Install Passbolt Self-Hosted With Podman

Passbolt is an open-source password manager designed for teams and organizations that prioritize security and privacy. It offers the following features:

  • Security-First Approach: Passbolt puts security first, with a security model that supports user-owned secret keys and end-to-end encryption, regularly assessed by top penetration testers.
  • Built for Collaboration: It allows secure sharing of credentials with powerful auditing tools and unparalleled granularity for access controls and encrypted data.
  • Privacy Focus: Headquartered in the EU, Passbolt prioritizes privacy and is designed to comply with European privacy laws.
  • Versatility and Control: Passbolt is designed to put users in control of their data and protect them from a wide range of potential threats, making it suitable for security-conscious organizations.

Passbolt is trusted by a wide range of organizations, including Fortune 500 companies, the defense industry, universities, and startups, and has received 4,000 stars on GitHub as a seal of approval for its reliable and secure password management. It is also available as a free and open-source solution, with an extensible API for developers.

If you want to discuss the topic with other technology-minded people, join my Discord: https://discord.gg/YbSYGsQYES

More information about the Docker installation can be found on GitHub or at Passbolt.com.

Create a Podman network for the services

The containers have to reach each other, so they get a dedicated network. Only the front end, the Passbolt service, has to be reachable from the outside; the database stays on the internal network.

podman network create n_passbolt

Start the DB container

The DB is a standard MariaDB container configured with environment variables. Start it first; it will be ready when the Passbolt server connects to it later.

The database_volume will hold the SQL server’s persistent data.

podman run --rm -d --name db \
--network n_passbolt \
-e MYSQL_ROOT_PASSWORD=secret \
-e MYSQL_DATABASE=passbolt \
-e MYSQL_USER=passbolt \
-e MYSQL_PASSWORD=secret \
-v database_volume:/var/lib/mysql \
docker.io/library/mariadb:11

Start the Passbolt service container

In this configuration the Passbolt service is published on host ports 8000 (HTTP) and 4430 (HTTPS). This is because I run a rootless Podman container, which by default cannot bind the privileged ports 80 and 443.

The environment variables configure the database connection, and the two named volumes keep the contents of /etc/passbolt/gpg and /etc/passbolt/jwt (the server's GPG and JWT keys) persistent across container restarts.

podman run --rm -d --name passbolt \
--network n_passbolt \
--requires db \
-p 8000:80 \
-p 4430:443 \
-e DATASOURCES_DEFAULT_HOST=db \
-e DATASOURCES_DEFAULT_PASSWORD=secret \
-e DATASOURCES_DEFAULT_USERNAME=passbolt \
-e DATASOURCES_DEFAULT_DATABASE=passbolt \
-e APP_FULL_BASE_URL=https://passbolt.local:4430 \
-v gpg_volume:/etc/passbolt/gpg \
-v jwt_volume:/etc/passbolt/jwt \
docker.io/passbolt/passbolt:4.4.2-1-ce

Register the first admin user

The first user can be registered with the following command:

podman exec passbolt su -m -c "bin/cake passbolt register_user -u tmolnar0831@gmail.com -f Tamas -l Molnar -r admin" -s /bin/sh www-data

The command output will contain a URL with the activation key.

Put it all together

A compose file will ensure that the services can be handled together. With podman-compose it is possible to bring up or take down the database and Passbolt with a single command. It is also good practice to keep the environment variables in separate env files rather than in the compose file itself. The example below is a fully functional docker-compose.yml file.

---
services:

  mariadb:
    container_name: db
    networks:
      - n_passbolt
    env_file:
      - .env.db
    volumes:
      - database_volume:/var/lib/mysql
    image: docker.io/library/mariadb:11

  passbolt:
    container_name: passbolt
    networks:
      - n_passbolt
    depends_on:
      - mariadb   # the service name, not the container_name
    ports:
      - 8000:80
      - 4430:443
    env_file:
      - .env.passbolt
      - .env.passbolt_smtp
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
    image: docker.io/passbolt/passbolt:4.4.2-1-ce

networks:
  n_passbolt:
    external:
      name: n_passbolt

volumes:
  database_volume:
    external:
      name: database_volume
  gpg_volume:
    external:
      name: gpg_volume
  jwt_volume:
    external:
      name: jwt_volume

Running the podman-compose up -d command will bring up the services and Passbolt will be available on the https://passbolt.local:4430 URL.
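The compose file reads its secrets from .env.db and .env.passbolt, which are not shown above. The script below is an added example, not from the original post: it writes both files from the variables used in the podman run commands, replaces the placeholder password secret with random ones, and keeps the files owner-readable only (the target directory, the base URL and the separate .env.passbolt_smtp file are left to you).

```shell
#!/bin/sh
# Added example, not part of the original post: write the .env.db and
# .env.passbolt files the compose file reads. Variable names are taken from
# the podman run commands; random passwords replace the placeholder "secret",
# and umask 077 makes the files readable by their owner only.

# 32 alphanumeric characters drawn from the kernel RNG.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# env_value FILE KEY: print the value stored for KEY in an env file.
env_value() {
    sed -n "s/^$2=//p" "$1"
}

# write_env_files DIR BASE_URL: runs in a subshell so the umask and the
# temporary variables do not leak into the caller.
write_env_files() (
    dir=$1
    base_url=$2
    root_pw=$(gen_password)
    app_pw=$(gen_password)
    umask 077
    mkdir -p "$dir"
    cat >"$dir/.env.db" <<EOF
MYSQL_ROOT_PASSWORD=$root_pw
MYSQL_DATABASE=passbolt
MYSQL_USER=passbolt
MYSQL_PASSWORD=$app_pw
EOF
    # The application password must be identical on both sides.
    cat >"$dir/.env.passbolt" <<EOF
DATASOURCES_DEFAULT_HOST=db
DATASOURCES_DEFAULT_USERNAME=passbolt
DATASOURCES_DEFAULT_PASSWORD=$app_pw
DATASOURCES_DEFAULT_DATABASE=passbolt
APP_FULL_BASE_URL=$base_url
EOF
)

# Usage: sh make-env.sh <project-dir> [base-url]
if [ $# -ge 1 ]; then
    write_env_files "$1" "${2:-https://passbolt.local:4430}"
fi
```

Run it once in the project folder, then check the files in with nothing but their names in .gitignore; the compose file picks them up unchanged.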

Adding your own SSL certificates

Follow the Official Documentation for installing SSL certificates for the Passbolt service!

Before you start:

  • All users must save their private key
  • The users must have their recovery file
  • Be aware that after a domain change every account has to be recovered, which is why the two points above matter!

In the docker-compose.yml file extend the passbolt service:

(...)
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
      - ./certs/cert.pem:/etc/ssl/certs/certificate.crt:ro
      - ./certs/key.pem:/etc/ssl/certs/certificate.key:ro
(...)

In the project folder create a certs directory and place the certificate and key file there.

Change the APP_FULL_BASE_URL=https://passbolt.local:4430 variable to your own domain.

For example:

APP_FULL_BASE_URL=https://passbolt.tomsitcafe.com:4430
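Before restarting the stack it is worth confirming that the two files in ./certs are a matching pair and that the certificate is actually valid for the host in the new APP_FULL_BASE_URL; a mismatch only shows up as a browser error after the domain change has already forced every account to be recovered. The script below is an added check, not from the original post or from Passbolt; it assumes the openssl command-line tool is installed and takes the certificate path, key path and base URL as arguments.

```shell
#!/bin/sh
# Added example, not part of the original post: check the files in ./certs
# before pointing APP_FULL_BASE_URL at the new domain. Needs the openssl CLI.

# url_host URL: host part of https://passbolt.tomsitcafe.com:4430 and similar.
url_host() {
    h=${1#*://}                 # drop the scheme
    h=${h%%/*}                  # drop any path
    printf '%s\n' "${h%%:*}"    # drop the port
}

# url_port URL: port part of the URL, 443 when none is given.
url_port() {
    h=${1#*://}
    h=${h%%/*}
    case $h in
        *:*) printf '%s\n' "${h##*:}" ;;
        *)   printf '443\n' ;;
    esac
}

# key_matches_cert CERT KEY: succeed when the key's public half is
# byte-identical to the public key embedded in the certificate.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_covers_host CERT HOST: succeed when the certificate is valid for HOST
# (subjectAltName, or the CN when the certificate has no SAN).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# check_certs CERT KEY BASE_URL: both checks, with the reason on failure.
check_certs() {
    host=$(url_host "$3")
    key_matches_cert "$1" "$2" || { echo "key does not belong to $1" >&2; return 1; }
    cert_covers_host "$1" "$host" || { echo "$1 is not valid for $host" >&2; return 1; }
    echo "OK: $1 is valid for $host (HTTPS on port $(url_port "$3"))"
}

# Usage: sh check-certs.sh ./certs/cert.pem ./certs/key.pem https://passbolt.tomsitcafe.com:4430
if [ $# -eq 3 ]; then
    check_certs "$1" "$2" "$3"
fi
```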

With that, Passbolt should now serve the new certificate on the new URL.
