passbolt_docker

Get started with Passbolt CE using docker!

  • Owner: passbolt/passbolt_docker
  • License: GNU Affero General Public License v3.0


       ____                  __          ____          .-.
      / __ \____  _____ ____/ /_  ____  / / /_    .--./ /      _.---.,
     / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/     '-,  (__..-`       \
    / ____/ /_/ (__  |__  ) /_/ / /_/ / / /_          \               |
   /_/    \__,_/____/____/_,___/\____/_/\__/           `,.__.   ^___.-/
                                                         `-./ .'...--`
  The open source password manager for teams                `'
  (c) 2018 Passbolt SARL
  https://www.passbolt.com


What is passbolt?

Passbolt is a free and open source password manager that allows team members to
store and share credentials securely.

Requirements:

  • rng-tools or haveged is required on the host machine to speed up entropy generation in containers.
    This makes GPG key creation in the passbolt container faster.
  • mariadb/mysql >= 5.0

Usage

Users are encouraged to use the official Docker image from Docker Hub.

Start passbolt instance

Passbolt requires MySQL/MariaDB to be running. The following example uses the official
mariadb Docker image with the default passbolt credentials.

$ docker run -e MYSQL_ROOT_PASSWORD=<root_password> \
             -e MYSQL_DATABASE=<mariadb_database> \
             -e MYSQL_USER=<mariadb_user> \
             -e MYSQL_PASSWORD=<mariadb_password> \
             mariadb

Then you can start passbolt by providing the database container IP in the
DATASOURCES_DEFAULT_HOST environment variable.

$ docker run --name passbolt \
             -p 80:80 \
             -p 443:443 \
             -e DATASOURCES_DEFAULT_HOST=<mariadb_container_host> \
             -e DATASOURCES_DEFAULT_PASSWORD=<mariadb_password> \
             -e DATASOURCES_DEFAULT_USERNAME=<mariadb_user> \
             -e DATASOURCES_DEFAULT_DATABASE=<mariadb_database> \
             -e APP_FULL_BASE_URL=https://mydomain.com \
             passbolt/passbolt:develop-debian

Once the container is running, create your first admin user:

$ docker exec passbolt su -m -c "/var/www/passbolt/bin/cake passbolt register_user -u your@email.com -f yourname -l surname -r admin" -s /bin/sh www-data

This registration command returns a single-use URL that is required to continue the
setup in the web browser and finish the registration. Your passbolt instance should
then be available at https://yourdomain.com

Configure passbolt

Environment variables reference

The passbolt Docker image provides several environment variables to configure different aspects:

| Variable name | Description | Default value |
| ----------------------------------- | -------------------------------- | ------------------- |
| APP_BASE | Base subdirectory the application is running in | null |
| APP_FULL_BASE_URL | Passbolt base url | false |
| DATASOURCES_DEFAULT_HOST | Database hostname | localhost |
| DATASOURCES_DEFAULT_PORT | Database port | 3306 |
| DATASOURCES_DEFAULT_USERNAME | Database username | '' |
| DATASOURCES_DEFAULT_PASSWORD | Database password | '' |
| DATASOURCES_DEFAULT_DATABASE | Database name | '' |
| DATASOURCES_DEFAULT_SSL_KEY | Database SSL Key | '' |
| DATASOURCES_DEFAULT_SSL_CERT | Database SSL Cert | '' |
| DATASOURCES_DEFAULT_SSL_CA | Database SSL CA | '' |
| DATASOURCES_QUOTE_IDENTIFIER | Enable database quoting (needed for MySQL 8+) | false |
| EMAIL_TRANSPORT_DEFAULT_CLASS_NAME | Email classname | Smtp |
| EMAIL_DEFAULT_FROM | From email address | you@localhost |
| EMAIL_DEFAULT_TRANSPORT | Sets transport method | default |
| EMAIL_TRANSPORT_DEFAULT_HOST | Server hostname | localhost |
| EMAIL_TRANSPORT_DEFAULT_PORT | Server port | 25 |
| EMAIL_TRANSPORT_DEFAULT_TIMEOUT | Timeout | 30 |
| EMAIL_TRANSPORT_DEFAULT_USERNAME | Username for email server auth | null |
| EMAIL_TRANSPORT_DEFAULT_PASSWORD | Password for email server auth | null |
| EMAIL_TRANSPORT_DEFAULT_CLIENT | Client | null |
| EMAIL_TRANSPORT_DEFAULT_TLS | Set tls | null |
| EMAIL_TRANSPORT_DEFAULT_URL | Set url | null |
| GNUPGHOME | Path to gnupghome directory | /home/www-data/.gnupg |
| PASSBOLT_KEY_LENGTH | Gpg desired key length | 2048 |
| PASSBOLT_SUBKEY_LENGTH | Gpg desired subkey length | 2048 |
| PASSBOLT_KEY_NAME | Key owner name | Passbolt default user |
| PASSBOLT_KEY_EMAIL | Key owner email address | passbolt@yourdomain.com |
| PASSBOLT_KEY_EXPIRATION | Key expiration date | 0, never expires |
| PASSBOLT_GPG_SERVER_KEY_FINGERPRINT | GnuPG fingerprint | null |
| PASSBOLT_GPG_SERVER_KEY_PUBLIC | Path to GnuPG public server key | /var/www/passbolt/config/gpg/serverkey.asc |
| PASSBOLT_GPG_SERVER_KEY_PRIVATE | Path to GnuPG private server key | /var/www/passbolt/config/gpg/serverkey_private.asc |
| PASSBOLT_PLUGINS_EXPORT_ENABLED | Enable export plugin | true |
| PASSBOLT_PLUGINS_IMPORT_ENABLED | Enable import plugin | true |
| PASSBOLT_REGISTRATION_PUBLIC | Defines if users can register | false |
| PASSBOLT_SSL_FORCE | Redirects http to https | true |
| PASSBOLT_SECURITY_SET_HEADERS | Send CSP Headers | true |
| SECURITY_SALT | CakePHP security salt | SALT |

For more supported environment variables, please check default.php
and app.default.php
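
A pre-flight check for the variables listed above, as an added example that is not part of the passbolt_docker project: it lints a file meant for `docker run --env-file` against the defaults in the reference and flags values that weaken the deployment. The helper names, the sample values and the choice of checks are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from passbolt_docker): lint an env file before
# passing it to `docker run --env-file`. Helper names are hypothetical.

# Print KEY's value ($2) from env file $1, or the fallback $3 when unset.
env_get() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# Print one WARN line per weak setting; return 1 if any were found.
# Fallbacks are the defaults listed in the environment variables reference.
lint_passbolt_env() {
    f=$1; rc=0
    warn() { printf 'WARN %s\n' "$1"; rc=1; }

    case $(env_get "$f" APP_FULL_BASE_URL false) in
        https://*) ;;
        *) warn "APP_FULL_BASE_URL is not an https:// URL" ;;
    esac
    [ "$(env_get "$f" PASSBOLT_SSL_FORCE true)" = true ] ||
        warn "PASSBOLT_SSL_FORCE is off: http is not redirected to https"
    [ "$(env_get "$f" PASSBOLT_SECURITY_SET_HEADERS true)" = true ] ||
        warn "PASSBOLT_SECURITY_SET_HEADERS is off: CSP headers are not sent"
    [ "$(env_get "$f" PASSBOLT_REGISTRATION_PUBLIC false)" = false ] ||
        warn "PASSBOLT_REGISTRATION_PUBLIC is on: users can self-register"
    for k in PASSBOLT_KEY_LENGTH PASSBOLT_SUBKEY_LENGTH; do
        [ "$(env_get "$f" "$k" 2048)" -ge 2048 ] 2>/dev/null ||
            warn "$k is below 2048 bits or not a number"
    done
    for k in DATASOURCES_DEFAULT_PASSWORD SECURITY_SALT; do
        [ -n "$(env_get "$f" "$k" '')" ] || warn "$k is not set"
    done
    return "$rc"
}

# Constructed sample input: three deliberately weak values.
sample=$(mktemp)
cat > "$sample" <<'EOF'
APP_FULL_BASE_URL=http://passbolt.example.test
PASSBOLT_SSL_FORCE=false
PASSBOLT_KEY_LENGTH=1024
DATASOURCES_DEFAULT_PASSWORD=constructed-sample-value
SECURITY_SALT=constructed-sample-salt
EOF
lint_passbolt_env "$sample" || echo "resolve the findings before starting passbolt"
rm -f "$sample"
```

Keeping the values in an env file with restrictive permissions also keeps the database password out of the shell history and the process list, where `-e NAME=value` arguments would appear.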

Configuration files

What if you already have a set of GPG keys and custom configuration files for passbolt?
It is possible to mount the desired configuration files as volumes.

  • /var/www/passbolt/config/app.php
  • /var/www/passbolt/config/passbolt.php
  • /var/www/passbolt/config/gpg/serverkey.asc
  • /var/www/passbolt/config/gpg/serverkey_private.asc
  • /var/www/passbolt/webroot/img/public/images

SSL certificate files

It is also possible to mount an SSL certificate on the following paths:

  • /etc/ssl/certs/certificate.crt
  • /etc/ssl/certs/certificate.key

Database SSL certificate files

If database SSL certs are provided, you must mount the MySQL/MariaDB-specific configuration on the following paths:

  • /etc/mysql/conf.d # if using mysql
  • /etc/mysql/mariadb.conf.d/ #if using mariadb

Example:

[client]
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem

docker-compose

Usage:

$ docker-compose up

CLI healthcheck

To run the healthcheck from the CLI on the container:

$ su -c "source /etc/environment; bin/cake passbolt healthcheck" -s /bin/bash www-data

Requirements:

  • rng-tools or haveged is required on the host machine to speed up entropy generation in containers.
    This makes GPG key creation in the passbolt container faster.
  • mariadb/mysql >= 5.6

Key metrics

Overview
  • Name and owner: passbolt/passbolt_docker
  • Primary language: Shell
  • Languages: Shell (3 languages)
  • License: GNU Affero General Public License v3.0

Owner activity
  • Created: 2016-02-18 09:53:50
  • Last push: 2025-04-03 11:55:58
  • Last commit: 2025-04-03 11:53:37
  • Releases: 61
  • Latest release: 4.1.1 (released 2025-04-03 11:21:58)
  • First release: v1.4.0 (released 2017-04-27 11:13:34)

User engagement
  • Stars: 0.9k
  • Watchers: 26
  • Forks: 208
  • Commits: 773
  • Issues: 175
  • Open issues: 1
  • Pull requests: 39
  • Open pull requests: 2
  • Closed pull requests: 22