How to Install Passbolt Password Manager on Ubuntu 20.04 Server

Passbolt is an open-source self-hosted password manager, which allows you to securely store and share login credentials of website, router password, Wi-Fi password, etc. This tutorial will be showing you how to install Passbolt Community Edition (CE) on Ubuntu 20.04 with Apache or Nginx web server.

Passbolt Features

  • Free & open source
  • Passwords are encrypted with OpenPGP, a proven cryptographic standard.
  • Browser extensions are available for Firefox and Google Chrome.
  • Easily share login credentials with your team without compromising security.
  • Clean, user-friendly interface.
  • Import and export passwords.
  • You can manually add login credentials.

Prerequisites of installing Passbolt on Ubuntu 20.04 Server

Passbolt is written in PHP and relies on MySQL/MariaDB database server. So you need to set up a LAMP stack or LEMP stack before installing Passbolt. If you prefer Apache web server, then set up LAMP stack.

If you prefer Nginx web server, then set up LEMP stack.

You also need a domain name, so you will be able to securely access Passbolt from anywhere with a web browser. I registered my domain name from NameCheap because the price is low and they give whois privacy protection free for life.

After the above requirements are met, follow the instructions below to install Passbolt.

Step 1: Download Passbolt onto Your Ubuntu 20.04 Server

If you go to the official website to download Passbolt, you are required to enter your name and email address. If that’s not what you like, then download the latest stable version from Github by executing the following commands on your server.

sudo apt install git

cd /var/www/

sudo git clone

The files will be saved in passbolt_api directory. We rename it to passbolt.

sudo mv passbolt_api passbolt

Then make the web server user (www-data) as the owner of this directory.

sudo chown -R www-data:www-data /var/www/passbolt

Run the following command to install PHP modules required or recommended by Passbolt

sudo apt install php-imagick php-gnupg php7.4-common php7.4-mysql php7.4-fpm php7.4-ldap php7.4-gd php7.4-imap php7.4-json php7.4-curl php7.4-zip php7.4-xml php7.4-mbstring php7.4-bz2 php7.4-intl php7.4-gmp php7.4-xsl

Then restart Apache. (If you use Nginx, you don’t need to restart Nginx.)

sudo systemctl restart apache2

Change directory.

cd /var/www/passbolt/

Install Composer – the PHP dependency manager.

sudo apt install composer

Create cache directory for Composer.

sudo mkdir /var/www/.composer

Make www-data as the owner.

sudo chown -R www-data:www-data /var/www/.composer

Use Composer to install dependencies.

sudo -u www-data composer install --no-dev

If it asks you to set folder permissions, choose Y.

Step 2: Create a MariaDB Database and User for Passbolt

Log into MariaDB console.

sudo mysql -u root

Next, create a new database for Passbolt using the following command. This tutorial names it passbolt, you can use whatever name you like for the database. We also specify utf8mb4 as the character set to support non-Latin characters and emojis.

CREATE DATABASE passbolt DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;

The following command will create a database user and password, and at the same time grant all permission of the new database to the new user so later on Passbolt can write to the database. Replace red texts with your preferred database name, username, and password.

GRANT ALL ON passbolt.* TO 'passboltuser'@'localhost' IDENTIFIED BY 'password';

Flush privileges table and exit MariaDB console.



Step 3: Generate OpenPGP Key

If you are using a VPS (Virtual Private Server), it’s recommended to install the haveged package to generate enough entropy.

sudo apt install haveged

The haveged.service will automatically start after installation. You can check its status with:

sudo systemctl status haveged

Then run the following command to generate a new key pair.

gpg --gen-key

You will be asked to enter your name and email address. If you are asked to set a passphrase, skip it by pressing the Tab key and selecting OK, because the php-gnupg module doesn’t support using passphrase at the moment.


Copy the private key to the passbolt configuration location. Replace [email protected] with the email address when generating the PGP key.

gpg --armor --export-secret-keys [email protected] | sudo tee /var/www/passbolt/config/gpg/serverkey_private.asc > /dev/null

And copy the public key as well.

gpg --armor --export [email protected] | sudo tee /var/www/passbolt/config/gpg/serverkey.asc > /dev/null

Initialize the www-data user’s keyring.

sudo su -s /bin/bash -c "gpg --list-keys" www-data

Step 4: Configure Passbolt

Make sure you are in /var/www/passbolt/ directory.

cd /var/www/passbolt/

Copy the sample configuration file to a production configuration file.

sudo cp config/passbolt.default.php config/passbolt.php

Edit the configuration file with a command line text editor, such as Nano.

sudo nano config/passbolt.php

First, find the following line.

'fullBaseUrl' => 'https://www.passbolt.test',

Replace the URL with your own URL, like Don’t forget to create DNS A record for this subdomain in your DNS record manager.

In the database configuration section, enter the database name, database username and password you created in step 2.

    // Database configuration.
    'Datasources' => [
        'default' => [
            'host' => 'localhost',
            //'port' => 'non_standard_port_number',
            'username' => 'user',
            'password' => 'secret',
            'database' => 'passbolt',

In the email configuration section,

  • Specify the SMTP hostname, port number, login credentials, so your passbolt can send emails. Usually you need to use port 587 to sumbit emails to remote SMTP server. Make sure you set tls to true, so the SMTP transaction will be encrypted.
  • Also set the From: email address and From name.
    // Email configuration.
    'EmailTransport' => [
        'default' => [
            'host' => '',
            'port' => 587,
            'username' => '[email protected]',
            'password' => 'secret',
            // Is this a secure connection? true if yes, null if no.
            'tls' => true,
            //'timeout' => 30,
            //'client' => null,
            //'url' => null,
    'Email' => [
        'default' => [
            // Defines the default name and email of the sender of the emails.
            'from' => ['[email protected]' => 'Passbolt'],
            //'charset' => 'utf-8',
            //'headerCharset' => 'utf-8',

To easily set up your own email server, please check out the following tutorial.

Note: If passbolt is installed on the same box as your mail server, then you don’t need to specify the username and password in the EmailTransport. Simply use // to comment out these two lines. The following screenshot shows a sample configuration for this scenario.

passbolt send email
In the gpg section, enter the GPG key fingerprint like below. You need to delete all whitespaces in the fingerprint.

'fingerprint' => '2FC8945833C51946E937F9FED47B0811573EE67E',

You can get your key fingerprint with the following command. Replace [email protected] with your email address when generating the PGP key pair.

gpg --list-keys --fingerprint | grep -i -B 2 '[email protected]'

passbolt gpg key fingerprint

After entering the fingerprint, uncomment the following two lines.

'public' => CONFIG . 'gpg' . DS . 'serverkey.asc',
'private' => CONFIG . 'gpg' . DS . 'serverkey_private.asc',

Save and close the file.

Step 5: Run the Install Script

Run the install script as the www-data user.

sudo su -s /bin/bash -c "./bin/cake passbolt install --force" www-data

During the installation, you will be asked to create an admin account.

install passbolt ubuntu

Once you create an account, you will be provided an URL to finish the installation in web browser. Before doing that, we need to configure the web server using Apache or Nginx.

Step 6: Create Apache Virtual Host or Nginx Config File for Passbolt


If you use Apache web server, create a virtual host for Passbolt.

sudo nano /etc/apache2/sites-available/passbolt.conf

Put the following text into the file. Replace with your real domain name and don’t forget to set DNS A record for it. Also note that the web root for Passbolt is /var/www/passbolt/webroot/, not /var/www/passbolt/.

<VirtualHost *:80>
  DocumentRoot /var/www/passbolt/webroot/

  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined

  <Directory />
    Options FollowSymLinks
    AllowOverride All

  <Directory /var/www/passbolt/>
    Options FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all


Save and close the file. Then enable this virtual host with:

sudo a2ensite passbolt.conf

Reload Apache for the changes to take effect.

sudo systemctl reload apache2


If you use Nginx web server, create a virtual host for Passbolt.

sudo nano /etc/nginx/conf.d/passbolt.conf

Put the following text into the file. Replace with your real domain name and don’t forget to set DNS A record for it. Also note that the web root for Passbolt is /var/www/passbolt/webroot/, not /var/www/passbolt/.

server {
   listen 80;
   listen [::]:80;

   root /var/www/passbolt/webroot/;
   error_log /var/log/nginx/passbolt.error;
   access_log /var/log/nginx/passbolt.access;

   index index.php index.html index.htm index.nginx-debian.html;

   location / {
     try_files $uri $uri/ /index.php?$query_string;

   location ~ \.php$ {
     # try_files $uri =404;
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
     # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

     fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
     fastcgi_index index.php;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     include fastcgi_params;

     fastcgi_buffer_size 128k;
     fastcgi_buffers 256 16k;
     fastcgi_busy_buffers_size 256k;
     fastcgi_temp_file_write_size 256k;

    # Don't log favicon
    location = /favicon.ico {
        log_not_found off;
        access_log off;

    # Don't log robots
    location = /robots.txt  {
        access_log off;
        log_not_found off;

    # Deny all attempts to access hidden files/folders such as .htaccess, .htpasswd, .DS_Store (Mac), etc...
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;

    # Deny all grunt, composer files
    location ~* (Gruntfile|package|composer)\.(js|json)$ {
        deny all;
        access_log off;
        log_not_found off;

     # A long browser cache lifetime can speed up repeat visits to your page
  location ~* \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
       access_log        off;
       log_not_found     off;
       expires           360d;

Save and close the file. Then test Nginx configuration.

sudo nginx -t

If the test is successful, reload Nginx for the changes to take effect.

sudo systemctl reload nginx

Step 7: Enabling HTTPS

To encrypt the HTTP traffic, we can enable HTTPS by installing a free TLS certificate issued from Let’s Encrypt. Run the following command to install Let’s Encrypt client (certbot) on Ubuntu 20.04 server.

sudo apt install certbot

If you use Nginx, then you also need to install the Certbot Nginx plugin.

sudo apt install python3-certbot-nginx

Next, run the following command to obtain and install TLS certificate.

sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email [email protected] -d

If you use Apache, install the Certbot Apache plugin.

sudo apt install python3-certbot-apache

And run this command to obtain and install TLS certificate.

sudo certbot --apache --agree-tos --redirect --hsts --staple-ocsp --email [email protected] -d


  • --nginx: Use the nginx plugin.
  • --apache: Use the Apache plugin.
  • --agree-tos: Agree to terms of service.
  • --redirect: Force HTTPS by 301 redirect.
  • --hsts: Add the Strict-Transport-Security header to every HTTP response. Forcing browser to always use TLS for the domain. Defends against SSL/TLS Stripping.
  • --staple-ocsp: Enables OCSP Stapling. A valid OCSP response is stapled to the certificate that the server offers during TLS.

The certificate should now be obtained and automatically installed.

passbolt ubuntu 20.04 https

Step 8: Finish Passbolt Installation in Web Browser

First, you need to install the Passbolt extension on your Firefox or Google Chrome browser.

Now copy the URL you got after running the install script and paste it in your browser’s address bar. You will see the web-based set up wizard. The first step is to make sure your domain and server key fingerprint are correct.


In the second step, simply click Next button to create a new key.


In the third step, create a passphrase.


Then download the encrypted secret key and store it at a safe place. This key can only be decrypted by using your passphrase.


In the 4th step, set a security token.

passbolt security token

Finally, you can login with your passphrase.


Now you can create password, import password from csv or kdbx file.

passbolt import passwords

Step 8: Set Up Cron Job to Automatically Send Emails

To send system emails, run the following command.

sudo -u www-data /var/www/passbolt/bin/cake EmailQueue.sender

You can add the command in www-data user’s Crontab file to automatically process emails.

sudo crontab -u www-data -e

Add the following line in the file to process emails every minute.

* * * * * /var/www/passbolt/bin/cake EmailQueue.sender

Save and close the file.

(Optional) Setting Up ModSecurity

You may also want to set up the ModSecurity web application firewall to protect your PHP web applications from hacking. If you use Apache web server on Debian/Ubuntu, then read the following tutorial.

If you use Nginx web server on Debian/Ubuntu, then read the following tutorial:


If you are trying to create a password, but are stuck at the “take a deep breath and enjoy being in the present moment…” screen, it’s likely because there’s something wroing in your Apache or Nginx configuration file. If you copy the Apache/Nginx configuration from the article, you should have no problem when creating password.

If you enabled ModSecurity web application firewall, and you see the Could not verify the server key error.

passbolt Could not verify the server key

then you need to add the following custom rule exclusion in ModSecurity.

SecRule REQUEST_URI "@streq /auth/verify.json?api-version=v2" "id:1060,phase:2,ctl:ruleRemoveById=942100"

And restart your web server.

sudo systemctl restart apache2


sudo systemctl restart nginx

Wrapping Up

I hope this tutorial helped you install Passbolt on Ubuntu 20.04. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care 🙂

Rate this tutorial
[Total: 0 Average: 0]

17 Responses to “How to Install Passbolt Password Manager on Ubuntu 20.04 Server

  • Hi,
    Thank you for the tuto. I can’t skip the passphrase when generating the key, is there a way to skip it ? If I press Enter or just select , it asks me again and again.
    Thank you !

    • It asked me twice to set a passphrase, and I skipped it twice. Then it proceeded to the next step.

      • Thank you, I already tried over 10 and it asks me to enter a passphrase, I can’t skip it. So I’m going to install Bitwarden_rs without Docker.

  • Hi I’m unable to skip the passphrase when I’m generating the key – will this cause a problem later on down – i noticed you mentioned that phpgpg doesn’t support this. However, I cannot find a way to skip this (tried to skip it many times).

  • Numerius
    10 months ago

    I have same problem. Cant skip can’t passphrase 🙁

  • SCP awsb
    9 months ago


    After activating a command:

    “sudo su -s /bin/bash -c “./bin/cake passbolt install –force” www-data”

    I get response:

    “bash: ./bin/cake: No such file or directory”

    Do I need something else? Maybe library? Or update/upgrade smth?
    Can’t really locate this directory on my machine…

  • And you don’t care about sharing your solution?

  • I really enjoy your website and the many self-hosted tutorials. However, I would love to see more tutorials using OpenLitespeed instead of Apache/Nginx.

    Keep up the good work!

  • Or we use the Ubuntu package and the installation/configuration of PHP and MariaDB is resumed in one command?

    sudo apt-get install passbolt-ce-server

    just saying

  • Concombre Masque
    2 months ago

    Just came here to say that the official method to install on Ubuntu is much easier (and better supported):

  • Michael Harris
    2 months ago

    good day,

    /var/www/passbolt$ sudo su -s /bin/bash -c “./bin/cake passbolt install -force” www-data
    results in the following error message:
    PHP parse error: syntax error, unexpected ‘base’ (T_STRING), expecting ‘]’ in /var/www/passbolt/config/passbolt.php on line 51

    the config file looks fine, can not find any error.
    any help would be appreciated

  • Why didnt work???

    [email protected]:/var/www/passbolt# sudo su -s /bin/bash -c “gpg –list-keys” www-data
    gpg: Fatal: can’t create directory ‘/var/www/.gnupg’: Permission denied

    Thanks for u work its amazing blog

Leave a Comment

  • Comments with links are moderated by admin before published.
  • Your email address will not be published.
  • Use <pre> ... </pre> HTML tag to quote the output from your terminal/console.
  • Please use the community ( for questions unrelated to this article.
  • I don't have time to answer every question. Making a donation would incentivize me to spend more time answering questions.

The maximum upload file size: 2 MB. You can upload: image. Links to YouTube, Facebook, Twitter and other services inserted in the comment text will be automatically embedded. Drop file here