Install and Configure Passbolt Team Password Manager on Ubuntu 20.04
Passbolt is a free, open-source, self-hosted and extensible password manager that helps you securely store and share login credentials, such as the passwords for a router, website, Wi-Fi network, and more. Unlike other password managers, it is focused on team usage rather than individuals. It is available in both community and paid editions. It offers many features; some of them are listed below:
- Provides Firefox and Google Chrome extensions.
- Uses OpenPGP to encrypt passwords.
- Simple and user-friendly web interface.
- Allows importing and exporting passwords.
- Allows adding login credentials manually.
In this tutorial, we will explain how to install Passbolt Password manager with Apache and Let's Encrypt on Ubuntu 20.04.
Prerequisites
- A server running Ubuntu 20.04.
- A valid domain name pointed to your server's IP address.
- A root password configured on the server.
Install LAMP Server
First, you will need to install Apache and MariaDB server in your system. You can install them with the following command:
apt-get install apache2 mariadb-server -y
After installing the above packages, you will also need to install PHP and other required packages in your system.
By default, Ubuntu 20.04 comes with PHP7.4 in its default repository. However, Passbolt does not support PHP7.4. So you will need to add the PHP repository in your system.
First, install required packages with the following command:
apt-get install software-properties-common gnupg -y
Next, add the PHP repository with the following command:
add-apt-repository ppa:ondrej/php --yes
Next, install the PHP version 7.3 with Composer and other required extensions with the following command:
apt-get install php7.3 php7.3-mysql libapache2-mod-php7.3 php7.3-intl php7.3-mbstring php7.3-gd php7.3-imagick php7.3-xml php7.3-common php7.3-curl php7.3-json php7.3-ldap php7.3-gnupg zlib1g unzip git composer curl -y
Once all the packages are installed, you can proceed to the next step.
Configure MariaDB Database
First, you will need to secure the MariaDB installation and set the MariaDB root password. You can do it with the following command:
mysql_secure_installation
This script will set the MariaDB root password, remove anonymous users, disallow root login remotely and remove test database and access to it as shown below:
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Set root password? [Y/n] Y
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y
Once the MariaDB is secured, log in to the MariaDB shell with the following command:
mysql -u root -p
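Provide your root password when prompted, then create a database and user for Passbolt with the following commands. Replace 'password' with a strong password of your own; the same value goes into the Passbolt configuration file later: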
MariaDB [(none)]> CREATE DATABASE passboltdb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
MariaDB [(none)]> GRANT ALL on passboltdb.* to passbolt@localhost identified by 'password';
Next, flush the privileges and exit from the MariaDB with the following command:
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> EXIT;
Once you are finished, you can proceed to the next step.
Download and Configure Passbolt
In this section, we will learn how to download and configure passbolt:
Download Passbolt
First, download the latest version of the Passbolt to the Apache web root directory with the following command:
mkdir /var/www/passbolt
git clone https://github.com/passbolt/passbolt_api.git /var/www/passbolt
Once downloaded, change the ownership of the passbolt to www-data with the following command:
chown -R www-data:www-data /var/www/
Next, change the directory to passbolt and install required dependencies with the following command:
cd /var/www/passbolt
sudo -u www-data composer install --no-dev
You should get the following output:
> Cake\Composer\Installer\PluginInstaller::postAutoloadDump
9 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
thadafinser/package-info: Generating class...
thadafinser/package-info: ...generating class
> App\Console\Installer::postInstall
Created `config/app.php` file
Created `/var/www/passbolt/logs` directory
Created `/var/www/passbolt/tmp/cache/models` directory
Created `/var/www/passbolt/tmp/cache/persistent` directory
Created `/var/www/passbolt/tmp/cache/views` directory
Created `/var/www/passbolt/tmp/sessions` directory
Created `/var/www/passbolt/tmp/tests` directory
Set Folder Permissions ? (Default to Y) [Y,n]? Y
Type Y and hit Enter to set the folder permissions.
Generate OpenPGP Key
Next, you will need to generate an OpenPGP key, which the server uses to authenticate and sign outgoing JSON requests. You can generate it with the following command:
cd /var/www/passbolt
gpg --full-generate-key
During the process, you will be asked for a passphrase. Simply press the Tab key, select OK and confirm that you don't want to set one, because the php-gnupg module doesn't support using a passphrase at the moment.
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Hitesh
Email address: [email protected]
Comment: Hi
You selected this USER-ID:
    "Hitesh (Hi) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 2DA8E7FB8E23B2FD marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/9622291A72D99A4EC78ABCB92DA8E7FB8E23B2FD.rev'
public and secret key created and signed.

pub   rsa4096 2020-07-25 [SC]
      D2394A45B7CBBAB7F00CC79B23D4750486780854
uid                      Hitesh (Hi) <[email protected]>
sub   rsa4096 2020-07-25 [E]
Please remember the above public key fingerprint as it will be needed later in the setup.
Next, export the public and private key to the '/var/www/passbolt' directory with the following commands:
gpg --armor --export-secret-keys [email protected] > /var/www/passbolt/config/gpg/serverkey_private.asc
gpg --armor --export [email protected] > /var/www/passbolt/config/gpg/serverkey.asc
Next, you will need to initialize the GPG keyring for the Apache user. You can do it with the following command:
sudo su -s /bin/bash -c "gpg --list-keys" www-data
You should get the following output:
gpg: directory '/var/www/.gnupg' created
gpg: keybox '/var/www/.gnupg/pubring.kbx' created
gpg: /var/www/.gnupg/trustdb.gpg: trustdb created
Configure Passbolt
First, copy the sample Passbolt configuration file with the following command:
cp /var/www/passbolt/config/passbolt{.default,}.php
Next, edit the Passbolt configuration file with the following command:
nano /var/www/passbolt/config/passbolt.php
Define your fullBaseUrl, database settings and public key fingerprint as shown below:
'fullBaseUrl' => 'https://passbolt.linuxbuz.com',

// Database configuration.
'Datasources' => [
    'default' => [
        'host' => 'localhost',
        //'port' => 'non_standard_port_number',
        'username' => 'passbolt',
        'password' => 'password',
        'database' => 'passboltdb',
    ],
],

'serverKey' => [
    // Server private key fingerprint.
    'fingerprint' => 'D2394A45B7CBBAB7F00CC79B23D4750486780854',
    'public' => CONFIG . 'gpg' . DS . 'serverkey.asc',
    'private' => CONFIG . 'gpg' . DS . 'serverkey_private.asc',
],
Save and close the file when you are finished.
If you don't remember your public key fingerprint, you can fetch it with the following command:
gpg --list-keys --fingerprint | grep -i -B 2 [email protected]
You should get the following output:
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   rsa4096 2020-07-25 [SC]
      D239 4A45 B7CB BAB7 F00C  C79B 23D4 7504 8678 0854
uid           [ultimate] Hitesh (Hi) <[email protected]>
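The server key is stored without a passphrase, so the file mode of serverkey_private.asc is its only protection, and the fingerprint in passbolt.php has to be the one of the exported key. The script below is an added example, not part of the original tutorial or of Passbolt; its function names are this example's own, and it assumes the paths used above and GNU stat.

```shell
#!/bin/sh
# Added example (not from the Passbolt project): checks for the server key
# created in this tutorial. Function names are this example's own.

# Print the primary-key fingerprint from `gpg --with-colons` output on stdin.
# The first "fpr" record belongs to the primary key; field 10 is the value.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Print the 'fingerprint' value from a passbolt.php file, skipping lines
# commented out with // and dropping spaces inside the value.
fpr_from_config() {
    sed -n -e '/^[[:space:]]*\/\//d' \
        -e "s/.*'fingerprint'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$1" |
        tr -d ' ' | head -n 1
}

# Succeed when $1 is 40 hex digits and equals $2, ignoring case.
fpr_match() {
    a=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    case $a in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Succeed when an octal mode such as 640 grants nothing to "other" users.
mode_hides_from_others() {
    case $1 in *0) return 0 ;; *) return 1 ;; esac
}

# Run both checks against a Passbolt tree (default: the tutorial's path).
# Uses GNU stat (-c), as shipped with Ubuntu.
check_passbolt_key() {
    root=${1:-/var/www/passbolt}
    key_fpr=$(gpg --show-keys --with-colons "$root/config/gpg/serverkey.asc" | fpr_from_colons)
    cfg_fpr=$(fpr_from_config "$root/config/passbolt.php")
    fpr_match "$key_fpr" "$cfg_fpr" ||
        { echo "fingerprint mismatch: key=$key_fpr config=$cfg_fpr" >&2; return 1; }
    mode=$(stat -c '%a' "$root/config/gpg/serverkey_private.asc")
    mode_hides_from_others "$mode" ||
        { echo "serverkey_private.asc has mode $mode: accessible to other local users" >&2; return 1; }
    echo "server key OK: $key_fpr"
}

# Only touch the system when asked to: sh thisfile check [passbolt-root]
if [ "${1:-}" = "check" ]; then check_passbolt_key "${2:-}"; fi
```

If the mode check fails, making www-data the owner of the two key files and removing access for other users (for example mode 440) resolves it while keeping the key readable by Apache.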
Configure Apache for Passbolt
Next, you will need to create an Apache virtual host configuration file for Passbolt. You can create it with the following command:
nano /etc/apache2/sites-available/passbolt.conf
Add the following lines:
<VirtualHost *:80>
    ServerName passbolt.linuxbuz.com
    DocumentRoot /var/www/passbolt
    ErrorLog ${APACHE_LOG_DIR}/passbolt_error.log
    CustomLog ${APACHE_LOG_DIR}/passbolt_access.log combined
    <Directory /var/www/passbolt/>
        Options FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
Save and close the file, then activate the virtual host and restart the Apache service with the following commands:
a2ensite passbolt
systemctl restart apache2
When you are finished, you can proceed to the next step.
Secure Passbolt with Let's Encrypt
In order to secure your website with Let's Encrypt SSL, you will need to install the Certbot client utility in your system to manage the SSL certificate.
You can install it with the following command:
apt-get install python3-certbot-apache -y
Once installed, run the following command to secure your website with Let's Encrypt SSL:
certbot --apache -d passbolt.linuxbuz.com
You will be asked to provide your email and accept the terms of service as shown below:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for passbolt.linuxbuz.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/passbolt-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/passbolt-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/passbolt-le-ssl.conf
Next, select whether or not to redirect HTTP traffic to HTTPS as shown below:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Type 2 and hit Enter to install the Let's Encrypt SSL for your website:
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/passbolt.conf to ssl vhost in /etc/apache2/sites-available/passbolt-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://passbolt.linuxbuz.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=passbolt.linuxbuz.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/passbolt.linuxbuz.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/passbolt.linuxbuz.com/privkey.pem
   Your cert will expire on 2020-10-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
At this point, your website is secured with Let's Encrypt SSL.
Install Passbolt
Next, you can install Passbolt by running the Passbolt installation script.
First, change the directory to /var/www/passbolt:
cd /var/www/passbolt
Next, run the Passbolt installation script with the following command:
sudo su -s /bin/bash -c "./bin/cake passbolt install --no-admin" www-data
Once the installation has been completed successfully, you should get the following output:
All Done. Took 1.6533s

Import the server private key in the keyring
---------------------------------------------------------------
Importing /var/www/passbolt/config/gpg/serverkey_private.asc
Keyring init OK

Passbolt installation success! Enjoy! ☮
Next, you will need to finalize the Passbolt setup from the browser. Open your web browser and visit the URL https://passbolt.linuxbuz.com. You should see the following screen:
Here, you will need to download and install a plugin for your browser. Click on Download the plugin to download and install the Passbolt plugin. Once installed, you can proceed to the next step.
Access Passbolt Web Interface
Before starting, you will need to create an admin user and set a password for Passbolt. You can do it with the following command:
cd /var/www/passbolt
sudo su -s /bin/bash -c "./bin/cake passbolt register_user -u [email protected] -f howtoforge -l Demo -r admin" www-data
You should get the following output:
Open source password manager for teams
---------------------------------------------------------------
User saved successfully.
To start registration follow the link provided in your mailbox or here:
https://passbolt.linuxbuz.com/setup/install/5bcfb186-3d9f-448f-8388-f705abd855c8/a2ba80dc-5ef2-433a-9138-11282747b377
Now, copy the link from the above output and use it to finalize the setup of Passbolt on the browser. You should see the following screen:
Confirm that the URL and GPG key fingerprint are okay and click on the Next button. You should see the following screen:
Provide Owner name, email and click on the Next button. You should see the following screen:
Set your password and click on the Next button. You should see the following screen:
Download your secret key and click on the Next button. You should see the following screen:
Set a security token and click on the Next button. You should see the following screen:
Provide your username, password and click on the login button. You should see the Passbolt dashboard in the following screen:
Conclusion
Congratulations! You have successfully installed the Passbolt password manager with Let's Encrypt SSL on an Ubuntu 20.04 server. You can now store and share your passwords with your teams and individual users. Feel free to ask me if you have any questions.