How To Install Passbolt Password Manager on Ubuntu 24.04 LTS

In this tutorial, we will show you how to install Passbolt Password Manager on Ubuntu 24.04 LTS. With the increasing number of online accounts and services, keeping track of complex passwords without compromising security presents a significant challenge. Passbolt offers an elegant solution to this problem, providing a robust, open-source password management system that emphasizes security and team collaboration. This comprehensive guide will walk you through the complete process of installing Passbolt Password Manager on Ubuntu 24.04 LTS, ensuring your passwords remain secure and accessible.

What is Passbolt Password Manager?

Passbolt is an open-source, self-hosted password manager specifically designed for teams and organizations. Unlike many commercial password managers that store your data on third-party servers, Passbolt gives you complete control by allowing you to host the solution on your own infrastructure. This approach significantly enhances security and privacy while providing flexible deployment options.

Passbolt uses strong security mechanisms, including GPG encryption, to protect sensitive credentials. The Community Edition (CE), which we’ll be installing in this guide, offers a comprehensive set of features at no cost. Passbolt CE includes:

• Team-based password sharing with fine-grained permissions
• GPG-based encryption for maximum security
• Self-hosting capabilities for complete data control
• Browser extensions for major browsers (Chrome, Firefox, Edge)
• API-driven architecture for integration with other systems
• User management features

The open-source nature of Passbolt ensures transparency and continuous improvement through community contributions, making it an excellent choice for security-conscious individuals and organizations.

Prerequisites for Installing Passbolt

Before beginning the installation process, ensure your system meets the following requirements:

• A fresh installation of Ubuntu 24.04 LTS
• Minimum system specifications:
  • 2 CPU cores
  • 2GB RAM (recommended for optimal performance)
  • At least 10GB of available storage space
• A domain name pointing to your server (e.g., passbolt.yourdomain.com)
• A non-root user with sudo privileges for security purposes
• Access to a working SMTP server for email notifications
• A properly configured NTP service to prevent GPG authentication issues
• Ports 80 and 443 open in your firewall for web access

It’s important to start with a clean Ubuntu 24.04 installation to avoid conflicts with existing services. The installation scripts could potentially interfere with other applications, so a dedicated server or VM is recommended.

Preparing Your Ubuntu 24.04 System

The first step is to update your system and install essential packages. This ensures that all system packages are current and that your server has the necessary tools for the installation process.

sudo apt update
sudo apt upgrade -y
sudo apt install -y curl gnupg unzip apt-transport-https wget software-properties-common

Next, configure your server’s firewall to allow the necessary connections. If you’re using UFW (Uncomplicated Firewall), enable it and allow SSH, HTTP, and HTTPS traffic:

sudo apt install -y ufw
sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

Setting the correct timezone and ensuring NTP is working properly is crucial to prevent GPG authentication issues:

sudo timedatectl set-timezone Your/Timezone
sudo apt install -y ntp
sudo systemctl enable ntp
sudo systemctl start ntp

Replace “Your/Timezone” with your actual timezone (e.g., “America/New_York” or “Europe/London”).

Installing Dependencies

Passbolt requires a web server, database server, and PHP to function properly. You can choose between the LAMP (Linux, Apache, MySQL, PHP) or LEMP (Linux, Nginx, MySQL, PHP) stack. We’ll cover both options:

Option 1: Setting Up LAMP Stack

Install Apache web server:

sudo apt install -y apache2
sudo systemctl enable apache2
sudo systemctl start apache2

Install MariaDB (a MySQL fork) for the database:

sudo apt install -y mariadb-server
sudo systemctl enable mariadb
sudo systemctl start mariadb

Secure your MariaDB installation:

sudo mysql_secure_installation

During this process, you’ll be prompted to:

• Set a root password (if not already set)
• Remove anonymous users
• Disallow root login remotely
• Remove test database and access
• Reload privilege tables

Install PHP and required extensions:

sudo apt install -y php php-cli php-common php-curl php-gd php-intl php-json php-mbstring php-mysql php-xml php-zip php-bcmath php-gnupg

Option 2: Setting Up LEMP Stack

Install Nginx web server:

sudo apt install -y nginx
sudo systemctl enable nginx
sudo systemctl start nginx

Install MariaDB as in the LAMP stack option.

Install PHP-FPM and required extensions:

sudo apt install -y php-fpm php-cli php-common php-curl php-gd php-intl php-json php-mbstring php-mysql php-xml php-zip php-bcmath php-gnupg

Configure PHP-FPM to work with Nginx by editing the www.conf file:

sudo nano /etc/php/8.2/fpm/pool.d/www.conf

Ensure the listen directive is set to use a Unix socket:

listen = /run/php/php8.2-fpm.sock

Also, verify that the group settings are correct:

listen.group = www-data

Save the file and restart PHP-FPM:

sudo systemctl restart php8.2-fpm

Additional dependencies for both stacks:

sudo apt install -y certbot python3-certbot-nginx

This installs Certbot for obtaining Let’s Encrypt SSL certificates.

Installing Passbolt Repository

Passbolt provides an official repository and setup script to simplify the installation process. Follow these steps to add the Passbolt repository to your system:

1. Download the Passbolt repository setup script:

   curl -LO https://download.passbolt.com/ce/installer/passbolt-repo-setup.ce.sh

2. Download the SHA512 checksum file for verification:

   curl -LO https://github.com/passbolt/passbolt-dep-scripts/releases/latest/download/passbolt-ce-SHA512SUM.txt

3. Verify the integrity of the script and execute it:

   sha512sum -c passbolt-ce-SHA512SUM.txt && sudo bash ./passbolt-repo-setup.ce.sh || echo "Bad checksum. Aborting" && rm -f passbolt-repo-setup.ce.sh

This command checks the script’s integrity before executing it. If the checksum verification fails, the script will not run, protecting you from potentially malicious modifications.

If you encounter GPG key errors during repository setup, you may need to manually import the key:

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys DE8B853FC155581D

Installing Passbolt CE

After successfully setting up the repository, you can install Passbolt Community Edition:

sudo apt update
sudo apt install passbolt-ce-server

During the installation, you’ll be prompted to configure several aspects of your Passbolt installation:

1. Database Configuration: You’ll need to provide database credentials:
   • Database name: typically ‘passbolt’
   • Database user: a dedicated user for Passbolt
   • Database password: a strong password for the database user
2. Web Server Configuration: Choose whether to automatically configure your web server (Apache or Nginx).
3. SSL Configuration: Decide whether to use SSL (highly recommended) and how to obtain certificates.

The installer will guide you through these steps with interactive prompts. For a more controlled installation, you can choose to handle certain configurations manually.

Database Configuration

If you chose not to let the installer configure the database automatically, you’ll need to set it up manually. Here’s how:

1. Log in to MySQL/MariaDB:

   sudo mysql -u root -p

2. Create a database and user for Passbolt:

   CREATE DATABASE passbolt_db;
   CREATE USER 'passbolt_user'@'localhost' IDENTIFIED BY 'StrongPassword';
   GRANT ALL PRIVILEGES ON passbolt_db.* TO 'passbolt_user'@'localhost';
   FLUSH PRIVILEGES;
   EXIT;

Be sure to replace ‘StrongPassword’ with a secure password of your choice. Store this password safely as you’ll need it during the Passbolt configuration.

Web Server Configuration

Depending on your choice of web server, you’ll need to configure it to serve Passbolt:

Apache Configuration

If you’re using Apache, create a virtual host configuration:

sudo nano /etc/apache2/sites-available/passbolt.conf

Add the following configuration, replacing “passbolt.yourdomain.com” with your actual domain:

<VirtualHost *:80>
    ServerName passbolt.yourdomain.com
    DocumentRoot /usr/share/php/passbolt
    
    <Directory /usr/share/php/passbolt>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    
    ErrorLog ${APACHE_LOG_DIR}/passbolt_error.log
    CustomLog ${APACHE_LOG_DIR}/passbolt_access.log combined
</VirtualHost>

Enable the virtual host and necessary Apache modules:

sudo a2ensite passbolt.conf
sudo a2enmod rewrite
sudo systemctl reload apache2

Nginx Configuration

For Nginx, create a server block configuration:

sudo nano /etc/nginx/sites-available/passbolt

Add the following configuration, replacing “passbolt.yourdomain.com” with your actual domain:

server {
    listen 80;
    server_name passbolt.yourdomain.com;
    
    root /usr/share/php/passbolt/webroot;
    index index.php;
    
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
    }
    
    location ~ /\.ht {
        deny all;
    }
}

Enable the configuration:

sudo ln -s /etc/nginx/sites-available/passbolt /etc/nginx/sites-enabled/
sudo systemctl reload nginx

SSL Configuration

For better security, obtain and configure SSL certificates. Let’s Encrypt provides free SSL certificates:

sudo certbot --nginx -d passbolt.yourdomain.com

Or, if you’re using Apache:

sudo certbot --apache -d passbolt.yourdomain.com

Follow the prompts to complete the SSL certificate setup. Certbot will automatically configure your web server to use the certificates.

Initial Passbolt Setup

After installing and configuring the server components, you need to perform the initial Passbolt setup:

1. Access the Passbolt health check to verify your installation:

   sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" www-data

   This command runs a comprehensive check of your Passbolt installation, verifying that all components are properly configured.

2. If you haven’t completed the installation setup during the package installation, run:

   sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt install --force" www-data

3. Visit your Passbolt URL in a web browser (https://passbolt.yourdomain.com).
4. You should see the Passbolt health check page, confirming that the environment is properly configured.
5. Click “Start Configuration” to proceed with the setup.

Setting Up Administrator Account

The next step is to create the first administrator user:

1. When prompted, provide the following information:
   • Email address (username)
   • First name
   • Last name
2. After submitting this information, you’ll receive a setup link either via email or displayed on the screen.
3. Click the setup link to continue the registration process.
4. Install the Passbolt browser extension when prompted. The setup wizard will detect your browser and provide the appropriate extension link.
5. Create a strong passphrase that will be used to encrypt your GPG key. This passphrase is crucial for accessing your account, so make sure it’s both secure and memorable.
6. Download the recovery kit when prompted. This is a critical backup file that contains information needed to recover your account if you lose access. Store it in a secure location.
7. Set up your security token by choosing a color and symbol. This token helps prevent phishing attacks by appearing whenever you enter your password.

Once these steps are completed, you’ll have access to the Passbolt dashboard as an administrator. From here, you can add users, create and share passwords, and configure additional settings.

Browser Extension Setup

The Passbolt browser extension is essential for accessing your passwords securely:

1. During the administrator setup, you should have already installed the extension for your browser.
2. If you need to install it for additional browsers, visit the extension store for your browser:
   • Chrome: Chrome Web Store
   • Firefox: Firefox Add-ons
   • Edge: Microsoft Edge Add-ons
3. Search for “Passbolt” and install the official extension.
4. After installation, the extension will guide you through the setup process.
5. If you’re setting up a new device, you’ll need your recovery kit or your private key and passphrase.
6. The extension will connect to your Passbolt server, allowing you to securely access and manage your passwords.

The browser extension handles the client-side encryption and decryption of your passwords, ensuring that sensitive data is never transmitted or stored in plaintext.

Security Best Practices

To maintain the security of your Passbolt installation, follow these best practices:

1. Regular Updates: Keep your Passbolt installation, Ubuntu system, and all components updated:

   sudo apt update && sudo apt upgrade

2. Backup Regularly: Create regular backups of your Passbolt data, especially:
   • The database
   • GPG keys in /etc/passbolt/gpg/
   • Configuration files in /etc/passbolt/
3. Firewall Configuration: Ensure your firewall only allows necessary connections.
4. Monitoring: Set up monitoring to detect unusual activities or attempts to access your server.
5. Strong Passwords: Use strong, unique passwords for all system accounts, especially database users.
6. Two-Factor Authentication: Enable 2FA for all Passbolt users when possible.
7. SSL/TLS: Maintain up-to-date SSL certificates and configure them properly.
8. User Management: Regularly review user accounts and remove access for users who no longer need it.

Implementing these practices will significantly enhance the security of your Passbolt installation and protect your stored passwords.

Additional Features and Customization

Passbolt offers various features and customization options:

1. Two-Factor Authentication: Enable 2FA to add an extra layer of security:

   sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt enable_plugin -p MfaAuthenticationPlugin" www-data

2. User Groups: Create and manage groups to simplify password sharing among teams.
3. API Integration: Passbolt provides a comprehensive API for integrating with other systems.
4. Email Notifications: Customize email templates and notification settings.
5. Theming: Customize the appearance of your Passbolt instance.
6. Password Policies: Set up password complexity requirements and expiration policies.
7. Command-Line Interface: Use the Passbolt CLI for automation and management tasks:

   sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt help" www-data

These features allow you to tailor Passbolt to your specific needs and workflows.

Troubleshooting Common Issues

If you encounter problems during installation or usage, here are some common issues and their solutions:

1. Repository Key Issues: If you see “NO_PUBKEY” errors:

   sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys DE8B853FC155581D

2. Database Connection Problems: Verify your database credentials in /etc/passbolt/passbolt.php.
3. Web Server Issues: Check web server logs:
   • Apache: /var/log/apache2/error.log
   • Nginx: /var/log/nginx/error.log
4. Permission Problems: Ensure proper ownership and permissions:

   sudo chown -R www-data:www-data /usr/share/php/passbolt
   sudo chmod -R 750 /usr/share/php/passbolt

5. GPG Key Errors: Verify GPG key permissions:

   sudo chown -R root:www-data /etc/passbolt/gpg
   sudo chmod -R 750 /etc/passbolt/gpg

6. Email Delivery Issues: Test your SMTP configuration:

   sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt send_test_email your_email@example.com" www-data

For more complex issues, consult the Passbolt documentation or community forums.

Upgrading and Maintenance

To keep your Passbolt installation secure and up-to-date, follow these maintenance practices:

1. Regular Updates: Update Passbolt regularly:

   sudo apt update
   sudo apt upgrade

2. Backup Before Upgrading: Always back up your data before upgrading:

   # Backup database
   mysqldump -u root -p passbolt_db > passbolt_backup.sql
   
   # Backup configuration
   sudo cp -r /etc/passbolt /etc/passbolt.bak

3. Check for Breaking Changes: Review the release notes before upgrading.
4. Test Upgrades: Consider testing upgrades in a staging environment first.
5. Monitor System Health: Regularly check system logs and run health checks:

   sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" www-data

6. Database Maintenance: Perform regular database maintenance:

   sudo mysql -u root -p -e "OPTIMIZE TABLE passbolt_db.*"

Following these maintenance practices will ensure your Passbolt installation remains secure, reliable, and performs optimally.

Congratulations! You have successfully installed Passbolt. Thanks for using this tutorial for installing the Passbolt open-source password manager on the Ubuntu 24.04 LTS system. For additional help or useful information, we recommend you check the official Passbolt website.