We recently installed Passbolt Pro and configured the Account Recovery feature using an unencrypted Organization GPG Key pair, as recommended in the official documentation. However, I am currently unable to perform an account recovery for a user who has forgotten their passphrase. It appears that this cannot be done with an unencrypted private key.
What did I do wrong?
I think there might be confusion with the key. The Organisation Recovery Kit (ORK) for the Account Recovery needs to be encrypted. However, the private GPG key of the Passbolt server, which is a different one, needs to be unencrypted.
Thankfully, you can encrypt that ORK’s private key using a terminal with the gpg client.
If you know the fingerprint of your ORK you can do:
gpg --edit-key <ORK's fingerprint>
It will open a gpg prompt from which you can type:
passwd
save
It should somehow ask you to provide the desired passphrase for the key and save it.
[Edit]: by the way, I took a look at our documentation. The confusion is quite logical, as the Account Recovery help page mentions a page to generate a key pair that says ‘do not set a password’. An internal ticket has been created by @Clayton in order to update the documentation and avoid that confusion.
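As an added example that is not code from this thread or from Passbolt: a small Python check of whether an exported OpenPGP secret key (such as the ORK private key, after `gpg --export-secret-keys`, binary or armored) actually carries a passphrase, read from the S2K usage octet of its secret-key packets. The sample packet it builds uses constructed, fake RSA values purely for illustration.

```python
# Added example, not Passbolt's code: report whether an exported OpenPGP secret key
# is passphrase-protected by reading the S2K usage octet of each secret-key packet
# (RFC 4880 5.5.3): 0 = stored in the clear. Handles v4 RSA/DSA/ElGamal keys only.
import base64

def _packets(data: bytes):
    """Yield (tag, body) for each packet, old- or new-format header."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:  # new-format header: tag in the low 6 bits
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: tag in bits 2-5; length type 3 raises KeyError
            tag, size = (hdr >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[hdr & 3]
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + length]
        i += length

def _s2k_usage(body: bytes) -> int:
    """Skip the v4 public fields (version, time, algo, MPIs) and read S2K usage."""
    if body[0] != 4:
        raise ValueError(f"unsupported key packet version {body[0]}")
    pos = 6
    for _ in range({1: 2, 2: 2, 3: 2, 16: 3, 17: 4}[body[5]]):  # algo -> MPI count
        pos += 2 + (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
    return body[pos]

def key_is_protected(key) -> bool:
    """True only if every secret-key/subkey packet (tag 5/7) has a passphrase."""
    if isinstance(key, str):  # ASCII armor: keep base64 lines, drop headers and CRC
        lines = key.replace("\r\n", "\n").split("\n\n", 1)[1].splitlines()
        key = base64.b64decode("".join(l for l in lines if l and l[0] not in "=-"))
    usages = [_s2k_usage(b) for t, b in _packets(key) if t in (5, 7)]
    if not usages:
        raise ValueError("no secret-key packets found")
    return all(u != 0 for u in usages)

def sample_key(usage: int) -> bytes:
    """Constructed v4 RSA secret-key packet with fake MPIs (n=0xC0FFEE, e=65537)."""
    body = b"\x04" + bytes(4) + b"\x01\x00\x18\xc0\xff\xee\x00\x11\x01\x00\x01" + bytes([usage]) + bytes(8)
    return bytes([0x94, len(body)]) + body  # old-format header: tag 5, one-byte length
```

`key_is_protected(sample_key(0))` is False and `key_is_protected(sample_key(254))` is True; on a real export, a False result means the `passwd` step above has not been applied.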
Thank you for your prompt response. I understand the confusion indeed. By encrypting the private key, I was able to successfully approve the account recovery. Thank you!
By the way, I’m not sure what you’re referring to when you mention the GPG key of the Passbolt server.
For the other set of keys, I was referring to the ones that are generated during the installation process of the Passbolt server. They are also GPG keys and they are used for different purposes, such as the authentication process that allows the browser extension to identify the server, or to encrypt/decrypt some settings in the database.