“Emergency/estate Access”

The “Emergency Access” feature (like in “Vaultwarden”, which works technically the same way as in the official Bitwarden server) is based on asymmetric encryption.


The fact that you host the instance yourself does not change the cryptographic process, but it does entail additional responsibility for ensuring the server’s availability.

Here’s how the process works in detail:

1. Setup (Preparation)

1.1. Invitation: You invite a person (the authorized representative) directly to your Passbolt instance using their email address. This person must also have an account on your instance.
1.2. Key exchange: Upon accepting the invitation, the authorized representative’s public RSA key is transferred to your account.
1.3. Encryption: As soon as you confirm the contact, your client encrypts your own User Symmetric Key (the master key for your vault) using the authorized representative’s public key. This encrypted “key container” is stored on your server.


2. The emergency scenario (access request)

2.1. Request: The authorized representative submits an access request via your server’s web interface.
2.2. Waiting period (grace period): You receive an email and can manually reject the request within the timeframe you have specified (e.g., 7 days).
2.3. Approval: If the time elapses without your veto, the server releases the encrypted key container to the authorized representative.
2.4. Decryption: The authorized representative can only open this container using their own private key (which only they or their device knows) to access your vault key. This gives them access to all your passwords.
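
The setup and access-request steps above can be modeled in a few lines. This is an added example, not code from Vaultwarden or Bitwarden. The function and class names, the RSA-OAEP/SHA-256 parameters, the 64-byte sample key and the timestamps are assumptions made for illustration.

```javascript
// Added illustration; every name here is hypothetical, not Vaultwarden/Bitwarden code.
const nodeCrypto = require("crypto");

const DAY_MS = 24 * 60 * 60 * 1000;
// Assumed padding parameters; the page only says "public RSA key".
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Step 1.2: the representative's key pair; only the public half is shared.
function newGranteeKeys() {
  return nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// Step 1.3: the owner's client wraps the vault key into the "key container".
function wrapVaultKey(vaultKey, granteePublicKey) {
  return nodeCrypto.publicEncrypt({ key: granteePublicKey, ...OAEP }, vaultKey);
}

// Server side: holds the opaque container and the request state, never a private key.
class EmergencyGrant {
  constructor(container, waitDays) {
    this.container = container;
    this.waitMs = waitDays * DAY_MS;
    this.requestedAt = null;
    this.rejected = false;
  }
  request(now) { this.requestedAt = now; this.rejected = false; } // step 2.1
  reject() { this.rejected = true; }                              // step 2.2 (owner's veto)
  release(now) {                                                  // step 2.3
    if (this.requestedAt === null || this.rejected) return null;
    return now - this.requestedAt >= this.waitMs ? this.container : null;
  }
}

// Step 2.4: only the representative's private key opens the container.
function unwrapVaultKey(container, granteePrivateKey) {
  return nodeCrypto.privateDecrypt({ key: granteePrivateKey, ...OAEP }, container);
}

function demo() {
  const grantee = newGranteeKeys();
  const vaultKey = nodeCrypto.randomBytes(64); // constructed sample key
  const grant = new EmergencyGrant(wrapVaultKey(vaultKey, grantee.publicKey), 7);
  grant.request(0);                            // constructed timestamps in ms
  const early = grant.release(3 * DAY_MS);     // still inside the waiting period
  const late = grant.release(7 * DAY_MS);      // waiting period elapsed, no veto
  return { early, recovered: unwrapVaultKey(late, grantee.privateKey).equals(vaultKey) };
}
```

The server object never sees a private key, so the waiting period is enforced by the server withholding the container, while confidentiality rests on the representative's private key.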


The Crux of Self-Hosting an “Emergency Access”

Since you operate the server yourself, there are two critical points you must keep in mind:

  1. Availability: If your server is offline in an emergency or the internet connection (e.g., DynDNS) isn’t working, the authorized representative cannot even make the request. The server must therefore be online for the grace period logic to take effect.

  2. Email delivery: Your Passbolt instance must be correctly configured for email delivery (SMTP) so that you are notified of the request and can reject it if necessary.

Tip:
For a truly comprehensive estate plan when self-hosting, you should also store access information for the server itself (e.g., hosting provider, login credentials for the NAS/Raspberry Pi) in a secure location for the authorized representative, in case technical issues prevent regular emergency access.