this.

As for instruction, I guess don’t have to recover my account if I have access to it on the other device (not only on compromised one) I just login, share the passwords with some new account and remove threatened account from yet another admin account, right?

Again, I need admin rights here… And a lot of time.

IMHO if a device is compromised, such measures should be

  1. Taken as quickly as possible, probably with one click
  2. Should not require admin rights

I think the best way to tackle this is to have static button “Block account” somewhere in very accessible place, so:

  1. You press the button.
  2. You request admin to recover your account and confirm your identity somehow.
  3. Admin send you recovery code
  4. You login to blocked account enter the recovery code, your old passphrase, your old key and proceed with generating a new key and entering a new passphrase.
  5. Wait while your plugin locally reencrypts all your passwords and saves them back to the server, and then the server unblocks your account.
  6. You recover your account with usual procedure (with the new key and the new passphrase) on your other devices, if any.

What do you think? Should I write some kind of feature request on this?

Thanks for your replies

Hi @albert-a

Good news that your situation was hypothetical!

I like your ideas. To help the Passbolt developers, the forum does ask that you use the template for Feature Requests

Remy is an amazing Passbolt Developer and follows the forum regularly.

I would also reference the feature request that Remy is currently working on.

Thank you for your interest in Passbolt!
Thank you for contributing to the community forum!


Hi @Duffman,

Thank you for directing me and providing me with the necessary information!
I read the document provided and put my thoughts on it and on this issue in a new request:

I hope Remy will notice the request and probably take some points into account while implementing the request he is currently working on as they are closely related.

Thanks again.