Passbolt Password Manager Installation

Passbolt is an open-source, self-hosted password manager designed for teams and organizations. Built with security as a core principle, Passbolt uses end-to-end encryption, GPG key management, and role-based access control. This guide covers Docker deployment, MySQL database setup, Nginx configuration, GPG key generation, and team collaboration setup.

Prerequisites

Ensure you have:

  • Ubuntu 20.04 LTS or later
  • Root or sudo access
  • A registered domain name
  • Minimum 4GB RAM (8GB+ recommended)
  • 20GB available disk space
  • Basic Linux administration knowledge

Update system:

sudo apt update && sudo apt upgrade -y

System Requirements

Verify system specifications:

Check OS version:

cat /etc/os-release
uname -m

Check available resources:

free -h
df -h

Docker Installation

Install Docker and Docker Compose:

sudo apt install -y docker.io docker-compose

Add user to docker group (members of this group have root-equivalent access to the host):

sudo usermod -aG docker $USER
newgrp docker

Verify installation:

docker --version
docker-compose --version

Start Docker:

sudo systemctl start docker
sudo systemctl enable docker

MySQL Database Setup

Create MySQL data directory:

sudo mkdir -p /var/lib/mysql-passbolt
sudo chown -R $USER:$USER /var/lib/mysql-passbolt

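Create MySQL container (the docker-compose.yml in the Passbolt Deployment section defines its own mysql-passbolt service on the same data directory, and two MySQL instances cannot share one data directory, so remove this standalone container with docker rm -f mysql-passbolt before running docker-compose up):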

docker run -d \
  --name mysql-passbolt \
  -e MYSQL_ROOT_PASSWORD=RootPassword123! \
  -e MYSQL_DATABASE=passbolt \
  -e MYSQL_USER=passbolt \
  -e MYSQL_PASSWORD=PassboltPassword123! \
  -v /var/lib/mysql-passbolt:/var/lib/mysql \
  mysql:8.0

Verify MySQL is running:

docker ps | grep mysql

Passbolt Deployment

Create Passbolt directory:

mkdir -p /opt/passbolt
cd /opt/passbolt

Create docker-compose.yml:

nano docker-compose.yml

Add configuration:

version: '3'

services:
  passbolt:
    image: passbolt/passbolt:latest-ce
    restart: always
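    ports:
      # Published on loopback only: the host Nginx owns ports 80/443
      # and must proxy to https://127.0.0.1:8443
      - "127.0.0.1:8080:80"
      - "127.0.0.1:8443:443"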
    volumes:
      - /opt/passbolt/data:/var/www/passbolt/webroot/img
      - /opt/passbolt/gpg:/var/www/passbolt/.gnupg
      - /opt/passbolt/jwt:/var/www/passbolt/config/jwt
    environment:
      DATASOURCES_DEFAULT_HOST: mysql-passbolt
      DATASOURCES_DEFAULT_USERNAME: passbolt
      DATASOURCES_DEFAULT_PASSWORD: PassboltPassword123!
      DATASOURCES_DEFAULT_DATABASE: passbolt
      APP_FULL_BASE_URL: https://passbolt.example.com
      PASSBOLT_SSL_PEER_VERIFY: "false"
      PASSBOLT_PLUGINS_EXPORT_ENABLED: "true"
      PASSBOLT_PLUGINS_IMPORT_ENABLED: "true"
    depends_on:
      - mysql-passbolt
    networks:
      - passbolt

  mysql-passbolt:
    image: mysql:8.0
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: RootPassword123!
      MYSQL_DATABASE: passbolt
      MYSQL_USER: passbolt
      MYSQL_PASSWORD: PassboltPassword123!
    volumes:
      - /var/lib/mysql-passbolt:/var/lib/mysql
    networks:
      - passbolt

networks:
  passbolt:
    driver: bridge

Create data directories:

mkdir -p /opt/passbolt/{data,gpg,jwt}
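
Added example, not part of the original guide: the compose file above carries sample passwords in clear text, and this sketch generates random per-deployment values into /opt/passbolt/.env and flags password keys that are still literals. The helper names (gen_secret, write_env_file, check_compose_literals) and the use of ${MYSQL_ROOT_PASSWORD} / ${MYSQL_PASSWORD} references in docker-compose.yml are assumptions made for illustration.

```bash
# Added example (not from the original guide): per-deployment secrets for
# the compose file. Assumes docker-compose.yml is edited to reference
# ${MYSQL_ROOT_PASSWORD} and ${MYSQL_PASSWORD} instead of the sample values.

# Print 48 hex characters (192 bits) from the kernel CSPRNG.
gen_secret() {
  od -An -tx1 -N24 /dev/urandom | tr -d ' \n'
}

# write_env_file DIR: create DIR/.env, which docker-compose reads for
# ${VAR} substitution when run from DIR. Refuses to overwrite, because new
# values would no longer match the passwords already stored inside MySQL.
write_env_file() {
  env_file="${1:-/opt/passbolt}/.env"
  if [ -e "$env_file" ]; then
    echo "refusing to overwrite existing $env_file" >&2
    return 1
  fi
  (
    umask 077   # create the file owner-only (mode 0600)
    {
      printf 'MYSQL_ROOT_PASSWORD=%s\n' "$(gen_secret)"
      printf 'MYSQL_PASSWORD=%s\n' "$(gen_secret)"
    } > "$env_file"
  )
}

# check_compose_literals FILE: print every *PASSWORD key whose value is a
# literal instead of a ${VAR} reference. Returns 0 when none remain.
check_compose_literals() {
  if grep -nE 'PASSWORD:[[:space:]]*"?[^$"[:space:]]' "$1"; then
    return 1
  fi
  return 0
}
```

Run write_env_file /opt/passbolt once before the first docker-compose up, then check_compose_literals /opt/passbolt/docker-compose.yml to confirm that DATASOURCES_DEFAULT_PASSWORD and both MySQL keys use the references.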

Start Passbolt containers:

docker-compose up -d

Verify containers are running:

docker-compose ps
docker-compose logs -f passbolt

Wait for initialization to complete.

Nginx Configuration

Install Nginx:

sudo apt install -y nginx

Create Nginx configuration:

sudo nano /etc/nginx/sites-available/passbolt

Add configuration:

# Passbolt container, reachable on loopback only. Requires the container
# to be published as "127.0.0.1:8443:443" in docker-compose.yml, because
# host port 443 belongs to this Nginx instance.
upstream passbolt {
    server 127.0.0.1:8443;
}

# Redirect plain HTTP to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name passbolt.example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name passbolt.example.com;

    ssl_certificate /etc/letsencrypt/live/passbolt.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/passbolt.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    client_max_body_size 100M;

    location / {
        # Forward to the upstream defined above, not to this server's own port 443
        proxy_pass https://passbolt;
        # The container presents a self-signed certificate on the loopback hop
        proxy_ssl_verify off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

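Enable site (nginx -t fails until the certificate files referenced in the configuration exist, so obtain the certificate in the next section first):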

sudo ln -s /etc/nginx/sites-available/passbolt /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl start nginx
sudo systemctl enable nginx

SSL Certificate Setup

Install Certbot:

sudo apt install -y certbot python3-certbot-nginx

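Obtain SSL certificate (the standalone authenticator binds port 80 itself, so Nginx must not be running while this command runs):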

sudo certbot certonly --standalone -d passbolt.example.com

Verify certificate:

sudo openssl x509 -in /etc/letsencrypt/live/passbolt.example.com/fullchain.pem -noout -dates

Set up auto-renewal:

sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer

GPG Key Configuration

Generate GPG key for Passbolt:

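docker-compose -f /opt/passbolt/docker-compose.yml exec passbolt su - www-data -s /bin/bash -c 'gpg --gen-key'

This will prompt for GPG key generation details. The command goes through docker-compose because the container it creates is not named passbolt, and key generation needs the interactive terminal that docker-compose exec allocates.

Export public key:

docker-compose -f /opt/passbolt/docker-compose.yml exec -T passbolt su - www-data -s /bin/bash -c 'gpg --export --armor'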

Email Setup

Configure SMTP email:

Edit docker-compose.yml:

nano docker-compose.yml

Add environment variables to passbolt service:

PASSBOLT_EMAIL_SEND: "true"
PASSBOLT_EMAIL_FROM: your-address@example.com
PASSBOLT_EMAIL_HOST: smtp.example.com
PASSBOLT_EMAIL_PORT: 587
PASSBOLT_EMAIL_USERNAME: your-address@example.com
PASSBOLT_EMAIL_PASSWORD: your-app-password
PASSBOLT_EMAIL_TLS: "true"

Restart containers:

docker-compose down
docker-compose up -d

User and Team Management

Access Passbolt:

Navigate to https://passbolt.example.com

Create initial admin account:

  1. Complete initial setup wizard
  2. Create admin email and password
  3. Configure security settings

Invite users:

  1. Administration → Users
  2. Click "Invite User"
  3. Send invitation via email

Create teams:

  1. Administration → Teams
  2. Click "Create Team"
  3. Add team members
  4. Set permissions

Manage password resources:

  1. Click "Password"
  2. Create new password entry
  3. Assign to users/teams
  4. Set sharing permissions

Configure user roles:

  1. Administration → Users
  2. Set user type (Admin, User)
  3. Configure specific permissions

Backup Strategy

Create backup script:

sudo nano /usr/local/bin/passbolt-backup.sh

Add:

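#!/bin/bash
# Abort on any error, including a failed mysqldump inside the pipeline
set -euo pipefail
# Backups hold the vault database and the server GPG/JWT keys: owner-only files
umask 077

BACKUP_DIR="/backups/passbolt"
PASSBOLT_DIR="/opt/passbolt"
COMPOSE_FILE="$PASSBOLT_DIR/docker-compose.yml"
DATE=$(date +%Y%m%d_%H%M%S)

mkdir -p "$BACKUP_DIR"

# Stop only the Passbolt application; MySQL must stay up for mysqldump
docker-compose -f "$COMPOSE_FILE" stop passbolt
# Start Passbolt again when the script exits, even if a step below fails
trap 'docker-compose -f "$COMPOSE_FILE" start passbolt' EXIT

# MySQL backup: credentials come from the container's own environment,
# so the password is not hardcoded in this script
docker-compose -f "$COMPOSE_FILE" exec -T mysql-passbolt \
  sh -c 'exec mysqldump --no-tablespaces -u"$MYSQL_USER" -p"$MYSQL_PASSWORD" "$MYSQL_DATABASE"' \
  | gzip > "$BACKUP_DIR/passbolt-db-$DATE.sql.gz"

# Data backup
tar -czf "$BACKUP_DIR/passbolt-data-$DATE.tar.gz" "$PASSBOLT_DIR"

# Keep only 30 days
find "$BACKUP_DIR" -type f -mtime +30 -delete

echo "Backup completed: $DATE"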

Make executable:

sudo chmod +x /usr/local/bin/passbolt-backup.sh

Schedule daily backups:

sudo crontab -e

Add:

0 2 * * * /usr/local/bin/passbolt-backup.sh >> /var/log/passbolt-backup.log 2>&1
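
Added example, not part of the original guide: a scheduled backup is only useful if the dump it produces is complete, so this sketch checks the newest passbolt-db-*.sql.gz for an intact gzip stream, mysqldump's closing trailer, and owner-only permissions. The function names are assumptions made for illustration; the file naming follows the backup script above.

```bash
# Added example (not from the original guide): sanity-check the newest
# database dump written by passbolt-backup.sh before relying on it.

# verify_dump FILE: return 0 only if FILE is a non-empty, intact gzip
# stream that contains table definitions and ends with mysqldump's
# "-- Dump completed" trailer.
verify_dump() {
  vd_file="$1"
  [ -s "$vd_file" ] || { echo "empty or missing: $vd_file" >&2; return 1; }
  gzip -t "$vd_file" 2>/dev/null \
    || { echo "corrupt gzip: $vd_file" >&2; return 1; }
  # mysqldump writes this comment last; a dump cut short by an error lacks it
  gzip -dc "$vd_file" | tail -n 5 | grep -c '^-- Dump completed' >/dev/null \
    || { echo "truncated dump: $vd_file" >&2; return 1; }
  gzip -dc "$vd_file" | grep -c '^CREATE TABLE' >/dev/null \
    || { echo "no tables in dump: $vd_file" >&2; return 1; }
  return 0
}

# newest_dump DIR: print the most recent passbolt-db-*.sql.gz in DIR.
# The YYYYMMDD_HHMMSS stamp in the name sorts chronologically.
newest_dump() {
  ls -1 "$1"/passbolt-db-*.sql.gz 2>/dev/null | sort | tail -n 1
}

# backup_is_private FILE: return 0 if group and others have no access.
# The dump and data archive contain the vault database and server keys.
backup_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}
```

Calling verify_dump "$(newest_dump /backups/passbolt)" at the end of the cron job, or from monitoring, turns a silently truncated dump into a non-zero exit status.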

Update Passbolt:

cd /opt/passbolt
docker-compose pull
docker-compose down
docker-compose up -d

Conclusion

Passbolt is now fully deployed as a team password manager. With MySQL database, Docker containerization, SSL encryption, GPG key management, and team collaboration features, you have a secure password vault solution. Create teams, manage users, and control password sharing with granular permissions. Regular backups ensure password recovery. Passbolt's end-to-end encryption and team-focused design make it ideal for organizational password management.