Encrypted Metadata

Configure which metadata format (encrypted v5 or legacy cleartext v4) is used for new resources. You can enable both formats during migration, or enforce only encrypted metadata for new installations.

What is Metadata Encryption?

Metadata encryption encrypts:

  • Resource names, usernames, URLs, descriptions, and custom field keys

Watch the metadata encryption video (YouTube)

Requirements and Warnings

Requirements:

  • API version v5.2 or higher
  • A shared metadata key (generated automatically on installation)

Warnings:

  • Enabling encrypted metadata affects the auditability of resource metadata, which is no longer stored in cleartext
  • Migrating content to encrypted metadata might break your in-house integration with passbolt
  • See Metadata Key for key distribution configuration

Configuration Options

Navigate to Organisation settings > Content types > Encrypted metadata to configure metadata encryption options:

Encrypted metadata configuration options in Passbolt

Enable Encrypted Metadata

Enables support for encrypted metadata (v5 format). New resources can use encrypted fields for name, username, URI, and description.

Enable Legacy Cleartext Metadata

Enables support for legacy v4 formats with unencrypted metadata. When enabled, legacy metadata formats can be selectively re-enabled by content type on the Allow Content Types page.

Default Metadata Type

Choose the default metadata format for newly created resources:

  • Encrypted metadata (recommended)
  • Legacy cleartext metadata

Note: This option is only visible and configurable when both "Enable Encrypted Metadata" and "Enable Legacy Cleartext Metadata" options are enabled above.

Self-Served Migration

Allow users to manage their own format changes:

  • Upgrade from cleartext to encrypted: Users can convert their existing resources from cleartext to encrypted format
  • Downgrade from encrypted to cleartext: Users can convert their existing resources from encrypted to cleartext format

Note: These migration options are only relevant when both metadata formats are enabled.

Important Considerations

Caution: Legacy cleartext metadata is less secure and not recommended for new resources. Consider using encrypted metadata for all new resources.

To implement encrypted metadata:

  1. Configure encryption settings on this page
  2. Configure key distribution in Metadata Key
  3. Enable content types in Allow Content Types
  4. Migrate existing resources using Migrate Metadata if needed