Installation without PHP GnuPG extension

Hi,

I was thinking of using shared hosting (OVH) for my passbolt instance but unfortunately, the PHP GnuPG extension is not installed and it is not possible to install it (I will do a feature request on OVH side but I cannot count on it). The only thing I can do is use Composer.

Is there any way to fulfill the GnuPG dependency with a Composer module? For instance, I have found the module https://packagist.org/packages/phar-io/gnupg which seems to be a good replacement for the extension. Could it work?

For more info, here is the full configuration of servers: http://cluster015.ovh.net/infos/

Checklist
[x] I have read intro post:
[x] I have read the tutorials, help and searched for similar issues
[x] I provide relevant information about my server (component names and versions, etc.)
[x] I provide a copy of my logs and healthcheck
[x] I describe the steps I have taken to troubleshoot the problem
[x] I describe the steps on how to reproduce the issue

Thanks!

Hi @samuel, unfortunately, to my knowledge there is no simple way at the moment to switch the GnuPG backend to the library you mentioned without editing the code of passbolt itself (like removing checks for extension_loaded('gnupg')).
We do have a wrapper class, as we were aiming in that direction (as we use another library to perform some sanity checks before sending data down to GnuPG), but we just didn’t have the time to go all the way with it.
Ref. https://github.com/passbolt/passbolt_api/blob/master/app/Model/Utility/Gpg.php

This is something we discussed regularly with @cedric and @kevin so maybe worth creating a feature request for this.

Hi @remy,

Thanks for your reply! Do you want me to create the feature request?
I’d be happy to help if I can (I’m not a PHP developer but if there are enough tests, I should be able to find my way).

@samuel, yes please, so that we know who started the discussion in the future.

You want to put your password manager on shared hosting? That sounds like a terrible idea. As far as I understand, the keys are encrypted but the private key is also on the server because this is needed to allow additional people access to the keys. So you should only run passbolt on a secure server.

@eddie4 the server private key is actually needed to authenticate the server (e.g. to make man-in-the-middle attacks a little more complicated at login). The end users’ private keys are not on the server, only the public keys.

Using shared hosting as in a preconfigured VPS could be interesting if you don’t want to manage the updates and if there is a way to whitelist who can connect to it. Personally I would only use passbolt on a private network / behind a VPN; if that’s possible with shared hosting, that’s not that bad.

Security is relative, as in it depends on what an organization is currently doing e.g. for example if they are sharing the password in plaintext in a wiki on a shared hosting setup, then passbolt is an improvement, still not the best setup but less terrible. 🙂

How can my colleague give additional people access to my shared passwords without the private key being on the server? Looks to me like the private keys must be on the server.

@eddie4 public keys are used to encrypt the secrets, private keys are used to decrypt them. So the server only stores the public keys and acts as a broker to provide them to your colleagues. The private key is stored in the extension’s chrome.storage (with sync disabled) and encrypted using the passphrase.
