Passbolt Password Manager Installation
Passbolt is an open-source, self-hosted password manager designed for teams and organizations. Built with security as a core principle, Passbolt uses end-to-end encryption, GPG key management, and role-based access control. This guide covers Docker deployment, MySQL database setup, Nginx configuration, GPG key generation, and team collaboration setup.
Table of Contents
- Prerequisites
- System Requirements
- Docker Installation
- MySQL Database Setup
- Passbolt Deployment
- Nginx Configuration
- SSL Certificate Setup
- GPG Key Configuration
- Email Setup
- User and Team Management
- Backup Strategy
- Conclusion
Prerequisites
Ensure you have:
- Ubuntu 20.04 LTS or later
- Root or sudo access
- A registered domain name
- Minimum 4GB RAM (8GB+ recommended)
- 20GB available disk space
- Basic Linux administration knowledge
Update system:
sudo apt update && sudo apt upgrade -y
System Requirements
Verify the system specifications:
Check OS version:
cat /etc/os-release
uname -m
Check available resources:
free -h
df -h
Docker Installation
Install Docker and Docker Compose:
sudo apt install -y docker.io docker-compose
Add user to docker group:
sudo usermod -aG docker $USER
newgrp docker
Verify the installation:
docker --version
docker-compose --version
Start Docker:
sudo systemctl start docker
sudo systemctl enable docker
MySQL Database Setup
Create the MySQL data directory:
sudo mkdir -p /var/lib/mysql-passbolt
sudo chown -R $USER:$USER /var/lib/mysql-passbolt
Create the MySQL container:
docker run -d \
--name mysql-passbolt \
-e MYSQL_ROOT_PASSWORD=RootPassword123! \
-e MYSQL_DATABASE=passbolt \
-e MYSQL_USER=passbolt \
-e MYSQL_PASSWORD=PassboltPassword123! \
-v /var/lib/mysql-passbolt:/var/lib/mysql \
mysql:8.0
Verify MySQL is running:
docker ps | grep mysql
Passbolt Deployment
Create the Passbolt directory:
sudo mkdir -p /opt/passbolt
sudo chown -R $USER:$USER /opt/passbolt
cd /opt/passbolt
Create docker-compose.yml:
nano docker-compose.yml
Add configuration:
version: '3'
services:
  passbolt:
    image: passbolt/passbolt:latest-ce
    # Fixed name so the "docker exec passbolt ..." commands later in this guide find the container
    container_name: passbolt
    restart: always
    # Publishes 80/443 on the host, the same ports the host Nginx configured below listens on;
    # only one process can bind them
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /opt/passbolt/data:/var/www/passbolt/webroot/img
      - /opt/passbolt/gpg:/var/www/passbolt/.gnupg
      - /opt/passbolt/jwt:/var/www/passbolt/config/jwt
    environment:
      DATASOURCES_DEFAULT_HOST: mysql-passbolt
      DATASOURCES_DEFAULT_USERNAME: passbolt
      DATASOURCES_DEFAULT_PASSWORD: PassboltPassword123!
      DATASOURCES_DEFAULT_DATABASE: passbolt
      APP_FULL_BASE_URL: https://passbolt.example.com
      PASSBOLT_SSL_PEER_VERIFY: "false"
      PASSBOLT_PLUGINS_EXPORT_ENABLED: "true"
      PASSBOLT_PLUGINS_IMPORT_ENABLED: "true"
    depends_on:
      - mysql-passbolt
    networks:
      - passbolt
  mysql-passbolt:
    image: mysql:8.0
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: RootPassword123!
      MYSQL_DATABASE: passbolt
      MYSQL_USER: passbolt
      MYSQL_PASSWORD: PassboltPassword123!
    # Same host path as the standalone mysql-passbolt container started earlier;
    # only one MySQL server can use a data directory at a time
    volumes:
      - /var/lib/mysql-passbolt:/var/lib/mysql
    networks:
      - passbolt
networks:
  passbolt:
    driver: bridge
Create data directories:
mkdir -p /opt/passbolt/{data,gpg,jwt}
Start Passbolt containers:
docker-compose up -d
Verify the containers are running:
docker-compose ps
docker-compose logs -f passbolt
Wait for initialization to complete.
Nginx Configuration
Install Nginx:
sudo apt install -y nginx
Create the Nginx configuration:
sudo nano /etc/nginx/sites-available/passbolt
Add configuration:
upstream passbolt {
    server localhost:443;
}
# Redirect plain HTTP to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name passbolt.example.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name passbolt.example.com;
    ssl_certificate /etc/letsencrypt/live/passbolt.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/passbolt.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    client_max_body_size 100M;
    location / {
        proxy_pass https://localhost:443;
        # With verification off, the upstream certificate is not validated
        proxy_ssl_verify off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Enable site:
sudo ln -s /etc/nginx/sites-available/passbolt /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl start nginx
sudo systemctl enable nginx
SSL Certificate Setup
Install Certbot:
sudo apt install -y certbot python3-certbot-nginx
Obtain SSL certificate:
sudo certbot certonly --standalone -d passbolt.example.com
Verify the certificate:
sudo openssl x509 -in /etc/letsencrypt/live/passbolt.example.com/fullchain.pem -noout -dates
Configure auto-renewal:
sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer
GPG Key Configuration
Generate GPG key for Passbolt:
docker exec -it passbolt su - www-data -s /bin/bash -c 'gpg --gen-key'
This will prompt for GPG key generation details.
Export public key:
docker exec passbolt su - www-data -s /bin/bash -c 'gpg --export --armor'
Email Setup
Configure SMTP email:
Edit docker-compose.yml:
nano docker-compose.yml
Add environment variables to passbolt service:
PASSBOLT_EMAIL_SEND: "true"
PASSBOLT_EMAIL_FROM: [email protected]
PASSBOLT_EMAIL_HOST: smtp.example.com
PASSBOLT_EMAIL_PORT: 587
PASSBOLT_EMAIL_USERNAME: [email protected]
PASSBOLT_EMAIL_PASSWORD: your-app-password
PASSBOLT_EMAIL_TLS: "true"
Restart the containers:
docker-compose down
docker-compose up -d
User and Team Management
Access Passbolt:
Navigate to https://passbolt.example.com
Create the initial admin account:
- Complete initial setup wizard
- Create admin email and password
- Configure security settings
Invite users:
- Administration → Users
- Click "Invite User"
- Send invitation via email
Create teams:
- Administration → Teams
- Click "Create Team"
- Add team members
- Set permissions
Manage password resources:
- Click "Password"
- Create new password entry
- Assign to users/teams
- Set sharing permissions
Configure user roles:
- Administration → Users
- Set user type (Admin, User)
- Configure specific permissions
Backup Strategy
Create the backup script:
sudo nano /usr/local/bin/passbolt-backup.sh
Add:
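#!/bin/bash
# Abort on errors, unset variables and failed pipeline stages,
# so a failed mysqldump is not reported as a completed backup
set -euo pipefail
# Backups hold the database and the server GPG keys: create them readable by the owner only
umask 077
BACKUP_DIR="/backups/passbolt"
PASSBOLT_DIR="/opt/passbolt"
DATE=$(date +%Y%m%d_%H%M%S)
mkdir -p "$BACKUP_DIR"
# Stop Passbolt
docker-compose -f "$PASSBOLT_DIR/docker-compose.yml" stop
# Start Passbolt again when the script exits, even if a step below fails
trap 'docker-compose -f "$PASSBOLT_DIR/docker-compose.yml" start' EXIT
# MySQL backup (--no-tablespaces: the passbolt user has no PROCESS privilege)
docker exec mysql-passbolt mysqldump --no-tablespaces -u passbolt -p'PassboltPassword123!' passbolt | gzip > "$BACKUP_DIR/passbolt-db-$DATE.sql.gz"
# Data backup
tar -czf "$BACKUP_DIR/passbolt-data-$DATE.tar.gz" "$PASSBOLT_DIR"
# Keep only 30 days
find "$BACKUP_DIR" -type f -mtime +30 -delete
echo "Backup completed: $DATE"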
Make executable:
sudo chmod +x /usr/local/bin/passbolt-backup.sh
Schedule daily backups:
sudo crontab -e
Add:
0 2 * * * /usr/local/bin/passbolt-backup.sh >> /var/log/passbolt-backup.log 2>&1
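Because the dump is piped through gzip, the backup script can leave a well-formed .sql.gz even when mysqldump stopped part-way, so a restore check is worth running after it. The script below is an added example, not part of the original guide or the Passbolt project. The function names (newest, verify_backup, make_sample) and the sample files are constructed for illustration, and the checks assume the file names and the /opt/passbolt/gpg directory used by the backup script above.

```shell
#!/bin/bash
# Added example: verify the newest backup pair written by passbolt-backup.sh.

# Newest file in directory $1 matching glob $2 (the timestamps in the names sort lexically).
newest() {
  ls -1 "$1"/$2 2>/dev/null | sort | tail -n 1
}

# Return 0 only if the newest dump and data archive in $1 both look restorable.
verify_backup() {
  local dir="$1" db data listing
  db=$(newest "$dir" 'passbolt-db-*.sql.gz')
  data=$(newest "$dir" 'passbolt-data-*.tar.gz')
  [ -n "$db" ] && [ -n "$data" ] || { echo "FAIL: backup pair missing in $dir"; return 1; }

  # 1. The gzip stream is intact (catches truncated or interrupted writes)
  gzip -t "$db" 2>/dev/null || { echo "FAIL: $db is corrupt"; return 1; }
  # 2. mysqldump ran to the end: it finishes with a "-- Dump completed" comment
  gunzip -c "$db" | tail -n 5 | grep '^-- Dump completed' >/dev/null \
    || { echo "FAIL: $db has no completion marker"; return 1; }
  # 3. The archive is readable and contains the server GPG keyring directory
  listing=$(tar -tzf "$data" 2>/dev/null) || { echo "FAIL: $data is corrupt"; return 1; }
  printf '%s\n' "$listing" | grep 'passbolt/gpg/' >/dev/null \
    || { echo "FAIL: $data lacks passbolt/gpg/"; return 1; }
  echo "OK: $db and $data"
}

# Constructed sample: build a fake backup pair in directory $1 for an offline run.
make_sample() {
  local dir="$1"
  mkdir -p "$dir/src/opt/passbolt/gpg"
  echo "constructed keyring placeholder" > "$dir/src/opt/passbolt/gpg/pubring.kbx"
  tar -czf "$dir/passbolt-data-20240101_020000.tar.gz" -C "$dir/src" opt
  printf 'CREATE TABLE t (id INT);\n-- Dump completed on 2024-01-01  2:00:05\n' \
    | gzip > "$dir/passbolt-db-20240101_020000.sql.gz"
}

# Usage: script.sh /backups/passbolt   (with no argument, checks a constructed sample)
target="${1:-}"
if [ -z "$target" ]; then
  target=$(mktemp -d)
  make_sample "$target"
fi
verify_backup "$target"
```

A non-zero exit from verify_backup can be used to raise an alert from the same cron job that runs the backup.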
Update Passbolt:
cd /opt/passbolt
docker-compose pull
docker-compose down
docker-compose up -d
Conclusion
Passbolt is now fully deployed as a team password manager. With MySQL database, Docker containerization, SSL encryption, GPG key management, and team collaboration features, you have a secure password vault solution. Create teams, manage users, and control password sharing with granular permissions. Regular backups ensure password recovery. Passbolt's end-to-end encryption and team-focused design make it ideal for organizational password management.


