Passbolt is an open-source password manager designed for teams and organizations that prioritize security and privacy. It offers the following features:
- Security-First Approach: Passbolt puts security first, with a security model that supports user-owned secret keys and end-to-end encryption, regularly assessed by top penetration testers.
- Built for Collaboration: It allows secure sharing of credentials with powerful auditing tools and unparalleled granularity for access controls and encrypted data.
- Privacy Focus: Headquartered in the EU, Passbolt prioritizes privacy and is designed to comply with European privacy laws.
- Versatility and Control: Passbolt is designed to put users in control of their data and protect them from a wide range of potential threats, making it suitable for security-conscious organizations.
Passbolt is trusted by a wide range of organizations, including Fortune 500 companies, the defense industry, universities, and startups, and has received 4,000 stars on GitHub as a seal of approval for its reliable and secure password management. It is also available as a free and open-source solution, with an extensible API for developers.
If you want to discuss the topic with other technology-minded people, join my Discord: https://discord.gg/YbSYGsQYES
More information about the Docker installation is available on GitHub and at Passbolt.com.
Create a Podman network for the services
The containers have to reach each other, so they get a dedicated Podman network of their own. Only the front end, the Passbolt service, has to be reachable from outside.
podman network create n_passbolt
Start the DB container
The DB is a standard MariaDB instance configured with environment variables. Start the container and it will sit waiting for the Passbolt server to connect later. The `secret` values below are placeholders; replace them with strong, unique passwords before the stack is reachable by anyone else. The database_volume named volume holds the SQL server's persistent data.
podman run --rm -d --name db \
--network n_passbolt \
-e MYSQL_ROOT_PASSWORD=secret \
-e MYSQL_DATABASE=passbolt \
-e MYSQL_USER=passbolt \
-e MYSQL_PASSWORD=secret \
-v database_volume:/var/lib/mysql \
docker.io/library/mariadb:11
Start the Passbolt service container
In this configuration the Passbolt service is published on host ports 8000 (HTTP) and 4430 (HTTPS). The high ports are needed because I run it as a rootless Podman container, and an unprivileged user cannot bind ports below 1024 by default.
The environment variables configure the database connection, and the -v flags mount named volumes so that the server's GPG key pair and JWT key material survive container restarts.
podman run --rm -d --name passbolt \
--network n_passbolt \
--requires db \
-p 8000:80 \
-p 4430:443 \
-e DATASOURCES_DEFAULT_HOST=db \
-e DATASOURCES_DEFAULT_PASSWORD=secret \
-e DATASOURCES_DEFAULT_USERNAME=passbolt \
-e DATASOURCES_DEFAULT_DATABASE=passbolt \
-e APP_FULL_BASE_URL=https://passbolt.local:4430 \
-v gpg_volume:/etc/passbolt/gpg \
-v jwt_volume:/etc/passbolt/jwt \
docker.io/passbolt/passbolt:4.4.2-1-ce
Register the first admin user
The first user can be registered with the following command:
podman exec passbolt su -m -c "bin/cake passbolt register_user -u tmolnar0831@gmail.com -f Tamas -l Molnar -r admin" -s /bin/sh www-data
The command output will contain a URL with the activation key.
Put it all together
A compose file makes it possible to manage the services together. With podman-compose the database and Passbolt can be brought up or taken down with a single command. It is also good practice to keep the environment variables in separate env files instead of in the compose file itself. Note that the network and the named volumes are declared as external, so they must already exist; the podman commands above created them. The example below is a fully functional docker-compose.yml file.
---
services:
  mariadb:
    container_name: db
    networks:
      - n_passbolt
    env_file:
      - .env.db
    volumes:
      - database_volume:/var/lib/mysql
    image: docker.io/library/mariadb:11
  passbolt:
    container_name: passbolt
    networks:
      - n_passbolt
    depends_on:
      # depends_on refers to the service name (mariadb), not to container_name (db)
      - mariadb
    ports:
      - 8000:80
      - 4430:443
    env_file:
      - .env.passbolt
      - .env.passbolt_smtp
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
    image: docker.io/passbolt/passbolt:4.4.2-1-ce
networks:
  n_passbolt:
    external:
      name: n_passbolt
volumes:
  database_volume:
    external:
      name: database_volume
  gpg_volume:
    external:
      name: gpg_volume
  jwt_volume:
    external:
      name: jwt_volume
Running the podman-compose up -d command will bring up the services, and Passbolt will be available at the https://passbolt.local:4430 URL.
Adding own custom SSL certificates
Follow the Official Documentation for installing SSL certificates for the Passbolt service!
Before you start:
- All users must save their private key
- The users must have their recovery file
- Be aware that after the domain change every account must be restored!
In the docker-compose.yml file, extend the passbolt service:
    (...)
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
      - ./certs/cert.pem:/etc/ssl/certs/certificate.crt:ro
      - ./certs/key.pem:/etc/ssl/certs/certificate.key:ro
    (...)
In the project folder create a certs directory and place the certificate and key file there.
Change the APP_FULL_BASE_URL=https://passbolt.local:4430 variable to your domain. For example:
APP_FULL_BASE_URL=https://passbolt.tomsitcafe.com:4430
After restarting the stack, the new certificate and URL should work.
Join my Discord: https://discord.gg/YbSYGsQYES