Skip to main content

Account Recovery with the Help of an Administrator


This feature needs to be activated by your administrator first and you need to have completed the setup for your user account. The feature is currently not available in the community edition.

The Account recovery is a feature introduced with passbolt v3.6.0 that as for aim to help users to recover their accounts in the scenario where they have lost their recovery kit and/or passphrase.

The way it works is that during setup, the user will share an encrypted version of their private key. The private key material is encrypted using an organization recovery key.


You can follow this procedure if you are meeting the following requirements:

  • Your organisation is running Passbolt Pro > v3.6.0 or Passbolt Cloud.
  • Account recovery was setup for your organization by your administrator.
  • You are in possession of a valid user account (you have completed the setup, and you are not suspended);
  • You subscribed to the account recovery program while installing passbolt for the first time or via in your user settings workspace.


There are 2 ways to start the procedure:

  1. Assuming the browser extension is configured but the passphrase is lost: users can, at any time, click on the “help, I lost my passphrase” link in the sign in screen. An email will be sent to them to start the procedure.
Login screen with lost passphrase
fig. Login screen - lost passphrase
  1. Assuming users are configuring Passbolt for a new browser or a new browser profile: during the process, they will be prompted to provide a recovery kit and its passphrase. If one of the information is missing, users can click on the “help, I lost my private key” link. Users will receive an email to start the procedure.
Setup on a new device with lost passphrase
fig. Setup on a new device - lost passphrase

How does the account recovery procedure look like

  1. Users have asked for an account recovery and just received an email to start. The email contains a link that brings the users to the account recovery request page. Pay attention that at this moment, the browser being used must be the one on which the browser extension has to be configured to access the application. If the browser or profile is changed during the process users will be blocked at some point and might need to restart from the beginning.

  2. Users are prompted to provide a new passphrase and set their security token. Please note that the chosen passphrase is not a temporary one and will be the new passphrase to sign in. It’s the same for the security token.

  3. After these steps, an email is sent to the administrators to tell them that an account recovery has been requested. Users need to wait for them to accept the account recovery request (they could also reject it if they wish and users won’t be able to finish the recovery process).

  4. If they reject or accept the request an email is sent to inform the users about their choice. If it’s accepted, the email contains a link that users can follow to go on with the account recovery procedure.

  5. At this step, users are asked to provide the passphrase they chose previously. If they don’t remember it, they’re still able to request for another account recovery from the interface. After entering the right passphrase, the browser extension will sign the users in after ensuring they have downloaded their new recovery kit.

Going further

To know more about account recovery, checkout the following: