How to Install Passbolt Password Manager on Ubuntu 18.04 Server

Passbolt is an open-source, self-hosted password manager that lets you securely store and share login credentials such as website logins, router passwords and Wi-Fi passwords. This tutorial shows you how to install Passbolt Community Edition (CE) on Ubuntu 18.04 with the Apache or Nginx web server.

Passbolt Features

  • Free & open source
  • Passwords are encrypted with OpenPGP, a proven cryptographic standard.
  • Browser extensions available for Firefox and Google Chrome.
  • Easily share login credentials with your team without compromising security.
  • Clean, user-friendly interface.
  • Import and export passwords.
  • You can manually add login credentials.

You may have heard of other self-hosted password managers like Bitwarden, but it requires Docker to install, so it only works on 64-bit computers. This Passbolt tutorial works on both 32-bit and 64-bit computers.

Prerequisites of installing Passbolt on Ubuntu 18.04 Server

Passbolt is written in PHP and relies on MySQL/MariaDB database server. So you need to set up a LAMP stack or LEMP stack. If you prefer Apache web server, then set up LAMP stack.

If you prefer Nginx web server, then set up LEMP stack.

You also need a domain name, so you will be able to access Passbolt from anywhere with a web browser. I registered my domain name from NameCheap because the price is low and they give whois privacy protection for free.

Step 1: Download Passbolt onto Your Ubuntu 18.04 Server

If you go to the official website to download Passbolt, you are required to enter your name and email address. If you would rather not do that, download the latest stable version from GitHub by executing the following commands on your server.

sudo apt install git
cd /var/www/
sudo git clone https://github.com/passbolt/passbolt_api.git

The files will be saved in the passbolt_api directory. Rename it to passbolt.

sudo mv passbolt_api passbolt

Then make the web server user (www-data) the owner of this directory.

sudo chown -R www-data:www-data /var/www/passbolt/

Change directory.

cd /var/www/passbolt/

Install Composer – the PHP dependency manager.

sudo apt install composer

Use Composer to install dependencies.

sudo -u www-data composer install --no-dev

If it asks you to set folder permissions, choose Y.

Step 2: Create a MariaDB Database and User for Passbolt

Now we need to log in to the MariaDB console and create a database and user for Passbolt. By default, the MariaDB package on Ubuntu uses unix_socket to authenticate user logins, which basically means you can use the username and password of the OS to log in to the MariaDB console. So you can run the following command to log in without providing the MariaDB root password.

sudo mysql -u root

Next, create a new database for Passbolt using the following command. This tutorial names it passbolt, but you can use whatever name you like for the database. We also specify utf8mb4 as the character set to support non-Latin characters and emojis.

CREATE DATABASE passbolt DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;

The following command creates a database user and password, and at the same time grants all permissions on the new database to the new user, so that Passbolt can write to the database later on. Replace passbolt, passboltuser and password with your preferred database name, username and password.

GRANT ALL ON passbolt.* TO 'passboltuser'@'localhost' IDENTIFIED BY 'password';

Flush privileges table and exit MariaDB console.

FLUSH PRIVILEGES;

EXIT;

Step 3: Install Required and Recommended PHP Modules.

Run the following command to install the PHP modules required or recommended by Passbolt.

sudo apt install php-imagick php-gnupg php7.2-common php7.2-mysql php7.2-fpm php7.2-ldap php7.2-gd php7.2-imap php7.2-json php7.2-curl php7.2-zip php7.2-xml php7.2-mbstring php7.2-bz2 php7.2-intl php7.2-gmp php7.2-xsl

Then restart Apache. (If you use Nginx, you don’t need to restart Nginx.)

sudo systemctl restart apache2

Step 4: Generate OpenPGP Key

If you are using a VPS (Virtual Private Server), it’s recommended to install the haveged package to generate enough entropy.

sudo apt install haveged

Then run the following command to generate a new key pair.

gpg --gen-key

You will be asked to enter your name and email address. If you are asked to set a passphrase, simply press the Tab key and select OK, because the php-gnupg module doesn’t support using a passphrase at the moment.

Copy the private key to the passbolt configuration location:

gpg --armor --export-secret-keys you@example.com | sudo tee /var/www/passbolt/config/gpg/serverkey_private.asc > /dev/null

And copy the public key as well.

gpg --armor --export you@example.com | sudo tee /var/www/passbolt/config/gpg/serverkey.asc > /dev/null

Initialize the www-data user’s keyring.

sudo su -s /bin/bash -c "gpg --list-keys" www-data
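
The sudo tee commands above create the key files as root under root's umask, which is normally 022, so the passphrase-less private key ends up readable by every local user (mode 644). The check below is an added example, not part of the original tutorial or of Passbolt; it assumes GNU stat, the paths used in this tutorial and www-data as the web server user. config/passbolt.php is reported as MISSING until Step 5 creates it.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit Passbolt secret files.
# Assumes GNU stat (Ubuntu) and the directory layout used in this tutorial.

# check_secret_file PATH OWNER
# Succeeds only if PATH exists, is owned by OWNER, grants nothing to
# "other", and grants the group at most read access (e.g. 400, 440, 640).
check_secret_file() (
    path=$1; want=$2
    if [ ! -f "$path" ]; then
        echo "MISSING   $path"; exit 2
    fi
    mode=$(stat -c '%a' "$path")     # octal permission bits, e.g. 644
    owner=$(stat -c '%U' "$path")
    rc=0
    if [ "$owner" != "$want" ]; then
        echo "OWNER     $path is owned by $owner, expected $want"; rc=1
    fi
    # 037 = group write/execute (030) plus any access for other (007)
    if [ $(( 0$mode & 037 )) -ne 0 ]; then
        echo "MODE      $path is $mode: group-writable or open to other users"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK        $path ($owner, $mode)"
    exit "$rc"
)

# audit_passbolt_secrets APP_DIR OWNER
# Checks the unencrypted server private key and the config file that holds
# the database and SMTP passwords. Returns the number of failing files.
audit_passbolt_secrets() {
    failures=0
    for rel in config/gpg/serverkey_private.asc config/passbolt.php; do
        check_secret_file "$1/$rel" "$2" || failures=$((failures + 1))
    done
    if [ "$failures" -gt 0 ]; then
        echo "Fix with: sudo chown $2 FILE && sudo chmod 440 FILE"
    fi
    return "$failures"
}

# Usage: sudo sh audit.sh /var/www/passbolt www-data   (audit.sh is a hypothetical file name)
if [ "$#" -eq 2 ]; then audit_passbolt_secrets "$1" "$2"; fi
```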

Step 5: Configure Passbolt

Make sure you are in /var/www/passbolt/ directory.

cd /var/www/passbolt/

Copy the sample configuration file to a production configuration file.

sudo cp config/passbolt.default.php config/passbolt.php

Edit the configuration file with a command line text editor, such as Nano.

sudo nano config/passbolt.php

First, find the following line.

'fullBaseUrl' => 'https://www.passbolt.test',

Replace the URL with your own URL, like https://passbolt.yourdomain.com. Don’t forget to create a DNS A record for this subdomain in your DNS record manager.

In the database configuration section, enter the database name, database username and password you created earlier.

    // Database configuration.
    'Datasources' => [
        'default' => [
            'host' => 'localhost',
            //'port' => 'non_standard_port_number',
            'username' => 'user',
            'password' => 'secret',
            'database' => 'passbolt',
        ],
    ],

In the email configuration section,

  • Specify the SMTP hostname, port number and login credentials so that Passbolt can send emails. Usually you need to use port 587 to submit emails to a remote SMTP server. Make sure you set tls to true, so the SMTP transaction will be encrypted.
  • Also set the From: email address and From name.

    // Email configuration.
    'EmailTransport' => [
        'default' => [
            'host' => 'mail.yourdomain.com',
            'port' => 587,
            'username' => 'you@yourdomain.com',
            'password' => 'secret',
            // Is this a secure connection? true if yes, null if no.
            'tls' => true,
            //'timeout' => 30,
            //'client' => null,
            //'url' => null,
        ],
    ],
    'Email' => [
        'default' => [
            // Defines the default name and email of the sender of the emails.
            'from' => ['passbolt@your_organization.com' => 'Passbolt'],
            //'charset' => 'utf-8',
            //'headerCharset' => 'utf-8',
        ],
    ],

To easily set up your own email server, please check out the following tutorial.

Note: If passbolt is installed on the same box as your mail server, then you don’t need to specify the username and password in the EmailTransport. Simply use // to comment out these two lines. The following screenshot shows a sample configuration for this scenario.

In the gpg section, enter the GPG key fingerprint as shown below. Delete all whitespace from the fingerprint.

'fingerprint' => '2FC8945833C51946E937F9FED47B0811573EE67E',

You can get your key fingerprint with the following command. Replace you@example.com with the email address you used when generating the PGP key pair.

sudo gpg --list-keys --fingerprint | grep -i -B 2 'you@example.com'

After entering the fingerprint, uncomment the following two lines.

'public' => CONFIG . 'gpg' . DS . 'serverkey.asc',
'private' => CONFIG . 'gpg' . DS . 'serverkey_private.asc',

Save and close the file.
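
A mistyped fingerprint, or one that still contains spaces, does not match the server key. The following helper is an added example, not part of the original tutorial or of Passbolt: it reads the fingerprint from gpg's machine-readable --with-colons output instead of the human-readable listing and compares it with the value in config/passbolt.php. It assumes a 40-hex-digit fingerprint like the one shown above; the sample key listing inside it is constructed.

```shell
#!/bin/sh
# Added example (not from the original tutorial): get the server key
# fingerprint from gpg's machine-readable output and compare it with the
# 'fingerprint' value in config/passbolt.php.

# normalize_fpr TEXT: strip whitespace, uppercase, require 40 hex digits.
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F')
    case $fpr in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# primary_fpr: read `gpg --list-keys --with-colons` output on stdin and
# print field 10 of the first "fpr" record that follows a "pub" record.
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1 }
             seen && $1 == "fpr" { print $10; exit }'
}

# config_fpr FILE: print the active (uncommented) 'fingerprint' value.
config_fpr() {
    sed -n "s/^[[:space:]]*'fingerprint'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$1" |
        head -n 1
}

# fingerprint_matches KEY_FPR FILE: succeed only when the config holds
# exactly the normalized fingerprint (no spaces, no lowercase).
fingerprint_matches() {
    want=$(normalize_fpr "$1") || return 2
    [ "$(config_fpr "$2")" = "$want" ]
}

# Constructed sample of colon-format output (not captured from a real key);
# the fingerprint is the example value shown in this tutorial.
sample_colons() {
    cat <<'EOF'
pub:u:3072:1:D47B0811573EE67E:1570233600:::u:::scESC:
fpr:::::::::2FC8945833C51946E937F9FED47B0811573EE67E:
uid:u::::1570233600::::Passbolt Server <you@example.com>:
sub:u:3072:1:AAAAAAAAAAAAAAAA:1570233600::::::e:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAA:
EOF
}

# On the server: gpg --list-keys --with-colons you@example.com | primary_fpr
sample_colons | primary_fpr
```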

Step 6: Run the Install Script

Run the install script as the www-data user.

sudo su -s /bin/bash -c "./bin/cake passbolt install --force" www-data

During the installation, you will be asked to create an admin account.

Once you create an account, you will be given a URL to finish the installation in a web browser. Before doing that, we need to configure the web server using Apache or Nginx.

Step 7: Create Apache Virtual Host or Nginx Config File for Passbolt

Apache

If you use Apache web server, create a virtual host for Passbolt.

sudo nano /etc/apache2/sites-available/passbolt.conf

Put the following text into the file. Replace passbolt.example.com with your real domain name and don’t forget to set a DNS A record for it. Also note that the web root for Passbolt is /var/www/passbolt/webroot/, not /var/www/passbolt/.

<VirtualHost *:80>
  ServerName passbolt.example.com
  DocumentRoot /var/www/passbolt/webroot/

  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined

  <Directory />
    Options FollowSymLinks
    AllowOverride All
  </Directory>

  <Directory /var/www/passbolt/>
    Options FollowSymLinks MultiViews
    AllowOverride All
    # Apache 2.4 access control syntax
    Require all granted
  </Directory>

</VirtualHost>

Save and close the file. Then enable this virtual host with:

sudo a2ensite passbolt.conf

Reload Apache for the changes to take effect.

sudo systemctl reload apache2

Nginx

If you use Nginx web server, create a virtual host for Passbolt.

sudo nano /etc/nginx/conf.d/passbolt.conf

Put the following text into the file. Replace passbolt.example.com with your real domain name and don’t forget to set a DNS A record for it. Also note that the web root for Passbolt is /var/www/passbolt/webroot/, not /var/www/passbolt/.

server {
    listen 80;
    server_name passbolt.example.com;

    root /var/www/passbolt/webroot/;
    error_log /var/log/nginx/passbolt.error;
    access_log /var/log/nginx/passbolt.access;

    index index.php index.html index.htm index.nginx-debian.html;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        # try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;

        fastcgi_buffer_size 128k;
        fastcgi_buffers 256 16k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
    }

    # Don't log favicon
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    # Don't log robots
    location = /robots.txt {
        access_log off;
        log_not_found off;
    }

    # Deny all attempts to access hidden files/folders such as .htaccess, .htpasswd, .DS_Store (Mac), etc...
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny all grunt, composer files
    location ~* (Gruntfile|package|composer)\.(js|json)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # A long browser cache lifetime can speed up repeat visits to your page
    location ~* \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
        access_log off;
        log_not_found off;
        expires 360d;
    }
}

Save and close the file. Then test Nginx configuration.

sudo nginx -t

If the test is successful, reload Nginx for the changes to take effect.

sudo systemctl reload nginx

Step 8: Enabling HTTPS

To encrypt the HTTP traffic, we can enable HTTPS by installing a free TLS certificate issued by Let’s Encrypt. Run the following command to install the Let’s Encrypt client (certbot) on Ubuntu 18.04 server.

sudo apt install certbot

If you use Nginx, then you also need to install the Certbot Nginx plugin.

sudo apt install python3-certbot-nginx

Next, run the following command to obtain and install a TLS certificate.

sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email you@example.com -d passbolt.example.com

If you use Apache, install the Certbot Apache plugin.

sudo apt install python3-certbot-apache

And run this command to obtain and install a TLS certificate.

sudo certbot --apache --agree-tos --redirect --hsts --staple-ocsp --email you@example.com -d passbolt.example.com

Where:

  • --nginx: Use the nginx plugin.
  • --apache: Use the Apache plugin.
  • --agree-tos: Agree to terms of service.
  • --redirect: Force HTTPS by 301 redirect.
  • --hsts: Add the Strict-Transport-Security header to every HTTP response, forcing browsers to always use TLS for the domain. Defends against SSL/TLS stripping.
  • --staple-ocsp: Enables OCSP Stapling. A valid OCSP response is stapled to the certificate that the server offers during TLS.

The certificate should now be obtained and automatically installed.

Step 9: Finish Passbolt Installation in Web Browser

First, you need to install the Passbolt extension on your Firefox or Google Chrome browser.

Now copy the URL you got after running the install script and paste it into your browser’s address bar. You will see the web-based setup wizard. The first step is to make sure your domain and server key fingerprint are correct.

In the second step, simply click the Next button to import the existing key.

In the third step, create a passphrase.

Then download the encrypted secret key and store it in a safe place. This key can only be decrypted by using your passphrase.

In the 4th step, set a security token.

Finally, you can log in with your passphrase.

Now you can create passwords, or import passwords from a csv or kdbx file.

Set Up Cron Job to Automatically Send Emails

To send system emails, run the following command.

sudo -u www-data /var/www/passbolt/bin/cake EmailQueue.sender

You can add the command in www-data user’s Crontab file to automatically process emails.

sudo crontab -u www-data -e

Add the following line in the file to process emails every minute.

* * * * * /var/www/passbolt/bin/cake EmailQueue.sender

Save and close the file.

Troubleshooting

If you are trying to create a password but are stuck at the “take a deep breath and enjoy being in the present moment…” screen, it’s likely because there’s something wrong in your Apache or Nginx configuration file. If you copy the Apache/Nginx configuration from this article, you should have no problem creating passwords.

Wrapping Up

I hope this tutorial helped you install Passbolt on Ubuntu 18.04. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care 🙂

10 Responses to “How to Install Passbolt Password Manager on Ubuntu 18.04 Server”

  • vanhussen
    1 week ago

    [email protected]:/var/www/passbolt$ sudo -u www-data composer install –no-dev

    Cannot create cache directory /home/username/.composer/cache/repo/https—packagist.org/, or directory is not writable. Proceeding without cache
    Cannot create cache directory /home/username/.composer/cache/files/, or directory is not writable. Proceeding without cache

    Please help

    • vanhussen
      1 week ago

      [email protected]:/var/www/passbolt$ sudo gpg –list-keys –fingerprint | grep -i -B 2 ‘[email protected]

      gpg: WARNING: unsafe ownership on homedir ‘/home/username/.gnupg’
      pub rsa3072 2019-10-05 [SC] [expires: 2021-10-04]
      5D72 418A 3A4A B0EB 8D6C 93DD A3E3 185E 793A 977D
      uid [ultimate] IMRON HS

      [email protected]:/var/www/passbolt$

      Is that ok?

    • vanhussen
      1 week ago

      [email protected]:/var/www/passbolt/config$ gpg –armor –export-secret-keys [email protected] | sudo tee /var/www/passbolt/config/gpg/serverkey_private.asc > /dev/null
      gpg: WARNING: nothing exported

      [email protected]:/var/www/passbolt/config$

      any ideas?

    • You can ignore the first two warnings.

    • Regarding the 3rd warning, make sure you have generated a GPG key pair before exporting the key. You can list keys in the keyring with the following command.

      gpg --list-keys
      • vanhussen
        1 week ago

        Ok, now get error with:

        [email protected]:/var/www/passbolt$ sudo su -s /bin/bash -c “./bin/cake passbolt install –force” www-data
        PHP Warning: require(/var/www/passbolt/vendor/autoload.php): failed to open stream: No such file or directory in /var/www/passbolt/bin/cake.php on line 5
        PHP Fatal error: require(): Failed opening required ‘/var/www/passbolt/vendor/autoload.php’ (include_path=’.:/usr/share/php’) in /var/www/passbolt/bin/cake.php on line 5

        Please help

      • vanhussen
        7 days ago

        Ok friend, now everything is good. Thank you so much!

        My Passbolt:
        https://passbolt.rsudpbari.com

  • vanhussen
    2 days ago

    Hi friend, when I try to use:
    sudo -u www-data /var/www/passbolt/bin/cake EmailQueue.sender

    Get notification error:
    PHP Warning: Use of undefined constant yes – assumed ‘yes’ (this will throw an Error in a future version of PHP) in /var/www/passbolt/config/passbolt.php on line 73

    Why?
