Hello, I am looking into implementing passbolt at my workplace. Overall I do like the feature set and options we get.
There is a concern though. Is the Private Key generated on a random value such as PuttyGen? or is it based solely on the GPG server key? If it is only off of the server key, could this not allow the potential to have access to all user private keys?
Just trying to get a full statement so I can pitch this properly. Thanks!
Hi @rxthexletter This a great question.
See “PRNG” on page 15, and “Key Management” on page 16. The document overall is a very nice reference.
The user key is its own GPG key and separate from the GPG server key.
The user private keys are not kept on the server. When the private key is created in the user registration process it is critical that the user download the key and keep it safe and backed up. This private key is also created with the requirement of a user passphrase. Keeping this passphrase safe is also critical.
By design, the user private key is stored only in the user’s web extension. Access to user private keys is not possible via the server.
Management of the user public keys, however, is a built-in feature.
To request free Pro trial:
There are self-hosted and cloud options. Hope this helps.
I really appreciate all of the info! This is very useful!
So in short, the Secret Key generation is not utilizing the same “random seed” of the server’s GPG key, and would not be a security risk?
@rxthexletter I believe you will need to establish GPG configuration before beginning the passbolt install with regard to --no-random-seed-file option in GPG: GPG Configuration Options (Using the GNU Privacy Guard)
I think the passbolt package(s) could be installed, but the web-installer configuration should be started only after whatever other modifications you need are done first. I would recommend testing this for your case, as it would impact the speed at which keys are created.
Where can i enter this option in GPG? I can not seem to locate a config file pre-install of passbolt
@rxthexletter Yes, this may be the case if you are depending on passbolt to install GnuPG like if you use the debian package, the docker container or install script versions. You may also decide to install from source (these days we would not recommend this except if needed as the other packaged-based versions are much easier to install).
But once the different dependencies are installed, you look for the ~/.gnupg directory and create a gpg.conf config file: GPG Options (Using the GNU Privacy Guard)