Passbolt: Essential Tips for Successful Self-Hosting

Passbolt is an open-source, self-hosted password manager designed for teams, offering a secure, customizable solution with complete control over your data. It stands out with its end-to-end encryption, API-first architecture, and seamless integration into existing workflows. This guide will walk you through installing Passbolt, configuring it for optimal performance, and leveraging its features for secure, efficient password management.

Installing Passbolt

📦 Docker/Docker Compose Setup

Docker provides an efficient way to deploy Passbolt. Create the following docker-compose.yml file:

version: '3.8'

services:

passbolt:

image: passbolt/passbolt:latest

container_name: passbolt

environment:

APP_FULL_BASE_URL: "https://yourdomain.com"

DATASOURCES_DEFAULT_HOST: "db"

DATASOURCES_DEFAULT_USERNAME: "passbolt_user"

DATASOURCES_DEFAULT_PASSWORD: "yourpassword"

DATASOURCES_DEFAULT_DATABASE: "passbolt_db"

volumes:

- ./passbolt/config:/etc/passbolt

- ./passbolt/gpg:/var/www/passbolt/config/gpg

- ./passbolt/uploads:/var/www/passbolt/webroot/uploads

ports:

- "8080:80"

depends_on:

- db

db:

image: mariadb:10.6

container_name: passbolt_db

environment:

MYSQL_ROOT_PASSWORD: "rootpassword"

MYSQL_DATABASE: "passbolt_db"

MYSQL_USER: "passbolt_user"

MYSQL_PASSWORD: "yourpassword"

volumes:

- ./db_data:/var/lib/mysql

To start the containers, run:

docker-compose up -d

This will spin up Passbolt and a MariaDB database. Ensure your volumes are correctly mapped for persistence.

🚀 Manual Installation

For a manual installation on a Linux server (e.g., Ubuntu 22.04), follow these steps:

1. Install dependencies:

sudo apt update

sudo apt install -y nginx mariadb-server php php-mysql php-gnupg unzip

2. Download and set up Passbolt:

wget https://github.com/passbolt/passbolt_api/releases/latest/download/passbolt-ce-ubuntu-installer.tar.gz

tar -xzvf passbolt-ce-ubuntu-installer.tar.gz

cd passbolt-installer

sudo ./install_passbolt.sh

3. Follow the prompts to complete the installation.

Configuring Nginx as a Reverse Proxy

🌐 Nginx Configuration

To serve Passbolt with Nginx, create a new server block:

sudo nano /etc/nginx/sites-available/passbolt

Paste the following:

server {

listen 80;

server_name yourdomain.com;

location / {

proxy_pass http://127.0.0.1:8080;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

}

}

Enable the configuration:

sudo ln -s /etc/nginx/sites-available/passbolt /etc/nginx/sites-enabled

sudo nginx -t

sudo systemctl reload nginx

🔒 SSL/TLS Setup

Secure Passbolt with Let's Encrypt:

sudo apt install certbot python3-certbot-nginx

sudo certbot --nginx -d yourdomain.com

Automate certificate renewals:

sudo systemctl enable certbot.timer

🛠️ Testing and Reloading Nginx

Validate your setup:

sudo nginx -t

sudo systemctl reload nginx

Visit https://yourdomain.com to verify the app is running behind Nginx.

Logging and Debugging Passbolt

🗃️ Enabling Debug Logs

Enable debug-level logging in Passbolt. Edit the Passbolt configuration file:

sudo nano /etc/passbolt/passbolt.php

Set:

'debug' => true,

📄 Viewing Logs

For Docker:

docker logs passbolt

For manual installs:

tail -f /var/www/passbolt/logs/error.log

🛠️ Troubleshooting Common Issues

Check for database connection issues:

docker exec -it passbolt ping db

Verify GPG key setup:

gpg --list-keys

📤 Exporting Logs

To send logs to an external system (e.g., ELK stack), configure filebeat or forward logs via syslog.

Backup and Restore

🗂️ File-Based Backups

Backup Passbolt configuration and GPG keys:

tar -czvf passbolt_backup.tar.gz /etc/passbolt /var/www/passbolt/config/gpg

🔄 Database Backups

Export the database:

docker exec passbolt_db mysqldump -u root -p passbolt_db > passbolt_db_backup.sql

Restore:

docker exec -i passbolt_db mysql -u root -p passbolt_db < passbolt_db_backup.sql

📅 Automated Backup Scripts

Add a cron job for periodic backups:

crontab -e

Insert:

0 2 * * * docker exec passbolt_db mysqldump -u root -p passbolt_db > /backups/passbolt_db_$(date +\%F).sql

Updating and Upgrading Passbolt

⬆️ Updating Docker Images

Pull the latest image and redeploy:

docker-compose pull

docker-compose down

docker-compose up -d

🛠️ Manual Updates

For manual installs:

cd /var/www/passbolt

sudo git pull origin master

sudo composer install --no-dev

sudo chown -R www-data:www-data /var/www/passbolt

🔍 Checking for Updates

Stay informed about updates via the Passbolt repository:

sudo apt update && sudo apt list --upgradable

Leveraging Passbolt’s Unique Features

🔧 Enabling APIs

Enable the Passbolt REST API. Edit the configuration file:

sudo nano /etc/passbolt/passbolt.php

Set:

'Features' => [

'API' => true,

],

🌟 Advanced Configurations

Customize Passbolt by integrating tools such as Slack or Microsoft Teams for notifications. Configure SMTP for email:

sudo nano /etc/passbolt/passbolt.php

Add:

'EmailTransport' => [

'default' => [

'host' => 'smtp.yourprovider.com',

'port' => 587,

'username' => 'your-email',

'password' => 'your-password',

'tls' => true

]

],

Wrapping Up

This guide provided a complete walkthrough for deploying, configuring, and managing Passbolt effectively. By following these steps, you can ensure a secure, self-hosted password management solution tailored to your team's needs. With its extensive features and flexibility, Passbolt empowers you to take full control of your sensitive credentials. Start implementing these configurations today and enjoy the benefits of secure, streamlined password management!