How to rotate server GPG keys
Docker installation
With Docker, rotating the passbolt server GPG keys is straightforward. Open a shell inside the passbolt container and delete the current key pair:
rm /etc/passbolt/gpg/serverkey.asc
rm /etc/passbolt/gpg/serverkey_private.asc
Then destroy and recreate the passbolt container; a new server key pair is generated on start-up:
docker-compose up -d --force-recreate
Other installations
Create a temporary GPG home folder. Keep it readable by you only: the key generated below has no passphrase, and gpg warns about a homedir with looser permissions:
mkdir -m 700 /tmp/gpg-temp
Generate new GPG keys:
gpg --homedir /tmp/gpg-temp --batch --no-tty --gen-key <<EOF
Key-Type: default
Key-Length: ${PASSBOLT_KEY_LENGTH:-2048}
Subkey-Type: default
Subkey-Length: ${PASSBOLT_SUBKEY_LENGTH:-2048}
Name-Real: ${PASSBOLT_KEY_NAME:-Passbolt default user}
Name-Email: ${PASSBOLT_KEY_EMAIL:[email protected]}
Expire-Date: ${PASSBOLT_KEY_EXPIRATION:-0}
%no-protection
%commit
EOF
Replace the current GPG server keys with the new ones:
gpg --homedir /tmp/gpg-temp --armor --export ${PASSBOLT_KEY_EMAIL:[email protected]} | sudo tee /etc/passbolt/gpg/serverkey.asc > /dev/null
gpg --homedir /tmp/gpg-temp --armor --export-secret-key ${PASSBOLT_KEY_EMAIL:[email protected]} | sudo tee /etc/passbolt/gpg/serverkey_private.asc > /dev/null
Make sure the owner and group of the new key files are the web server user. Replace www-data with nginx if you are using an RPM-based Linux distribution. The private key carries no passphrase (%no-protection above), so it must not be readable by other users.
sudo chown www-data:www-data /etc/passbolt/gpg/serverkey_private.asc
sudo chown www-data:www-data /etc/passbolt/gpg/serverkey.asc
Get the fingerprint of the new key from the public key file:
sudo gpg --show-keys /etc/passbolt/gpg/serverkey.asc | grep -Ev "^(pub|sub|uid|$)" | tr -d ' '
Check that the private key file reports the same fingerprint:
sudo gpg --show-keys /etc/passbolt/gpg/serverkey_private.asc | grep -Ev "^(pub|sub|uid|$|sec|ssb)" | tr -d ' '
On CentOS 7 the gpg command is quite old and has no --show-keys option. Use these commands instead:
# public key fingerprint
sudo cat /etc/passbolt/gpg/serverkey.asc | gpg --with-fingerprint - | grep -Ev "^(pub|sub|uid|$)" | tr -d ' ' | sed 's/Keyfingerprint=//'
# private key fingerprint
sudo cat /etc/passbolt/gpg/serverkey_private.asc | gpg --with-fingerprint - | grep -Ev "^(pub|sub|uid|$|sec|ssb)" | tr -d ' ' | sed 's/Keyfingerprint=//'
Open the /etc/passbolt/passbolt.php configuration file and replace the old fingerprint with the new one in the passbolt section:
'passbolt' => [
// GPG Configuration.
// The keyring must be owned and accessible by the webserver user.
// Example: www-data user on Debian
'gpg' => [
// Main server key.
'serverKey' => [
// Server private key fingerprint.
'fingerprint' => 'XXXXXXXXXXXXXXXXXXXXXXXXXXXX',
'public' => CONFIG . DS . 'gpg' . DS . 'serverkey.asc',
'private' => CONFIG . DS . 'gpg' . DS . 'serverkey_private.asc',
],
],
Run the GPG healthcheck to find the GNUPGHOME folder passbolt uses (usually /var/lib/passbolt/.gnupg, but it can differ if you installed passbolt from sources):
sudo -H -u www-data bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck --gpg" | grep GNUPGHOME
Delete the current GNUPGHOME folder: it still holds the old server key, and it is recreated automatically.
sudo rm -rf /var/lib/passbolt/.gnupg
On your next connection through the web interface you will get a warning that the server key has changed.
You can now delete the temporary GPG home folder:
rm -rf /tmp/gpg-temp
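The whole "Other installations" procedure above as one script. This is an added example, not passbolt's own tooling: it generates the key in a temporary home, refuses to replace anything unless the exported public and private blocks carry the same fingerprint, installs both files with the web server user as owner and the private key readable by that user only, rewrites the fingerprint in passbolt.php (keeping a .bak copy), drops the stale GNUPGHOME and re-runs the healthcheck. Everything path-like is an assumption taken from the Debian package layout used on this page and can be overridden with environment variables: /etc/passbolt/gpg, /etc/passbolt/passbolt.php, www-data, /usr/share/php/passbolt/bin/cake and /var/lib/passbolt/.gnupg; the default e-mail passbolt@example.com is a placeholder, not a passbolt default. Run it as root.

```shell
#!/usr/bin/env bash
# Added example (not passbolt's own tooling): rotate the server GPG key pair in one
# go, checking that the exported public and private blocks agree before touching the
# live files. Run as root; adjust the assumed paths below for your install.
set -eu

GPG_DIR=${GPG_DIR:-/etc/passbolt/gpg}
PASSBOLT_CONFIG=${PASSBOLT_CONFIG:-/etc/passbolt/passbolt.php}
WEB_USER=${WEB_USER:-www-data}                            # nginx on RPM-based distributions
CAKE=${CAKE:-/usr/share/php/passbolt/bin/cake}
GNUPGHOME_DIR=${GNUPGHOME_DIR:-/var/lib/passbolt/.gnupg}  # confirm with: cake passbolt healthcheck --gpg
KEY_EMAIL=${PASSBOLT_KEY_EMAIL:-passbolt@example.com}     # placeholder, not a passbolt default

# Pick the primary-key fingerprint out of gpg's machine-readable (--with-colons)
# listing: the first "fpr" record, field 10. Reads stdin so it is testable without gpg.
fingerprint_from_colons() {
    awk -F: '$1 == "fpr" && !found { print $10; found = 1 }'
}

# Fingerprint of an armored key file (public or secret block). Needs gpg >= 2.1;
# on CentOS 7 replace --show-keys with --with-fingerprint, as the page describes.
key_fingerprint() {
    gpg --batch --with-colons --show-keys "$1" | fingerprint_from_colons
}

# Replace the serverKey fingerprint in passbolt.php, keeping a .bak copy. Bails out
# unless exactly one 'fingerprint' entry is present, so a config with several keys
# is never edited blindly.
set_config_fingerprint() {
    local config=$1 fpr=$2 n
    n=$(grep -c "'fingerprint' => '" "$config" || true)
    if [ "$n" -ne 1 ]; then
        echo "expected one 'fingerprint' entry in $config, found $n" >&2
        return 1
    fi
    sed -i.bak -E "s/('fingerprint' => ')[0-9A-Za-z]*(')/\1${fpr}\2/" "$config"
}

rotate_server_key() {
    local tmp_home pub_fpr priv_fpr
    tmp_home=$(mktemp -d)          # mode 0700: the key generated below has no passphrase
    trap 'rm -rf "$tmp_home"' EXIT

    gpg --homedir "$tmp_home" --batch --no-tty --gen-key <<EOF
Key-Type: default
Key-Length: ${PASSBOLT_KEY_LENGTH:-2048}
Subkey-Type: default
Subkey-Length: ${PASSBOLT_SUBKEY_LENGTH:-2048}
Name-Real: ${PASSBOLT_KEY_NAME:-Passbolt default user}
Name-Email: ${KEY_EMAIL}
Expire-Date: ${PASSBOLT_KEY_EXPIRATION:-0}
%no-protection
%commit
EOF

    # Stage the exports in the temporary home; the live files change only after the check.
    gpg --homedir "$tmp_home" --armor --export "$KEY_EMAIL" > "$tmp_home/serverkey.asc"
    gpg --homedir "$tmp_home" --armor --export-secret-key "$KEY_EMAIL" > "$tmp_home/serverkey_private.asc"

    pub_fpr=$(key_fingerprint "$tmp_home/serverkey.asc")
    priv_fpr=$(key_fingerprint "$tmp_home/serverkey_private.asc")
    if [ -z "$pub_fpr" ] || [ "$pub_fpr" != "$priv_fpr" ]; then
        echo "fingerprint mismatch: public='$pub_fpr' private='$priv_fpr'" >&2
        return 1
    fi

    # Keep the old pair next to the new one, then install with tight modes: the
    # private key is unprotected, so only the web server user may read it.
    cp -a "$GPG_DIR/serverkey.asc" "$GPG_DIR/serverkey.asc.bak"
    cp -a "$GPG_DIR/serverkey_private.asc" "$GPG_DIR/serverkey_private.asc.bak"
    install -o "$WEB_USER" -g "$WEB_USER" -m 0644 "$tmp_home/serverkey.asc" "$GPG_DIR/serverkey.asc"
    install -o "$WEB_USER" -g "$WEB_USER" -m 0600 "$tmp_home/serverkey_private.asc" "$GPG_DIR/serverkey_private.asc"

    set_config_fingerprint "$PASSBOLT_CONFIG" "$pub_fpr"

    # Drop the keyring that still holds the old key; passbolt recreates it.
    rm -rf "$GNUPGHOME_DIR"
    sudo -H -u "$WEB_USER" bash -c "$CAKE passbolt healthcheck --gpg"
    echo "server key rotated, new fingerprint: $pub_fpr"
}

# Nothing runs unless asked for, so the helpers can also be sourced on their own.
if [ "${1:-}" = "rotate" ]; then
    rotate_server_key
fi
```

Invoke it as `./rotate-server-key.sh rotate`. The fingerprint comparison is the step worth keeping even if you type the commands by hand: a config pointing at a fingerprint that does not match the private key file is exactly what the healthcheck at the end would flag, and the script never installs such a pair.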