Debian 9 - Deploy Passbolt
Passbolt is an open source password manager for teams. It allows you to share/manage passwords with different groups of people. This is especially useful for organizations, rather than individuals.
Minimum Requirements
The documentation recommends the following minimum specs:
- 1 CPU Core
- 2 GB RAM
- 50GB Storage
At the time of writing this, a suitable VPS would cost you $10 a month on Digital Ocean.
Installation Steps
Set up database
sudo apt update && sudo apt install mariadb-server -y
sudo systemctl start mariadb
By default the database is not set up with a root password. Lets fix thiBY creating a random password for the root user.
ROOT_PASSWORD=`openssl rand -base64 14`
sudo mysql --user="root" --execute="GRANT ALL ON *.* to 'root'@'localhost' identified by '$ROOT_PASSWORD';"
echo "Your database's root password is: $ROOT_PASSWORD"
Feel free to run this additional step to perform some security operations such as delete the test database etc.
sudo mysql_secure_installation
Then execute the following snippet that will create a passbolt database for a passbolt user and give you the password.
PASSBOLT_PASSWORD=`openssl rand -base64 14`
mysql --user="root" --password="$ROOT_PASSWORD" --execute="CREATE DATABASE passbolt;"
mysql --user="root" --password="$ROOT_PASSWORD" --execute="GRANT ALL ON *.* TO 'passbolt'@'localhost' IDENTIFIED BY '$PASSBOLT_PASSWORD'"
echo "Your passbolt user's password is $PASSBOLT_PASSWORD"
Install Packages
sudo apt update && sudo apt-get install -y \
apache2 make git-core composer unzip g++ linux-headers-amd64 \
php7.0 php7.0-cli php7.0-common libapache2-mod-php7.0 \
php7.0-json php7.0-readline php7.0-mysqlnd libonig4 \
libqdbm14 php7.0-gd php7.0-intl php7.0-simplexml php7.0-curl \
php7.0-dom php7.0-mbstring libgpgme11-dev php7.0-gnupg composer
Configure Apache
Open up your Apache config file
sudo editor /etc/apache2/sites-enabled/000-default.conf
Replace it with the following contents.
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName passbolt.dev
DocumentRoot /var/www/passbolt
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /var/www/passbolt>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
passbolt.mydomain.com
Enable url rewriting in apache and restart it.
sudo a2enmod rewrite && sudo systemctl restart apache2
Download Passbolt
sudo chown -R $USER:www-data /var/www
cd /var/www
sudo git clone https://github.com/passbolt/passbolt_api.git ./passbolt
sudo chown $USER:www-data -R /var/www/passbolt
cd /var/www/passbolt
git checkout v2.4
For the next section, we need to set ownership of /var/www to www-data.
sudo chown www-data:www-data -R /var/www
Initialize the Webserver GPG Keyring
In order for passbolt authentication to work your server key needs to be in the keyring used by the web server.
In Debian 9, the home directory of the web server user www-data is /var/www and we need to give ownership of this folder to www-data, since it is not owned by default.
Unfortunately, generating GPG keys as the www-data is not as straightforward as you may hope. We need to make it so that we can SSH into the server as the www-data user.
SEARCH="www-data:/var/www:/usr/sbin/nologin"
REPLACE="www-data:/var/www:/bin/bash"
FILEPATH="/etc/passwd"
sudo sed -i "s;$SEARCH;$REPLACE;" $FILEPATH
Then we need to set a password for the www-data user:
sudo passwd www-data
After doing all that, logout of the server and then SSH in again with the www-data user.
ssh www-data@passbolt.mydomain.com
Generate your GPG key. Make sure not to set a passphrase.
gpg --full-gen-key
For the sake of the rest of the commands, put in the email you specified for the key in the previous step.
EMAIL="my.name@gmail.com"
Output the fingerprint of the key. We will need this later during the installation steps so make a note of it.
gpg --list-keys --fingerprint
It should be something like:
54C6 4738 18D7 DB06 A133 E453 6531 F684 FED9 15E3
However, when you copy it into the config later, you need to take out the spaces so it would look like:
54C6473818D7DB06A133E4536531F684FED915E3
Execute the following commands in order to have the keys put where passbolt is expecting them.
gpg --armor --export-secret-keys $EMAIL > /var/www/passbolt/config/gpg/serverkey_private.asc
gpg --armor --export $EMAIL > /var/www/passbolt/config/gpg/serverkey.asc
chmod 640 /var/www/passbolt/config/gpg/serverkey*
Composer Install
Install dependencies through composer.
cd /var/www/passbolt && composer install --no-dev
Now we need to configure passbolt...
cp config/passbolt.default.php config/passbolt.php
editor config/passbolt.php
Set the following:
- Application full base url (using http:// instead of https:// for now)
- Database configuration
- Server OpenPGP key fingerprint (you noted it down before)
Until you set up SSL, disable the forcing of ssl by adding the ssl section shown below just above the demo configuration.
...
'ssl' => [
'force' => false,
],
/**
* DEMO CONFIGURATION EXAMPLE
*
...
In that configuration file, you will see a section for the email configuration. By default it looks like this:
// Email configuration.
'EmailTransport' => [
'default' => [
'host' => 'localhost',
'port' => 25,
'username' => 'user',
'password' => 'secret',
// Is this a secure connection? true if yes, null if no.
'tls' => null,
//'timeout' => 30,
//'client' => null,
//'url' => null,
],
],
'Email' => [
'default' => [
// Defines the default name and email of the sender of the emails.
'from' => ['passbolt@mydomain.com' => 'Passbolt'],
//'charset' => 'utf-8',
//'headerCharset' => 'utf-8',
],
],
I recommend that you set up SMTP with either Google or AWS.
For google this would be:
// Email configuration.
'EmailTransport' => [
'default' => [
'transport' => 'Smtp',
'host' => 'smtp.gmail.com',
'port' => 587,
'username' => 'username@gmail.com',
'password' => 'xxxxxxxxx',
// Is this a secure connection? true if yes, null if no.
'tls' => true,
'timeout' => 30,
//'client' => null,
//'url' => null,
],
],
'Email' => [
'default' => [
// Defines the default name and email of the sender of the emails.
'from' => ['passbolt@mydomain.com' => 'Passbolt'],
//'charset' => 'utf-8',
//'headerCharset' => 'utf-8',
],
],
For AWS SES (europe) this would be:
// Email configuration.
'EmailTransport' => [
'default' => [
'transport' => 'Smtp',
'host' => 'email-smtp.eu-west-1.amazonaws.com',
'port' => 587,
'username' => 'xxxxxxxxxxxxxxxxxxxx',
'password' => 'xxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
// Is this a secure connection? true if yes, null if no.
'tls' => true,
'timeout' => 30,
//'client' => null,
//'url' => null,
],
],
'Email' => [
'default' => [
// Defines the default name and email of the sender of the emails.
'from' => ['passbolt@mydomain.com' => 'Passbolt'],
//'charset' => 'utf-8',
//'headerCharset' => 'utf-8',
],
],
At this point it would be a good idea to test your configuration with:
./bin/cake passbolt send_test_email --recipient=my.email@my.domain.com
Then check your email. If you didn't get an email, re-check your configuration.
Email Cron
Unfortunately, Passbolt does not immediately fire off emails, instead they get queued up and you have to set up a cron to fire them off. As the www-data user run:
crontab -e
Add the following line
* * * * * /var/www/passbolt/bin/cake EmailQueue.sender >> /var/log/passbolt.log
Migrations
Execute the following command to run migrations etc.
cd /var/www/passbolt
./bin/cake passbolt install
Finally, run a healthcheck to check that everything is fine:
./bin/cake passbolt healthcheck
You should get 1 error for not having set up https, we will sort that out another time.
Now navigate to your web browser to your server's domain.
Click the link to download the plugin.
Once you have installed the plugin, when you go back to your webserver's url, you need to click "recover your existing account".
HTTPS
Copy your certificates over to:
- /etc/ssl/certs/passbolt.crt
- /etc/ssl/certs/ca.crt
- /etc/ssl/certs/passbolt.key
Run the following commands as a non www-data user to set permissions on those certificate files.
sudo chown $USER:www-data /etc/ssl/certs/passbolt.crt
sudo chown $USER:www-data /etc/ssl/certs/ca.crt
sudo chown $USER:www-data /etc/ssl/certs/passbolt.key
chmod 640 /etc/ssl/certs/passbolt.crt
chmod 640 /etc/ssl/certs/ca.crt
chmod 640 /etc/ssl/certs/passbolt.key
Enable SSL in apache
sudo a2enmod ssl
sudo a2enmod headers
sudo a2ensite default-ssl
Now lets edit our apache SSL site configuration.
sudo vim /etc/apache2/sites-enabled/default-ssl.conf
Paste the following into it.
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
ServerName passbolt.dev
DocumentRoot /var/www/passbolt
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/passbolt.crt
SSLCertificateChainFile /etc/ssl/certs/ca.crt
SSLCertificateKeyFile /etc/ssl/certs/passbolt.key
<Directory /var/www/passbolt>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
<FilesMatch “\.(php)$”>
SSLOptions +StdEnvVars
</FilesMatch>
BrowserMatch “MSIE [2–6]” \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch “MSIE [17–9]” ssl-unclean-shutdown
</VirtualHost>
</IfModule>
Restart apache for the changes to take effect:
sudo systemctl reload apache2
Now let's configure passbolt to force https...
sudo vim /var/www/passbolt/config/passbolt.php
Find the ssl section we added and change it from false to true.
'ssl' => [
'force' => true,
],
Upgrading
- Please refer here.
References
- Passbolt Docs - Install passbolt from scratch on Debian 9 (Stretch)
- Passbolt Forums - How does passbolt securely share passwords?
First published: 25th October 2018