Recovering account in case of lost private key or passphrase

I came upon this page and was wondering if it is intentional that an account’s passphrase and private key cannot be recovered even with an administrator account or if recovering an account where the passphrase or even the private key has been lost is an upcoming feature?

If it is an intentional design, can I ask the justification behind this implementation decision?

Hi @csss_admin,

Regarding the second part of your question, the intro in this document helps to explain the rationale. It’s intentional in the spirit of addressing certain security scenarios.

Hi @garrett,

Thanks for the response, I assume that the point “Granular encryption and secrecy” is the explanation for the second part of my question?

Right. Assuming there is a “team” then every password is shared with at least one other person. To lose a password in this scenario, multiple people have to lose private keys.

Backup of one’s key is the solution, generally speaking. It’s possible to manage keys for others, I suppose, by creating the keys first then distributing them for others to use…a process outside of the native design, on a few points. Backing up those keys, then, would still be the need.

I am just having trouble understanding the decisions made when it comes to allowing someone to re-download their private key and generate a passphrase.

I personally envision the process for regaining access to one’s account can be implemented such that it can be started by allowing an administrator to click a button similar to “re-send invite”. The idea is that the user who has lost their passphrase and/or their private key needs only to have access to their email to regain access to their passwords.

Is the concern that the email from passbolt to the user’s email will be potentially intercepted or that the email inbox itself is a point of attack?

In response to either concern, I would ask, would it be perhaps more appropriate to let the user take that risk if they want and to simply advise users to not need to resort to that method but offer it nonetheless?

Downloading the private key would require it to be kept on the server… If it’s not on the server then it can’t be downloaded.

Yes, in addition to other concerns (like takeover of a domain) and attack surfaces.

The nature of the app architecture, in some respects, means it would be inappropriate to offer the options as the option would be contrary to the guiding principles.

I see. I would prefer if the option was there, but I see the reason why it is not a planned feature. Thank you for answering my questions.

You are very welcome! I know the developers appreciate hearing the feedback - you’ve asked good questions.