Checklist
I have read intro post: https://community.passbolt.com/t/about-the-installation-issues-category/12
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to troubleshoot the problem
I describe the steps on how to reproduce the issue
TL;DR,
I created the metadata shared key, but I lost the previous server key and JWT token. Now I’m not sure how to fix the health check (Unable to decrypt the metadata private key…) error without risking the loss of the few resources currently saved with encrypted metadata.
Similar issues:
- https://community.passbolt.com/t/the-server-metadata-private-key-is-not-valid-unable-to-validate-metadata-private-key-id-uuid-cleartext-data/13666
I believe the issue is similar, but in my case, the original key is lost.
I provide relevant information about my server:
Server Info - From outside the container
- Ubuntu 22.04.5 LTS
- Linux srvdocker01 5.15.0-134-generic #145-Ubuntu SMP Wed Feb 12 20:08:39 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
- Docker Version: 28.1.1+1
- MySQL 8.4
Server Info - From inside the container
- Debian GNU/Linux 13 (trixie)
- Linux 5d25e38638bd 5.15.0-134-generic #145-Ubuntu SMP Wed Feb 12 20:08:39 UTC 2025 x86_64 GNU/Linux
- PHP 8.4.11 (cli) (built: Aug 3 2025 07:32:21) (NTS)
- nginx version: nginx/1.26.3
- gpg (GnuPG) 2.4.7
- libgcrypt 1.11.0
I provide a copy of my logs and healthcheck
More healthcheck / version
Passbolt CE 5.5.0
Cakephp 5.2.6
____ __ ____
/ __ \____ _____ ____/ /_ ____ / / /_
/ /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
/ ____/ /_/ (__ |__ ) /_/ / /_/ / / /
/_/ \__,_/____/____/_.___/\____/_/\__/
Open source password manager for teams
-------------------------------------------------------------------------------
Healthcheck shell
If you want to have more information about the different checks, please take a look at the documentation: https://www.passbolt.com/docs/admin/server-maintenance/passbolt-api-status/...........................
-------------------------------------------------------------------------------
Environment
[INFO] Linux ba765f26c427 5.15.0-134-generic #145-Ubuntu SMP Wed Feb 12 20:08:39 UTC 2025 x86_64 GNU/Linux
[PASS] PHP version 8.4.11.
[PASS] PHP version is 8.2 or above.
[PASS] 64-bit architecture system detected.
[INFO] gpg (GnuPG) 2.4.7 / libgcrypt 1.11.0
[PASS] PCRE compiled with unicode support.
[PASS] Mbstring extension is installed.
[PASS] Intl extension is installed.
[PASS] GD or Imagick extension is installed.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory /var/log/passbolt/ and its content are writable.
[WARN] System clock and NTP service information cannot be found.
[HELP] See `timedatectl | grep -i -A 1 clock`. More information: https://www.passbolt.com/docs/hosting/configure/ntp/
Config files
[PASS] The application config file is present
[WARN] The passbolt config file is missing in /etc/passbolt/
[HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
[HELP] The passbolt config file is not required if passbolt is configured with environment variables
Core config
[PASS] Cache is working.
[PASS] Debug mode is off.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://passbolt.xxxxxxxxxxx.com
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.
SSL Certificate
[PASS] SSL peer certificate validates.
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate.
SMTP settings
[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[PASS] The SMTP Settings source is: database.
[PASS] The SMTP Settings plugin endpoints are disabled.
[PASS] No custom SSL configuration for SMTP server.
JWT Authentication
[PASS] The JWT Authentication plugin is enabled.
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found.
GPG Configuration
[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one.
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
[PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.
Application configuration
[PASS] Using latest passbolt version (5.5.0).
[FAIL] Passbolt is not configured to force SSL use.
[HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[INFO] The Self Registration plugin is enabled.
[INFO] Registration is closed, only administrators can add users.
[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[WARN] Some email notifications are disabled by the administrator.
[PASS] The database schema is up to date.
Database
[PASS] The application is able to connect to the database
[PASS] 34 tables found.
[PASS] Some default content is present.
Metadata
[FAIL] Unable to decrypt the metadata private key data. Decryption failed. decrypt failed
[PASS] Active metadata key found or not required.
[PASS] The server has access to the metadata keys or does not require access to it.
[FAIL] The server metadata private key is not valid. Unable to decrypt the metadata private key (id: <<uid>>) data. Decryption failed. decrypt failed
[FAIL] 3 error(s) found. Hang in there!
Config passbolt
Metadata key policy
→ Allow the use of personal keys. (Recommended)
Zero knowledge
→ User-friendly mode (Better on-boarding)
Shared metadata keys
Fingerprint E120 .... .... DF25 Algorithm eddsa ed25519 Key length 256 Created 2 months ago
Encrypted metadata
→ Enable encrypted metadata (recommended)
→ Enable legacy cleartext metadata
Default metadata type
→ Encrypted metadata (recommended)
Self served migration
→ Allow users to upgrade their content from cleartext to encrypted metadata type.
Migrate metadata
Summary
Migration status Required
Resources 616 to be migrated (458 shared resources, 158 personal resources)
I describe the steps on how to reproduce the issue
- Run a Passbolt instance in Docker without persistent volumes.
- Create a shared metadata encryption key in this instance.
The key is stored in the database (which in my case is an external MySQL, so the DB is persisted).
- Connect a new Passbolt instance to the same database (either the same version or an upgraded one) without restoring the original server key.
- Since the server key is missing, any attempt to decrypt data will fail, even though metadata fields may still appear readable.
I describe the steps I have taken to troubleshoot the problem
I’m running a parallel Passbolt instance for testing.
Command used
# not sure if mounting gpg_volume and jwt_volume read-only (:ro) can cause a problem, or vice versa
docker run --name passbolt-lab \
--network it-app \
-p 7331:80 \
-p 41299:443 \
-v $PASSBOLT_LAB/config/ssl/star.com.fullchain.crt:/etc/ssl/certs/certificate.crt:ro \
-v $PASSBOLT_LAB/config/ssl/star.com.private.key:/etc/ssl/certs/certificate.key:ro \
-v $PASSBOLT_LAB/gpg_volume:/etc/passbolt/gpg:ro \
-v $PASSBOLT_LAB/jwt_volume:/etc/passbolt/jwt:ro \
--env-file $PASSBOLT_LAB/config/.env \
-d \
passbolt/passbolt:5.5.0-1-ce
I tried the steps mentioned in the article above, but I don’t have the UUID that appears in the health log within the database.
The metadata fields are all readable, so I manually deleted the key from the database and attempted to recreate it, but without success.
Error with the table metadata_keys empty after press generate key
{
"code": 400,
"body": {
"metadata_private_keys": {
"_empty": "The metadata private keys should not be empty."
}
}
}
Also, from inside the container, if I run this command:
gpg --list-secret-keys
it returns:
gpg: WARNING: unsafe ownership on homedir '/var/lib/passbolt/.gnupg'
/var/lib/passbolt/.gnupg/pubring.kbx
------------------------------------
sec rsa3072 2025-09-19 [SC]
1BCF663E7AA3AC27FB2518DEADE3C6FB06C425B7
uid [ unknown] Passbolt default user <passbolt@yourdomain.com>
ssb rsa3072 2025-09-19 [E]
I think I lost the original key that contained the original email in one of many updates, and I’m not sure which environment variable should be used to pass the server email, which I understand is required to generate the GPG key pair.
Unrelated to the issue, but I might have broken the browser extension. Even though I used incognito mode for the new test container, the old instance now asks for account recovery when accessed via URL, while it still works fine through the extension. Other browsers are unaffected.
At this point, I’ve run out of options, so I’m opening a support ticket.
Thank you, I remain at your disposal.
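As an added example that is not part of the original post or of Passbolt itself: a small POSIX shell check that answers the question behind the failing "Unable to decrypt the metadata private key" line, namely whether any secret key in the server keyring is a recipient of the stored blob. It works on the text dumps of `gpg --list-packets` (run on the armored metadata private key data, which you are assumed to have exported from the database) and `gpg --list-secret-keys --with-colons`; the dumps below are constructed samples, and every key id except the post's own 1BCF…25B7 fingerprint is made up.

```shell
#!/bin/sh
# Added example, not code from the post or from Passbolt. Inputs are the text of:
#   gpg --homedir /var/lib/passbolt/.gnupg --list-secret-keys --with-colons
#   gpg --list-packets < metadata_private_key.asc   (armored blob; where you get
#   it from is an assumption, the post does not say)
# Verdict: does any secret (sub)key in the keyring match a recipient key id?
# All dumps below are constructed; key ids other than 1BCF...25B7 are made up.

# Long key ids (16 hex digits) of every :pubkey enc packet in a --list-packets dump.
recipient_keyids() {
    printf '%s\n' "$1" | sed -n 's/.*:pubkey enc packet:.*keyid \([0-9A-F]\{16\}\).*/\1/p'
}

# Full fingerprints (field 10 of the fpr records) in a --with-colons listing.
secret_fingerprints() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10 }'
}

# Exit 0 when some recipient key id is the suffix of a secret key fingerprint.
keyring_can_decrypt() {
    packets="$1"; keyring="$2"
    for kid in $(recipient_keyids "$packets"); do
        for fpr in $(secret_fingerprints "$keyring"); do
            case "$fpr" in *"$kid") return 0 ;; esac
        done
    done
    return 1
}

# Constructed keyring: the default server key from the post plus a made-up [E] subkey.
KEYRING_SAMPLE='sec:-:3072:1:ADE3C6FB06C425B7:1758240000::::::::::
fpr:::::::::1BCF663E7AA3AC27FB2518DEADE3C6FB06C425B7:
ssb:-:3072:1:0011223344556677:1758240000::::::::::
fpr:::::::::FFEEDDCCBBAA9988776655440011223344556677:'

# Constructed dump of a blob encrypted to a key that is no longer in the keyring.
LOST_PACKETS=':pubkey enc packet: version 3, algo 1, keyid 9F3A6C0D5B7E2148
    data: [3071 bits]'

# Constructed dump of a blob encrypted to the current encryption subkey.
OK_PACKETS=':pubkey enc packet: version 3, algo 1, keyid 0011223344556677
    data: [3071 bits]'

for name in LOST_PACKETS OK_PACKETS; do
    eval "dump=\$$name"
    keyring_can_decrypt "$dump" "$KEYRING_SAMPLE" && echo "$name: a keyring secret key can decrypt it" || echo "$name: recipient key id not in keyring"
done
```

A blob whose recipient key id matches no fingerprint suffix is the situation the post describes: the data is intact in the database but the only key that can open it is gone.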