DEV Community

Cover image for Deploying Passbolt - An Open-Source Password Management Tool on Ubuntu 24.04
Sanskriti Harmukh for Vultr

Posted on with Aashish Chaurasiya • Originally published at docs.vultr.com

Deploying Passbolt - An Open-Source Password Management Tool on Ubuntu 24.04

Passbolt is an open-source password manager built around end-to-end encryption with OpenPGP and browser extensions for Chrome and Firefox. It supports login automation, role-based access control, and credential sharing across teams. This guide deploys Passbolt CE on Ubuntu 24.04 using the official APT installer, configures Nginx and Let's Encrypt during install, and walks through the web-based setup wizard. By the end, you'll have Passbolt managing encrypted credentials securely at your domain.

Prerequisite: Ubuntu 24.04 server (also works on Debian 12, Rocky Linux 9, Alma Linux 9 — see notes below), non-root sudo user, and a domain A record pointing at the server.


Open the Firewall

$ sudo ufw allow 80,443/tcp
Enter fullscreen mode Exit fullscreen mode

Install Passbolt CE (Ubuntu 24.04 / Debian 12)

1. Download the installer and the checksum file:

$ curl -LO https://download.passbolt.com/ce/installer/passbolt-repo-setup.ce.sh
$ curl -LO https://github.com/passbolt/passbolt-dep-scripts/releases/latest/download/passbolt-ce-SHA512SUM.txt
Enter fullscreen mode Exit fullscreen mode

2. Verify the installer checksum:

$ sha512sum -c passbolt-ce-SHA512SUM.txt
Enter fullscreen mode Exit fullscreen mode

3. Add the Passbolt repository:

$ sudo bash ./passbolt-repo-setup.ce.sh
Enter fullscreen mode Exit fullscreen mode

4. Install the server:

$ sudo apt install passbolt-ce-server
Enter fullscreen mode Exit fullscreen mode

Answer the interactive prompts:

  • Create a new database: Yes
  • Database admin username: root
  • Database admin password: (set a strong value)
  • Passbolt database user / password / name: create a dedicated user
  • Configure Nginx: Yes
  • SSL certificate option: Auto (Let's Encrypt)
  • Domain name: passbolt.example.com
  • Let's Encrypt email: your email

The installer issues a Let's Encrypt certificate, wires Nginx, and starts the application.


Install Passbolt CE (Rocky Linux 9 / Alma Linux 9)

$ curl -LO https://download.passbolt.com/ce/installer/passbolt-repo-setup.ce.sh
$ curl -LO https://github.com/passbolt/passbolt-dep-scripts/releases/latest/download/passbolt-ce-SHA512SUM.txt
$ sha512sum -c passbolt-ce-SHA512SUM.txt
$ sudo bash ./passbolt-repo-setup.ce.sh
$ sudo dnf install passbolt-ce-server
$ sudo /usr/local/bin/passbolt-configure
Enter fullscreen mode Exit fullscreen mode

Answer the prompts:

  • Install local MariaDB: 1
  • MariaDB root password / Passbolt DB user / password / DB name
  • Hostname: passbolt.example.com
  • SSL certificate generation: 2 (Auto)
  • Let's Encrypt email

Complete the Web Setup

  1. Open https://passbolt.example.com and click Get Started → Start configuration.
  2. Enter the database connection details (host localhost, the user, password, and database name from the install).
  3. Configure the server OpenPGP key (server name + email; keep RSA-DSA, 3072 bits).
  4. Set the full base URL and enable Force SSL.
  5. Configure SMTP (sender name, sender email, SMTP host, credentials).
  6. Create the administrator account (first name, last name, username).
  7. Set a strong passphrase and store it offline.
  8. Download the recovery kit when prompted — without it, the account is unrecoverable.
  9. Choose a security token color.
  10. Install the Passbolt browser extension when prompted.
  11. The dashboard loads, ready for credentials.

Create Folders and Credentials

  1. Dashboard → Create → Folder — name it (e.g. Infrastructure), save.
  2. Open the folder → Create → Password — enter name, URL, username, and the secret. Save.
  3. Browse to the matching login page — the extension autofills via the registered passphrase.

Next Steps

Passbolt is running with HTTPS at your domain. From here you can:

  • Invite team members from Users → Add user with per-role permissions
  • Configure single sign-on (SSO) with SAML or OIDC
  • Enable MFA (TOTP, YubiKey, DUO) for admin accounts
  • Schedule encrypted backups of /etc/passbolt/gpg plus the MySQL database

For the full guide with additional tips, visit the original article on Vultr Docs.

Top comments (0)