Where does Passbolt save passwords?

Hi all,

We have recently started using Passbolt but it’s still on a test env till we are certain of its capabilities.
I have only been able to find 1 other topic related to password security and that did not give me much comfort.
My question is simple I guess.

  1. How does Passbolt encrypt passwords created or added?
  2. Where are these passwords saved and are they encrypted or plain text?

Thanks in advance!

Hello,

  1. OpenPGP public keys (RSA or ECC)
  2. Passwords are encrypted in the client (Mobile app, browser extension).

See https://www.passbolt.com/docs/files/security_paper.pdf
And https://www.passbolt.com/security

So passwords are encrypted on client side, but still I can add a password manually so I am not sure I quite understand how this works.

Have a read of the white paper; it’s explained there.

I did read it.

The web extension takes care of the sensitive part of the application
such as managing password workspace, the user workspace, the
account setup, login, password input, decryption, share, etc.

And this part is in Data in use:

Passwords, and other optionally encrypted fields such as description,
can be made available in a decrypted form at some point, for example
when using the quick access functionality or by copying a secret to the
clipboard, but they will never be stored in plain text on the filesystem on
either the client or server side.
Secrets are encrypted once per user. When sharing with a group (or
folder) the extension first fetches the group memberships (or folder
permissions) and compiles the final list of recipients. The server in turn
checks that all the recipients are included when a new version of the
secret is published.

If anyone can explain in simple words I would be happy to read their explanation!
Thanks!

Could you re-ask the questions you have after reading the security paper? You posted two snippets but didn’t really include a question there.

From what I have come to understand, when a password is added it is encrypted with the public keys of the authorized users, and then only those users can decrypt the password using their private keys.
The passwords are saved encrypted in the database, am I right?
The public key is saved on the server while the private key is saved on the end user locally?

Yes, all of it is correct.
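To make the model from the security paper quote and the summary above concrete, here is an added example (not Passbolt's code): the client expands group memberships into a recipient list and produces one ciphertext per user, while the server stores only ciphertexts and refuses a new version that does not cover exactly the permitted users. The `encrypt_for` function is a labelled stand-in, not real OpenPGP (the extension uses openpgp.js for that); the user ids, group and resource names are constructed sample data.

```python
# Added example modelling the Passbolt data flow described in the thread; not Passbolt code.
# One ciphertext per recipient is produced on the client; the server holds ciphertexts only.
from dataclasses import dataclass, field
import hashlib

def encrypt_for(public_key: str, plaintext: str) -> str:
    """Stand-in for OpenPGP public-key encryption (assumption: key id == user id).
    It only produces an opaque per-recipient blob so the server check below is meaningful."""
    digest = hashlib.sha256(f"{public_key}:{plaintext}".encode()).hexdigest()[:16]
    return f"-----BEGIN PGP MESSAGE----- (to {public_key}) {digest}"

@dataclass
class Server:
    groups: dict[str, set[str]]                  # group name -> member user ids
    permissions: dict[str, set[str]]             # resource -> user ids and "group:<name>"
    secrets: dict[str, dict[str, str]] = field(default_factory=dict)  # resource -> user -> blob

    def recipients(self, resource: str) -> set[str]:
        """Expand group entries into the final set of users permitted on a resource."""
        users: set[str] = set()
        for entry in self.permissions[resource]:
            if entry.startswith("group:"):
                users |= self.groups[entry.split(":", 1)[1]]
            else:
                users.add(entry)
        return users

    def publish(self, resource: str, ciphertexts: dict[str, str]) -> bool:
        """Accept a new secret version only if there is one ciphertext per permitted user
        and none for anyone else. No plaintext ever reaches this side."""
        if set(ciphertexts) != self.recipients(resource):
            return False
        self.secrets[resource] = dict(ciphertexts)
        return True

def client_share(server: Server, resource: str, plaintext: str) -> dict[str, str]:
    """Client side: fetch memberships, compile recipients, encrypt once per user."""
    return {user: encrypt_for(user, plaintext) for user in server.recipients(resource)}

def demo() -> tuple[bool, bool]:
    srv = Server(groups={"ops": {"alice", "bob"}},
                 permissions={"db-prod": {"carol", "group:ops"}})   # constructed sample ACL
    full = client_share(srv, "db-prod", "s3cret")                  # constructed sample secret
    accepted = srv.publish("db-prod", full)                        # alice, bob, carol all covered
    partial = {u: c for u, c in full.items() if u != "bob"}        # a version that drops bob
    rejected = srv.publish("db-prod", partial)                     # server refuses it
    return accepted, rejected
```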

Well that gave me some clarity. Thanks @remy for the help, much appreciated.