My regular browser is Firefox, and it is the one I used to create my Passbolt account and perform the first tests.
Now, I wanted to test whether I could make Passbolt’s Chrome extension work, but I am surprised to see that Passbolt asks me to “démarrer la récupération” (recover), and to this aim, asks for my private key.
I thought I just had to upload the ASC file Passbolt initially provided me with, but when I upload it with the “Parcourir” (Browse) button, Passbolt gets me an error message :
when I leave the content “as is” (as was interpreted by Passbolt)
In this case, it tells me that the key doesn’t match any account
when I erase what seems to me not to be part of the key itself, that is the following parts :
You will be able to compare with the one you saved during the creation of your account.
Unlike other password managers, password security in Passbolt relies on asymmetric encryption with a private/public GPG key pair.
Your private key is stored in the extension and nowhere else, and without your private key, you cannot decrypt any password. If the passbolt database is stolen, there is no way to recover any password without the private key. To share a password with another user, you encrypt the password with his public key. Thus you ensure no one except this user will be able to decrypt the password. This is part of GPG basics.
As your private key is currently stored in your Firefox extension, this is why you are asked for an account recovery in Chrome: you need to import your private key in passbolt chrome extension to be able to use it.
I opened Chrome, went to https://community.passbolt.com, typed in my email and was informed I will be receiving an email to “recover” my account
I went to my emails, clicked on the button “recover” and was directed to the page asking for my private key… within my default browser, that is Firefox. But I did not know that was not relevant. It is only your explanation hereafter that made me understand that it was only a problem of which browser I was using to upload my private key : “As your private key is currently stored in your Firefox extension, this is why you are asked for an account recovery in Chrome: you need to import your private key in passbolt chrome extension to be able to use it.”
As a reasonably geeky guy (clearly (far) more than the average, although with no real coding abilities nor real knowledge in cryptography), I nethertheless had no clue that answering the query in the wrong browser was a problem. In terms of UX, it would probably be a very good idea to state this clearly, in plain language, not only what we technically have to do (“submit your private key”, in short), but WHY we have to do that, somthing like : “You’re trying to connect to your Passbolt account with a new browser. Your passwords can only be deciphered with your private key, which is only stored locally, within the browser extension. Please be sure to open the recovering link we send you by email, with this same browser, otherwise the recovery won’t work.”
You see the idea… (of course, my proposal is a bit verbose)
And, conversely, still in terms of UX, I don’t get the relevance of the error messages I got when trying to submit my (correct) private key in the recovering window opened up in Firefox. The error message should read something entirely different, I don’t know, for instance : “Your private key is already stored in this browser’s Passbolt extension. Don’t you rather intend to submit it in another browser ?”
Anyway, now it is alright on my side with access to Passbolt from Chrome.
And a question : what is the use of storing my private key elsewhere than in my Passbolt space ? Does (or will, with the future recovery feature) this locally available private key enable me to recover access to my Passbolt account if I lose my master password ?
If the only occurence of your private key is stored in your Firefox profile, without any backup, and if there is a disk crash, your computer stolen, or anything else, you will loose all non-shared password.
That’s why it is recommended to keep this private key in a safe place, and not on the same computer.
As an example, my private key is backed up on a keepass file. This keepass file is backed up on google drive, a S3 bucket and at my parent’s house
Of course, if you forgot your master passphrase, you can’t use your key, but you can brute-force it
With the future account recovery feature, your users can loose their private key, as the Passbolt administrator will be able to recover it.
Caveats:
if the Passbolt admin loose the private key of the account recovery feature, it won’t be possible to recover private keys
there will be multiple policy, it is under the responsability of the Passbolt administrator to make the account recovery feature mandatory or optional
hi @AnatomicJC thanks for all that. When you say it will be a “PRO” feature, do you mean only available for “Enterprise” plans, which necessitate a custom quote ?
