Trying out Passbolt (with Docker)

I want to find a good (and not overly expensive) password management app for teams. I've decided to give Passbolt a try. If you just want to get it up and running to fool around in, the official docs have everything you need.

However, I've wanted a bit more control, and Passbolt's (and more to the point, its docker container's) docs are less than perfect, so here I'm documenting what I did. This should get you up and running - from a fresh Ubuntu 18.04 LTS installation to the point where you have a running Passbolt instance with a free Let's Encrypt cert. I went for the simplest option, so no docker-compose or swarm setup required

Notes and preparation

I use this setup to evaluate Passbolt. It's not necessarily production-ready. Also, the usual caveats about running a stranger's code you've found online apply, though to the best of my knowledge all of this works and is harmless.

I run the server in the Azure cloud. That means one important thing: The Ubuntu Firewall is turned off by default and Azure's FW is used. Configuration of the firewall is out of scope for this article. But the only thing you need to do is keep your ports for SSH, HTTP and HTTPS open.

More specifically, that means:

  • Port 22 so you can SSH into your VM to do the actual installation
  • Port 80 for HTTP. You shouldn't run Passbolt over plaintext HTTP, but you still need this port open for Let's Encrypt's Certbot to work.
  • Port 443 for HTTPS - here the actual Passbolt instance will be available.

In Azure, set Inbound security rules for your Network Security Group. If you're not in Azure, it's up to you. You might need to configure rules for Ubuntu Firewall. (Tip: if you're unsure whether it's active on your system, run sudo ufw status.)

So let's get to it.

Installation and configuration

Instead of a ton of superfluous text, have some annotated code. 😀

# Add the Fish, Docker and Certbot repositories.
sudo apt-add-repository -y ppa:fish-shell/release-2 
curl -fsSL | sudo apt-key add - 
sudo add-apt-repository "deb [arch=amd64] "$(lsb_release -cs)" stable"
sudo add-apt-repository ppa:certbot/certbot

# Install everything
sudo apt-get update
sudo apt-get install -y apt-transport-https ca-certificates curl software-properties-common rng-tools fish docker-ce docker-ce-cli mariadb-client nginx python-certbot-nginx

# Create and run the database container
docker run --name mariadbtest -e MYSQL_ROOT_PASSWORD=dbRootPassword -d --restart always mariadb/server:10.3

# Connect to the running MariaDB container
mysql -h -u root -p

Enter the dbRootPassword when prompted.
When you're connected to the DB, create a user and a database for Passbolt.

CREATE USER 'passbolt';
CREATE DATABASE passbolt CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
GRANT ALL PRIVILEGES ON passbolt.* TO passbolt@'%' IDENTIFIED BY 'dbUserPassword';

Next, let's set up nginx as a reverse proxy to terminate our SSL connections. (Seems to me there is a way to either make the Passbolt docker use an existing cert, or maybe to make it play along with certbot; but I've given it a while and thought I can make this work behind nginx quicker than if I wasted time fiddling with docker containers.)

Save this config to /etc/nginx/sites-available/

server {
    listen 443 default ssl;

    client_max_body_size 10m;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_redirect off;

Then in bash again:

cd /etc/nginx/sites-enabled/
sudo ln -s /etc/nginx/sites-available/ .  # Enable the site 
sudo nginx -t # Test the config. Do not continue if it shows errors!
sudo service nginx restart 

sudo certbot --nginx -d # Get the Let's Encrypt cert for your domain
sudo certbot renew --dry-run # You can run this to check everything's worked

Now for the actual Passbolt.


  • You can skip the EMAIL settings, but I think Passbolt is way less usable without working mail notifications. If you're not using TLS, skip the EMAIL_TRANSPORT_DEFAULT_TLS.
  • I'm changing the default ports so they aren't exposed. We want our traffic to only go through nginx which will proxy requests to Passbolt.
  • Mind the EMAIL_TRANSPORT_DEFAULT_TLS. By default it's turned off, so Passbolt doesn't send any data unencrypted. This will enable it on the port 80 as well. Nginx accepts a secured connection and then forwards the request to Passbolt on port 40080, which is mapped to the container's internal HTTP port, 80.
docker run --name passbolt  -p 40080:80  -p 40443:443  -e DATASOURCES_DEFAULT_HOST=  -e DATASOURCES_DEFAULT_PASSWORD=dbUserPassword  -e DATASOURCES_DEFAULT_USERNAME=passbolt  -e DATASOURCES_DEFAULT_DATABASE=passbolt  -e APP_FULL_BASE_URL= -e -e -e -e EMAIL_TRANSPORT_DEFAULT_PASSWORD=mailUserPassword -e EMAIL_TRANSPORT_DEFAULT_TLS=true -e PASSBOLT_SSL_FORCE=false -d --restart always  passbolt/passbolt

When everything is up and running, register your first user by executing:

docker exec passbolt su -m -c "/var/www/passbolt/bin/cake passbolt register_user -u -f Name -l Surname -r admin" -s /bin/sh www-data

Then just follow on-screen instructions: you will be told to open a URL and complete the registration there.

If everything went well, you should have a working Passbolt site now.