Should OpenPGP server have a password or not?

After successfully setting up a docker installation using the ‘latest-ce-non-root’ image and following the FAQ regarding generating an openpgp public/private key pair, I would lose access to the application within around 20 mins. The error message when I attempted to open the app on my desktop was “could not verify the server key” and the recovery process would fail even though I knew the password and had the recovery key file itself.

After googling I found this community post citing their issue was because they created the keys with a password as I had (step 9 in the FAQ guide) and solved them by recreating new keys without a password.

This has solved my issue / the problem, which was consistently repeatable, is no longer happening. I suspect this could just be a documentation oversight regarding the first link above but would appreciate a more experienced confirmation or correction?

There are two categories of keys in the app.

Server keys. No passphrase, see Passbolt Help | How to rotate server GPG keys

User keys, what you were linking to. They need a passphrase.

Once done correctly, any timeouts are session related and recovery is not needed (only logging back in).

(Edit: I suppose there is a third regarding jwt keys…)


Hello @KillerKelvUK,

We recommend not putting a passphrase on server keys. I think the FAQ is aimed at end-user keys, but indeed it should be clearer. The passphrases are stored temporarily by default by GPG’s passphrase entry / gpg-agent process. It is possible to still use a passphrase with a long TTL, but in order to reduce support issues we’re not promoting this: https://www.gnupg.org/documentation/manuals/gnupg/Invoking-gpg_002dpreset_002dpassphrase.html#Invoking-gpg_002dpreset_002dpassphrase

Hope this clarifies it.

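To make the distinction in the two replies above concrete (server key without passphrase vs. the FAQ-style protected key), here is an added example script; it is not Passbolt's own tooling and not from the thread. It generates a key both ways in a throwaway GNUPGHOME and then checks whether the key can sign unattended, which is the property a server process needs and the property the original poster's protected key lacked. The name, e-mail address and passphrase in it are constructed placeholders; it assumes gpg 2.1 or newer (batch key generation with `%no-protection` and loopback pinentry).

```shell
#!/bin/sh
# Added example (not Passbolt's code): generate a GPG server key the way the
# thread recommends (no passphrase) and verify that it signs without any
# passphrase prompt. Everything lives in a throwaway GNUPGHOME so the real
# keyring is never touched. Assumes gpg >= 2.1.
set -u

# make_server_key <gnupghome> <protect>
#   protect = "no"  -> %no-protection, the recommended form for server keys
#   protect = "yes" -> passphrase-protected, the FAQ's end-user style key
# Prints the fingerprint of the new primary key.
make_server_key() {
    home="$1"; protect="$2"
    mkdir -p "$home"; chmod 700 "$home"
    {
        echo "Key-Type: EDDSA"
        echo "Key-Curve: Ed25519"
        echo "Key-Usage: sign"
        echo "Subkey-Type: ECDH"
        echo "Subkey-Curve: Curve25519"
        echo "Subkey-Usage: encrypt"
        echo "Name-Real: Passbolt Server (example)"      # constructed placeholder
        echo "Name-Email: server@example.test"            # constructed placeholder
        echo "Expire-Date: 0"
        if [ "$protect" = "no" ]; then
            echo "%no-protection"
        else
            echo "Passphrase: example-passphrase"        # constructed, negative case only
        fi
        echo "%commit"
    } > "$home/params"
    GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback \
        --generate-key "$home/params" 2>/dev/null
    # First "fpr" record of the secret keyring is the primary key fingerprint.
    GNUPGHOME="$home" gpg --batch --with-colons --list-secret-keys 2>/dev/null \
        | awk -F: '$1=="fpr"{print $10; exit}'
}

# can_sign_unattended <gnupghome> <fingerprint>
# Returns 0 if the key signs with no passphrase (what a server needs), non-zero
# if gpg wanted one (the situation behind "could not verify the server key").
can_sign_unattended() {
    home="$1"; fpr="$2"
    echo "probe" | GNUPGHOME="$home" gpg --batch --yes --pinentry-mode loopback \
        --passphrase '' --local-user "$fpr" --sign >/dev/null 2>&1
}

# stop_agent <gnupghome>: shut down the gpg-agent that gpg started for this home.
stop_agent() {
    gpgconf --homedir "$1" --kill gpg-agent 2>/dev/null || true
}
```

Run with a fresh directory, e.g. `fpr=$(make_server_key /tmp/srvkey no) && can_sign_unattended /tmp/srvkey "$fpr" && echo unattended-ok`; the same probe against a key built with `yes` fails, which is the quick way to tell which kind of key a server is holding before importing it. If a protected server key is wanted anyway, the route the Passbolt reply points at is the gpg-agent side: `allow-preset-passphrase` plus a long `default-cache-ttl`/`max-cache-ttl` in `gpg-agent.conf`, with `gpg-preset-passphrase --preset <keygrip>` run at start-up, at the cost of having to re-preset after every agent restart.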