Export to CSV no longer available

Greetings Community,

I love the passboltce docker instance on my home lab. It works great with no issues, and I have used it for almost a year without any issues behind a Cloudflare tunnel, perfect for my needs.

Then I decided to update to the latest 5.10.X version (docker down > docker pull > docker up), ran clear cache and health check, and all was good. I used it for another 2 months with no issues until I decided to export my passwords to a CSV file, and to my surprise .CSV is no longer available as an export option; it only allows the ‘keepass’ .kdbx format.

I tried to search for a solution for a few days but ran out of patience.

I can use KeepassXC to import .kdbx then export back to .csv, but I wish the CSV export worked out of the box.

Please advise.

Thank you in advance.

Hello,

CSV Export has been disabled by default in the latest release. This is needed for security certification processes that are in progress. This was mentioned in the latest release notes.

The reason is that CSV export is susceptible to formula injection when opened in spreadsheet software, and more broadly, it exposes credentials in plaintext, so starting with v5.10, Passbolt adopted a security-by-default approach and disabled it by default.

If you understand and accept the risk, you can re-enable CSV export via one of two methods:

Option 1 - Environment variable:

PASSBOLT_PLUGINS_EXPORT_POLICIES_ALLOW_CSV_FORMAT=true

Option 2 - config/passbolt.php:

return [
    'passbolt' => [
        'plugins' => [
            'exportPolicies' => [
                'allowCsvFormat' => true,
            ],
        ],
    ],
];

Out of curiosity, how often and why do you use cleartext CSV export?


I use the CSV export function on a weekly basis to backup the credentials stored in Passbolt. I open the CSV file in Excel and then save as a password protected Excel document.

Will I need to edit the .php file every time Passbolt is updated?

I use the CSV export function on a weekly basis to backup the credentials stored in Passbolt. I open the CSV file in Excel and then save as a password protected Excel document.

Using Excel for backups works, but it lacks the structure and security guarantees of tools like KeePass or Passbolt that are designed specifically for handling sensitive credentials.

Will I need to edit the .php file every time Passbolt is updated?

It will be a one off thing.

Hi Remy,

I have upgraded our Passbolt server, and both the client and server are now running version 5.10.x. I also added PASSBOLT_PLUGINS_EXPORT_POLICIES_ALLOW_CSV_FORMAT=true to /etc/environment, but I still do not see the CSV export option.

I also tried Option 2 /usr/share/php/passbolt/plugins/PassboltCe/WebInstaller/templates/config/passbolt.php, but that did not work either.

Could you please confirm the correct path for config/passbolt.php or advise if there are any additional steps required?

Thank you.

G’day Kranthi,

CSV export was disabled by default starting in v5.10 as part of ongoing security certification work. CSV files expose credentials in plaintext and are susceptible to formula injection when opened in spreadsheet software. You can re-enable it if you understand and accept those risks.

On the Virtual Appliance, the config file is at /etc/passbolt/passbolt.php. Add the following inside the 'passbolt' array:

'plugins' => [
    'exportPolicies' => [
        'allowCsvFormat' => true,
    ],
],

If there’s already a 'plugins' key in that file, merge this into the existing array rather than adding a duplicate key.

After making the change, clear the cache:

sudo -H -u www-data bash -c "/usr/share/php/passbolt/bin/cake cache clear_all"

The CSV option should then appear when you use the export function in the browser extension. The path you tried (/usr/share/php/passbolt/plugins/PassboltCe/WebInstaller/...) is the installer template, not the live configuration, so changes there have no effect. Similarly, setting the environment variable in /etc/environment won’t work because the web server process doesn’t read variables from there.

Let me know how you go and if you have any further questions.

Cheers
Gareth
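The formula-injection risk named in the replies above can be checked on an exported file before it is opened in a spreadsheet. The following is an added example, not part of the thread and not Passbolt's own code; the sample rows and column names are constructed, and the prefix set follows OWASP's CSV injection guidance.

```python
import csv
import io

# Leading characters that spreadsheet software may treat as the start of a
# formula (the set listed in OWASP's CSV injection guidance).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export. The column names are assumptions for this
# example, not necessarily the layout Passbolt writes.
SAMPLE_EXPORT = (
    "name,username,uri,password,description\r\n"
    "Router,admin,https://192.0.2.1,-Xk29!pq,Home lab router\r\n"
    "Wiki,alice,https://wiki.example,s3cret,=1+1\r\n"
    "NAS,bob,https://nas.example,hunter2,+1 555 0100 support line\r\n"
)


def find_formula_cells(csv_text):
    """Return (line_number, column, value) for cells a spreadsheet may evaluate."""
    hits = []
    reader = csv.DictReader(io.StringIO(csv_text, newline=""))
    for row in reader:
        for column, value in row.items():
            # Short or over-long rows yield None or list values; skip those.
            if isinstance(value, str) and value.startswith(FORMULA_PREFIXES):
                hits.append((reader.line_num, column, value))
    return hits


def neutralize(csv_text):
    """Return a copy for viewing: risky cells get a leading single quote."""
    out = io.StringIO(newline="")
    writer = csv.writer(out, quoting=csv.QUOTE_ALL)
    for row in csv.reader(io.StringIO(csv_text, newline="")):
        writer.writerow(
            ["'" + cell if cell.startswith(FORMULA_PREFIXES) else cell
             for cell in row]
        )
    return out.getvalue()


if __name__ == "__main__":
    for line_number, column, value in find_formula_cells(SAMPLE_EXPORT):
        # Print only the location, never the credential itself.
        print(f"line {line_number}: column {column!r} starts with {value[0]!r}")
```

The neutralized copy alters flagged values (a password that legitimately starts with "-" gains a leading quote), so it is for viewing only and not for re-import. It is also still plaintext, which is the second risk the replies mention.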

I use the CSV export function on a weekly basis to backup the credentials stored in Passbolt. I open the CSV file in Excel and then save as a password protected Excel document.

Security-wise that feels like bad opsec? Why store password backups in Excel when you can export them as Keepass? My implementation is exporting it as Keepass with a strong password, and saving it to a USB that’s placed in a safe location. The password itself is base64 encoded, split in two and each part is printed on two different papers. I have one piece and another has the second one.

It’s used for disaster recovery, and not used in regular production.