Help Search

How to rotate server GPG keys

Docker installation

It is quite simple with docker to rotate your passbolt server GPG keys. Connect yourself inside the passbolt container and delete the keys:

rm /etc/passbolt/gpg/serverkey.asc
rm /etc/passbolt/gpg/serverkey_private.asc

Destroy then recreate passbolt container and new GPG server keys will be generated.

docker-compose up -d --force-recreate

Other installations

Create a temporary GPG home folder:

mkdir /tmp/gpg-temp

Generate new GPG keys:

gpg --homedir /tmp/gpg-temp --batch --no-tty --gen-key <<EOF
    Key-Type: default
    Key-Length: ${PASSBOLT_KEY_LENGTH:-2048}
    Subkey-Type: default
    Subkey-Length: ${PASSBOLT_SUBKEY_LENGTH:-2048}
    Name-Real: ${PASSBOLT_KEY_NAME:-Passbolt default user}
    Name-Email: ${PASSBOLT_KEY_EMAIL:[email protected]}
    Expire-Date: ${PASSBOLT_KEY_EXPIRATION:-0}
    %no-protection
    %commit
EOF

Replace the current GPG server keys with the new ones:

gpg --homedir /tmp/gpg-temp --armor --export ${PASSBOLT_KEY_EMAIL:[email protected]} | sudo tee /etc/passbolt/gpg/serverkey.asc > /dev/null
gpg --homedir /tmp/gpg-temp --armor --export-secret-key ${PASSBOLT_KEY_EMAIL:[email protected]} | sudo tee /etc/passbolt/gpg/serverkey_private.asc > /dev/null

Ensure new GPG keys owner and group are correct. Replace www-data with nginx if you are using RPM-based Linux distribution.

sudo chown www-data:www-data /etc/passbolt/gpg/serverkey_private.asc
sudo chown www-data:www-data /etc/passbolt/gpg/serverkey.asc

Get new GPG keys fingerprint from public key:

sudo gpg --show-keys /etc/passbolt/gpg/serverkey.asc | grep -Ev "^(pub|sub|uid|$)" | tr -d ' '

Ensure the fingerprint from private key is the same:

sudo gpg --show-keys /etc/passbolt/gpg/serverkey_private.asc | grep -Ev "^(pub|sub|uid|$|sec|ssb)" | tr -d ' '

CentOS7 gpg command is quite old and has no –show-keys parameter. Use these commands instead:

# public key fingerprint
sudo cat /etc/passbolt/gpg/serverkey.asc | gpg --with-fingerprint - | grep -Ev "^(pub|sub|uid|$)" | tr -d ' ' | sed 's/Keyfingerprint=//'
# private key fingerprint
sudo cat /etc/passbolt/gpg/serverkey_private.asc | gpg --with-fingerprint - | grep -Ev "^(pub|sub|uid|$|sec|ssb)" | tr -d ' ' | sed 's/Keyfingerprint=//'

Open /etc/passbolt/passbolt.php configuration file and replace old fingerprint with the new one in the passbolt section:

    'passbolt' => [
        // GPG Configuration.
        // The keyring must to be owned and accessible by the webserver user.
        // Example: www-data user on Debian
        'gpg' => [
            // Main server key.
            'serverKey' => [
                // Server private key fingerprint.
                'fingerprint' => 'XXXXXXXXXXXXXXXXXXXXXXXXXXXX',
                'public' => CONFIG . DS . 'gpg' . DS . 'serverkey.asc',
                'private' => CONFIG . DS . 'gpg' . DS . 'serverkey_private.asc',
            ],
        ],

Launch a healthcheck command to get passbolt GNUPGHOME folder (usually /var/lib/passbolt/.gnupg but can be different if you installed passbolt from sources):

 sudo -H -u www-data bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck --gpg" | grep GNUPGHOME

Delete the current GNUPGHOME folder, it will be automatically recreated.

sudo rm -rf /var/lib/passbolt/.gnupg

On next connection through web interface, you will get a warning that the server key has been changed:

Server key has changed fig. Server key has changed

You can now delete the temporary GPG home folder:

rm -rf /tmp/gpg-temp

Not finding what you are looking for? You can also ask the community on the forum.

Talk to a human
🍪   Do you accept cookies for statistical purposes? (Read more) Accept No thanks!