passbolt ubuntu 18.04
Ubuntu 18.04

Also need:


php + libraries
git – git-core – installed by default
make – needs to be installed
composer – needs to be installed
unzip – needs to be installed
SSL cert – already have


PassBolt is a super awesome open-source project using cakephp – along the lines of lastpass, but more like Thycoctic’s Secret Server with on-prem (ce and enterprise) as well as hosted solutions

They require a Pro account or higher to have access to install scripts and some support on various platforms. They do not support Ubuntu installs… so I thought it would be a perfect time to learn 18.04! Take a step back and figure out what it needs – from the source code install documentation, it requires a Web Server (nginx, apache, IIS if you want to develop a drinking problem) a Database (MariaDB or MySQL) PHP (7 with some pretty specific libraries which can be found for ubuntu if you know the correct repo to add + cakephp), SSL certificate (take a peek at my lets encrypt walkthrough for wildcard ssl) PassBolt itself, SMTP server (yes I know you can register users directly on the localhost… but that’s cheating) and then all the other random stuff (git, make, composer, unzip and I’m sure I’m missing one)

sudo apt-get install apache2

sudo apt-get install mariadb-server -y
#make sure it’s started
systemctl start mariadb
#harden mysql database

Add new mysql user because we don’t use root

$ mysql -u root -p
mysql > create database passbolt;
mysql > create user passbolt;
mysql > grant all on passbolt.* to ‘passbolt’@’localhost’ identified by ‘PAAAAAAAAAAAASSWORD’;
#if you want to remotely connect to the db – don’t forget to grant all on passbolt.* to ‘passbolt@ with the same password
mysql > flush privileges;
mysql > quit;

need to add php repo
sudo LC_ALL=C.UTF-8 add-apt-repository ppa:ondrej/php
sudo apt-get install php-intl
sudo apt-get install php-curl
sudo apt-get install php-xml
sudo apt-get install php-dom
sudo apt-get install php-imagick
sudo apt-get install php-mysql

sudo apt-get install php7.0-gd php7.0-intl php7.0-simplexml php7.0-curl php7.0-dom php7.0-mbstring -y

sudo apt-get install libgpgme11-dev php7.0-gnupg -y

systemctl restart apache2

Generate GPG key
had issues with generating a key without a passphrase – on the computer you are staring at now:
nano genkey-batch
Key-Type: default
Subkey-Type: default
Name-Real: Nate Emslander
Expire-Date: 0

run this to generate new key without a passphrase
gpg –batch –gen-key genkey-batch

set permissions on web server path for gpg export
sudo chown -R emzyadmin:emzyadmin /var/www/passbolt
gpg –armor –export-secret-keys > /var/www/passbolt/config/gpg/serverkey_private.asc

install composer
sudo apt-get install curl php-cli php-mbstring git unzip
* cd ~
* curl -sS -o composer-setup.php
sudo php composer-setup.php –install-dir=/usr/local/bin –filename=composer

$ composer

/ ____/___ ____ ___ ____ ____ ________ _____
/ / / __ \/ __ `__ \/ __ \/ __ \/ ___/ _ \/ ___/
/ /___/ /_/ / / / / / / /_/ / /_/ (__ ) __/ /
\____/\____/_/ /_/ /_/ .___/\____/____/\___/_/
Composer version 1.1.1 2016-05-17 12:25:44

command [options] [arguments]

-h, –help Display this help message
-q, –quiet Do not output any message
-V, –version Display this application version
–ansi Force ANSI output
–no-ansi Disable ANSI output
-n, –no-interaction Do not ask any interactive question
–profile Display timing and memory usage information
–no-plugins Whether to disable plugins.
. . .

sudo su -s /bin/bash “composer install” www-data

$ cd /var/www/passbolt
$ composer install

$ cp config/passbolt.default.php config/passbolt.php
$ nano config/passbolt.php


    ‘App’ => [

        ‘fullBaseUrl’ => ‘’,


    // Database configuration.

    ‘Datasources’ => [

        ‘default’ => [

            ‘host’ => ‘localhost’,

            ‘username’ => ‘passbolt’,

            ‘password’ => ‘your_password’,

            ‘database’ => ‘passbolt’,



    ‘passbolt’ => [

        ‘ssl’ => [

            ‘force’ => false,


        ‘gpg’ => [

            // Main server key.

            ‘serverKey’ => [

                // Server private key fingerprint.

                ‘fingerprint’ => ‘1C765F5273EC9AF56300BC6F6C76DA6B9F23C8BB’, #Absolutely fake – use your own one

                //’public’ => CONFIG . ‘gpg’ . DS . ‘serverkey.asc’,

                //’private’ => CONFIG . ‘gpg’ . DS . ‘serverkey_private.asc’,





Force SSL to be false for now – we need to configure HTTPS bindings with a non-snakeoil key/cert

Install Passbolt

$ ./bin/cake passbolt install

Check the health of passbolt

$ ./bin/cake passbolt healthcheck

Ta-Da! Just kidding – we need SMTP and HTTPS otherwise we can’t use it and it won’t be secure.

SMTP Setup

I cheated – I’m on comcast consumer – block outgoing 25 “to prevent spam generation”….

I used gmails smtp to send the initial activation emails from my gmail account

$nano config/passbolt.php

// Email configuration.

    ‘EmailTransport’ => [

        ‘default’ => [

            ‘host’ => ‘’,

            ‘port’ => 25,

            ‘username’ => ‘’,

            ‘password’ => ‘password’,

            // Is this a secure connection? true if yes, null if no.

            ‘tls’ => true,

            //’timeout’ => 30,

            //’client’ => null,

            //’url’ => null,



    ‘Email’ => [

        ‘default’ => [

            // Defines the default name and email of the sender of the emails.

            ‘from’ => [‘’ => ‘Passbolt’],

            //’charset’ => ‘utf-8’,

            //’headerCharset’ => ‘utf-8’,



#this will add a test email to the smtp queue
$ ./bin/cake passbolt send_test_email

#this will actually send it – it only sends when this command is called (by www-data) so add it to crontab
$ ./bin/cake EmailQueue.sender

* * * * * su -c “/var/www/passbolt/bin/cake EmailQueue.sender >> /var/log/passbolt.log” -s /bin/bash www-data

Dump SSL keys to passbolt server

Do it – then square up permissions

$ chown root:www-data /etc/ssl/certs/passbolt.crt
$ chown root:www-data /etc/ssl/certs/passbolt.key
$ chmod 640 /etc/ssl/certs/passbolt.crt
$ chmod 640 /etc/ssl/certs/passbolt.key

enable apache ssl, headers – enable default ssl site

$ a2enmod ssl
$ a2enmod headers
$ a2ensite default-ssl

#this is from passbolt’s documentation – I disagree with using the default conf
$ nano /etc/apache2/sites-enabled/default-ssl.conf

<IfModule mod_ssl.c>

    <VirtualHost _default_:443>

        ServerAdmin webmaster@localhost


        DocumentRoot /var/www/passbolt

        ErrorLog ${APACHE_LOG_DIR}/error.log

        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on

        SSLCertificateFile /etc/ssl/certs/passbolt.crt

        SSLCertificateKeyFile /etc/ssl/certs/passbolt.key

        <Directory /var/www/passbolt>

            Options FollowSymLinks

            AllowOverride All

            Require all granted



        <FilesMatch “\.(php)$”>

            SSLOptions +StdEnvVars


        BrowserMatch “MSIE [2–6]” \

          nokeepalive ssl-unclean-shutdown \

          downgrade-1.0 force-response-1.0

        BrowserMatch “MSIE [17–9]” ssl-unclean-shutdown



Restart Apache

$ systemctl reload apache2

change passbolt conf to force ssl

nano /var/www/passbolt/config/passbolt.php


‘App’ => [

    ‘fullBaseUrl’ => ‘’,



‘ssl’ => [

    ‘force’ => true,


Open Chrome/Firefox

Download the Passbolt Extension

Open and activate the passbolt invitation email – you have 24 hours to get all your other devices setup with this activation key.


Last note – there’s a command to force a reinstall / resend the activation email should you try to move forward without having smtp properly configured….

I just can’t remember it or find it – something along the lines of

$ ./bin/cake passbolt install –force


Author: Nathan Emslander