Passbolt - Self hosted, open-source password manager built for teams!

I am a huge fan of free and open source software, and password managers are no exception. I have been using Bitwarden for a while now but I recently decided to check out Passbolt.

Passbolt is an open-source password manager that allows you to keep all your passwords centralized in one place without any vendor lock-in. Passbolt allows you to securely store and share your passwords with your team members. It has a web interface and a browser extension that make it easy to use.

Although you can sign up for a managed Passbolt instance in the cloud, you can also install Passbolt on your own server. By doing so, you keep full control of your passwords and can still sync them between all your devices with ease. There are several ways of deploying Passbolt, but in this blog post we are going to discuss two of the popular options:

  1. Deploying Passbolt using Docker containers together with traefik reverse proxy
  2. Deploying Passbolt on DigitalOcean

Deploying Passbolt using Docker containers

Before you can deploy Passbolt in Docker, you need a Linux server with Docker and Docker Compose installed. The server can sit locally in your home lab or with a public cloud provider. You can use this link to get $200 60-day credit on DigitalOcean or $100 60-day credit on Linode. You can also use Azure, AWS or GCP, depending on what you like.

To deploy Passbolt in Docker, you will need to download the docker-compose file provided by Passbolt, which defines the services and networks for your application.

First, create a directory for storing the file:

mkdir passbolt && cd passbolt

Then download the docker-compose-ce.yaml file:

wget "https://download.passbolt.com/ce/docker/docker-compose-ce.yaml"

To verify that the file has not been corrupted or tampered with, download the SHA512SUM file published with the release and check that the checksum matches the file you downloaded, by running the following commands:

wget https://github.com/passbolt/passbolt_docker/releases/latest/download/docker-compose-ce-SHA512SUM.txt

Then

sha512sum -c docker-compose-ce-SHA512SUM.txt

This should return the following:
docker-compose-ce.yaml: OK

This docker compose file creates two docker containers: db, which is a MariaDB database container, and the Passbolt container itself. Be sure to replace the APP_FULL_BASE_URL value with your Passbolt server's FQDN. Remember to create the matching DNS record at your hosting provider so that this name points back to your server's IP.

With this configuration, the containers are ready to start. However, set up like this, Passbolt would run with an untrusted certificate, which is never a good thing to do, especially with a password manager. So we will configure HTTPS in the next steps before spinning up the docker containers.

Setting up traefik reverse proxy and ssl certificates

To activate SSL on Passbolt, we have to add another service, traefik. To handle the HTTPS setup with Let’s Encrypt, add a traefik service as described in the documentation.

Traefik will:

  • Act as a proxy in front of the passbolt service; that’s why we define ports 80 and 443 on it.
  • Handle Let’s Encrypt certificate issuance and renewal.

To make traefik aware of the Passbolt service, we need to add a labels section to the passbolt docker container definition. Place the labels just after the line with command in the passbolt definition. We will need to change the hosts in the labels to match the FQDN that was defined earlier. Here is an example:
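As an added example (my own illustration, not the compose file Passbolt ships), this is how the traefik service and the labels on the passbolt service fit together in docker-compose-ce.yaml. The hostname passbolt.example.com, the traefik image tag, the resolver name letsencrypt and the middleware name SslHeader are assumptions; the db service and the database credentials stay as they are in the downloaded file.

```yaml
# Added example: excerpt of docker-compose-ce.yaml with a traefik service and
# traefik labels on the passbolt service. Hostname, image tag, paths, resolver
# and middleware names are assumptions; replace passbolt.example.com with your FQDN.
services:
  traefik:
    image: traefik:2.10          # assumed tag: pin to a release you have reviewed
    restart: always
    ports:
      - "80:80"                  # plain HTTP: only for the ACME challenge and the redirect
      - "443:443"                # HTTPS: the only way users should reach Passbolt
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro   # read-only: traefik only discovers containers
      - ./traefik.yaml:/traefik.yaml:ro                # static configuration (next section)
      - ./conf/:/etc/traefik/conf:ro                   # headers.yaml and tls.yaml
      - ./shared/:/shared                              # acme.json: certificates and ACME account key

  passbolt:
    image: passbolt/passbolt:latest-ce
    restart: unless-stopped
    depends_on:
      - db
    environment:
      APP_FULL_BASE_URL: https://passbolt.example.com  # must match the Host() rules below
      DATASOURCES_DEFAULT_HOST: db
      # database user/password/name: keep the values from the downloaded file
    # No "ports:" entry on this service: Passbolt is reachable only through traefik,
    # so the self-signed certificate of the container is never exposed to users.
    # Keep the "command:" line from the downloaded file and put the labels right after it.
    labels:
      traefik.enable: "true"     # required because exposedByDefault is false in traefik.yaml
      # HTTP router: exists only so that the web entrypoint can redirect to HTTPS
      traefik.http.routers.passbolt-http.entrypoints: "web"
      traefik.http.routers.passbolt-http.rule: "Host(`passbolt.example.com`)"
      traefik.http.routers.passbolt-http.middlewares: "SslHeader@file"
      # HTTPS router: TLS terminated by traefik with the Let's Encrypt resolver
      traefik.http.routers.passbolt-https.entrypoints: "websecure"
      traefik.http.routers.passbolt-https.rule: "Host(`passbolt.example.com`)"
      traefik.http.routers.passbolt-https.middlewares: "SslHeader@file"
      traefik.http.routers.passbolt-https.tls: "true"
      traefik.http.routers.passbolt-https.tls.certresolver: "letsencrypt"
```

Two things to check after editing: the Host() rules and APP_FULL_BASE_URL must carry the same name (a mismatch produces redirect loops or certificate errors), and the docker socket is mounted read-only because traefik needs it only to discover labels, while anything that can write to that socket effectively has root on the host.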

Configuring traefik

Now that we are done with the docker-compose.yaml file, we need to add a number of configuration files to configure traefik.

In the same directory as the docker-compose.yaml file, add a file called traefik.yaml with the following configuration, as described in the documentation (https://help.passbolt.com/configure/https/ce/docker/auto.html). We will need to add a valid email address to the configuration, which Let’s Encrypt uses for the account that issues the certificate.

To avoid exposing other running containers by accident, you should disable the exposedByDefault setting in traefik.yaml, so that traefik only routes traffic to containers that explicitly carry a traefik.enable label.
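As an added example (my own, not the file from the Passbolt documentation), here is a complete traefik.yaml for this setup. The email address, the shared path and the resolver name letsencrypt are assumptions; the resolver name must match the tls.certresolver label you put on the passbolt service, and the file provider directory must be the conf folder created in the next step.

```yaml
# Added example: traefik static configuration for the Passbolt compose setup.
# Email address, paths and the resolver name are assumptions.
global:
  sendAnonymousUsage: false

log:
  level: INFO
  format: common

api:
  dashboard: false    # not needed for Passbolt; one less interface to protect
  insecure: false     # never publish the API on :8080 without authentication

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false   # only containers labelled traefik.enable=true get a route
  file:
    directory: /etc/traefik/conf/   # headers.yaml and tls.yaml from the conf folder
    watch: true

entryPoints:
  web:
    address: ":80"
    http:
      redirections:            # every plain-HTTP request is redirected to HTTPS
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"

certificatesResolvers:
  letsencrypt:                 # name referenced by the tls.certresolver label
    acme:
      email: "admin@example.com"          # placeholder: use a mailbox you actually read
      storage: /shared/acme.json          # traefik expects this file to be mode 600
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      keyType: EC256
      httpChallenge:
        entryPoint: web        # HTTP-01 challenge arrives on port 80
```

If you want to test the configuration without hitting Let’s Encrypt rate limits, point caServer at the staging endpoint first (https://acme-staging-v02.api.letsencrypt.org/directory) and switch back once traefik obtains a certificate.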

Next, we will create two other files inside a folder called conf:

mkdir conf && cd conf

Create a file headers.yaml, using your preferred editor and paste everything as it appears in the documentation.

Create another file, tls.yaml and paste everything as it appears in the documentation.

Go back one directory using cd .. and bring the containers up with the following command:

docker-compose -f docker-compose-ce.yaml up -d

Once the containers have been created, we will use the following command to create the first (admin) user for the setup. Replace the fields with your details:

docker-compose -f docker-compose-ce.yaml exec passbolt su -m -c "/usr/share/php/passbolt/bin/cake \
    passbolt register_user \
    -u <[email protected]> \
    -f <yourname> \
    -l <surname> \
    -r admin" -s /bin/sh www-data

It will output a link similar to the one below, which you can open in the browser to finalize the user registration:

https://my.domain.tld/setup/install/1eafab88-a17d-4ad8-97af-77a97f5ff552/f097be64-3703-41e2-8ea2-d59cbe1c15bc

Configuring Passbolt

Opening this URL will prompt you to install the extension for the browser you are using before proceeding with the setup.

Once done, a window will appear asking for your passphrase. This is the master passphrase of your password manager, and you will need to remember it.

Make sure your recovery kit is downloaded (you will need it on every new device that you want to connect with your account).

Set up the security token, which you will use to make sure you are connecting to the correct server and which also protects you from phishing attacks.

Setting up email server and notifications in Passbolt

Passbolt relies heavily on emails for:

  • Account creation
  • Account recovery
  • Notifications on different user actions

Having a working email setup is essential if you want to use Passbolt at its best. There are many email providers and each one has its own setup process. The aim of this section is to provide the basic concepts so each admin can set up their provider according to their particular case.

Requirements
You can follow this procedure if you are meeting the following requirements:

  • You are running Passbolt > 3.8.0 or Passbolt Cloud
  • You have an active administrator account

If you are running Passbolt < 3.7.3, you will need to configure your email server settings manually in the config/passbolt.php file.

How do emails in passbolt work?

Configuring the email server through the UI is a feature introduced with Passbolt v3.8.0 that aims to help all administrators who need to change their SMTP server settings in the easiest way. Email configuration was moved from config/passbolt.php directly into the database, and your credentials are encrypted with the server GPG public key.

Access to email server configurations

In order to configure your email server settings, go to administration setting workspace.
Administration > Email server

Choosing your email server provider

When you open your email server settings for the first time, by default, the provider is Other. Everything is filled out except login details. You are free to edit those fields to match your email configuration.

Passbolt provides pre-filled configurations for the most common mail servers such as Gmail, AWS SES, Mailgun, etc. You can still navigate through the advanced settings to change all the settings like SMTP host, TLS, and port. I will be using Gmail for this example. Be sure to change the sender's email to match your hosting provider's policy to avoid being banned or having your emails land in the spam folder. For authentication, Gmail uses app passwords instead of the normal Gmail account password. Follow this guide to create a Gmail Account App Password.

If at least one mandatory field is empty or doesn’t match the expected format, you will see an error message and you won’t be able to save your changes.
If everything is correct, you will see a confirmation message and your new email server settings will be applied.

How to configure email notification settings for your organization

To configure email notification settings for your organization, you need to have admin rights on your Passbolt server. You can access the email notification settings page by clicking on the admin icon on the top right corner of the screen, and then selecting “Email notification settings” from the dropdown menu.

On the email notification settings page, you will see a list of checkboxes that correspond to different types of events that trigger email notification. You can enable or disable each type of notification by checking or unchecking the boxes. By default, all the settings are true, which means all the notifications are set to be sent.

You can also change the default sender name and email address for the notifications by editing the fields below the checkboxes. The sender name and email address are used to identify who is sending the notifications, and they should match the domain name of your Passbolt server.

After making any changes, don’t forget to click on the “Save” button at the bottom of the page to apply them.

How to customize email notification settings for your preferences

As a user of Passbolt, you can also customize your own email notification settings according to your preferences. You can access your personal email notification settings page by clicking on your profile picture on the top right corner of the screen, and then selecting “My profile” from the dropdown menu.

On your profile page, you will see a tab called “Email notifications”. Click on it to see a list of checkboxes that correspond to different types of events that trigger email notification. You can enable or disable each type of notification by checking or unchecking the boxes. By default, your personal settings are inherited from the organization settings, which means you will receive all the notifications that are enabled by the admin.

You can also choose to receive a daily digest email instead of individual emails for each event. The daily digest email is a summary of all the events that happened in the past 24 hours. To enable this option, check the box that says “Send me a daily digest instead of individual emails”.

After making any changes, don’t forget to click on the “Save” button at the bottom of the page to apply them.

Setting up Multi Factor Authentication

Passbolt recently added support for multifactor authentication in their community edition, a feature previously only available for the paid plans. If you have followed this guide, as of April 2023, then the docker container image you have installed should include this support by default. Otherwise, you will need to replace the tag on the docker container with the latest available image on Docker hub and rebuild the container.

To enable multi-factor authentication, you first need to log in with your administrator account and go to the administration section.

Toggle on TOTP, YubiKey or Duo depending on the MFA option you want to use. Once this is enabled, multi-factor authentication will be available for every user. Make sure you save the settings.

Once this is enabled, go back to your profile section and set up multifactor authentication. This will apply to any user and not just the administrator.

Setting up MFA here works the same way as for any other service. I use Aegis for my multi-factor authentication app. It is free and open source and addresses most of the issues that the popular MFA apps have. For setting up the other multi-factor authentication methods, Christian Lempa has a good guide available on YouTube. Be sure to check it out.

Installing Passbolt on DigitalOcean

Another way of deploying Passbolt is deploying it directly to DigitalOcean, which is a straightforward and easy process. You can get $200 60-day credit for free by using this link.

Here is the step-by-step guide:

Go to the Passbolt website and choose ‘On Premise Installation’ to set up your own Passbolt server. Select ‘Free Download’ to install it on a server that you create.

Click ‘Deploy to Digital Ocean’ to launch a server on DigitalOcean to host your Passbolt website.

Once the marketplace page opens, click on ‘Create Droplet’. Choose a region closest to you to reduce latency.

Choose how powerful the server should be based on your organization's needs and how big the company is. For a small site, the $7/month Droplet is enough, although Passbolt recommends a VM with at least two virtual CPUs. You can also use the Regular CPU type, which has cheaper options.

It is recommended to enable SSH keys to connect to the server instead of passwords for security reasons. Click on ‘Launch Droplet’. This will take a few minutes to start.

Once the Droplet launches, it will show you the IP address to access it. Open that IP address in your browser to access your passbolt server. This will launch a web page with passbolt ready to be configured. But before proceeding with the configuration, let us first set up SSL certificates on the droplet.

Setting up an SSL certificate on passbolt droplet on Digital Ocean

It is highly recommended to use Passbolt with a trusted certificate. We will set up SSL encryption for the passbolt site using Let’s Encrypt by performing an HTTPS challenge for your site.

To achieve this, you need to create a DNS record linking your site’s domain/subdomain name to the Droplet’s IP address. This can be done with any DNS service; I will use Cloudflare for this example. Create an A record pointing either your domain or a new subdomain at the Droplet’s IP and save.

Connect to your Droplet using SSH and edit the nginx configuration file that the Passbolt package installed. The path is /etc/nginx/sites-enabled/nginx-passbolt.conf. Open this file and change ‘server_name _;’ to your domain/subdomain name (see the documentation here).

Save the file and run sudo dpkg-reconfigure passbolt-ce-server to reload Passbolt with the new settings.

Follow the prompts while using the following configuration:

  • Choose ‘no’ to set up your own MySQL database.
  • Choose ‘yes’ to configure the web server.
  • Select ‘auto’ to use Let’s Encrypt for SSL encryption.
  • Enter your subdomain/domain name and a valid email address to be used for the SSL certificate.

Passbolt will check if Let’s Encrypt received the HTTPS challenge for your site. If so, SSL setup will complete successfully.

Open https://mypassboltsite.com in your browser to access your Passbolt server. Select ‘Get Started’ and then ‘Start Configuration’.

You can keep the default MySQL database settings.

Create a new OpenPGP key for your server by entering your server name and a valid email address. You can also choose to import an existing OpenPGP key if you had one set up before.

Set ‘Force SSL’ to yes to make sure Passbolt uses the SSL certificate we set up earlier.

In this case we set up our email provider during the installation step. Similar to the docker container setup, you can use your existing email provider's (like Gmail) SMTP settings for email. Once configured, send a test email to ensure it’s working.

Enter details for your admin user like name, email, password, etc. to create the admin account.

Your passbolt server setup on Digital Ocean is now complete! The rest of the configuration is similar to the one we covered in docker container installation steps.

I hope you enjoyed this blog post and learned how to deploy Passbolt in Docker using Traefik and on DigitalOcean. If you have any questions or feedback, please leave a comment below. Thank you for reading!