Hello,
I’m following the guide to set up automated backups for my passbolt installation. It says I also have to backup the public and private GPG keys used for authentication by the passbolt api.
However I’m concerned this might introduce a security issue? Like what if the backup itself is compromised, and someone gets access to the keys, couldn’t these be used misused? Should I be worrying about this?
Hi @passbolt_user Welcome to the forum! Definitely read the whitepaper if you haven’t already https://help.passbolt.com/assets/files/Security%20White%20Paper%20-%20Passbolt%20Pro%20Edition.pdf
Risk mitigation strategies are discussed.
Hi @passbolt_user,
The private key itself needs to be unlock with your passphrase. If the attacker got access to your private key, the entropy of your passphrase will be the last barrier to access your account.
Take a look at this nice table made by a reddit user: https://i.imgur.com/gfYw57t.png
It’s fair to say that bruteforce attack on a passphrase are very unlikely to succeed if you got a decent entropy( and not leaked…) passphrase.
Best,
Max
Hi, during the installation it says that I shouldn’t set any passphrase for the private key?
Maybe an attacker could use the private key and a compromised domain to spoof the passbolt server?
Hi, for the private key of the server yes.
For the user’s private keys you need to.
Best,
Max
