How is metadata encrypted?

When I add a group to a login, I only have to re-encrypt the “password” value with each user’s public key in the group and then send it to the server; the metadata is not part of the “re-encrypt” process.

If metadata such as the description is also encrypted (using a person’s private key), then how do other users decrypt it?


There are different resource types; the simplest one contains only a password (e.g. a string). Other content types, such as a password with an encrypted description, or a password and TOTP, etc., are stored as JSON as part of the secret. The process is the same: you decrypt the secret and re-encrypt it as is (optionally you can validate that the secret matches the resource type).

Please note that not all the metadata is end-to-end encrypted in passbolt at the moment (i.e. it is only encrypted in transit, and optionally at rest depending on your config). We have plans to add new content types in passbolt v5 that will allow other metadata resource fields to be encrypted separately from the secret.

Check out the white paper for more information:
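A worked example of the decrypt, validate, re-encrypt loop the reply describes, added here and not passbolt's own code. It uses only Python's standard library: the OpenPGP operations are stood in for by a toy ElGamal-style hybrid scheme over a small prime (insecure, illustration only; in passbolt these are the OpenPGP decrypt with your private key and encrypt to each member's public key), and the resource-type slugs, JSON shapes, `make_resource`/`reshare` helpers and the sample secret are assumptions modelled on passbolt v4, not its real schema. What it shows beyond the text is that the cleartext metadata never enters the loop, and that validation against the resource type happens once before the per-member fan-out.

```python
"""Re-sharing a passbolt-style secret with a group, by resource type.

Added example, not passbolt's code. The OpenPGP step is replaced by a toy
ElGamal-style hybrid scheme over a small prime so the file runs offline with
the standard library only. Resource-type slugs and secret shapes are
assumptions modelled on passbolt v4, not copied from its schema.
"""
import hashlib
import json
import secrets

# ---- toy public-key stand-in for OpenPGP (NOT secure: tiny modulus) ----
P = 2**127 - 1          # demo modulus only; real OpenPGP keys are far larger
G = 3


def keygen():
    """Return (private, public) for one user."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def _keystream(shared: int, n: int) -> bytes:
    return hashlib.shake_256(shared.to_bytes(16, "big")).digest(n)


def encrypt_to(pub: int, plaintext: bytes) -> dict:
    """Encrypt to one recipient's public key (ephemeral DH + XOR keystream)."""
    k = secrets.randbelow(P - 2) + 1
    ks = _keystream(pow(pub, k, P), len(plaintext))
    return {"eph": pow(G, k, P), "ct": bytes(a ^ b for a, b in zip(plaintext, ks))}


def decrypt_with(priv: int, msg: dict) -> bytes:
    """Decrypt a message produced by encrypt_to with the matching private key."""
    ks = _keystream(pow(msg["eph"], priv, P), len(msg["ct"]))
    return bytes(a ^ b for a, b in zip(msg["ct"], ks))


# ---- resource types: what a decrypted secret must look like (assumed shapes) ----
def _is_totp(t) -> bool:
    return (isinstance(t, dict) and isinstance(t.get("secret_key"), str)
            and t.get("algorithm") in ("SHA1", "SHA256", "SHA512")
            and t.get("digits") in (6, 7, 8) and isinstance(t.get("period"), int))


RESOURCE_TYPES = {
    # simplest type: the whole secret is the password string
    "password-string": lambda s: isinstance(s, str),
    # JSON with the description living inside the encrypted secret
    "password-and-description": lambda s: (
        isinstance(s, dict) and set(s) == {"password", "description"}
        and isinstance(s["password"], str) and isinstance(s["description"], str)),
    "password-description-totp": lambda s: (
        isinstance(s, dict) and set(s) == {"password", "description", "totp"}
        and isinstance(s["password"], str) and isinstance(s["description"], str)
        and _is_totp(s["totp"])),
}


def parse_secret(slug: str, plaintext: bytes):
    """Decode the cleartext for its resource type and refuse a mismatching shape."""
    text = plaintext.decode("utf-8")
    obj = text if slug == "password-string" else json.loads(text)
    if not RESOURCE_TYPES[slug](obj):
        raise ValueError(f"secret does not match resource type {slug!r}")
    return obj


def serialize_secret(slug: str, obj) -> bytes:
    body = obj if slug == "password-string" else json.dumps(obj, separators=(",", ":"))
    return body.encode("utf-8")


def make_resource(slug: str, name: str, secret, owner_pub: int) -> dict:
    """Server-side view (assumed layout): cleartext metadata + owner's encrypted secret."""
    payload = serialize_secret(slug, secret)
    parse_secret(slug, payload)            # reject a secret that does not fit the type
    return {"resource_type": slug, "metadata": {"name": name},
            "secrets": {"owner": encrypt_to(owner_pub, payload)}}


def reshare(resource: dict, my_priv: int, member_pubs: dict) -> dict:
    """Share with a group: decrypt my copy, validate it, re-encrypt per member.

    The metadata dict is never touched: in v4 it is not part of the secret.
    """
    plain = decrypt_with(my_priv, resource["secrets"]["owner"])
    obj = parse_secret(resource["resource_type"], plain)   # validate once, before fan-out
    payload = serialize_secret(resource["resource_type"], obj)
    return {uid: encrypt_to(pub, payload) for uid, pub in member_pubs.items()}


if __name__ == "__main__":
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    secret = {"password": "s3cr3t", "description": "prod db admin",   # constructed sample
              "totp": {"secret_key": "JBSWY3DPEHPK3PXP", "algorithm": "SHA1",
                       "digits": 6, "period": 30}}
    res = make_resource("password-description-totp", "Prod DB", secret, a_pub)
    shared = reshare(res, a_priv, {"bob": b_pub})
    print(parse_secret(res["resource_type"], decrypt_with(b_priv, shared["bob"])))
```

Swapping the toy `encrypt_to`/`decrypt_with` for real OpenPGP calls leaves `reshare` unchanged: the only inputs it needs are your private key, your own encrypted copy, and one public key per member, which is why nothing in `metadata` has to be re-encrypted when a group is added.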