Skip to main content

How to configure Account Recovery

Requirements

You can follow this procedure if you are meeting the following requirements:

  • You are running Passbolt Pro >= v3.6.0 or Passbolt Cloud.
  • You have an active administrator account

How does it work?

Account recovery is a feature introduced with passbolt v3.6.0 that as for aim to help users to recover their accounts in case of recovery kit or passphrase loss.

Depending on the organisation policy, all users will be able to deposit an encrypted backup of their private keys in passbolt. Backups that can only be unlocked cryptographically by the organisation administrators having in their possession the organisation recovery key.

Enable account recovery

To enable account recovery for your organization, navigate to the account recovery administration page: * Administration > Account recovery*.

Choose the organisation policy

By default, the feature is disabled. To enable it, choose among the proposed policies the one that best suits your organization.

Choose account recovery policy
fig. Choose account recovery policy
  • Mandatory: as its name states, users have to subscribe to the program no matter their preferences. New users will be forced to subscribe to the program while registering for the first time while existing users will be prompted to subscribe after signing in to the application.
  • Opt-out: users have the choice to subscribe or reject the program, but they are subscribed by default. Users will be able to set their preferences while registering for the first time while existing users will be prompted to subscribe after signing in to the application.
  • Opt-in: as the opt-out option, users have the choice to subscribe or reject the program, but they are not subscribed by default. New users will be able to set their preferences while registering for the first time and existing users will be able to set their preference via their settings workspace.
  • Disable: as the name states, the program is disabled and nobody will be able to use it.

Set the organisation key

Once you have chosen the organisation policy the next step is to set an organisation key. This key will be used to encrypt the escrow of the organisation users private keys.

Import the organisation key

This method is the recommended one as it will keep your organisation key isolated from passbolt until the moment you need it.

Import account recovery key
fig. Import account recovery key

In order to be accepted, the organisation key should meet these requirements:

  • The key should be public gpg key
  • The key should use the algorithm RSA
  • The key should have a length of 4096 bits
  • The key should have a passphrase
info

If you do not know how to generate an OpenPGP key, checkout the following documentation: how to generate an OpenPGP key.

Generate the organisation key

If you cannot generate an OpenPGP key on your own, we got your back. In the import recovery key dialog, click on the “Generate” tab. From there you will find a tool that will help you to generate your organisation key.

Generate account recovery key
fig. Generate account recovery key
caution

Passbolt will prompt you to save the generated key on your computer. Keep this backup offline in a safe place, it will be required later to update the organisation policy as well as to approve users' recovery requests.

Activate the policy

Once the account recovery policy is configured and its key is set, click "Save settings" to activate the policy.

Confirm account recovery policy
fig. Confirm account recovery policy

On the next step you will be prompted to review the policy. It is advised to do a careful check here before continuing.

Disable account recovery

To disable account recovery for your organization, navigate to the account recovery administration page: * Administration > Account recovery*.

Disable account recovery policy
fig. Disable account recovery policy

Select the policy "Disable" and click on the "Save settings" button on top of the screen. You will be prompted to review the changes and then to provide the organisation key currently in use. This extra check will prevent attackers to disable then enable again the feature with an organisation key of their own.

Provide account recovery key
fig. Provide account recovery key
warning

By disabling account recovery, you will truncate all the relative data. If you decide to enable it again you and the all the users will have to start everything from scratch.

Update account recovery

To update the account recovery policy of your organization, navigate to the account recovery administration page: * Administration > Account recovery*.

Select the policy of your choice and update the organisation key if necessary as explained in the section enable account recovery.

Once you have made your changes, click on the "Save settings" button on top of the screen. You will be prompted to review the changes and to provide the organisation key currently in use. This extra check will prevent attackers to disable then enable again the feature with an organisation key of their own.

Review account recovery changes
fig. Review account recovery changes