Passbolt is an open-source, self-hosted password manager designed for teams, offering a secure, customizable solution with complete control over your data. It stands out with its end-to-end encryption, API-first architecture, and seamless integration into existing workflows. This guide will walk you through installing Passbolt, configuring it for optimal performance, and leveraging its features for secure, efficient password management.
Installing Passbolt
📦 Docker/Docker Compose Setup
Docker provides an efficient way to deploy Passbolt. Create the following docker-compose.yml file:
version: '3.8'
services:
  passbolt:
    image: passbolt/passbolt:latest
    container_name: passbolt
    environment:
      APP_FULL_BASE_URL: "https://yourdomain.com"
      DATASOURCES_DEFAULT_HOST: "db"
      DATASOURCES_DEFAULT_USERNAME: "passbolt_user"
      # Placeholder: must match MYSQL_PASSWORD in the db service
      DATASOURCES_DEFAULT_PASSWORD: "yourpassword"
      DATASOURCES_DEFAULT_DATABASE: "passbolt_db"
    volumes:
      - ./passbolt/config:/etc/passbolt
      - ./passbolt/gpg:/var/www/passbolt/config/gpg
      - ./passbolt/uploads:/var/www/passbolt/webroot/uploads
    ports:
      # Host port 8080 is the upstream the Nginx reverse proxy points at
      - "8080:80"
    depends_on:
      - db
  db:
    image: mariadb:10.6
    container_name: passbolt_db
    environment:
      # Placeholders: replace both passwords with strong, unique values
      MYSQL_ROOT_PASSWORD: "rootpassword"
      MYSQL_DATABASE: "passbolt_db"
      MYSQL_USER: "passbolt_user"
      MYSQL_PASSWORD: "yourpassword"
    volumes:
      - ./db_data:/var/lib/mysql
To start the containers, run:
docker-compose up -d
This will spin up Passbolt and a MariaDB database. Ensure your volumes are correctly mapped for persistence.
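The compose file above carries its database passwords as literals. As an added example (not part of the original guide), this script generates them into a mode-600 .env file and lists any password keys in a compose file that are still literals; the variable names PASSBOLT_DB_PASSWORD and DB_ROOT_PASSWORD and the function names are assumptions.

```shell
#!/bin/sh
# Added example: keep the database credentials out of docker-compose.yml.
# PASSBOLT_DB_PASSWORD and DB_ROOT_PASSWORD are assumed variable names.

# rand_hex: 24 bytes from the kernel CSPRNG, hex-encoded (48 characters).
rand_hex() {
    od -An -tx1 -N24 /dev/urandom | tr -d ' \n'
}

# write_env FILE: create FILE with mode 600. Refuses to overwrite, because the
# MariaDB image only applies its password variables when the data directory is
# first initialised; regenerating later would lock Passbolt out of the database.
write_env() {
    env_file=$1
    if [ -e "$env_file" ]; then
        echo "refusing to overwrite $env_file" >&2
        return 1
    fi
    (
        umask 077
        {
            printf 'PASSBOLT_DB_PASSWORD=%s\n' "$(rand_hex)"
            printf 'DB_ROOT_PASSWORD=%s\n' "$(rand_hex)"
        } > "$env_file"
    )
}

# literal_secrets FILE: print the *PASSWORD keys in a compose file whose value
# is a literal instead of a ${VAR} reference. Prints nothing when clean.
literal_secrets() {
    grep -E '^[[:space:]]*[A-Z_]*PASSWORD:' "$1" | grep -vF '${' |
        sed 's/^[[:space:]]*//; s/:.*//'
}

# Usage: write_env .env && literal_secrets docker-compose.yml
```

With the .env file next to docker-compose.yml, Compose substitutes ${PASSBOLT_DB_PASSWORD} and ${DB_ROOT_PASSWORD} wherever the compose file references them.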
🚀 Manual Installation
For a manual installation on a Linux server (e.g., Ubuntu 22.04), follow these steps:
- Install dependencies:
  sudo apt update
  sudo apt install -y nginx mariadb-server php php-mysql php-gnupg unzip
- Download and set up Passbolt:
  wget https://github.com/passbolt/passbolt_api/releases/latest/download/passbolt-ce-ubuntu-installer.tar.gz
  tar -xzvf passbolt-ce-ubuntu-installer.tar.gz
  cd passbolt-installer
  sudo ./install_passbolt.sh
- Follow the prompts to complete the installation.
Configuring Nginx as a Reverse Proxy
🌐 Nginx Configuration
To serve Passbolt with Nginx, create a new server block:
sudo nano /etc/nginx/sites-available/passbolt
Paste the following:
server {
    listen 80;
    server_name yourdomain.com;
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Enable the configuration:
sudo ln -s /etc/nginx/sites-available/passbolt /etc/nginx/sites-enabled
sudo nginx -t
sudo systemctl reload nginx
🔒 SSL/TLS Setup
Secure Passbolt with Let's Encrypt:
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d yourdomain.com
Automate certificate renewals:
sudo systemctl enable certbot.timer
🛠️ Testing and Reloading Nginx
Validate your setup:
sudo nginx -t
sudo systemctl reload nginx
Visit https://yourdomain.com to verify the app is running behind Nginx.
Logging and Debugging Passbolt
🗃️ Enabling Debug Logs
Enable debug-level logging in Passbolt only while troubleshooting, since debug mode returns detailed error output to clients. Edit the Passbolt configuration file:
sudo nano /etc/passbolt/passbolt.php
Set:
'debug' => true,
📄 Viewing Logs
For Docker:
docker logs passbolt
For manual installs:
tail -f /var/www/passbolt/logs/error.log
🛠️ Troubleshooting Common Issues
Check for database connection issues:
docker exec -it passbolt ping db
Verify GPG key setup:
gpg --list-keys
📤 Exporting Logs
To send logs to an external system (e.g., ELK stack), configure filebeat or forward logs via syslog.
Backup and Restore
🗂️ File-Based Backups
Backup Passbolt configuration and GPG keys:
tar -czvf passbolt_backup.tar.gz /etc/passbolt /var/www/passbolt/config/gpg
🔄 Database Backups
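Export the database (the root password is read from the container's MYSQL_ROOT_PASSWORD variable, because a bare -p prompt cannot be answered when no terminal is attached):
docker exec passbolt_db sh -c 'exec mysqldump -u root -p"$MYSQL_ROOT_PASSWORD" passbolt_db' > passbolt_db_backup.sql
Restore:
docker exec -i passbolt_db sh -c 'exec mysql -u root -p"$MYSQL_ROOT_PASSWORD" passbolt_db' < passbolt_db_backup.sql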
📅 Automated Backup Scripts
Add a cron job for periodic backups:
crontab -e
Insert:
0 2 * * * docker exec passbolt_db sh -c 'exec mysqldump -u root -p"$MYSQL_ROOT_PASSWORD" passbolt_db' > /backups/passbolt_db_$(date +\%F).sql
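The cron line above creates the output file before the dump runs, so a failed dump still leaves a file behind. As an added example (not part of the original guide), this script dumps to a temporary file, accepts it only if it ends with mysqldump's completion trailer, and prunes old copies; BACKUP_DIR, KEEP and the function names are assumptions, while passbolt_db and MYSQL_ROOT_PASSWORD come from the compose file.

```shell
#!/bin/sh
# Added example: Passbolt database backup that fails loudly instead of
# leaving an empty or truncated file in the backup directory.
# BACKUP_DIR and KEEP are hypothetical settings; passbolt_db and
# MYSQL_ROOT_PASSWORD are taken from the guide's compose file.
BACKUP_DIR=${BACKUP_DIR:-/backups}
KEEP=${KEEP:-14}

# dump_ok FILE: succeed only if FILE is non-empty and its last line is the
# "-- Dump completed" trailer mysqldump writes after the final table.
dump_ok() {
    [ -s "$1" ] && tail -n 1 "$1" | grep -q '^-- Dump completed'
}

# prune_old DIR KEEP: delete all but the newest KEEP dumps. The date in the
# file name makes a reverse lexical sort equal to newest-first.
prune_old() {
    ls -1 "$1"/passbolt_db_*.sql 2>/dev/null | sort -r | tail -n +"$(( $2 + 1 ))" |
    while IFS= read -r old; do rm -f -- "$old"; done
}

# run_backup: dump to a .partial file, verify it, then move it into place.
run_backup() {
    umask 077   # the dump holds every encrypted secret and user record
    out="$BACKUP_DIR/passbolt_db_$(date +%F).sql"
    tmp="$out.partial"
    if docker exec passbolt_db sh -c \
        'exec mysqldump -u root -p"$MYSQL_ROOT_PASSWORD" --single-transaction passbolt_db' \
        > "$tmp" && dump_ok "$tmp"; then
        mv -- "$tmp" "$out" && prune_old "$BACKUP_DIR" "$KEEP"
    else
        rm -f -- "$tmp"
        echo "passbolt backup failed: $(date)" >&2
        return 1
    fi
}

# Cron entry point: run the script with --run to perform a backup.
if [ "${1:-}" = "--run" ]; then
    run_backup
fi
```

Because the script writes to stderr and returns non-zero on failure, cron's mail or any wrapper that checks exit codes will surface a broken backup.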
Updating and Upgrading Passbolt
⬆️ Updating Docker Images
Pull the latest image and redeploy:
docker-compose pull
docker-compose down
docker-compose up -d
🛠️ Manual Updates
For manual installs:
cd /var/www/passbolt
sudo git pull origin master
sudo composer install --no-dev
sudo chown -R www-data:www-data /var/www/passbolt
🔍 Checking for Updates
Stay informed about updates via the Passbolt repository:
sudo apt update && sudo apt list --upgradable
Leveraging Passbolt’s Unique Features
🔧 Enabling APIs
Enable the Passbolt REST API. Edit the configuration file:
sudo nano /etc/passbolt/passbolt.php
Set:
'Features' => [
    'API' => true,
],
🌟 Advanced Configurations
Customize Passbolt by integrating tools such as Slack or Microsoft Teams for notifications. Configure SMTP for email:
sudo nano /etc/passbolt/passbolt.php
Add:
'EmailTransport' => [
    'default' => [
        'host' => 'smtp.yourprovider.com',
        'port' => 587,
        'username' => 'your-email',
        'password' => 'your-password',
        'tls' => true
    ]
],
Wrapping Up
This guide provided a complete walkthrough for deploying, configuring, and managing Passbolt effectively. By following these steps, you can ensure a secure, self-hosted password management solution tailored to your team's needs. With its extensive features and flexibility, Passbolt empowers you to take full control of your sensitive credentials. Start implementing these configurations today and enjoy the benefits of secure, streamlined password management!