Complete Guide: Install Passbolt on Debian step by step

Prerequisites and preparation for installing Passbolt on Debian 13

Installing Passbolt on a Debian 13 server requires careful preparation and knowledge of the essential components to ensure a successful setup. Passbolt is an open-source solution dedicated to secure team password management, based on OpenPGP to provide robust encryption. Before starting, it is important to ensure that the Debian system is up-to-date and ready to host this demanding application.

First, connect to your Debian 13 machine via the command line with an account that has sudo privileges or root access. Mastering the command line is essential to follow this tutorial and correctly apply each step.

A key element of this installation is the `curl` tool, used to download files from the internet. Debian does not install curl by default, so it must be installed first:

  • `apt-get update`: updates the list of available packages.
  • `apt-get install curl`: installs curl on the system.

  • Passbolt also requires the installation of MariaDB, which will serve as the local database, and Nginx as the web server.
  • Another essential preliminary step is making sure the server can present a trusted TLS certificate, since security is central to using Passbolt. While it is possible to add a certificate later, a properly managed TLS certificate establishes trust and prevents communications between users and the server from being intercepted.

Furthermore, the Debian 13 environment should have at least 2 GB of RAM for smooth operation, especially if multiple users will be accessing the manager simultaneously. In terms of disk space, approximately 10 gigabytes is recommended for storing databases and backups.

Finally, here’s a list of prerequisites for a smooth installation:

  • Up-to-date Debian 13 accessible via SSH.
  • Root account or user with sudo privileges.
  • Curl installed.
  • MariaDB and Nginx installed and reachable on the server.
  • Domain name or public/private IP address configured for server access.
  • Terminal access and basic knowledge of Linux server administration.
  • A data backup strategy.

This list forms the foundation for a complete Passbolt installation, a step towards greater autonomy through open source and total control over your password security.

Detailed procedure for installing Passbolt on a Debian server: adding repositories and installation

Passbolt Community Edition (CE) can be installed very efficiently using the official repositories provided by the project team. This greatly simplifies managing updates and dependencies using APT. The process begins by downloading a specific script that adds the necessary repository to your Debian package sources list.

The script, `passbolt-repo-setup.ce.sh`, is accessible via curl, along with a SHA512 checksum file to verify the integrity and security of the downloaded files. Using this check is crucial, especially to prevent any compromise when retrieving essential packages.

Download the two files:

`curl -LO https://download.passbolt.com/ce/installer/passbolt-repo-setup.ce.sh`

`curl -LO https://github.com/passbolt/passbolt-dep-scripts/releases/latest/download/passbolt-ce-SHA512SUM.txt`

Verify the integrity and add the repository:

`sha512sum -c passbolt-ce-SHA512SUM.txt && bash ./passbolt-repo-setup.ce.sh || echo "Bad checksum. Aborting" && rm -f passbolt-repo-setup.ce.sh`
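As an added example (not code from the guide or the Passbolt project), the script below wraps the same verify-then-run pattern in a function and exercises it offline against a constructed stand-in script and a checksum file computed over it, showing both the matching path and the tampered path. The file names setup.sh and SUMS.txt are made up for the demo; only sha512sum, bash and mktemp are needed.

```shell
# Added example, not Passbolt project code: the guide's
# "verify the SHA512 checksum, run the script only on a match, otherwise
# abort and delete it" pattern, exercised against constructed files.

# verify_then_run SUMFILE SCRIPT
# Runs SCRIPT with bash only if every entry in SUMFILE checks out
# (sha512sum -c resolves the listed names relative to the current
# directory). On a mismatch or a missing file it prints an error,
# deletes SCRIPT and returns 1, so nothing unverified ever executes.
verify_then_run() {
    sumfile="$1"
    script="$2"
    if sha512sum -c --status "$sumfile" 2>/dev/null; then
        bash "$script"
    else
        echo "Bad checksum. Aborting" >&2
        rm -f "$script"
        return 1
    fi
}

# make_fixture: builds a throwaway directory holding a constructed
# stand-in for the repo-setup script plus a checksum file over it,
# and prints the directory path.
make_fixture() {
    dir=$(mktemp -d)
    printf 'echo "repo setup would run here"\n' > "$dir/setup.sh"
    ( cd "$dir" && sha512sum setup.sh > SUMS.txt )
    echo "$dir"
}

# Case 1: untouched script, checksum matches, script runs (returns 0).
demo_intact() {
    d=$(make_fixture)
    ( cd "$d" && verify_then_run SUMS.txt setup.sh )
}

# Case 2: script altered after the checksum was published. Expected:
# nonzero return and the script file removed from disk.
demo_tampered() {
    d=$(make_fixture)
    echo 'echo "injected line"' >> "$d/setup.sh"
    ( cd "$d" && verify_then_run SUMS.txt setup.sh ) && rc=0 || rc=$?
    [ ! -e "$d/setup.sh" ] || return 2   # must have been deleted
    return "$rc"
}

demo_intact   && echo "intact: script ran"
demo_tampered || echo "tampered: aborted (rc=$?)"
```

The guide's one-liner chains `&&` and `||` left to right, which means `rm -f` also runs after a successful setup (the script is deleted either way); the function form above makes the two branches explicit, which is easier to audit in a provisioning script.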

This command validates the script file using SHA512 hashing, and then executes it only if everything is correct. This prevents the installation of malicious or corrupted packages. When the repository is added, the package list is updated automatically.

Next, simply install the Passbolt Community Edition package:

`apt install passbolt-ce-server`

The installation offers an interactive wizard that asks for the settings needed to connect Passbolt to the MariaDB database. The goal is to:

  • Create a dedicated Passbolt user in MariaDB.
  • Set a secure password for this user.
  • Create a database used solely to store Passbolt passwords and metadata.

The next step is to configure the Nginx web server. Passbolt offers the option to automate this configuration to facilitate deploying the application to the desired domain or IP address.

One last important point in this wizard concerns the TLS certificate: you have three options:

  • none: skip the TLS configuration; do it later.
  • manual: provide a previously obtained certificate and private key.
  • auto: let the system attempt automatic generation via Let’s Encrypt (requires public access).

Choosing the automatic option is an excellent solution if the server is accessible from the public internet. For internal use, manually managing a corporate certificate is often more secure. Finally, don’t forget to secure the MariaDB database with the built-in script `mysql_secure_installation` or `mariadb-secure-installation`, which removes anonymous users and locks access to the root account.

https://www.youtube.com/watch?v=6yT4597tjkY

Managing and deploying TLS certificates for optimal security on Passbolt

Ensuring the security of a password manager is fundamental. Using a TLS certificate not only establishes an encrypted connection between the client and the server, but also verifies that communication is indeed with the legitimate server, thus preventing the risk of a Man-in-the-Middle attack.

When installing Passbolt on an internal address, for example https://passbolt.it-connect.local, it is best to use a TLS certificate issued by an internal Certificate Authority (CA), often an Active Directory Certificate Services (AD CS) solution in a corporate environment. Such a certificate is already trusted by the organization's clients and integrates seamlessly with existing infrastructure. Key steps for managing the TLS certificate include:

  • Generating a Certificate Signing Request (CSR) or retrieving an existing certificate from your CA.
  • Securely transferring the certificate (.cer) and private key (.key) to the Debian server using scp or a tool like WinSCP.
  • Placing the files in a secure directory, usually under /etc/ssl/certs and /etc/ssl/private, with appropriate permissions (the private key must not be readable by other users).
  • Reconfiguring Passbolt to use these files with `dpkg-reconfigure passbolt-ce-server`, which starts the minimal reinstallation required. In the wizard: skip the database configuration, choose manual TLS configuration, and specify the full paths to the certificate and key.

Once the changes are applied, reloading the Nginx configuration with `systemctl reload nginx` is enough to enable TLS. This approach can be complemented by a reverse proxy equipped with a WAF (Web Application Firewall), or by tools like Fail2ban or CrowdSec, to add an additional layer of defense against network attacks targeting Passbolt.
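Added example, not code from the guide or the Passbolt project: before running `dpkg-reconfigure` with manual TLS, these shell checks confirm that the private key's permissions are sane, that the certificate and key actually belong together, and that the certificate is not already expired, then validate the Nginx configuration before the reload. The demo material (a self-signed pair for a made-up hostname plus a second, unrelated key) is generated on the fly in a temporary directory; the `openssl`, `stat -c` and `date -d` calls assume the standard Debian toolset.

```shell
# Added example, not from the guide or the Passbolt project: pre-flight
# checks for a manually supplied TLS certificate and key.

# key_perms_ok KEYFILE
# The private key must exist and carry no permission bits for "others":
# the last octal digit of the mode must be 0 (600, 640, 400 all pass).
key_perms_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# cert_matches_key CERT KEY
# Extracts the public key from the certificate and derives the public
# key from the private key; the two PEM blocks must be identical.
# A mismatched pair is the classic reason Nginx refuses to load a
# manually supplied certificate.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# cert_days_left CERT
# Prints the whole days remaining before notAfter, so rotation can be
# scheduled before users start seeing browser warnings.
cert_days_left() {
    not_after=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null | cut -d= -f2)
    [ -n "$not_after" ] || return 1
    end=$(date -d "$not_after" +%s) || return 1
    echo $(( (end - $(date +%s)) / 86400 ))
}

# preflight CERT KEY: run every check; nonzero means do not reconfigure.
preflight() {
    key_perms_ok "$2" || { echo "refusing: private key readable by others" >&2; return 1; }
    cert_matches_key "$1" "$2" || { echo "refusing: certificate and key do not match" >&2; return 1; }
    days=$(cert_days_left "$1") || { echo "refusing: cannot read certificate expiry" >&2; return 1; }
    [ "$days" -gt 0 ] || { echo "refusing: certificate already expired" >&2; return 1; }
    echo "ok: certificate valid for $days more days"
}

# reload_nginx: the guide's reload step, guarded by a syntax/path check
# so a typo in the server block cannot take the site down.
reload_nginx() {
    nginx -t && systemctl reload nginx
}

# Demo on constructed files: a throwaway self-signed pair and a second,
# unrelated key. No real certificate or key is touched.
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj '/CN=passbolt.example.invalid' \
    -keyout "$demo_dir/good.key" -out "$demo_dir/good.cer" >/dev/null 2>&1
openssl genpkey -algorithm RSA -out "$demo_dir/other.key" >/dev/null 2>&1
chmod 600 "$demo_dir/good.key" "$demo_dir/other.key" 2>/dev/null
preflight "$demo_dir/good.cer" "$demo_dir/good.key"    # ok
preflight "$demo_dir/good.cer" "$demo_dir/other.key"   # mismatch
chmod 644 "$demo_dir/good.key" 2>/dev/null
preflight "$demo_dir/good.cer" "$demo_dir/good.key"    # key too open
```

Run `preflight /etc/ssl/certs/passbolt.cer /etc/ssl/private/passbolt.key` (paths are whatever you chose when transferring the files) before `dpkg-reconfigure passbolt-ce-server`, and `reload_nginx` afterwards instead of a bare `systemctl reload nginx`.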

In summary, managing a TLS certificate doesn’t end with simple installation: it’s a comprehensive process that includes regular certificate rotation, vulnerability monitoring, and maintenance of secure access. Passbolt, as an open-source tool, provides this essential flexibility in demanding professional environments.

Finalizing the initial configuration and creating the Passbolt administrator account

After the server installation phase, the initial Passbolt configuration continues directly from the web interface. This step is essential to prepare the password manager for real-world use, particularly for secure collaboration.

To do this, open your browser and go to the address configured for Passbolt, for example https://passbolt.it-connect.local. You should see a web-based setup wizard that will guide you through the following steps:

  • Database connection: Enter the hostname (usually 127.0.0.1), the previously created username and password, and the database name.
  • Create an OpenPGP server key pair: A name and email address must be provided to generate this key. This key is used to encrypt passwords stored on the server.
  • Validate the access URL: The Passbolt server address is automatically populated but can be modified. It is recommended to enforce the use of SSL.
  • SMTP settings: Configure email notifications (SMTP server name, credentials, sender email address). A test email can be sent within the interface.

Create the administrator account: enter the first name, last name, and email address of the future primary administrator. During this process, a crucial element is the creation of a personal master password for the administrator account. This password will be the key to unlocking the password database. Its strength is imperative, as no one will be able to recover the data without it.

The system also offers the option to install the Passbolt browser extension, essential for generating and using OpenPGP keys on the client side. The recovery file, called passbolt-recovery-kit.txt, must be carefully preserved: it contains your encrypted private key, the only way to restore access if you forget it.

A welcome touch on first login is the visual customization system: a color and a three-letter code that visually identify your browser. This measure helps protect against phishing attempts.

Once logged in, the administrator can add passwords to their personal vault, invite users, and manage permissions, ensuring a secure and efficient collaborative environment for the entire team.

Best Practices and Tips for Securing and Maintaining a Passbolt Server on Debian

Installing Passbolt is just the first step in an ongoing process to best protect your organization’s sensitive data. In 2025, given the increasing sophistication of cyberattacks, it is essential to adopt a comprehensive security strategy for the Debian server hosting this password manager.

Here are some essential best practices to follow from the deployment stage:

  • Regularly update Debian and Passbolt: Updates not only provide new features but, more importantly, fixes for critical vulnerabilities.
  • Secure access to the server: Prioritize SSH connections using public keys rather than traditional passwords, and disable root access for direct connections.
  • Install a firewall: UFW or nftables can restrict connections to essential ports, notably 80 and 443 for Nginx, and 22 for SSH.
  • Strengthen the MariaDB database: Continue the hardening process begun with `mariadb-secure-installation` by limiting privileges and using strong passwords.
  • Configure Fail2ban or CrowdSec: These tools proactively protect against brute-force attacks on SSH and Nginx.
  • Log monitoring: Implement a solution like Logwatch or Graylog to monitor events and detect anomalies.
  • Regular backups: Perform daily backups of Passbolt databases and Nginx configurations, with a tested restore strategy.
  • Limit admin users:
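For the "Regular backups" item above, here is an added example (not code from the guide or the Passbolt project) of a daily backup routine: a consistent dump of the Passbolt database, a gzip-tar of the configuration directories, owner-only permissions on everything written, and a retention sweep. It assumes the database is named passbolt, that `mariadb-dump` authenticates as root over the unix socket (the Debian default), and that /etc/passbolt is the package's configuration directory holding passbolt.php and the server key pair; the backup root, retention period and cron line are constructed values. The offline demo at the end exercises only the file-side helpers on a constructed directory tree.

```shell
# Added example, not from the guide or the Passbolt project: daily
# backup of the Passbolt database and the Nginx/Passbolt configuration.

BACKUP_ROOT="${BACKUP_ROOT:-/var/backups/passbolt}"   # constructed default
KEEP_DAYS="${KEEP_DAYS:-14}"                          # retention, constructed
DB_NAME="${DB_NAME:-passbolt}"                         # assumed database name

# archive_dirs DEST DIR...: gzip-tar the directories into DEST and make
# the archive owner-readable only; it holds TLS private keys and, if
# /etc/passbolt is included, the server's OpenPGP key.
archive_dirs() {
    dest="$1"; shift
    tar -czf "$dest" "$@" 2>/dev/null || return 1
    chmod 600 "$dest"
}

# dump_db DEST: single-transaction (consistent InnoDB) dump, written to
# a temp file first so a failed dump never leaves an empty .gz behind.
dump_db() {
    tmp=$(mktemp) || return 1
    if mariadb-dump --single-transaction "$DB_NAME" > "$tmp"; then
        gzip -c "$tmp" > "$1" && chmod 600 "$1"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# prune_old ROOT DAYS: delete run directories under ROOT older than DAYS.
prune_old() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -mtime +"$2" -exec rm -rf {} +
}

# run_backup ROOT: one run into ROOT/<timestamp>; prints the directory
# on success, returns nonzero if any piece failed.
run_backup() {
    root="$1"
    dir="$root/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    dump_db "$dir/passbolt-db.sql.gz" || return 1
    archive_dirs "$dir/config.tar.gz" /etc/nginx /etc/passbolt || return 1
    prune_old "$root" "$KEEP_DAYS"
    echo "$dir"
}

# Constructed cron line for a 02:30 daily run (install under /etc/cron.d):
#   30 2 * * * root /usr/local/sbin/passbolt-backup.sh >> /var/log/passbolt-backup.log 2>&1

# Offline demo of the file-side helpers on a constructed tree.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc-nginx/sites-enabled"
echo 'server { listen 443 ssl; }' > "$demo_root/etc-nginx/sites-enabled/passbolt.conf"
archive_dirs "$demo_root/config.tar.gz" "$demo_root/etc-nginx" \
    && echo "archived, mode $(stat -c '%a' "$demo_root/config.tar.gz")"
mkdir -p "$demo_root/20200101-000000" "$demo_root/recent"
touch -d '30 days ago' "$demo_root/20200101-000000"   # stale run, to be pruned
prune_old "$demo_root" "$KEEP_DAYS" && ls "$demo_root"
```

A backup is only as good as its restore: periodically unpack config.tar.gz and load the dump into a scratch MariaDB instance (`gunzip -c passbolt-db.sql.gz | mariadb passbolt_restore_test`) to prove the strategy works before it is needed.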