Password change and recovery key

I am testing deployment for Passbolt for my small business. I currently have 2 users testing it and they like it quite a bit so far as they have to share passwords for certain accounts that do not allow multiple logins. They had not used any other password managers besides the browser.

One user changed her passphrase. And some changes I made in our windows AD resulted in the passbolt extensions uninstalling and reinstalling requiring account recovery.

The user that changed passphrase could not recover her account with the new passphrase. However, after some time she found the original passphrase and could recover with that.

I am guessing if she exported the recovery key after passphrase change she would have been able to recover the account.

It might be good to put a bold large warning that the old recovery key will not work with a new passphrase and ask the user to download the new recovery key whenever they change their passphrase.

Another question is, can you recover the current account with any passphrase/recovery key combination? Or if they recover with their initial passphrase/key will that only restore the account to the state before they changed their passphrase and they would lose any changes made with the new passphrase?

That might be a good question? Any answers?!

There is a warning before the passphrase change, that says:

Before getting started...

The passphrase is stored on your device and never sent server side. Changing your passphrase will only change it locally. If you have multiple browsers configured, the passphrase will need to be changed in all places individually.

[ ] Ok, I understand what I need to do.

We can adjust it of course if you have suggestions.

Unlike other password managers, the passphrase is only used to encrypt the private key locally, it is not used remotely. So in practice from a server perspective, it doesn’t matter what the passphrase is, only the private key comes into play.

This is why when you change the passphrase you need to download a new version of the private key that you can use for the account recovery, so that you know it’s encrypted with the latest version of the passphrase.

Let me know if that doesn’t make sense.

Would that text be more clear?

The passphrase is used to protect your private key locally. The passphrase is stored on your device and never sent to the server. 

Changing your passphrase will only update it on your current  device and browser profile. If you use Passbolt on multiple browsers or devices, you’ll need to update the passphrase in each one separately.

When you change your passphrase, a new backup of your key is automatically generated. This makes sure your backup file is always encrypted with your latest passphrase.

[✓] Ok, I understand what I need to do.

But I have to download it manually?

It’s downloaded automatically after you update the passphrase. There is then a message showing:

Your passphrase has been changed. Make sure you keep a backup of your secret key encrypted with this new passphrase. Keep this backup in a safe place, you will need it in case of emergency.

**Warning**: This recovery kit replace the old one.

You will need this recovery kit later to access your account (for example on a new device).

Apologies, I thought I had email alerts setup for this thread but missed your replies.

Those warnings look good.

Unfortunately, some users no matter what will just not read the warning.

Am I correct that those users can still use their original key (that IT helped them save to a safe spot when setting up their account) and their original password to recover their entire account? Essentially the passbolt server does not care which key-password pair you use?

Hi Mistborn25!

Yes, you are correct that the users can recover their private key from the “recovery kit” as long as they have the password for that specific file.

I just changed the user edith@passbolt.com passphrase and downloaded the file from the browser to show you.
Most of the passbolt UI that you see is generated client side by the browser extension. Encryption of secrets happens there, and the unlocking/changing of passphrases also happens there. Never touching the server.)

passphrase change: https://yourpassboltinstance/app/settings/passphrase

If you want to get a little nerdy you can see with the file command that the text file contains a PGP private key block (or open it in a text editor).
And if you dig further into the file (gpg --list-packets) you can see all the cryptographic specifics.

This is why the warning about "If you have multiple browsers configured, the passphrase will need to be changed in all places individually." because you may have passbolt setup in multiple browsers, or phone/desktop apps, and the passphrase is only to unlock the PGP private key locally.

The PGP private key is what’s used to encrypt a users resources and the PGP public key that’s paired with the user’s private key is the only thing that’s shared with the server.

[Note] The pro version of passbolt has an “account recovery” feature which saves an encrypted copy of a user’s private key in escrow for times when passwords are forgotten, or when members of an organisation leave unexpectedly.
https://www.passbolt.com/docs/user/quickstart/browser/admin-assisted-recovery/

Happy to help with any other questions or clarify on these.

cheers!
gareth

$ file passbolt-recovery-kit\ \(11\).txt
passbolt-recovery-kit (11).txt: PGP private key block

• S2K (String-to-Key) indicates that the private key is encrypted with a passphrase
• algo: 9 corresponds to AES-256
• SHA1 protection means the key material is hashed with SHA1 during the S2K process.
• protect count controls the number of hashing iterations (2²⁴)
• skey[2]: [v4 protected] means the private key data is encrypted and stored in version 4 protected format.

$ gpg --list-packets passbolt-recovery-kit\ \(11\).txt
# off=0 ctb=c5 tag=5 hlen=3 plen=1862 new-ctb
:secret key packet:
        version 4, algo 1, created 1435920447, expires 0
        pkey[0]: [4096 bits]
        pkey[1]: [17 bits]
        iter+salt S2K, algo: 9, SHA1 protection, hash: 8, salt: 4BF478E1EFC09BA6
        protect count: 16777216 (224)
        protect IV:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        skey[2]: [v4 protected]
        keyid: 1D67BAA69E67396C
# off=1865 ctb=cd tag=13 hlen=2 plen=33 new-ctb
:user ID packet: "Edith Clarke <edith@passbolt.com>"
# off=1900 ctb=c2 tag=2 hlen=3 plen=590 new-ctb
:signature packet: algo 1, keyid 1D67BAA69E67396C
        version 4, created 1562090519, md5len 0, sigclass 0x13
        digest algo 10, begin of digest d0 5e
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 3)
        hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
        hashed subpkt 22 len 4 (pref-zip-algos: 2 3 1 0)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        hashed subpkt 33 len 21 (issuer fpr v4 D5FDE007B7B4B9816ECE25F61D67BAA69E67396C)
        hashed subpkt 2 len 4 (sig created 2019-07-02)
        subpkt 16 len 8 (issuer key ID 1D67BAA69E67396C)
        data: [4096 bits]
# off=2493 ctb=c7 tag=7 hlen=3 plen=1861 new-ctb
:secret sub key packet:
        version 4, algo 1, created 1435920447, expires 0
        pkey[0]: [4096 bits]
        pkey[1]: [17 bits]
        iter+salt S2K, algo: 9, SHA1 protection, hash: 8, salt: E677F3DEA7C14DC2
        protect count: 16777216 (224)
        protect IV:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        skey[2]: [v4 protected]
        keyid: E0C730E66DA271DA
# off=4357 ctb=c2 tag=2 hlen=3 plen=566 new-ctb
:signature packet: algo 1, keyid 1D67BAA69E67396C
        version 4, created 1562090531, md5len 0, sigclass 0x18
        digest algo 10, begin of digest 51 e3
        hashed subpkt 27 len 1 (key flags: 0C)
        hashed subpkt 33 len 21 (issuer fpr v4 D5FDE007B7B4B9816ECE25F61D67BAA69E67396C)
        hashed subpkt 2 len 4 (sig created 2019-07-02)
        subpkt 16 len 8 (issuer key ID 1D67BAA69E67396C)
        data: [4096 bits]