Unable to decrypt passwords

So I’ve set up passbolt for personal use, and have put a few passwords in. If I read it correctly the addon is supposed to work with web pages to auto fill passwords. I clicked on the addon, and got stuck on the “working” circle graphic. Then I realized that the addon has been updated for a few minor patches, but passbolt was not, and there may be some in compatability. So I removed the addon and installed the version matching my passbolt. I was not able to access the main site. Since this is for personal use I have no need for email, so that isn’t set up, so through a little working I was able to figure out how to reregister my main account at ~/setup/install/[userid]/[authentication_token]. I was trying to find a recovery page, but was met with not found, and unauthorized denials. So now I am able to access my passbolt account, but am unable to decrypt the passwords. Is there anything I can do to regain access to my passwords?

Hi @mayday010,

Let me see if I understand you correctly:

  • No mail settings were setup in the past
  • You couldn’t find the recovery page, but then you did but were not authorized to view it (it can be found at “yourdomain.com/users/recover”)
  • You now have access to your account, and can see the listed passwords you previously entered, but cannot decrypt them

Is this a correct understanding?

I’m a little confused by what you mean when you say “regain access to my passwords”. Do you have server-level access for your Passbolt installation? Do you have access to your database? Did you keep your key from last time?

  • correct, mail was not configured
  • I attempted to find a recovery page (as you point out ~/users/recover), that is similar to the account registration ( ~/setup/install/[userid]/[authorization_token]), where userid and authorization_token was pulled from the database.
  • correct. I can log into my account now. I can see the list of password entries I have made, but if I try to edit, or view the passwords, I get an error that they cannot be decrypted.

by regain access, I mean be able to view and edit the password entries that I have previously made. Yes, I have server access. Yes, I have database access. If the key is the one you download while initially setting up the account, then yes, I also have the key from last time.


That’s good news because you can take a record from the “secrets” table’s “data” field and email it to yourself. Before you do, in your email client you need to import your private key from the initial setup. And have your passphrase for the key handy as well.

Good luck!

ok so if I double click the saved key it says that its imported.
I’m a little confused at how to put it all together. If I email, or essentially just copy the data from the data field, how does this give me access? Wouldn’t I need some type of url / link, taking me to passbolt, which would update the appropriate files?


When you email a message to yourself (can even be from yourself) the body of the message should be the content of the data field. Something like this:

Version: OpenPGP.js v4.5.1
Comment: https://openpgpjs.org


I would recommend the plain text setting in your email client as well, if possible, just to eliminate any chance of stray parts.

The data is the encrypted password - no link or url to open it - only your key is needed. Now, to determine which password goes with which site, you’ll want to match up the resource_id field from the secrets table with the records in the resources table.

Your question may indicate you are attempting to restore your server back to it’s original form but it seems you have two users now, so I’m sharing the process to recover your passwords manually. It’s not clear what the problem with your installation is, and since you said you had a few passwords, I thought this might be the quickest way for you to get your passwords back.

No, It is still only one use, one account. I have the same user id as before. All the secrets are there and match with the corresponding resources. Pass bolt is just unable to decrypt them when I enter my account password.


Ok, let’s check to see if your key decrypts a record first. That would confirm it’s a good key.

It sounded like you had two keys when you said:

If the key is the one you download while initially setting up the account, then yes, I also have the key from last time.

Double check the users table regarding how many users.

Confirm back, thanks.

There is only 1 user in my users table

@mayday010 How about the key - does it decrypt via the email method?

I’m not a ware of my email client decrypting messages. So I copied it to a text file, and tried to decrypt it.

gpg -d gpg_test.gpg
gpg: no valid OpenPGP data found.
gpg: decrypt_message failed: Unknown system error

I did a gpg --list-keys and there are keys listed.

Was this import into your email client? If it was and it was successful, it will (should) automatically decrypt the record data when it receives an email.

oh, never mind. there was a leading space in the file that messed with it. it is now decrypting that file.


When I log into my passbolt installation, this is what it shows when I hover over the heart in the lower right corner. What does yours show?

mine shows 2.13.5/2.13.5

@mayday010 They don’t have to be the same version, so it’s okay to do the newer one.

Ok, so you followed a process like this post about recovering without email and were able to get back in but the passwords are not decrypting.

Since your key works, I would recommend:

  • reinstalling the most updated browser addon and doing the recover steps again.
  • Check the logs folder in the passbolt root for both debug.log and error.log files - make them if they are missing, and see if there are errors.
  • Also which browser/version are you using?

The advice on the linked post is pretty much exactly what I was looking for, except that I have tried that. when I go to the page

I am met with the bird. saying “you are not authorized to view that location”. and further it says that my token is not valid or expired. I copied the values straight from the database. the entry is marked as active, but can’t recover.


Try starting the recovery process again. Go to /users/recover path and have it send another email, then check for a new token in the database.

Thanks much. It is working now. Is there a place in the database that holds the private key? It seems that just needed to be updated.

1 Like



Actually, the private key is on the client side with the extension.