Passbolt CE is an open-source, end-to-end encrypted password manager built for teams, with browser extensions and a web interface for secure credential sharing. This guide deploys Passbolt with a MariaDB backend using Docker Compose, with Traefik handling automatic HTTPS, then registers the first administrator. By the end, you'll have Passbolt running securely at your domain with the first admin account ready.
Set Up the Directory Structure
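1. Create the project directory structure and hand the gpg directory to UID/GID 33, the www-data user that Passbolt runs as inside the container: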
$ mkdir -p ~/passbolt/{db,gpg,letsencrypt}
$ sudo chown -R 33:33 ~/passbolt/gpg
$ cd ~/passbolt
2. Create the environment file:
$ nano .env
DOMAIN=passbolt.example.com
LETSENCRYPT_EMAIL=admin@example.com
MYSQL_USER=passbolt
MYSQL_PASSWORD=STRONG_DB_PASSWORD
MYSQL_DATABASE=passbolt
Deploy with Docker Compose
1. Add your user to the Docker group (membership in this group grants root-equivalent access to the host):
$ sudo usermod -aG docker $USER
$ newgrp docker
2. Create the Docker Compose manifest:
$ nano docker-compose.yml
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    environment:
      DOCKER_API_VERSION: "1.44"
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--certificatesresolvers.le.acme.httpchallenge=true"
      - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.le.acme.email=${LETSENCRYPT_EMAIL}"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
  db:
    image: mariadb:latest
    container_name: passbolt-db
    restart: unless-stopped
    environment:
      - MYSQL_RANDOM_ROOT_PASSWORD=yes
      - MYSQL_DATABASE=${MYSQL_DATABASE}
      - MYSQL_USER=${MYSQL_USER}
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
    volumes:
      - ./db:/var/lib/mysql
  passbolt:
    image: passbolt/passbolt:latest-ce
    container_name: passbolt
    restart: unless-stopped
    depends_on:
      - db
    environment:
      - APP_FULL_BASE_URL=https://${DOMAIN}
      - DATASOURCES_DEFAULT_HOST=db
      - DATASOURCES_DEFAULT_USERNAME=${MYSQL_USER}
      - DATASOURCES_DEFAULT_PASSWORD=${MYSQL_PASSWORD}
      - DATASOURCES_DEFAULT_DATABASE=${MYSQL_DATABASE}
    volumes:
      - ./gpg:/etc/passbolt/gpg
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.passbolt.rule=Host(`${DOMAIN}`)"
      - "traefik.http.routers.passbolt.entrypoints=websecure"
      - "traefik.http.routers.passbolt.tls=true"
      - "traefik.http.routers.passbolt.tls.certresolver=le"
      - "traefik.http.services.passbolt.loadbalancer.server.port=80"
3. Start the services:
$ docker compose up -d
4. Verify the services are running:
$ docker compose ps
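The checks below are an added example, not part of the original guide or of Passbolt's own tooling: a POSIX shell preflight for the ~/passbolt directory built in the steps above. It confirms that .env and acme.json are private to their owner, that MYSQL_PASSWORD is no longer the STRONG_DB_PASSWORD placeholder, and that gpg/ belongs to UID 33, and it lists images on floating tags such as latest. The function names and the PREFLIGHT_DIR variable are assumptions made for this example.

```sh
# Added example: preflight checks for the ~/passbolt layout (function names are hypothetical).

# Succeeds when group and others have no permission bits on the path.
private_mode() {
    ls -ldn "$1" 2>/dev/null | awk '{print $1}' | grep -Eq '^.{4}-{6}'
}

# Prints the numeric owner uid of the path.
owner_uid() { ls -ldn "$1" 2>/dev/null | awk '{print $3}'; }

# Prints the value assigned to KEY ($2) in env file ($1); the last assignment wins.
env_value() { sed -n "s/^$2=//p" "$1" 2>/dev/null | tail -n 1; }

# Prints compose image references that float: no tag, or a tag starting with "latest".
floating_images() {
    sed -n 's/^[[:space:]]*image:[[:space:]]*//p' "$1" | tr -d "\"'" |
    while read -r ref; do
        case "${ref##*/}" in
            *@sha256:*) ;;                      # pinned by digest
            *:latest|*:latest-*) echo "$ref" ;; # floating tag
            *:*) ;;                             # explicit version tag
            *) echo "$ref" ;;                   # no tag resolves to latest
        esac
    done
}

# Checks project dir $1; $2 is the uid expected to own gpg/ (33 in this guide).
# Prints findings and returns the number of FAIL results as the exit status.
preflight() {
    dir=$1; want_uid=${2:-33}; fail=0
    private_mode "$dir/.env" ||
        { echo "FAIL .env is readable by group or others"; fail=$((fail + 1)); }
    [ "$(env_value "$dir/.env" MYSQL_PASSWORD)" != "STRONG_DB_PASSWORD" ] ||
        { echo "FAIL MYSQL_PASSWORD is still the placeholder"; fail=$((fail + 1)); }
    [ "$(owner_uid "$dir/gpg")" = "$want_uid" ] ||
        { echo "FAIL gpg/ is not owned by uid $want_uid"; fail=$((fail + 1)); }
    if [ -e "$dir/letsencrypt/acme.json" ]; then
        private_mode "$dir/letsencrypt/acme.json" ||
            { echo "FAIL acme.json (ACME account and certificate keys) is not private"; fail=$((fail + 1)); }
    fi
    for img in $(floating_images "$dir/docker-compose.yml"); do
        echo "WARN floating image tag: $img"
    done
    return "$fail"
}

# Runs only when asked: PREFLIGHT_DIR=~/passbolt sh preflight.sh
[ -z "${PREFLIGHT_DIR:-}" ] || preflight "$PREFLIGHT_DIR"
```

A WARN line does not affect the exit status; replacing a floating tag with a specific version or digest keeps a later `docker compose pull` from changing what runs.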
Create the First Administrator
Register the first admin account using Passbolt's CLI inside the container:
$ docker compose exec passbolt su -m -c "/usr/share/php/passbolt/bin/cake passbolt register_user -u admin@example.com -f FIRSTNAME -l LASTNAME -r admin" -s /bin/sh www-data
The command prints a one-time setup URL. Open it in a browser, install the Passbolt browser extension, and complete the account creation flow.
Next Steps
Passbolt is running and served securely over HTTPS. From here you can:
- Invite team members and organize credentials into shared groups
- Configure SMTP for invitation and notification emails
- Enable MFA (TOTP, YubiKey, or DUO) for admin and team accounts
For the full guide with additional tips, visit the original article on Vultr Docs.