Steps to Install Passbolt Password Manager on Ubuntu

Posted on July 13th, 2020

Passbolt is a free, open-source, self-hosted password manager that helps users securely store and share login credentials, such as the passwords for a router, a website, a Wi-Fi network, and more. Some of the features of Passbolt are:

  1. It uses OpenPGP, a proven cryptographic standard, to encrypt the passwords.
  2. Passbolt offers browser extensions for both Google Chrome and Firefox.
  3. Passbolt lets you share login credentials with your team securely.
  4. Passbolt has a clean and user-friendly interface.
  5. It can export and import passwords.
  6. You can add login credentials manually.
  7. You can also create passwords and import them from kdbx and csv files.

In this knowledgebase article, you will learn how to install the Passbolt password manager on an Ubuntu 18.04 server with the Apache or Nginx web server. Passbolt is written in PHP and relies on a MariaDB or MySQL database server.

Prerequisites

  1. Server with LAMP or LEMP stack pre-installed.
  2. A user with sudo privileges.

Install Passbolt

To install Passbolt on your Ubuntu server, follow the steps below:

1) Download and Install Passbolt on Your Server

You can download Passbolt from GitHub, or from the official website by entering your email address, name, and password. To download Passbolt to your server from GitHub, follow the steps below:

Run the following command to install Git on the server.

$ sudo apt install git

Then, switch to the ‘/var/www’ directory and clone the Passbolt repository by executing the following commands. Note that ‘cd’ is a shell built-in, so it is run without sudo.

$ cd /var/www
$ sudo git clone https://github.com/passbolt/passbolt_api.git

The downloaded files are saved in the ‘passbolt_api’ directory. Run the following command to rename that directory to ‘passbolt’.

$ sudo mv passbolt_api passbolt

Then, run the following command to change the owner of the directory to the web server user.

$ sudo chown -R www-data:www-data /var/www/passbolt/

Switch to the Passbolt directory.

$ cd /var/www/passbolt/

Then, run the following command to install Composer. Composer is a PHP dependency manager.

$ sudo apt install composer

Execute the following command to install all the dependencies.

$ sudo -u www-data composer install --no-dev


2) Create a MariaDB/MySQL Database and User for Passbolt

We assume that the database server is already available on your server. If not, install it first. To install the LAMP stack on Ubuntu, refer to https://www.interserver.net/tips/kb/installing-a-lamp-stack-on-ubuntu-debian/ and to install the LEMP stack on Ubuntu, refer to https://www.interserver.net/tips/kb/nginx-mysql-php-lemp-stack-ubuntu-16/.

To create a new database and user in MariaDB, follow the below steps:

Log in to the MariaDB console by executing the following command. Enter the MariaDB password when prompted.

$ sudo mysql -u root -p

Then, create a database for Passbolt. This knowledgebase names it ‘passbolt’ and uses ‘utf8mb4’ as the character set (with the ‘utf8mb4_unicode_ci’ collation) to make sure that it supports non-Latin characters and emojis.

> CREATE DATABASE passbolt DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;

Execute the following command to create the database user and grant it all permissions on the database. This knowledgebase names the database user ‘passboltuser’, and you should replace userpassword with the actual password you want to set.

> GRANT ALL ON passbolt.* TO 'passboltuser'@'localhost' IDENTIFIED BY 'userpassword';

Next, flush the privileges table and exit the console by using the following commands.

> FLUSH PRIVILEGES;

> EXIT;


3) Install the Recommended and Required PHP Modules

Execute the following command to install all the required and recommended PHP modules.

$ sudo apt install php-gnupg php7.2-mysql php7.2-ldap php7.2-imap php7.2-curl php7.2-xml php7.2-bz2 php7.2-intl php7.2-mbstring php7.2-zip php7.2-json php7.2-gd php7.2-fpm php7.2-common php-imagick php7.2-gmp php7.2-xsl

After the installation, restart Apache if you are using the LAMP stack. There is no need to restart Nginx if you are using the LEMP stack.

$ sudo systemctl restart apache2


4) Generate OpenPGP Key

If you are using a VPS server, then you should install the ‘haveged’ package before generating the key.

$ sudo apt install haveged

To generate the new pair of keys, run the following command. Leave the ‘Passphrase’ field blank and select ‘Ok’, as the php-gnupg module does not currently support the use of a passphrase.

$ sudo gpg --gen-key

Then, execute the following commands to copy the private and public keys to the configuration path of Passbolt. Replace the <domain_name> placeholder with your actual domain name.

$ sudo gpg --armor --export-secret-keys <domain_name> | sudo tee /var/www/passbolt/config/gpg/serverkey_private.asc > /dev/null
$ sudo gpg --armor --export <domain_name> | sudo tee /var/www/passbolt/config/gpg/serverkey.asc > /dev/null

After that, run the following command to initialize the web user’s keyring.

$ sudo su -s /bin/bash -c "gpg --list-keys" www-data


5) Configure Passbolt

Switch to the ‘passbolt’ directory and copy the sample configuration file to the actual configuration file.

$ cd /var/www/passbolt
$ sudo cp config/passbolt.default.php config/passbolt.php

Open the configuration file for editing with the nano editor.

$ sudo nano config/passbolt.php

Find the following line and replace the URL with your actual domain URL, like ‘https://passbolt.<domain_name>’.

'fullBaseUrl' => 'https://www.passbolt.test',

Then, set the following values in the database section, using the database name, user, and password you created in step 2.

// Database configuration.
'Datasources' => [
    'default' => [
        'host' => 'localhost',
        //'port' => 'non_standard_port_number',
        'username' => 'passboltuser',
        'password' => 'secret',
        'database' => 'passbolt',
    ],
],

Replace the following lines in the email configuration section.

// Email configuration.
'EmailTransport' => [
    'default' => [
        'host' => 'localhost',
        'port' => 25,
        'username' => 'passboltuser',
        'password' => 'secret',

        // Is this a secure connection? true if yes, null if no.
        'tls' => true,

        //'timeout' => 30,
        //'client' => null,
        //'url' => null,
    ],
],

'Email' => [
    'default' => [
        // Defines the default name and email of the sender of the emails.
        'from' => ['passbolt@<domain.name>' => 'Passbolt'],
        //'charset' => 'utf-8',
        //'headerCharset' => 'utf-8',
    ],
],

Then, set the GPG key fingerprint in the gpg section. Replace the sample fingerprint with the fingerprint of your actual key.

'fingerprint' => '2P3865433D51946E937F9FED47B0812467EE67J',

Then, uncomment the following lines.

'public' => CONFIG . 'gpg' . DS . 'serverkey.asc',

'private' => CONFIG . 'gpg' . DS . 'serverkey_private.asc',

After that, save and close the file.
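
Steps 4 and 5 write serverkey_private.asc and passbolt.php through sudo, so both are created as root with root's umask rather than as www-data. The following added example (not part of the original article or of Passbolt) audits their owner and mode; the function names and the temporary demo tree are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not Passbolt's own tooling: audit the files that hold secrets.

# audit_secret FILE OWNER: return 0 only if FILE exists, belongs to OWNER
# (user name or numeric uid) and grants nothing to group or others.
audit_secret() {
    file=$1; owner=$2; rc=0
    [ -f "$file" ] || { echo "MISSING $file"; return 1; }
    case "$owner" in
        *[!0-9]*) want_uid=$(id -u "$owner") || return 2 ;;
        *) want_uid=$owner ;;
    esac
    if [ "$(stat -c '%u' "$file")" != "$want_uid" ]; then
        echo "OWNER   $file is owned by $(stat -c '%U' "$file"), expected $owner"
        rc=1
    fi
    mode=$(stat -c '%a' "$file")
    # Mask 077 selects the group and other permission bits.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "MODE    $file is $mode; remove group/other access (chmod 600)"
        rc=1
    fi
    return $rc
}

# audit_passbolt BASE [OWNER]: check the config file (database and SMTP
# passwords) and the exported private server key under BASE.
audit_passbolt() {
    base=$1; web_user=${2:-www-data}; failed=0
    for rel in config/passbolt.php config/gpg/serverkey_private.asc; do
        audit_secret "$base/$rel" "$web_user" || failed=$((failed + 1))
    done
    [ "$failed" -eq 0 ]
}

# Constructed demo: a temporary tree stands in for /var/www/passbolt and the
# current uid stands in for www-data, so this runs without root.
demo=$(mktemp -d)
mkdir -p "$demo/config/gpg"
for f in config/passbolt.php config/gpg/serverkey_private.asc; do
    echo "constructed placeholder" > "$demo/$f"
    chmod 644 "$demo/$f"          # what a root umask of 022 produces
done
audit_passbolt "$demo" "$(id -u)" || echo "findings above: tighten and re-run"
chmod 600 "$demo/config/passbolt.php" "$demo/config/gpg/serverkey_private.asc"
audit_passbolt "$demo" "$(id -u)" && echo "clean"
rm -rf "$demo"
```

On the server, run it as root with `audit_passbolt /var/www/passbolt www-data` and correct any finding with chown and chmod before running the installation script.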

Note:

To get the GPG key fingerprint, run the following command.

$ sudo gpg --list-keys --fingerprint | grep -i -B 2 '<domain.name>'
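
As an added example (not from the original article or from Passbolt), the script below reads the fingerprint from GnuPG's colon-delimited listing instead of grepping the human-readable output, and compares it with the value set in config/passbolt.php. The function names, the sample listing, and the fingerprints in it are constructed for illustration.

```sh
#!/bin/sh
# Added example, not Passbolt's own tooling. Key material below is constructed.

# fpr_for_uid PATTERN: read `gpg --list-keys --with-colons` output on stdin and
# print the primary-key fingerprint of each key whose user ID contains PATTERN.
fpr_for_uid() {
    awk -F: -v pat="$1" '
        $1 == "pub" { primary = ""; want = 1; hit = 0 }  # a new key starts
        $1 == "sub" { want = 0 }                         # ignore subkey fpr
        $1 == "fpr" && want { primary = $10; want = 0 }
        $1 == "uid" && !hit && index($10, pat) { print primary; hit = 1 }
    '
}

# configured_fpr FILE: value of the active (uncommented) fingerprint entry.
configured_fpr() {
    sed -n "s/^[[:space:]]*'fingerprint'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" \
        "$1" | head -n 1 | tr 'a-f' 'A-F'
}

# check_fpr FILE PATTERN: compare the two; the colon listing comes on stdin.
check_fpr() {
    conf=$(configured_fpr "$1")
    key=$(fpr_for_uid "$2")
    # An OpenPGP v4 fingerprint is exactly 40 hexadecimal digits.
    printf '%s' "$conf" | grep -Eq '^[0-9A-F]{40}$' ||
        { echo "not a 40-hex-digit fingerprint: $conf"; return 2; }
    [ -n "$key" ] || { echo "no key with a user ID containing $2"; return 3; }
    [ "$conf" = "$key" ] || { echo "mismatch: config=$conf keyring=$key"; return 1; }
    echo "match: $conf"
}

# Constructed sample of the colon listing (one primary key with one subkey).
sample_listing() {
    cat <<'EOF'
pub:u:3072:1:89ABCDEF01234567:1594600000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1594600000::0000000000000000000000000000000000000000::Passbolt <admin@passbolt.example.test>::::::::::0:
sub:u:3072:1:9999888877776666:1594600000::::::e::::::23:
fpr:::::::::FFFFEEEEDDDDCCCCBBBBAAAA9999888877776666:
EOF
}

conf_file=$(mktemp)
echo "    'fingerprint' => '0123456789ABCDEF0123456789ABCDEF01234567'," > "$conf_file"
sample_listing | check_fpr "$conf_file" 'passbolt.example.test'
# Real use, from /var/www/passbolt:
#   sudo gpg --list-keys --with-colons --fingerprint | check_fpr config/passbolt.php '<domain_name>'
rm -f "$conf_file"
```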


6) Run installation script

Run the following command as the www-data user to execute the installation script.

$ sudo su -s /bin/bash -c "./bin/cake passbolt install --force" www-data

This script provides a URL to complete the installation.


7) Finish Installation

  1. First, install the Passbolt extension on either Firefox or Google Chrome.
  2. Then, open the URL you received after running the installation script in that browser to start the web-based setup wizard for Passbolt.
  3. Make sure that the domain and generated server key fingerprint are correct.
  4. Then, click the ‘Next’ button to import the existing key.
  5. Create a passphrase and click the ‘Next’ button.
  6. Download and save the encrypted secret key and click the ‘Next’ button. Please note that you need the passphrase to decrypt this key.
  7. Next, set a security token and click ‘Next’.
  8. Now, you can log in to Passbolt using the created passphrase.


We hope that this knowledge base was helpful to you. Please comment below for any questions or queries. If you are an InterServer customer, please reach out to our support team for further help.
