Debian 9 - Deploy Passbolt
Passbolt is an open source password manager for teams. It allows you to share/manage passwords with different groups of people. This is especially useful for organizations, rather than individuals.
Minimum Requirements
The documentation recommends the following minimum specs:
- 1 CPU Core
- 2 GB RAM
- 50GB Storage
At the time of writing this, a suitable VPS would cost you $10 a month on Digital Ocean.
Installation Steps
Set up database
By default the database is not set up with a root password. Let's fix this by creating a random password for the root user.
Optionally, run the additional hardening step (typically mysql_secure_installation) that removes the test database and anonymous users and disables remote root login.
Then execute the following snippet, which creates a passbolt database and a passbolt user and prints the generated password.
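The database step above as one script, added here as an example rather than the post's own commands. It assumes MariaDB 10.1 as shipped with Debian 9, a local root login through the mysql client, and the names passbolt/passbolt for database and user (all of these are assumptions, adjustable via the arguments). It generates random passwords, sets the root password, and creates a user whose grants are limited to the passbolt database, so a compromised web application cannot reach other databases on the same server.

```shell
#!/bin/sh
# Added example, not the post's own commands: provision the passbolt
# database with a dedicated least-privilege user and random passwords.
# Assumptions: MariaDB 10.1 as shipped with Debian 9, reachable as the
# local root via the `mysql` client; the names "passbolt"/"passbolt" and
# the SQL below are ours, not passbolt's official installer.

set -eu

# Random password of $1 characters (default 32) drawn from /dev/urandom,
# restricted to [A-Za-z0-9] so it needs no quoting in SQL or PHP.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-32}"
}

# SQL that creates the database and a user that can touch only that
# database. Granting on "$db".* rather than *.* means a compromised web
# app cannot read or alter any other database on the server.
passbolt_sql() {
    db="$1"; user="$2"; pass="$3"
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER IF NOT EXISTS '$user'@'localhost' IDENTIFIED BY '$pass';
GRANT ALL PRIVILEGES ON \`$db\`.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Set a random root password, then create the passbolt database and user.
# Prints both passwords once; record the app password for passbolt.php.
# mysql_secure_installation (test database, anonymous users, remote root)
# remains a separate, optional step.
setup_database() {
    db="${1:-passbolt}"; user="${2:-passbolt}"
    root_pw="$(gen_password 32)"
    app_pw="$(gen_password 32)"
    # SET PASSWORD works on MariaDB 10.1; newer servers would use ALTER USER.
    mysql -u root -e "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('$root_pw');"
    passbolt_sql "$db" "$user" "$app_pw" | mysql -u root -p"$root_pw"
    echo "MariaDB root password: $root_pw"
    echo "passbolt database '$db', user '$user', password: $app_pw"
}

# Only touch the server when explicitly asked: sh setup-db.sh apply [db] [user]
case "${1:-}" in
    apply) setup_database "${2:-passbolt}" "${3:-passbolt}" ;;
esac
```

Run it as root with `sh setup-db.sh apply`; without the `apply` argument it only defines the functions, which makes the SQL easy to inspect first with `passbolt_sql passbolt passbolt test`.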
Install Packages
Configure Apache
Open up your Apache config file
Replace it with the following contents.
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName passbolt.dev
DocumentRoot /var/www/passbolt
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /var/www/passbolt>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
Replace passbolt.dev with your own hostname, for example passbolt.mydomain.com.
Enable URL rewriting (mod_rewrite) in Apache and restart it.
Download Passbolt
For the next section, we need to set ownership of /var/www to www-data.
Initialize the Webserver GPG Keyring
In order for passbolt authentication to work, your server key needs to be in the keyring used by the web server.
In Debian 9, the home directory of the web server user www-data is /var/www, and we need to give ownership of this directory to www-data, since by default it is owned by root.
Unfortunately, generating GPG keys as www-data is not as straightforward as you might hope. The approach taken here is to allow SSH logins as the www-data user (give it a login shell and a password). Be aware that this turns a service account into an interactive one: lock the password and restore the nologin shell once the key has been exported, or run the gpg commands as www-data via sudo instead of enabling a login.
Then we need to set a password for the www-data user:
After doing all that, log out of the server and SSH back in as the www-data user.
Generate your GPG key. Do not set a passphrase: the web server must use this key unattended, so the private key is protected by file permissions rather than a passphrase.
In the commands that follow, substitute the email address you gave when generating the key.
Output the fingerprint of the key and make a note of it; you will need it during the configuration steps.
It should be something like:
54C6 4738 18D7 DB06 A133 E453 6531 F684 FED9 15E3
However, when you copy it into the config later, you need to take out the spaces so it would look like:
54C6473818D7DB06A133E4536531F684FED915E3
Execute the following commands in order to have the keys put where passbolt is expecting them.
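The keyring steps above as one script, added here as an example and not part of the original post or of passbolt's installer. It avoids giving www-data a password or SSH login by running gpg as www-data through sudo (with -H so gpg uses /var/www/.gnupg), generates the key unattended with no passphrase, exports it to config/gpg/ where passbolt looks for it, and prints the fingerprint with the spaces already removed. The key name, the email and the /var/www/passbolt path are placeholders.

```shell
#!/bin/sh
# Added example, not the post's own commands: create the passbolt server
# OpenPGP key as www-data via sudo (no password or SSH login for www-data),
# export it where passbolt reads it, and print the fingerprint without spaces.
# Assumptions: GnuPG 2.x, www-data's home is /var/www and owned by www-data,
# passbolt lives in /var/www/passbolt; name and email are placeholders.

set -eu

PASSBOLT_DIR="${PASSBOLT_DIR:-/var/www/passbolt}"
KEY_NAME="${KEY_NAME:-Passbolt Server}"
KEY_EMAIL="${KEY_EMAIL:-passbolt@passbolt.dev}"   # placeholder; use your own

# Remove the spaces gpg prints in a fingerprint and require 40 hex digits,
# the form passbolt.php expects. Prints the result, fails on anything else.
normalize_fingerprint() {
    fpr="$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')"
    case "$fpr" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# Unattended key parameters. %no-protection means no passphrase: the web
# server has to use the key without anyone typing one, so the private key
# file's permissions are what protect it.
keygen_params() {
    cat <<EOF
%no-protection
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $1
Name-Email: $2
Expire-Date: 0
%commit
EOF
}

# Run a command as www-data with HOME=/var/www so gpg uses /var/www/.gnupg.
as_www() {
    sudo -u www-data -H "$@"
}

generate_server_key() {
    gpgdir="$PASSBOLT_DIR/config/gpg"
    as_www mkdir -p "$gpgdir"
    keygen_params "$KEY_NAME" "$KEY_EMAIL" | as_www gpg --batch --gen-key
    # Export the pair where passbolt expects it; the private half is
    # readable by www-data only.
    as_www sh -c "gpg --armor --export-secret-keys '$KEY_EMAIL' > '$gpgdir/serverkey_private.asc'"
    as_www sh -c "gpg --armor --export '$KEY_EMAIL' > '$gpgdir/serverkey.asc'"
    as_www chmod 600 "$gpgdir/serverkey_private.asc"
    as_www chmod 644 "$gpgdir/serverkey.asc"
    # Machine-readable listing: field 10 of the "fpr" record is the fingerprint.
    raw="$(as_www gpg --with-colons --fingerprint "$KEY_EMAIL" | awk -F: '$1=="fpr"{print $10; exit}')"
    echo "Server key fingerprint for passbolt.php:"
    normalize_fingerprint "$raw"
}

# Only generate when explicitly asked: sh passbolt-gpg.sh generate
case "${1:-}" in
    generate) generate_server_key ;;
esac
```

Run it as root with `KEY_EMAIL=you@example.com sh passbolt-gpg.sh generate`. The fingerprint it prints is already in the spaceless form the configuration file wants, and normalize_fingerprint rejects anything that is not exactly 40 hex digits, which catches a half-pasted value before passbolt does.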
Composer Install
Install dependencies through composer.
Now we need to configure passbolt...
Set the following:
- Application full base url (using http:// instead of https:// for now)
- Database configuration
- Server OpenPGP key fingerprint (you noted it down before)
Until you set up TLS, stop passbolt from forcing HTTPS by adding an ssl section with force set to false just above the demo configuration.
In that configuration file, you will see a section for the email configuration. By default it looks like this:
I recommend that you set up SMTP with either Google or AWS.
For Google this would be:
For AWS SES (Europe) this would be:
At this point it would be a good idea to test your configuration with:
Then check your email. If you didn't get an email, re-check your configuration.
Email Cron
Unfortunately, Passbolt does not send emails immediately; they are queued, and you have to set up a cron job to send them. As the www-data user, run:
Add the following line (the log file must exist and be writable by www-data, otherwise the redirect fails and the job never runs):
* * * * * /var/www/passbolt/bin/cake EmailQueue.sender >> /var/log/passbolt.log
Migrations
Execute the following command to run the database migrations and the rest of the installation:
Finally, run a healthcheck to check that everything is fine:
You should get one error, for HTTPS not being set up yet; the HTTPS section below takes care of that.
Now open your server's domain in a web browser.
Click the link to download the plugin.
Once you have installed the plugin and returned to your web server's URL, click "recover your existing account".
HTTPS
Copy your certificates over to:
- /etc/ssl/certs/passbolt.crt
- /etc/ssl/certs/ca.crt
- /etc/ssl/certs/passbolt.key
Run the following commands as root (not as www-data) to set ownership and permissions on those certificate files; the private key in particular must not be readable by other users.
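An added example of those permission commands, not the post's own, using the post's file paths (private keys conventionally live under /etc/ssl/private rather than /etc/ssl/certs; the paths are arguments so you can change them). Besides setting owner and modes it includes two checks worth running before restarting Apache: that the key is readable only by root, and that the certificate actually belongs to the key. It requires GNU stat and openssl, as on Debian.

```shell
#!/bin/sh
# Added example, not the post's own commands: set owner/modes on the TLS
# files at the post's paths and check them before restarting Apache.
# Assumptions: run as root on Debian (GNU stat, openssl available); the
# paths are the post's and can be passed as arguments instead.

set -eu

# Octal permission bits of a file (GNU coreutils stat).
file_mode() {
    stat -c '%a' "$1"
}

# Certificates are public (644); the key is readable by root only (600).
# Apache reads the key while still running as root, before its workers
# switch to www-data, so www-data never needs access to it.
set_cert_modes() {
    chmod 644 "$1" "$2"
    chmod 600 "$3"
}

# Ownership plus modes: the full step from the post, root-only.
secure_cert_files() {
    chown root:root "$1" "$2" "$3"
    set_cert_modes "$1" "$2" "$3"
}

# Check 1: the private key is not group- or world-accessible.
key_is_private() {
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Check 2: the certificate really belongs to the key (compare the public
# key embedded in the cert with the one derived from the private key).
cert_matches_key() {
    c="$(openssl x509 -noout -pubkey -in "$1")"
    k="$(openssl pkey -pubout -in "$2")"
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# sh cert-perms.sh apply [crt] [ca] [key]
case "${1:-}" in
    apply)
        crt="${2:-/etc/ssl/certs/passbolt.crt}"
        ca="${3:-/etc/ssl/certs/ca.crt}"
        key="${4:-/etc/ssl/certs/passbolt.key}"
        secure_cert_files "$crt" "$ca" "$key"
        key_is_private "$key" || { echo "key $key is still readable by others" >&2; exit 1; }
        cert_matches_key "$crt" "$key" || { echo "$crt does not match $key" >&2; exit 1; }
        echo "ok: $key is root-only and matches $crt"
        ;;
esac
```

A mismatched certificate and key is the most common reason Apache refuses to start after this step, and the mismatch check reports it before the restart rather than in the error log afterwards.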
Enable SSL in apache
Now let's edit our Apache SSL site configuration.
Paste the following into it.
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
ServerName passbolt.dev
DocumentRoot /var/www/passbolt
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/passbolt.crt
SSLCertificateChainFile /etc/ssl/certs/ca.crt
SSLCertificateKeyFile /etc/ssl/certs/passbolt.key
<Directory /var/www/passbolt>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
<FilesMatch "\.(php)$">
SSLOptions +StdEnvVars
</FilesMatch>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
Restart apache for the changes to take effect:
Now let's configure passbolt to force https...
Find the ssl section we added earlier and change force from false to true.
Upgrading
- Please refer here.
References
- Passbolt Docs - Install passbolt from scratch on Debian 9 (Stretch)
- Passbolt Forums - How does passbolt securely share passwords?
First published: 25th October 2018