Question about Passwort Sharing

GLE · June 4, 2024, 10:31am

Hi everyone,

i read some infos about the Passbolt security, what data is stored in the database and how the Browser Extension works.

As far as I understand it, the sender encrypts the passwort with the public key of the recipient and his Extension.
The Passwort is sent and stored on the server, the recipient gets the encrypted password and decrpyts is with his private key.

Am I right?

The first question I have: how does it work if there are severals receivers? Does the sender know about all the public keys of the Users and encyrpts the password separate with every single key?

Second question: If the password is sent to several users, are the multiple entries for the same password on the Passbolt server/ Database so that each user can receive it and decrpyt it?

Thanks!!

Steph · June 4, 2024, 2:21pm

Hi @GLE!

To make it short, you understood it well.

The decryption/encryption of the resources secrets (the “stored” password in other words) are done in the clients: the browser extension, the desktop app, or the GO client.
These operations are not done on the server side.

As a consequence it means that when we share a secret to somebody else, we need to retrieve their public GPG key first before proceeding. And what happens is that we encrypt the secret for each individual GPG keys.
To say it differently, if we share the secret to 5 other persons, we will first retrieve these 5 GPG keys, and run 5 encryption of the secret.

And for the second question, yes as well. In the previous example the 5 encryption results are stored on the server database and the recipient will have access to the secret then.

GLE · June 4, 2024, 2:50pm

Thanks!

And after the recipients decrypted the secrets individually, will the passwords stay on the Passbolt database forever?

Steph · June 4, 2024, 2:54pm

I’m not sure to fully understand the question.

On the server side is stored only the encrypted version of a secret and there’s no way for the server to decrypt it.
If a user decrypts a secret, it happens only on the client side. And each time a user signs in to its passbolt account, the resources/secrets are downloaded again from the server to the client. So yes, they stay on the server.
However, it could be remove from the server if a user owner of a secret decides to remove it. Then, the data is cleaned and the encrypted message for this secret are no more.

GLE · June 4, 2024, 3:31pm

That answers my question. Thank you very much!!

GLE · June 5, 2024, 6:14am

Its me again.

how does the sender get all the other public keys? I asume it happens after the sender logs in? Are the other users doing a broadcast to share it?

clayton · June 5, 2024, 6:42am

Passbolt acts as your key server for sharing public keys here. They are stored in the gpgkeys table in the database.

You can view a public key of a user by going to the users workspace, clicking on a user, and then on the right side there is section named Public key which you can expand to view the key and related information. Otherwise you could query the database to see the keys if that fits your workflow better