How to Install Passbolt Password Manager on Ubuntu 22.04 Server

Passbolt is an open-source self-hosted password manager, which allows you to securely store and share login credentials of website, router password, Wi-Fi password, etc. This tutorial will be showing you how to install Passbolt Community Edition (CE) on Ubuntu 22.04 with Apache or Nginx web server.

Passbolt Features

• Free & open source
• Passwords are encrypted with OpenPGP, a proven cryptographic standard.
• Browser extensions are available for Firefox, Google Chrome, Microsoft Edge and Brave Browser.
• Mobile app is available for iOS and Android.
• Easily share login credentials with your team without compromising security.
• Clean, user-friendly interface.
• Import and export passwords. You can export your passwords to .kdbx or .csv file format for use with KeepassX, LastPass or 1password.
• You can manually add login credentials.

Prerequisites of installing Passbolt on Ubuntu 22.04 Server

Passbolt is written in PHP and relies on MySQL/MariaDB database server. So you need to set up a LAMP stack or LEMP stack before installing Passbolt.

• If you prefer Apache web server, then set up LAMP stack: How to Install LAMP Stack on Ubuntu 22.04
• If you prefer Nginx web server, then set up LEMP stack: How to Install LEMP Stack on Ubuntu 22.04

It’s very important that your server can send emails, so you can recover your Passbolt account if you forget the password. Follow the tutorial linked below to set up SMTP relay on Ubuntu.

• How to Set Up Postfix SMTP Relay on Ubuntu with Sendinblue

You also need a domain name, so you will be able to securely access Passbolt from anywhere with a web browser. I registered my domain name from NameCheap because the price is low and they give whois privacy protection free for life.

After the above requirements are met, follow the instructions below to install Passbolt.

Step 1: Download Passbolt onto Your Ubuntu 22.04 Server

If you go to the official website to download Passbolt, you are required to enter your name and email address. If that’s not what you like, then download the latest stable version from Github by executing the following commands on your server.

sudo apt install git

sudo mkdir -p /var/www/

sudo chown www-data:www-data /var/www/ -R

cd /var/www/

sudo -u www-data git clone https://github.com/passbolt/passbolt_api.git

The files will be saved in passbolt_api directory. We rename it to passbolt.

sudo mv passbolt_api passbolt

Then make the web server user (www-data) as the owner of this directory.

sudo chown -R www-data:www-data /var/www/passbolt

Run the following command to install PHP modules required or recommended by Passbolt

sudo apt install php-imagick php-gnupg php8.1-gnupg php8.1-common php8.1-mysql php8.1-fpm php8.1-ldap php8.1-gd php8.1-imap php8.1-curl php8.1-zip php8.1-xml php8.1-mbstring php8.1-bz2 php8.1-intl php8.1-gmp php8.1-xsl

Then restart Apache. (If you use Nginx, you don’t need to restart Nginx.)

sudo systemctl restart apache2

Change directory.

cd /var/www/passbolt/

Install Composer – the PHP dependency manager.

sudo apt install composer

Create cache directory for Composer.

sudo mkdir /var/www/.composer

Make www-data as the owner.

sudo chown -R www-data:www-data /var/www/.composer

Use Composer to install dependencies.

sudo -u www-data composer install --no-dev

If it asks you to set folder permissions, choose Y.

Step 2: Create a MariaDB Database and User for Passbolt

Log into MariaDB console.

sudo mysql -u root

Next, create a new database for Passbolt using the following command. This tutorial names it passbolt, you can use whatever name you like for the database. We also specify utf8mb4 as the character set to support non-Latin characters and emojis.

CREATE DATABASE passbolt DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;

The following command will create a database user and password, and at the same time grant all permission of the new database to the new user so later on Passbolt can write to the database. Replace red texts with your preferred database name, username, and password.

GRANT ALL ON passbolt.* TO 'passboltuser'@'localhost' IDENTIFIED BY 'password';

Flush privileges table and exit MariaDB console.

FLUSH PRIVILEGES;

EXIT;

Step 3: Generate OpenPGP Key

If you are using a VPS (Virtual Private Server), it’s recommended to install the haveged package to generate enough entropy.

sudo apt install haveged

The haveged.service will automatically start after installation. You can check its status with:

sudo systemctl status haveged

Then run the following command to generate a new key pair.

sudo -u www-data gpg --quick-gen-key --pinentry-mode=loopback 'first_name last_name <[email protected]>' default default never

• Enter your first name and last name.
• Replace [email protected] with your real email address.
• Don’t leave out the angle bracket.

Like this:

sudo -u www-data gpg --quick-gen-key --pinentry-mode=loopback 'Xiao Guoan <[email protected]>' default default never

If you are asked to set a passphrase, skip it by pressing Enter, because the php-gnupg module doesn’t support using passphrase at the moment.

Copy the private key to the passbolt configuration location.

sudo -u www-data gpg --armor --export-secret-keys [email protected] | sudo tee /var/www/passbolt/config/gpg/serverkey_private.asc > /dev/null

And copy the public key as well.

sudo -u www-data gpg --armor --export [email protected] | sudo tee /var/www/passbolt/config/gpg/serverkey.asc > /dev/null

Initialize the www-data user’s keyring.

sudo su -s /bin/bash -c "gpg --list-keys" www-data

Step 4: Configure Passbolt

Make sure you are in /var/www/passbolt/ directory.

cd /var/www/passbolt/

Copy the sample configuration file to a production configuration file.

sudo cp config/passbolt.default.php config/passbolt.php

Edit the configuration file with a command-line text editor, such as Nano.

sudo nano config/passbolt.php

First, find the following line.

'fullBaseUrl' => 'https://www.passbolt.test',

Replace the URL with your own URL, like https://passbolt.yourdomain.com. Don’t forget to create DNS A record for this subdomain in your DNS zone editor.

In the database configuration section, enter the database name, database username and password you created in step 2.

    // Database configuration.
    'Datasources' => [
        'default' => [
            'host' => 'localhost',
            //'port' => 'non_standard_port_number',
            'username' => 'user',
            'password' => 'secret',
            'database' => 'passbolt',
        ],
    ],

In the email configuration section,

• Specify the SMTP hostname, port number, login credentials, so your passbolt can send emails. Usually, you need to use port 587 to sumbit emails to remote SMTP server. Make sure you set tls to true, so the SMTP transaction will be encrypted. If you use the free Sendinblue SMTP relay service, then enter your Sendinblue credentials here.
• Also set the From: email address and From name.

    // Email configuration.
    'EmailTransport' => [
        'default' => [
            'host' => 'smtp-relay.sendinblue.com',
            'port' => 587,
            'username' => 'smtp_username',
            'password' => 'smtp_password',
            // Is this a secure connection? true if yes, null if no.
            'tls' => true,
            //'timeout' => 30,
            //'client' => null,
            //'url' => null,
        ],
    ],
    'Email' => [
        'default' => [
            // Defines the default name and email of the sender of the emails.
            'from' => ['[email protected]' => 'Passbolt'],
            //'charset' => 'utf-8',
            //'headerCharset' => 'utf-8',
        ],
    ],

Follow the tutorial linked below to set up SMTP relay on Ubuntu.

• How to Set Up Postfix SMTP Relay on Ubuntu with Sendinblue

Hint #1: If passbolt is installed on the same box as your mail server, then you don’t need to specify the username and password in the EmailTransport. Simply use // to comment out these two lines. The following screenshot shows a sample configuration for this scenario.

Hint #2: Don’t forget to add Passbolt Cron job in step 9, or Passbolt won’t send emails.

In the gpg section, enter the GPG key fingerprint like below. You need to delete all whitespaces in the fingerprint.

'fingerprint' => '2FC8945833C51946E937F9FED47B0811573EE67E',

You can get your key fingerprint with the following command. Replace [email protected] with your email address when generating the PGP key pair.

sudo su -s /bin/bash -c "gpg --list-keys" www-data

After entering the fingerprint, uncomment the following two lines.

'public' => CONFIG . 'gpg' . DS . 'serverkey.asc',
'private' => CONFIG . 'gpg' . DS . 'serverkey_private.asc',

Save and close the file.

Step 5: Run the Install Script

Run the install script as the www-data user.

sudo su -s /bin/bash -c "/var/www/passbolt/bin/cake passbolt install --force" www-data

During the installation, you will be asked to create an admin account.

Once you create an account, you will be provided an URL to finish the installation in web browser. Before doing that, we need to configure the web server using Apache or Nginx.

Step 6: Create Apache Virtual Host or Nginx Config File for Passbolt

Apache

If you use Apache web server, create a virtual host for Passbolt.

sudo nano /etc/apache2/sites-available/passbolt.conf

Put the following text into the file. Replace passbolt.example.com with your real domain name and don’t forget to set DNS A record for it. Also note that the web root for Passbolt is /var/www/passbolt/webroot/, not /var/www/passbolt/.

<VirtualHost *:80>
  ServerName passbolt.exmaple.com
  DocumentRoot /var/www/passbolt/webroot/

  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined

  <Directory />
    Options FollowSymLinks
    AllowOverride All
  </Directory>

  <Directory /var/www/passbolt/>
    Options FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
  </Directory>

</VirtualHost>

Save and close the file. Then enable this virtual host with:

sudo a2ensite passbolt.conf

Reload Apache for the changes to take effect.

sudo systemctl reload apache2

Nginx

If you use Nginx web server, create a virtual host for Passbolt.

sudo nano /etc/nginx/conf.d/passbolt.conf

Put the following text into the file. Replace passbolt.example.com with your real domain name and don’t forget to set DNS A record for it. Also note that the web root for Passbolt is /var/www/passbolt/webroot/, not /var/www/passbolt/.

server {
   listen 80;
   listen [::]:80;
   server_name passbolt.example.com;

   root /var/www/passbolt/webroot/;
   error_log /var/log/nginx/passbolt.error;
   access_log /var/log/nginx/passbolt.access;

   index index.php index.html index.htm index.nginx-debian.html;

   location / {
     try_files $uri $uri/ /index.php?$query_string;
   }

   location ~ \.php$ {
     # try_files $uri =404;
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
     # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

     fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
     fastcgi_index index.php;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     include fastcgi_params;

     fastcgi_buffer_size 128k;
     fastcgi_buffers 256 16k;
     fastcgi_busy_buffers_size 256k;
     fastcgi_temp_file_write_size 256k;
   }

    # Don't log favicon
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    # Don't log robots
    location = /robots.txt  {
        access_log off;
        log_not_found off;
    }

    # Deny all attempts to access hidden files/folders such as .htaccess, .htpasswd, .DS_Store (Mac), etc...
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny all grunt, composer files
    location ~* (Gruntfile|package|composer)\.(js|json)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

     # A long browser cache lifetime can speed up repeat visits to your page
  location ~* \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
       access_log        off;
       log_not_found     off;
       expires           360d;
  }
}

Save and close the file. Then test Nginx configuration.

sudo nginx -t

If the test is successful, reload Nginx for the changes to take effect.

sudo systemctl reload nginx

Step 7: Enabling HTTPS

To encrypt the HTTP traffic, we can enable HTTPS by installing a free TLS certificate issued from Let’s Encrypt. Run the following command to install Let’s Encrypt client (certbot) on Ubuntu 22.04 server.

sudo apt install certbot

If you use Nginx, then you also need to install the Certbot Nginx plugin.

sudo apt install python3-certbot-nginx

Next, run the following command to obtain and install TLS certificate.

sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email [email protected] -d passbolt.example.com

If you use Apache, install the Certbot Apache plugin.

sudo apt install python3-certbot-apache

And run this command to obtain and install TLS certificate.

sudo certbot --apache --agree-tos --redirect --hsts --staple-ocsp --email [email protected] -d passbolt.example.com

Where

• --nginx: Use the nginx plugin.
• --apache: Use the Apache plugin.
• --agree-tos: Agree to terms of service.
• --redirect: Force HTTPS by 301 redirect.
• --hsts: Add the Strict-Transport-Security header to every HTTP response. Forcing browser to always use TLS for the domain. Defends against SSL/TLS Stripping.
• --staple-ocsp: Enables OCSP Stapling. A valid OCSP response is stapled to the certificate that the server offers during TLS.

The certificate should now be obtained and automatically installed.

Step 8: Finish Passbolt Installation in Web Browser

First, you need to install the Passbolt extension on your Firefox or Google Chrome browser.

• Passbolt extension for Firefox
• Passbot extension for Google Chrome

Now copy the URL you got after running the install script and paste it in your browser’s address bar. You will see the web-based set up wizard.

The first step is to create a passphrase.

Then download the recovery kit.

Next, create a custom security token.

Now Passbolt is installed successfully, you can create password, import password from csv or kdbx file.

Step 9: Set Up Cron Job to Automatically Send Emails

To send system emails, run the following command.

sudo -u www-data /var/www/passbolt/bin/cake EmailQueue.sender

You can add the command in www-data user’s Crontab file to automatically process emails.

sudo crontab -u www-data -e

Add the following line in the file to process emails every minute.

* * * * * /var/www/passbolt/bin/cake EmailQueue.sender

Save and close the file.

(Optional) Setting Up ModSecurity

You may also want to set up the ModSecurity web application firewall to protect your PHP web applications from hacking. If you use Apache web server on Debian/Ubuntu, then read the following tutorial.

• How to Set Up ModSecurity with Apache on Debian/Ubuntu

If you use Nginx web server on Debian/Ubuntu, then read the following tutorial:

• How to Set Up ModSecurity with Nginx on Debian/Ubuntu

TroubleShooting

If you are trying to create a password, but are stuck at the “take a deep breath and enjoy being in the present moment…” screen, it’s likely because there’s something wroing in your Apache or Nginx configuration file. If you copy the Apache/Nginx configuration from the article, you should have no problem when creating password.

If you enabled ModSecurity web application firewall, and you see the Could not verify the server key error.

then you need to add the following custom rule exclusion in ModSecurity.

SecRule REQUEST_URI "@streq /auth/verify.json?api-version=v2" "id:1060,phase:2,ctl:ruleRemoveById=942100"

And restart your web server.

sudo systemctl restart apache2

or

sudo systemctl restart nginx

How to Upgrade Passbolt

Check the current version.

sudo su -s /bin/bash -c "/var/www/passbolt/bin/cake passbolt version" www-data

Change to the passbolt directory.

cd /var/www/passbolt

Get new tags from the Github repository.

sudo -u www-data git fetch --tags

Back up the Passbolt configuration file to your home directory.

sudo cp config/passbolt.php ~

Commit local changes.

sudo -u www-data git stash

Switch to the latest version.

sudo -u www-data git checkout v3.9.0

Use Composer to install dependencies.

sudo -u www-data composer install --no-dev

If it asks you to set folder permissions, choose Y.

Migrate database.

sudo su -s /bin/bash -c "/var/www/passbolt/bin/cake passbolt migrate" www-data

Check the current version.

sudo su -s /bin/bash -c "/var/www/passbolt/bin/cake passbolt version" www-data

Perform a health check.

sudo su -s /bin/bash -c "/var/www/passbolt/bin/cake passbolt healthcheck --verbose" www-data

If there’s an error in health check, Passbolt will give you a hint [help] on how to solve it. For example, if there’s no valid JWT key pair, then it will instruct you to run the following command to fix it.

sudo su -s /bin/bash -c "/var/www/passbolt/bin/cake passbolt create_jwt_keys" www-data

If your GPG private/public key pair expired, you need to extend the expiration date.

Wrapping Up

I hope this tutorial helped you install Passbolt on Ubuntu 22.04. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care 🙂