Unable to decrypt passwords

Hi @mayday010,

Let me see if I understand you correctly:

  • No mail settings were set up in the past
  • You couldn’t find the recovery page, but then you did but were not authorized to view it (it can be found at “yourdomain.com/users/recover”)
  • You now have access to your account, and can see the listed passwords you previously entered, but cannot decrypt them

Is this a correct understanding?

I’m a little confused by what you mean when you say “regain access to my passwords”. Do you have server-level access for your Passbolt installation? Do you have access to your database? Did you keep your key from last time?

  • correct, mail was not configured
  • I attempted to find a recovery page (as you point out ~/users/recover), that is similar to the account registration ( ~/setup/install/[userid]/[authorization_token]), where userid and authorization_token were pulled from the database.
  • correct. I can log into my account now. I can see the list of password entries I have made, but if I try to edit, or view the passwords, I get an error that they cannot be decrypted.

by regain access, I mean be able to view and edit the password entries that I have previously made. Yes, I have server access. Yes, I have database access. If the key is the one you download while initially setting up the account, then yes, I also have the key from last time.

@mayday010

That’s good news because you can take a record from the “secrets” table’s “data” field and email it to yourself. Before you do, in your email client you need to import your private key from the initial setup. And have your passphrase for the key handy as well.

Good luck!

ok so if I double click the saved key it says that it’s imported.
I’m a little confused at how to put it all together. If I email, or essentially just copy the data from the data field, how does this give me access? Wouldn’t I need some type of url / link, taking me to passbolt, which would update the appropriate files?

@mayday010

When you email a message to yourself (can even be from yourself) the body of the message should be the content of the data field. Something like this:


I would recommend the plain text setting in your email client as well, if possible, just to eliminate any chance of stray parts.

The data is the encrypted password - no link or url to open it - only your key is needed. Now, to determine which password goes with which site, you’ll want to match up the resource_id field from the secrets table with the records in the resources table.

Your question may indicate you are attempting to restore your server back to its original form but it seems you have two users now, so I’m sharing the process to recover your passwords manually. It’s not clear what the problem with your installation is, and since you said you had a few passwords, I thought this might be the quickest way for you to get your passwords back.

No, it is still only one user, one account. I have the same user id as before. All the secrets are there and match with the corresponding resources. Passbolt is just unable to decrypt them when I enter my account password.

@mayday010

Ok, let’s check to see if your key decrypts a record first. That would confirm it’s a good key.

It sounded like you had two keys when you said:

“If the key is the one you download while initially setting up the account, then yes, I also have the key from last time.”

Double check the users table regarding how many users.

Confirm back, thanks.

There is only 1 user in my users table

@mayday010 How about the key - does it decrypt via the email method?

I’m not aware of my email client decrypting messages. So I copied it to a text file, and tried to decrypt it.

gpg -d gpg_test.gpg
gpg: no valid OpenPGP data found.
gpg: decrypt_message failed: Unknown system error

I did a gpg --list-keys and there are keys listed.

Was this imported into your email client? If it was and it was successful, it will (should) automatically decrypt the record data when it receives an email.

oh, never mind. there was a leading space in the file that messed with it. it is now decrypting that file.
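
Added example, not part of the original thread: a Python sketch of the manual check discussed above, pairing each row of the secrets table with its resource by resource_id and cleaning the armored data field so that stray whitespace (the leading space reported above) does not stop gpg from recognising it. The rows are constructed samples with a placeholder body, and the resources `name` column and the `res-0001` id are assumptions.

```python
import subprocess

BEGIN = "-----BEGIN PGP MESSAGE-----"
END = "-----END PGP MESSAGE-----"

def normalize_armor(data):
    """Return a clean armored block; raise ValueError if none is present."""
    # Armor lines must start in column 0, so strip stray whitespace and CRs
    # picked up when copying the field out of a DB client or mail body.
    lines = [ln.strip() for ln in data.splitlines()]
    if BEGIN not in lines or END not in lines:
        raise ValueError("no PGP MESSAGE armor found")
    start, end = lines.index(BEGIN), lines.index(END)
    if end < start:
        raise ValueError("armor footer precedes header")
    return "\n".join(lines[start:end + 1]) + "\n"

def pair_secrets(secrets, resources):
    """Match (resource_id, data) rows to (id, name) rows by resource id."""
    names = dict(resources)
    return [(rid, names.get(rid, "<no matching resource>"), normalize_armor(data))
            for rid, data in secrets]

def decrypt(armor):
    """Decrypt with the local gpg keyring; gpg-agent asks for the passphrase."""
    done = subprocess.run(["gpg", "--decrypt"], input=armor.encode(),
                          capture_output=True, check=True)
    return done.stdout.decode()

# Constructed sample rows: the body is placeholder base64, not a real message.
SAMPLE_RESOURCES = [("res-0001", "example webmail")]  # assumed columns: id, name
SAMPLE_SECRETS = [("res-0001",
    " -----BEGIN PGP MESSAGE-----\r\n"
    "Version: OpenPGP.js v4.5.1\r\n"
    "\r\n"
    "  Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=\r\n"
    "-----END PGP MESSAGE----- \r\n")]

if __name__ == "__main__":
    for rid, name, armor in pair_secrets(SAMPLE_SECRETS, SAMPLE_RESOURCES):
        print(rid, name, "armor OK,", len(armor.splitlines()), "lines")
        # With real rows and the imported private key, call decrypt(armor) here.
```
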

@mayday010

When I log into my passbolt installation, this is what it shows when I hover over the heart in the lower right corner. What does yours show?

mine shows 2.13.5/2.13.5

@mayday010 They don’t have to be the same version, so it’s okay to do the newer one.

Ok, so you followed a process like this post about recovering without email and were able to get back in but the passwords are not decrypting.

Since your key works, I would recommend:

  • reinstalling the most updated browser addon and doing the recover steps again.
  • Check the logs folder in the passbolt root for both debug.log and error.log files - make them if they are missing, and see if there are errors.
  • Also which browser/version are you using?

The advice on the linked post is pretty much exactly what I was looking for, except that I have tried that. when I go to the page
https://<your_domain>/setup/recover/<user_id>/<authentication_token.token>

I am met with the bird, saying “you are not authorized to view that location”, and further it says that my token is not valid or expired. I copied the values straight from the database. The entry is marked as active, but can’t recover.

@mayday010

Try starting the recovery process again. Go to /users/recover path and have it send another email, then check for a new token in the database.

Thanks much. It is working now. Is there a place in the database that holds the private key? It seems that just needed to be updated.


@mayday010

Great!

Actually, the private key is on the client side with the extension.
