We are implementing Passbolt Community Edition for a small organization as their password management solution.
During testing and initial usage, we faced an important issue related to account recovery. One of the users forgot their passphrase. The recovery kit/private key had been saved properly, and the recovery email was received successfully. However, after importing the private key, Passbolt still asks for the old passphrase.
As a result, the recovery kit/private key does not seem to help in this situation, because the user still needs to remember the original passphrase.
We understand that Passbolt is based on end-to-end encryption and that the private key is protected by the user’s passphrase. However, from an implementation and operational perspective, this creates a serious risk for small organizations using the Community Edition. If a user forgets their passphrase, access to passwords that were not shared with other users or groups may be permanently lost.
Could you please confirm whether our understanding is correct?
Specifically:
1. In Passbolt Community Edition, is it impossible to reset or recover a forgotten passphrase, even if the recovery kit/private key is available?
2. Is Admin-Assisted Account Recovery available only in Pro/Cloud versions?
3. What is the recommended best practice for implementers and small organizations using Community Edition to avoid credential loss in such situations?
4. Are there any recommended implementation guidelines for this scenario when deploying Passbolt CE for clients?
We would appreciate any clarification, recommendation, or best-practice guidance from the community or the Passbolt team.
Thank you in advance.