Hello, I am looking into implementing passbolt at my workplace. Overall I do like the feature set and options we get.
There is a concern though. Is the private key generated from a random value, as with PuTTYgen, or is it based solely on the GPG server key? If it is derived only from the server key, could this not allow the potential for access to all user private keys?
Just trying to get a full statement so I can pitch this properly. Thanks!
See “PRNG” on page 15 and “Key Management” on page 16. The document overall is a very nice reference.
The user key is its own GPG key and separate from the GPG server key.
The user private keys are not kept on the server. When the private key is created in the user registration process it is critical that the user download the key and keep it safe and backed up. This private key is also created with the requirement of a user passphrase. Keeping this passphrase safe is also critical.
By design, the user private key is stored only in the user’s web extension. Access to user private keys is not possible via the server.
Management of the user public keys, however, is a built-in feature.
To request a free Pro trial:
There are self-hosted and cloud options. Hope this helps.
I think the passbolt package(s) could be installed, but the web-installer configuration should be started only after whatever other modifications you need are done. I would recommend testing this for your case, as it would impact the speed at which keys are created.
@rxthexletter Yes, this may be the case if you are depending on passbolt to install GnuPG, such as when you use the Debian package, the Docker container or the install script versions. You may also decide to install from source (these days we would not recommend this unless needed, as the other package-based versions are much easier to install).