The private key cannot be used to decrypt a message

Hi, I’ve recently upgraded my company’s Passbolt installation (originally configured by an intern).

The platform works wonders, but I’ve launched a healthcheck with the following results:

---------------------------------------------------------------
     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
---------------------------------------------------------------
 Healthcheck shell
---------------------------------------------------------------

 Environment

 [PASS] PHP version 7.0.15-0ubuntu0.16.04.4
 [PASS] PCRE compiled with unicode support
 [PASS] The temporary directory and its content are writable
 [PASS] The public image directory and its content are writable

 Config files

 [PASS] The core config file is present
 [PASS] The database config file is present
 [PASS] The email config file is present
 [PASS] The application config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [FAIL] Default value found for security.salt
  [HELP] Edit the security.salt in app/Config/core.php
 [FAIL] Default value found for security.cipherSeed
  [HELP] Edit the security.cipherSeed in app/Config/core.php
 [PASS] Full base url is set to https://passbolt.devecomputer.es
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate

 Database

 [PASS] Configured to use a supported database backend
 [PASS] The application is able to connect to the database
 [PASS] Not using a prefix for database tables
 [PASS] 20 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded
 [PASS] The server gpg key is not the default one
 [PASS] The environment variable GNUPGHOME is set to /home/www-data/.gnupg/
 [PASS] The directory /home/www-data/.gnupg/ containing the keyring is writable by the user the webserver is running as.
 [PASS] The public key file is defined in app/config.php and readable.
 [PASS] The private key file is defined in app/config.php and readable.
 [PASS] The server key fingerprint matches the one defined in app/config.php.
 [PASS] The server key defined in the app/Config.php is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt and sign a message.
 [FAIL] The private key cannot be used to decrypt a message
  [HELP] Make sure that the server private key is valid and that there is no passphrase.

 Application configuration

 [PASS] Using latest passbolt version (1.6.5)
 [PASS] Passbolt is configured to force SSL use
 [PASS] App.fullBaseUrl is set to HTTPS
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

 Development Tools (optional)

 [PASS] Phpunit is installed
 [PASS] Phpunit version is 3.7.38

  3 error(s) found. Hang in there!

I’m concerned about this situation, because we have a pretty decent amount of passwords to worry about. Could we lose our passwords because of a corrupted key? Do they work independently of this server’s private-public pair of keys? We should generate a new pair of keys without any worries?

Maybe the issue "The public key cannot be used to encrypt and sign a message" is related?

Hi @plargomohe

  • The salt and cipherSeed are currently not in use, so this is not an issue. These are default CakePHP settings that we thought we might use in the future but that currently have no impact on security.
  • The server key not being able to decrypt is a false positive if you are able to login. This could be due to the permissions of the user running the healthcheck script being different from the webserver one.

To answer your questions:

Could we lose our passwords because of a corrupted key?
No. Worst case scenario you will need to generate a new server key and have all users perform a recover to accept the new key.

Do they work independently of this server’s private-public pair of keys?
Yes. The client keys have nothing to do with the server keys. They are generated (or imported) and stored in the client.

We should generate a new pair of keys without any worries?
It is not required to generate a new server key (unless it is about to expire, for example).

Thank you so much, your answers were very helpful! (I would even consider them perfect for a FAQ section).

I was also kind of worried because, trying to validate my private key, I’ve got this result:

root@srvpassbolt:/opt/passbolt/app/Config/gpg# openssl rsa -noout -modulus -in serverkey.private.asc
unable to load Private Key
139950514628248:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:809:

I feel that this problem could be strongly related, but I’m not able to understand why I can login, as you previously stated. I’ve also triple checked the permissions of the file, the user executing the healthcheck, etc.
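
Added example (not from the thread and not Passbolt's own code): the healthcheck hint asks for a server key with no passphrase, and this Python code checks that directly on an ASCII-armored OpenPGP file such as serverkey.private.asc, a different container from the PEM input that `openssl rsa` parses. It assumes a v4 RSA, DSA or Elgamal key; the function names and the synthetic sample packet are constructed for illustration.

```python
import base64

BEGIN = "-----BEGIN PGP PRIVATE KEY BLOCK-----"
END = "-----END PGP PRIVATE KEY BLOCK-----"
PUBLIC_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # MPIs per algo: RSA 2, Elgamal 3, DSA 4

def dearmor(text):
    """Decode an ASCII-armored OpenPGP private key block to raw packet bytes."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or lines[0] != BEGIN or END not in lines:
        raise ValueError("not an OpenPGP private key block (PEM or other format?)")
    body = lines[1:lines.index(END)]
    if "" in body:                      # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    # The trailing "=XXXX" line is the CRC-24 checksum, not key data.
    return base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))

def first_packet(data):
    """Return (tag, body) of the first packet, old or new header format."""
    hdr = data[0]
    if hdr & 0x40:                      # new format: tag in the low 6 bits
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            start, length = 2, first
        elif first < 224:
            start, length = 3, ((first - 192) << 8) + data[2] + 192
        else:
            raise ValueError("5-octet and partial body lengths are not handled")
    else:                               # old format: tag in bits 5-2, length type in bits 1-0
        tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
        if n == 8:
            raise ValueError("indeterminate length is not handled")
        start, length = 1 + n, int.from_bytes(data[1:1 + n], "big")
    return tag, data[start:start + length]

def is_passphrase_protected(armored):
    """True if the secret key material is encrypted (S2K usage octet != 0)."""
    tag, body = first_packet(dearmor(armored))
    if tag != 5 or body[0] != 4 or body[5] not in PUBLIC_MPIS:
        raise ValueError("expected a v4 RSA/DSA/Elgamal secret key packet")
    pos = 6                             # skip version, creation time, algorithm id
    for _ in range(PUBLIC_MPIS[body[5]]):
        pos += 2 + (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
    return body[pos] != 0

def constructed_key(usage):
    """Constructed, non-functional sample packet with the given S2K usage octet."""
    body = b"\x04" + bytes(4) + b"\x01" + b"\x00\x08\xc5" + b"\x00\x02\x03" + bytes([usage]) + bytes(8)
    pkt = bytes([0x95]) + len(body).to_bytes(2, "big") + body
    return "\n".join([BEGIN, "", base64.b64encode(pkt).decode(), END])
```

On a real server, pass the contents of the armored key file to `is_passphrase_protected`; a `True` result means the key needs a passphrase, which is the condition the healthcheck hint warns about.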
