User passphrase rotation policy

Q1. What is the problem that you are trying to solve?
As an administrator I want to be able to prompt my users to rotate their private key passphrase.

Original request:

I am thinking about a security feature: to push users in my instance to change their passphrase regularly. Does anybody know how to do it? Maybe some shell script? Or a specialized command in the CLI (I looked through the mailing list and didn't find anything close).

Q2 - Who is impacted?
Administrators that need to ask their users to rotate their passphrase.

Q3 - Why is it important and/or urgent?
This may be needed in case of security incident, such as passphrase disclosure.

Q4 - What is your proposed solution? (optional)
In the user workspace an administrator can select a user and request a passphrase rotation. Passphrase rotation on the client side should trigger an event log entry on the user record.

Additionally, an administrator could configure settings, just like the password expiry policy, to choose a policy that requires a passphrase rotation after a given amount of time.

Q5. Community support
People can vote for this idea to show traction:

  • :ok_woman: Must have: this is critical for me to have this
  • :raising_hand_woman: Should have: this is important for me to have this
  • :tipping_hand_woman: Could have: this could be nice to have
  • :no_good_woman: Won’t have: we should not schedule this (explain why)

Why would you want to do this? The passphrase is used locally to decrypt the private key. Rotating the passphrase regularly will not improve security in most scenarios. For example, it could be useful in the case where an attacker managed to get access to the passphrase but not the private key. If an attacker already has a copy of the private key, rotating the passphrase will not help.

In the meantime what is possible is to prompt your users to select a very strong passphrase. This can be controlled using passphrase policy settings in the Pro Edition.


Well, I have this task and I need to complete it without trying to evade.

There are no built-in functionalities to do this at the moment. The best you can do is send them email notifications to tell them to do it. The server doesn't know when the passphrase is rotated, because it is done locally.