Skip to main content

How can I rotate the server GPG keys?

Docker installation

It is quite simple with docker to rotate your passbolt server GPG keys. Connect yourself inside the passbolt container and delete the keys:

rm /etc/passbolt/gpg/serverkey.asc
rm /etc/passbolt/gpg/serverkey_private.asc

Destroy then recreate passbolt container and new GPG server keys will be generated.

docker compose up -d --force-recreate

Other installations

Create a temporary GPG home folder:

mkdir /tmp/gpg-temp

Generate new GPG keys:

gpg --homedir /tmp/gpg-temp --batch --no-tty --gen-key <<EOF
Key-Type: default
Key-Length: ${PASSBOLT_KEY_LENGTH:-2048}
Subkey-Type: default
Subkey-Length: ${PASSBOLT_SUBKEY_LENGTH:-2048}
Name-Real: ${PASSBOLT_KEY_NAME:-Passbolt default user}
Name-Email: ${PASSBOLT_KEY_EMAIL:-[email protected]}
Expire-Date: ${PASSBOLT_KEY_EXPIRATION:-0}
%no-protection
%commit
EOF

Replace the current GPG server keys with the new ones:

gpg --homedir /tmp/gpg-temp --armor --export ${PASSBOLT_KEY_EMAIL:-[email protected]} | sudo tee /etc/passbolt/gpg/serverkey.asc > /dev/null
gpg --homedir /tmp/gpg-temp --armor --export-secret-key ${PASSBOLT_KEY_EMAIL:-[email protected]} | sudo tee /etc/passbolt/gpg/serverkey_private.asc > /dev/null

Ensure new GPG keys owner and group are correct. Replace www-data with nginx if you are using RPM-based Linux distribution.

sudo chown www-data:www-data /etc/passbolt/gpg/serverkey_private.asc
sudo chown www-data:www-data /etc/passbolt/gpg/serverkey.asc

Get new GPG keys fingerprint from public key:

sudo gpg --show-keys /etc/passbolt/gpg/serverkey.asc | grep -Ev "^(pub|sub|uid|$)" | tr -d ' '

Ensure the fingerprint from private key is the same:

sudo gpg --show-keys /etc/passbolt/gpg/serverkey_private.asc | grep -Ev "^(pub|sub|uid|$|sec|ssb)" | tr -d ' '

CentOS 7 gpg command is quite old and has no –show-keys parameter. Use these commands instead:

# public key fingerprint
sudo cat /etc/passbolt/gpg/serverkey.asc | gpg --with-fingerprint - | grep -Ev "^(pub|sub|uid|$)" | tr -d ' ' | sed 's/Keyfingerprint=//'
# private key fingerprint
sudo cat /etc/passbolt/gpg/serverkey_private.asc | gpg --with-fingerprint - | grep -Ev "^(pub|sub|uid|$|sec|ssb)" | tr -d ' ' | sed 's/Keyfingerprint=//'

Open /etc/passbolt/passbolt.php configuration file and replace old fingerprint with the new one in the passbolt section:

    'passbolt' => [
// GPG Configuration.
// The keyring must to be owned and accessible by the webserver user.
// Example: www-data user on Debian
'gpg' => [
// Main server key.
'serverKey' => [
// Server private key fingerprint.
'fingerprint' => 'XXXXXXXXXXXXXXXXXXXXXXXXXXXX',
'public' => CONFIG . DS . 'gpg' . DS . 'serverkey.asc',
'private' => CONFIG . DS . 'gpg' . DS . 'serverkey_private.asc',
],
],

Launch a healthcheck command to get passbolt GNUPGHOME folder (usually /var/lib/passbolt/.gnupg but can be different if you installed passbolt from source):

sudo -H -u www-data bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck --gpg" | grep GNUPGHOME

Delete the current GNUPGHOME folder, it will be automatically recreated.

sudo rm -rf /var/lib/passbolt/.gnupg

On next connection through web interface, you will get a warning that the server key has been changed:

Server key has changed
fig. Server key has changed

You can now delete the temporary GPG home folder:

rm -rf /tmp/gpg-temp