Hi Mistborn25!
Yes, you are correct that the users can recover their private key from the “recovery kit” as long as they have the password for that specific file.
I just changed the passphrase of the user edith@passbolt.com and downloaded the file from the browser to show you.
Most of the passbolt UI that you see is generated client side by the browser extension. Encryption of secrets happens there, and the unlocking/changing of passphrases also happens there, never touching the server.
passphrase change: https://yourpassboltinstance/app/settings/passphrase
If you want to get a little nerdy you can see with the file command that the text file contains a PGP private key block (or open it in a text editor).
And if you dig further into the file (gpg --list-packets) you can see all the cryptographic specifics.
This is why the warning "If you have multiple browsers configured, the passphrase will need to be changed in all places individually." exists: you may have passbolt set up in multiple browsers, or phone/desktop apps, and the passphrase is only used to unlock the PGP private key locally.
The PGP private key is what's used to encrypt a user's resources, and the PGP public key that's paired with the user's private key is the only thing that's shared with the server.
[Note] The pro version of passbolt has an “account recovery” feature which saves an encrypted copy of a user's private key in escrow for times when passwords are forgotten, or when members of an organisation leave unexpectedly.
https://www.passbolt.com/docs/user/quickstart/browser/admin-assisted-recovery/
Happy to help with any other questions or clarify on these.
cheers!
gareth
$ file passbolt-recovery-kit\ \(11\).txt
passbolt-recovery-kit (11).txt: PGP private key block
S2K (String-to-Key) indicates that the private key is encrypted with a passphrase
algo: 9 corresponds to AES-256
SHA1 protection means the key material is hashed with SHA1 during the S2K process.
protect count controls the number of hashing iterations (2²⁴)
skey[2]: [v4 protected] means the private key data is encrypted and stored in version 4 protected format.
$ gpg --list-packets passbolt-recovery-kit\ \(11\).txt
# off=0 ctb=c5 tag=5 hlen=3 plen=1862 new-ctb
:secret key packet:
version 4, algo 1, created 1435920447, expires 0
pkey[0]: [4096 bits]
pkey[1]: [17 bits]
iter+salt S2K, algo: 9, SHA1 protection, hash: 8, salt: 4BF478E1EFC09BA6
protect count: 16777216 (224)
protect IV: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
skey[2]: [v4 protected]
keyid: 1D67BAA69E67396C
# off=1865 ctb=cd tag=13 hlen=2 plen=33 new-ctb
:user ID packet: "Edith Clarke <edith@passbolt.com>"
# off=1900 ctb=c2 tag=2 hlen=3 plen=590 new-ctb
:signature packet: algo 1, keyid 1D67BAA69E67396C
version 4, created 1562090519, md5len 0, sigclass 0x13
digest algo 10, begin of digest d0 5e
hashed subpkt 27 len 1 (key flags: 03)
hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 3)
hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
hashed subpkt 22 len 4 (pref-zip-algos: 2 3 1 0)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (keyserver preferences: 80)
hashed subpkt 33 len 21 (issuer fpr v4 D5FDE007B7B4B9816ECE25F61D67BAA69E67396C)
hashed subpkt 2 len 4 (sig created 2019-07-02)
subpkt 16 len 8 (issuer key ID 1D67BAA69E67396C)
data: [4096 bits]
# off=2493 ctb=c7 tag=7 hlen=3 plen=1861 new-ctb
:secret sub key packet:
version 4, algo 1, created 1435920447, expires 0
pkey[0]: [4096 bits]
pkey[1]: [17 bits]
iter+salt S2K, algo: 9, SHA1 protection, hash: 8, salt: E677F3DEA7C14DC2
protect count: 16777216 (224)
protect IV: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
skey[2]: [v4 protected]
keyid: E0C730E66DA271DA
# off=4357 ctb=c2 tag=2 hlen=3 plen=566 new-ctb
:signature packet: algo 1, keyid 1D67BAA69E67396C
version 4, created 1562090531, md5len 0, sigclass 0x18
digest algo 10, begin of digest 51 e3
hashed subpkt 27 len 1 (key flags: 0C)
hashed subpkt 33 len 21 (issuer fpr v4 D5FDE007B7B4B9816ECE25F61D67BAA69E67396C)
hashed subpkt 2 len 4 (sig created 2019-07-02)
subpkt 16 len 8 (issuer key ID 1D67BAA69E67396C)
data: [4096 bits]
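As an added example (not passbolt's code and not part of the original post), here is a small Python parser for the secret key packet shown above: it dearmors the recovery kit, walks the v4 RSA secret (sub)key packet, decodes the S2K fields that gpg --list-packets prints (cipher, S2K type, salt, coded count, SHA1 protection) and runs a simple policy check that a defender could apply before accepting an exported kit into backup. The sample kit it builds is a constructed, dummy packet with the same header layout, not a real key; the parser handles only new-format packet headers and RSA keys, which is the case shown on this page.

```python
import base64, struct

SYM = {7: "AES-128", 8: "AES-192", 9: "AES-256"}          # symmetric algo ids, RFC 4880 9.2

def build_sample_kit(usage=254):
    # Constructed sample, not a real key: one v4 RSA secret key packet laid out like gpg printed above.
    body = b"\x04" + struct.pack(">I", 1435920447) + b"\x01"              # version 4, created, algo 1 (RSA)
    body += (struct.pack(">H", 17) + b"\x01\x00\x01") * 2                  # two dummy 17-bit MPIs (n, e)
    body += bytes([usage, 9, 3, 8]) + bytes.fromhex("4BF478E1EFC09BA6")    # usage, AES-256, iter+salt S2K, SHA256, salt
    body += b"\xE0" + bytes(16) + b"\xAA" * 40                              # coded count 224, IV, dummy encrypted skey
    pkt = b"\xC5\xFF" + struct.pack(">I", len(body)) + body                 # new-format tag 5 header, 5-octet length
    return ("-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: constructed\n\n"
            + base64.b64encode(pkt).decode() + "\n=AAAA\n-----END PGP PRIVATE KEY BLOCK-----\n")

def dearmor(text):
    """Return the raw packet bytes inside a 'PGP PRIVATE KEY BLOCK' armor."""
    lines = [l.strip() for l in text.splitlines()]
    i, j = lines.index("-----BEGIN PGP PRIVATE KEY BLOCK-----"), lines.index("-----END PGP PRIVATE KEY BLOCK-----")
    # drop armor headers ("Version: ..."), the blank separator and the "=xxxx" CRC-24 line
    return base64.b64decode("".join(l for l in lines[i + 1:j] if l and ":" not in l and l[0] != "="))

def s2k_count(coded):
    """RFC 4880 3.7.1.3: expand the one-octet coded count (0xE0 -> 16777216, gpg shows it as 224)."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)

def inspect_secret_key(blob):
    """Parse the first packet (must be a v4 RSA secret key/subkey) and return how its skey is protected."""
    ctb, l0 = blob[0], blob[1]
    if ctb & 0xC0 != 0xC0: raise ValueError("old-format packet header not handled")
    if l0 < 192:    plen, p = l0, 2                                        # new-format body length forms
    elif l0 < 224:  plen, p = ((l0 - 192) << 8) + blob[2] + 192, 3
    elif l0 == 255: plen, p = struct.unpack(">I", blob[2:6])[0], 6
    else: raise ValueError("partial body lengths not handled")
    tag, body = ctb & 0x3F, blob[p:p + plen]
    if tag not in (5, 7) or body[0] != 4 or body[5] != 1: raise ValueError("not a v4 RSA secret (sub)key packet")
    p = 6
    for _ in range(2): p += 2 + (struct.unpack(">H", body[p:p + 2])[0] + 7) // 8   # skip MPIs n and e
    usage = body[p]; p += 1
    info = {"tag": tag, "usage": usage, "protected": usage != 0, "integrity": "SHA1" if usage == 254 else "checksum"}
    if usage in (254, 255):                                                 # modern: cipher id + S2K specifier follow
        sym, s2k_type, hash_id = body[p], body[p + 1], body[p + 2]; p += 3
        info["salt"] = body[p:p + 8].hex().upper() if s2k_type in (1, 3) else None
        info["count"] = s2k_count(body[p + 8]) if s2k_type == 3 else None
        info.update(sym=SYM.get(sym, sym), s2k_type=s2k_type, hash=hash_id)
    elif usage: info.update(sym=SYM.get(usage, usage), s2k_type=0, hash=1, salt=None, count=None)  # legacy MD5 S2K
    return info

def kit_acceptable(info, min_count=65536):
    # Policy check before a kit goes into backup: passphrase-protected, AES, iterated+salted S2K, SHA1 integrity
    return bool(info["protected"] and info["integrity"] == "SHA1" and info.get("sym") in SYM.values()
                and info.get("s2k_type") == 3 and (info.get("count") or 0) >= min_count)
```

Running inspect_secret_key(dearmor(open("passbolt-recovery-kit.txt").read())) on a real kit reports the same salt, cipher and expanded count that gpg --list-packets prints for the first packet.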