Introduction #
At AI Media Group, managing sensitive data securely is paramount. As our team grew, so did the complexity of managing passwords and credentials across various platforms and services. The solution? Implementing Passbolt, a self-hosted, open-source password manager tailored specifically for teams. In this post, I’ll walk you through how we successfully deployed Passbolt using Docker, highlighting the benefits and learning curves we encountered along the way.
Why Passbolt? #
Before diving into the technical details, it’s essential to understand why we chose Passbolt over other password management solutions. Our primary criteria were security, ease of use, and scalability. Passbolt stood out due to its open-source nature, offering transparency and robust security features. It is designed for teams, making it easy to share credentials securely within our organization. Moreover, being self-hosted, it provided us full control over our data.
Preparing for Deployment #
Passbolt Documentation #
Passbolt offers versatile deployment options suitable for various hosting preferences. Users can choose to self-host on a home server or within an on-premise infrastructure in a small business, or opt for cloud deployment hosted by Passbolt for ease and convenience. The platform features a free tier for self-hosting as well as paid tiers for enhanced services and managed hosting. To facilitate setup and troubleshooting, Passbolt provides comprehensive documentation, ensuring users can get up and running smoothly regardless of the chosen deployment method.
Visit Passbolt's WebsiteSystem Requirements #
We opted to deploy Passbolt on a virtual server running Debian 12. Here are the minimum requirements we ensured we had much more before starting:
- A server with Debian 12
- 2 cores from CPU
we used 8
- 2GB of RAM
we used 16GB
- 20GB of hard drive storage
we used 500GB
- Docker and Docker Compose installed
Installation of Docker and Docker Compose #
Firstly, we needed Docker and Docker Compose on our server. Docker simplifies deployment by containerizing the application and its environment.
Before installing Docker we need to update the server
sudo apt update && sudo apt upgrade -y
Install Docker and Dock er-Compose
sudo apt install docker.io docker-compose -y
To confirm docker is installed run:
docker --version
For more information on Docker and the work I have done with it view my Docker Project
Deploying Passbolt #
With Docker ready, deploying Passbolt was straightforward. We used the wget
command to retrieve the docker-compose-ce.yml
file from the
docs:
Make a new directory just for passbolt
sudo mkdir passbolt
cd passbolt
Add the files to the new directory called passbolt
wget https://download.passbolt.com/ce/docker/docker-compose-ce.yaml
wget https://github.com/passbolt/passbolt_docker/releases/latest/download/docker-compose-ce-SHA512SUM.txt
Ensure the file has not been corrupted by verifying its shasum
sha512sum -c docker-compose-ce-SHA512SUM.txt
The output should then be something similar to this: docker-compose-ce.yaml: OK
Change Variables in yaml file #
Original docker-compose-ce.yaml
file:
version: "3.9"
services:
db:
image: mariadb:10.11
restart: unless-stopped
environment:
MYSQL_RANDOM_ROOT_PASSWORD: "true"
MYSQL_DATABASE: "passbolt"
MYSQL_USER: "passbolt"
MYSQL_PASSWORD: "P4ssb0lt"
volumes:
- database_volume:/var/lib/mysql
passbolt:
image: passbolt/passbolt:latest-ce
#Alternatively you can use rootless:
#image: passbolt/passbolt:latest-ce-non-root
restart: unless-stopped
depends_on:
- db
environment:
APP_FULL_BASE_URL: https://passbolt.local
DATASOURCES_DEFAULT_HOST: "db"
DATASOURCES_DEFAULT_USERNAME: "passbolt"
DATASOURCES_DEFAULT_PASSWORD: "P4ssb0lt"
DATASOURCES_DEFAULT_DATABASE: "passbolt"
volumes:
- gpg_volume:/etc/passbolt/gpg
- jwt_volume:/etc/passbolt/jwt
command:
[
"/usr/bin/wait-for.sh",
"-t",
"0",
"db:3306",
"--",
"/docker-entrypoint.sh",
]
ports:
- 80:80
- 443:443
#Alternatively for non-root images:
# - 80:8080
# - 443:4433
volumes:
database_volume:
gpg_volume:
jwt_volume:
Variable | What to Change |
---|---|
restart |
Change this variable in db from unless-stopped to always this insures if crashed it will restart |
MYSQL_USER |
Create a username of your choice |
MYSQL_PASSWORD |
This is where you will input a password of your choice |
restart |
Change this variable in passbolt from unless-stopped to always this insures if crashed it will restart |
APP_FULL_BASE_URL |
Change this to your domain you will access this under |
DATASOURCES_DEFAULT_USERNAME |
Create a username of your choice |
DATASOURCES_DEFAULT_PASSWORD |
This is where you will input a password of your choice |
docker-compose-ce.yaml
to docker-compose.yaml
To change the filename simply rename it using mv
:
sudo mv docker-compose-ce.yaml docker-compose.yaml
Launching Passbolt #
After configuring docker-compose.yml
, starting Passbolt was as simple as running:
docker-compose up -d
ip add
Once running, we can confirm it is accessible through the browser at the specified URL we set.
Post-Deployment Configuration #
Now that Passbolt is up and running they ask you setup a SMTP email server for user registration and notifications. This setup is crucial as it handles all outgoing communications from Passbolt to its users, including registration links and notification alerts.
If you’re not ready to set up an SMTP server just yet, or if you prefer a more hands-on method, adding users via the command line is a great alternative. This method is particularly useful during initial setup phases or when managing a small number of users. Here’s how to do it:
Add your first user this is the account you will access passbolt on
docker exec -it passbolt_passbolt_1 su -m -c "/usr/share/php/passbolt/bin/cake passbolt register_user -u EMAIL -f FIRST NAME -l LAST NAME -r admin" -s /bin/sh www-data
Variable | What to Change |
---|---|
passbolt_passbolt_1 |
This is the name of your docker container only change this if yours is different |
EMAIL |
Change this to reflect the users email address |
FIRST NAME |
Change this to reflect the users first name |
LAST NAME |
Change this to reflect the users last name |
-r admin |
Add or remove this depending on if you want the user to have admin permissions |
Conclusion #
Deploying Passbolt has significantly improved our team’s ability to manage passwords securely and efficiently. The process was a learning curve, especially tweaking the configurations for optimal performance. Looking forward, we plan to explore more of Passbolt’s features, such as user groups and permissions, to further tailor the tool to our needs.
In conclusion, Passbolt has proven to be a robust solution for team-based password management. Deploying it using Docker streamlined the process, making it manageable and scalable. We recommend Passbolt to any team looking for a secure, self-hosted password management solution.