Setup Passbolt

Note

I ended up using BitWarden instead...

Passbolt is an open source password manager: https://github.com/passbolt.

You'll need a MySQL server to run Passbolt.

Note

This guide does not set up HTTPS, so Passbolt will run in "unsafe mode" (the extension warns about it, and the session and every secret you paste travel in clear text on the wire); treat it as an evaluation setup only. I suggest you use Traefik & Let's Encrypt.

MySQL

This uses my mysql-basic-auth patched container... see MySQL Docker Setup.

docker volume create passbolt_mysql

docker run -d --name passbolt-mysql \
  -e MYSQL_RANDOM_ROOT_PASSWORD=true \
  -e MYSQL_ONETIME_PASSWORD=true \
  --mount src=passbolt_mysql,dst=/var/lib/mysql/ \
  mysql-basic-auth

Inspect the logs for the generated root password, log in with it and reset it (MYSQL_ONETIME_PASSWORD marks root as expired, so the ALTER USER has to be the first statement of the session), then create the passbolt database and user:

sleep 10
docker logs passbolt-mysql 2>&1 | grep 'GENERATED ROOT PASSWORD:'
docker exec -it passbolt-mysql mysql -u root -p

Then at the mysql> prompt (put real passwords in here; ${NEW_PASS} and ${PASSWORD} are placeholders and shell variables do not expand inside the client):

ALTER USER 'root'@'localhost' IDENTIFIED BY '${NEW_PASS}';

CREATE USER 'passbolt'@'%' IDENTIFIED BY '${PASSWORD}';
CREATE DATABASE `passbolt`;
GRANT ALL PRIVILEGES ON `passbolt`.* TO 'passbolt'@'%';

The '%' host wildcard is tolerable only because passbolt-mysql publishes no ports; anything else on the same Docker bridge can still reach it, so don't reuse this grant on a shared network.

Passbolt

Note

${HOSTNAME} must be a full and valid domain name (a bare host name or an IP address will not do)... see this. Beware that bash fills HOSTNAME with the machine's own, usually short, name automatically, so export it explicitly before running the commands below or the setup link in the registration mail will point at the wrong place.

docker volume create passbolt_img
docker volume create passbolt_gpg

docker run -it --name passbolt \
  --link passbolt-mysql \
  -p ${PORT}:80/tcp \
  -e APP_FULL_BASE_URL=http://${HOSTNAME}:${PORT} \
  -e DATASOURCES_DEFAULT_HOST=passbolt-mysql \
  -e DATASOURCES_DEFAULT_USERNAME=passbolt \
  -e DATASOURCES_DEFAULT_PASSWORD=${PASSWORD} \
  -e DATASOURCES_DEFAULT_DATABASE=passbolt \
  --mount src=passbolt_img,dst=/var/www/passbolt/webroot/img/ \
  --mount src=passbolt_gpg,dst=/var/www/passbolt/config/gpg/ \
  passbolt/passbolt:latest

Once up and running, detach with ^P, ^Q (or start it with -d instead of -it). --link is a legacy Docker feature; a user-defined network gives the same passbolt-mysql name resolution if you prefer.

Register Your First User

docker exec -u www-data passbolt \
  /var/www/passbolt/bin/cake passbolt register_user \
  -u ${EMAIL} \
  -f ${FIRSTNAME} -l ${LASTNAME} \
  -r admin

Follow the provided link, install the browser extension, and continue setup from there.
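The whole procedure so far (MySQL bootstrap, Passbolt container, first admin) as one script, added here as an example; it is neither the page author's nor the Passbolt project's code. It assumes the mysql-basic-auth image prints "GENERATED ROOT PASSWORD:" like the official mysql image, that docker is on PATH, and that HOSTNAME, PORT, NEW_PASS, PASSWORD, EMAIL, FIRSTNAME and LASTNAME are exported first. The containers are started with -d rather than -it, the SQL is made idempotent and both passwords are escaped before they are interpolated into it, and the host name is checked against an FQDN pattern so the bash HOSTNAME pitfall is caught before anything is created. It still uses plain HTTP ("unsafe mode").

```shell
#!/bin/sh
# Added example (not from the page author or the Passbolt project): the MySQL
# and Passbolt steps above as one script. Assumptions: mysql-basic-auth logs
# "GENERATED ROOT PASSWORD:" like the official mysql image, docker is on PATH,
# and HOSTNAME, PORT, NEW_PASS, PASSWORD, EMAIL, FIRSTNAME and LASTNAME are
# exported before running it. Still plain HTTP ("unsafe mode").
set -eu

# Escape a value for a single-quoted MySQL string literal ('' and \\).
sql_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# APP_FULL_BASE_URL needs a real domain: dotted labels of letters, digits and
# hyphens, no leading/trailing hyphen, alphabetic TLD. Rejects "localhost",
# IP addresses and the short name bash puts in HOSTNAME by default.
is_fqdn() {
  printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# Pull the one-time root password out of container log text on stdin.
generated_root_password() {
  sed -n 's/.*GENERATED ROOT PASSWORD: *//p' | head -n 1
}

# Poll the container logs for up to a minute; print the password or fail.
wait_for_root_password() {
  _i=0
  while [ "$_i" -lt 30 ]; do
    _pw=$(docker logs "$1" 2>&1 | generated_root_password)
    if [ -n "$_pw" ]; then printf '%s' "$_pw"; return 0; fi
    _i=$((_i + 1)); sleep 2
  done
  echo "no GENERATED ROOT PASSWORD in logs of $1" >&2
  return 1
}

# The SQL from the page, idempotent and with both passwords escaped.
# ALTER USER must come first: MYSQL_ONETIME_PASSWORD marks root as expired.
bootstrap_sql() {
  _root=$(sql_escape "$1"); _app=$(sql_escape "$2")
  cat <<EOF
ALTER USER 'root'@'localhost' IDENTIFIED BY '${_root}';
CREATE DATABASE IF NOT EXISTS \`passbolt\`;
CREATE USER IF NOT EXISTS 'passbolt'@'%' IDENTIFIED BY '${_app}';
GRANT ALL PRIVILEGES ON \`passbolt\`.* TO 'passbolt'@'%';
EOF
}

setup_passbolt() {
  is_fqdn "$HOSTNAME" || { echo "HOSTNAME='$HOSTNAME' is not a full domain name" >&2; return 1; }

  docker volume create passbolt_mysql >/dev/null
  docker run -d --name passbolt-mysql \
    -e MYSQL_RANDOM_ROOT_PASSWORD=true -e MYSQL_ONETIME_PASSWORD=true \
    --mount src=passbolt_mysql,dst=/var/lib/mysql/ mysql-basic-auth >/dev/null
  _gen=$(wait_for_root_password passbolt-mysql)

  # The entrypoint restarts mysqld after printing the password, so retry the
  # bootstrap until the server accepts the (expired) generated password.
  # --connect-expired-password is what a non-interactive client needs here.
  _try=0
  until bootstrap_sql "$NEW_PASS" "$PASSWORD" | docker exec -i passbolt-mysql \
        mysql -u root --password="$_gen" --connect-expired-password >/dev/null 2>&1; do
    _try=$((_try + 1)); [ "$_try" -lt 30 ] || { echo "mysql bootstrap failed" >&2; return 1; }
    sleep 2
  done

  docker volume create passbolt_img >/dev/null
  docker volume create passbolt_gpg >/dev/null
  docker run -d --name passbolt --link passbolt-mysql -p "${PORT}:80/tcp" \
    -e APP_FULL_BASE_URL="http://${HOSTNAME}:${PORT}" \
    -e DATASOURCES_DEFAULT_HOST=passbolt-mysql \
    -e DATASOURCES_DEFAULT_USERNAME=passbolt \
    -e DATASOURCES_DEFAULT_PASSWORD="$PASSWORD" \
    -e DATASOURCES_DEFAULT_DATABASE=passbolt \
    --mount src=passbolt_img,dst=/var/www/passbolt/webroot/img/ \
    --mount src=passbolt_gpg,dst=/var/www/passbolt/config/gpg/ \
    passbolt/passbolt:latest >/dev/null

  # register_user fails until the container has run its migrations; retry.
  # On success it prints the one-time setup URL for the browser extension.
  _try=0
  until docker exec -u www-data passbolt /var/www/passbolt/bin/cake passbolt register_user \
        -u "$EMAIL" -f "$FIRSTNAME" -l "$LASTNAME" -r admin; do
    _try=$((_try + 1)); [ "$_try" -lt 60 ] || { echo "register_user failed" >&2; return 1; }
    sleep 5
  done
}

# Only touch docker when invoked as: sh setup-passbolt.sh run
if [ "${1:-}" = run ]; then setup_passbolt; fi
```

Run it as `sh setup-passbolt.sh run`; without the argument it only defines the functions, which is handy for sourcing the helpers (is_fqdn, bootstrap_sql) into an interactive shell. The setup URL printed by register_user is single-use, so copy it straight into the browser that will hold the key.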

You'll need to:

  • Provide a valid GPG encryption key
    • See add subkey
    • "RSA (encrypt only)" worked for me
  • Remember a "Security Token", i.e. a colour and three characters
    • The extension shows it every time it asks for your passphrase; it is proof that the prompt comes from the extension and not from a web page imitating it, so never type the passphrase into a dialog that does not show your token

Remember, the "passphrase" you are prompted for is the one that unlocks the GPG key you generated or provided, not your Passbolt account password.

IMPORTANT: The user's GPG private key is stored only in the browser extension (the server holds just the public key)... therefore you must back it up and keep it safe, or the secrets encrypted to it are gone with the browser profile. Back up the passbolt_gpg volume as well: it holds the server's key pair, which the instance cannot run without.