Still Not Clear on GPG Encryption

To preface this post - I did read. Extensively. And not for just a few minutes before giving up - but for at least an hour or so, because this issue is meaningful for me.

Cutting to the Short

I want am self-hosting Passbolt as a tool / resource that other users (subscription-based service) can use.

Specifically, the main reason I am doing so is for the GPG integration aspect of Passbolt.

However, I’m not clear on GPG and how its deployed for Passbolt in the following ways:

  1. Admins use their GPG key to sign the server at installation time (went through this process), which is fine with me. Cool.

  2. Users also use GPG keys - what is this for? Specifically, I am hoping that their keys are used to encrypt their information (i.e., as the sysadmin, I won’t be able to simply decrypt their vaults and gain access to their information).

Number two is most meaningful for me, because I feel the biggest ‘checkmate’ of any privacy / security (in this case) focused service is that they rely on encryption by way of a sysadmin provision of some sort.

And while this may protect users (and be really effective encryption), the sysadmin is ultimately the eternal, central point of weakness in that scheme. And knowing that puts a target on that individual’s back for any and all entities that would rather bypass the ‘hack’ route and simply attempt to strong-arm the sysadmin (in-person) for access or, if we’re talking some nation-state’s police / law force - they can coerce the sysadmin through a number of different ways.

This is the Ultimate Flaw in Other Implementations

Why? It can’t be beaten.

To assume that your sysadmin will be willing to undergo extraordinary duress and/or potentially the threat of great physical harm / death imposed on them and perhaps their loved ones as well - is asinine at best (with all due respect).

Enough Rambling - Main Point

  1. Are the GPG keys that users use for this platform used to encrypt one’s vault? Or are they just used to authenticate the identity of the server admin?

  2. If the latter is true in number one, why? This seems like a gross misuse of GPG encryption (or should I say, underuse). While this is valid, to stop here would be a tragedy.

  3. If the latter is not true, is there any documentation that provides more concrete (updated) information about the specific integration of GPG keys in Passbolt’s greater architecture as it pertains to user safety?

Optimistically Awaiting Passbolt’s Response

I hope that my suppositions are correct about the platform (and that it uses GPG key encryption to afford each user with the ability to take care of their own encryption / decryption of their own database backend passwords).

If they are incorrect, then I would be extremely curios to know why.

I would also solicit interest in these forums to fork the project so that we can provide GPG encryption (not as a project coup - but a rejection of this idea would indicate to me that this is not part of the current development direction - and rather than fighting with the established structure + community of Passbolt).

Thank you in advance for feedback and guidance. If I’ve missed documentation, I apologize - really not trying to be redundant as I’m sure the GPG-key premise of Passbolt’s platform has been extensively probed (I’m just not able to find a recent forum threat that deals with this issue / documentation that provides me with an adequate understanding)


Users public keys are used to encrypt the passwords. The server key is only used during authentication. Passbolt supports end to end encryption. A sysadmin is not able to decrypt the content on the server.

Some more info can be found in the white paper (crypto part starts page 13):

Some more general answers: