Encrypted Metadata
This section defines the global metadata encryption strategy for the instance. Administrators can enable encrypted and legacy formats, choose defaults, and permit user-driven migration.

What is Metadata Encryption?
Metadata encryption allows you to encrypt various types of content:
- Resource metadata (names, usernames, URLs)
- Folder names and structure
- Tag names and labels
- Comments and notes
- Custom fields and values
Supported Content Types
When encrypted metadata is enabled, the following content types are protected:
| Content Type | Protected Fields | Notes |
|---|---|---|
| Password Resources | Name, Username, URI, Description, Custom fields | Most common resource type |
| TOTP Resources | Name, Username, URI, Description, Custom fields | For time-based one-time passwords |
| Custom Fields | Field name, Field value, Field type, Field description | Can be added to any resource |
| Resource Metadata | Tags, Categories, Properties, Relationships | Additional resource information |
All content types use the same encryption method, ensuring consistent security across your metadata.
Requirements and Warnings
Requirements:
- API version v5.2 or higher
Warnings:
- Enabling encrypted metadata affects the auditability of resource metadata, which will no longer be stored in cleartext
- Migrating content to encrypted metadata might break your in-house integration with Passbolt
- A metadata key should be enabled to allow users to create resources with encrypted metadata. See Metadata Key
Configuration Options
Navigate to Organisation settings > Content types > Encrypted metadata to configure metadata encryption options:

If you enable encrypted metadata but haven't generated a shared key on the Metadata Key page, you'll see a warning message.
Enable Encrypted Metadata
Enables support for encrypted metadata. New resources can store fields like name, username, and URI securely.
This setting will not take effect until a metadata key is created on the Metadata Key page.
Enable Legacy Cleartext Metadata
Enables support for legacy v4 formats with unencrypted metadata. When enabled, legacy metadata formats can be selectively re-enabled by content type on the Allow Content Types page.
Default Metadata Type
Choose the default metadata format for newly created resources:
- Encrypted metadata (recommended)
- Legacy cleartext metadata
This option is only visible and configurable when both "Enable Encrypted Metadata" and "Enable Legacy Cleartext Metadata" options are enabled above.
Self-Served Migration
Allow users to manage their own format changes:
- Upgrade from cleartext to encrypted: Users can convert their existing resources from cleartext to encrypted format
- Downgrade from encrypted to cleartext: Users can convert their existing resources from encrypted to cleartext format
These migration options are only relevant when both metadata formats are enabled.
Important Considerations
Legacy cleartext metadata is less secure and not recommended for new resources. Consider using encrypted metadata for all new resources.
To fully implement encrypted metadata:
- Generate a metadata key on the Metadata Key page
- Configure the encryption settings on this page
- Enable the desired content types in Allow Content Types
- Migrate existing resources using Migrate Metadata if needed
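The options above depend on one another (the default type is only a choice when both formats are enabled, migration flags only matter when both are enabled, and encrypted metadata needs a metadata key). The following added example, not part of the Passbolt documentation or code base, encodes those rules as a consistency check an administrator could run before applying a configuration; the field names are hypothetical and do not correspond to Passbolt's settings API.

```python
"""Consistency check for the Encrypted Metadata options described on this page.

Assumption: the field names below are hypothetical and mirror the page's option
labels; they are not Passbolt's real settings API keys.
"""
from dataclasses import dataclass


@dataclass
class MetadataSettings:
    api_version: str                    # e.g. "5.2.0"
    encrypted_enabled: bool             # "Enable Encrypted Metadata"
    legacy_cleartext_enabled: bool      # "Enable Legacy Cleartext Metadata"
    default_type: str = "encrypted"     # "encrypted" or "cleartext"
    allow_upgrade: bool = False         # self-served cleartext -> encrypted
    allow_downgrade: bool = False       # self-served encrypted -> cleartext
    metadata_key_present: bool = False  # a shared key exists on the Metadata Key page


def _version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def check_settings(s: MetadataSettings) -> dict:
    """Return errors, warnings and the format new resources will actually get."""
    errors, warnings = [], []
    if _version_tuple(s.api_version) < (5, 2):
        errors.append("API v5.2 or higher is required for encrypted metadata")
    if not (s.encrypted_enabled or s.legacy_cleartext_enabled):
        errors.append("at least one metadata format must be enabled")
    if s.encrypted_enabled and not s.metadata_key_present:
        warnings.append("encrypted metadata is enabled but no metadata key exists; "
                        "users cannot create encrypted resources until one is generated")
    both = s.encrypted_enabled and s.legacy_cleartext_enabled
    # The default is only a choice when both formats are enabled; otherwise
    # the single enabled format is the effective default.
    if both:
        effective = s.default_type
    elif s.encrypted_enabled:
        effective = "encrypted"
    else:
        effective = "cleartext"
    if effective == "cleartext":
        warnings.append("new resources default to legacy cleartext metadata "
                        "(less secure, not recommended)")
    if (s.allow_upgrade or s.allow_downgrade) and not both:
        warnings.append("self-served migration flags have no effect unless both "
                        "formats are enabled")
    if s.allow_downgrade:
        warnings.append("downgrade to cleartext is allowed: names, usernames and "
                        "URIs of converted resources will be stored in clear again")
    return {"errors": errors, "warnings": warnings, "effective_default": effective}
```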