Session key decryption failed

Regarding the following:
Session key decryption failed. · Issue #1126 · openpgpjs/openpgpjs · GitHub
Browser extension v3.0.3: session key decryption failed

I am not interested in fighting to regenerate my keys etc. anymore.
How do I set the relevant openpgp configuration flag to allow the insecure keys?

Hi @Hwiggy,

It’s enabled by default for everyone on the latest browser extension:

Can you describe your scenario/situation a bit more?

My key had expired, so I then needed to regenerate the key, but now, no matter what kind of key I generate, I am just always getting this error message, even on the website directly (not only in the browser extension).

I am editing the public key manually via mysql and dropping the gpg keychain + reimporting the server key, but nothing is fixing this issue. I was hoping there might be a flag I can enable that just bypasses this error message.

@Hwiggy can you confirm this is your user key that is expired?

Unfortunately there is no user interface to rotate expired user keys.
However there is a manual procedure that can be followed:

  • Remove the expiry date and export a public and private key without expiry (or new expiry date set in the future), using gnupg for example
  • Manually update the public key in the database under the gpgkeys table for this user; make sure you update both the armored key and the modified date (so that your colleagues can get the updated key also).
  • Remove the key from the gnupg keyring on the server
  • Perform an account recovery with the new private key
  • From there you should be able to log in.

I have manually reset my key in the database many times to no avail.
I got the system to a point where I could log in, but decrypting any password immediately failed.

Just a heads up that I did a full reinstall of Passbolt
(backup database, server key, remove entire directory, reinstall & reimport then recover)

I still cannot decrypt any of my passwords

I’m not sure what’s happening to you.

One logical explanation as to why you can log in but not decrypt would be that the secrets are encrypted with a different public key. Either:

  • You created a new key that is not related to the expired one
  • The secrets were encrypted for another key than the expired one that you changed.

Hard to tell without having more information.

Ah, this might explain things.
Yeah it might be that I generated a new public key when I noticed mine was expired.
Not great, but perhaps I have a backup of my keypair.

I tested creating a new password and decrypting it, that worked fine with the new key stored on the server; I suppose this is a problem with my side then.


Okay so I was using the same public key as passbolt knew, but the problem was I had deleted the subkey that had expired, rather than changing the expiry. I guess I became a victim of my lack of encryption knowledge; I suppose this meant that passbolt (or gpg even) did not recognize that keys signed with a specific subkey applied to the existing public key.

Reimporting the expired subkey and properly changing the expiration date, then re-importing the public key on passbolt did the trick, and I have totally recovered my credentials.
Thank you very much.
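
The failure resolved in the last post can be checked offline; the following is an added example, not part of the original thread and not Passbolt or OpenPGP.js code. It compares the recipient key IDs that `gpg --list-packets` reports for an encrypted secret against the encryption-capable keys in `gpg --with-colons --list-secret-keys` output; the key IDs, dates and sample outputs are constructed, and expiry is assumed to be in epoch seconds.

```python
import re
from datetime import datetime, timezone

# Constructed samples (made-up key IDs): a keyring whose encryption subkey
# expired on 2022-01-01, and a message encrypted to that subkey.
KEYRING_EXPIRED = (
    "sec:e:3072:1:AAAAAAAAAAAAAAAA:1577836800:1640995200::u:::sc:\n"
    "ssb:e:3072:1:BBBBBBBBBBBBBBBB:1577836800:1640995200:::::e:\n"
)
# Same primary key after the expired subkey was deleted instead of extended.
KEYRING_SUBKEY_DELETED = KEYRING_EXPIRED.splitlines()[0] + "\n"
PACKETS = ":pubkey enc packet: version 3, algo 1, keyid BBBBBBBBBBBBBBBB\n"


def recipient_keyids(list_packets_output):
    """Key IDs named in the message's public-key encrypted session key packets."""
    pattern = r"^:pubkey enc packet:.*keyid ([0-9A-Fa-f]{16})"
    return [k.upper() for k in re.findall(pattern, list_packets_output, re.M)]


def encryption_keys(colons_output):
    """Map key ID -> expiry (datetime or None) for encryption-capable secret keys."""
    keys = {}
    for line in colons_output.splitlines():
        f = line.split(":")
        # Field 12 holds capabilities; lowercase 'e' means this (sub)key encrypts.
        if f[0] in ("sec", "ssb") and len(f) >= 12 and "e" in f[11]:
            expiry = datetime.fromtimestamp(int(f[6]), timezone.utc) if f[6] else None
            keys[f[4].upper()] = expiry
    return keys


def diagnose(colons_output, list_packets_output, now):
    """Classify each recipient key ID as 'missing', 'expired' or 'ok'."""
    held = encryption_keys(colons_output)
    report = {}
    for keyid in recipient_keyids(list_packets_output):
        if keyid not in held:
            report[keyid] = "missing"   # no secret key for this session key packet
        elif held[keyid] is not None and held[keyid] <= now:
            report[keyid] = "expired"   # still present: extend expiry, do not delete
        else:
            report[keyid] = "ok"
    return report


if __name__ == "__main__":
    now = datetime(2023, 1, 1, tzinfo=timezone.utc)
    print(diagnose(KEYRING_EXPIRED, PACKETS, now))
    print(diagnose(KEYRING_SUBKEY_DELETED, PACKETS, now))
```

A "missing" result means the keyring holds no secret key matching the ID the secret was encrypted to, even though the primary key is unchanged.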