
Install and configure Passbolt Team Password Manager on Ubuntu 20.04



Passbolt is a free, open source, self-hosted and extensible password manager that helps you securely share and store login information, such as passwords for the router, website, Wi-Fi and more. Unlike most other password managers, it is focused on team use rather than individual use. It is available in both community and paid editions. It offers many features, some of which are listed below:

  • Provides Firefox and Google Chrome extensions.
  • Uses OpenPGP to encrypt passwords.
  • Simple and user-friendly web interface.
  • Allows importing and exporting passwords.
  • Allows you to add login information manually.

In this tutorial we will explain how to install Passbolt Password manager with Apache and Let’s Encrypt on Ubuntu 20.04.

Prerequisites

  • A server running Ubuntu 20.04.
  • A valid domain name pointed to your server IP.
  • A root password is configured on the server.

Install LAMP Server

First, you need to install Apache and the MariaDB server in your system. You can install them with the following command:

apt-get install apache2 mariadb-server -y

After installing the above packages, you will also need to install PHP and other necessary packages in your system.

By default, Ubuntu 20.04 ships PHP 7.4 in its default repository. However, Passbolt does not support PHP 7.4, so you need to add a PHP repository to your system.

First, install the required packages with the following command:

apt-get install software-properties-common gnupg -y

Then add the PHP repository with the following command:

add-apt-repository ppa:ondrej/php --yes

Then install PHP version 7.3 with Composer and other necessary add-ons with the following command:

apt-get install php7.3 php7.3-mysql libapache2-mod-php7.3 php7.3-intl php7.3-mbstring php7.3-gd php7.3-imagick php7.3-xml php7.3-common php7.3-curl php7.3-json php7.3-ldap php7.3-gnupg zlib1g unzip git composer curl -y

Once all the packages have been installed, you can proceed to the next step.

Configure the MariaDB database

First you need to secure the MariaDB installation and set the MariaDB root password. You can do this with the following command:

mysql_secure_installation

This script sets the root password for MariaDB, removes anonymous users, disallows remote root logins and removes the test database and access to it, as shown below:

Enter current password for root (enter for none): 
OK, successfully used password, moving on...
Set root password? [Y/n] Y
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y

Once MariaDB is secured, log in to the MariaDB shell with the following command:

mysql -u root -p

Enter your root password when prompted, then create a database and user for Passbolt with the following commands:

MariaDB [(none)]> CREATE DATABASE passboltdb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
MariaDB [(none)]> GRANT ALL ON passboltdb.* TO 'passbolt'@'localhost' IDENTIFIED BY 'password';

Then flush the privileges and exit the MariaDB shell with the following commands:

MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> EXIT;

When you are done, you can move on to the next step.

Download and configure Passbolt

In this section we will show you how to download and configure Passbolt:

Download Passbolt

First, download the latest version of Passbolt to the Apache Web directory with the following command:

mkdir /var/www/passbolt
git clone https://github.com/passbolt/passbolt_api.git /var/www/passbolt

After downloading, change the ownership of the Passbolt directory to www-data with the following command:

chown -R www-data:www-data /var/www/

Then change the directory to passbolt and install the necessary dependencies with the following command:

cd /var/www/passbolt
sudo -u www-data composer install --no-dev

You should get the following output:

> Cake\Composer\Installer\PluginInstaller::postAutoloadDump
9 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
thadafinser/package-info:  Generating class...
thadafinser/package-info: ...generating class
> App\Console\Installer::postInstall
Created `config/app.php` file
Created `/var/www/passbolt/logs` directory
Created `/var/www/passbolt/tmp/cache/models` directory
Created `/var/www/passbolt/tmp/cache/persistent` directory
Created `/var/www/passbolt/tmp/cache/views` directory
Created `/var/www/passbolt/tmp/sessions` directory
Created `/var/www/passbolt/tmp/tests` directory
Set Folder Permissions ? (Default to Y) [Y,n]? Y

Type Y and press Enter to set folder permissions.

Generate OpenPGP key

Next, you need to generate an OpenPGP key, which is used to verify and sign outgoing JSON requests. You can generate it with the following command:

cd /var/www/passbolt
gpg --full-generate-key

During the process you will be asked for a passphrase. Simply press the Tab key, select OK and confirm that you do not want to set one, because the php-gnupg module does not currently support the use of a passphrase.

gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Hitesh
Email address: [email protected]
Comment: Hi
You selected this USER-ID:
    "Hitesh (Hi) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 2DA8E7FB8E23B2FD marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/9622291A72D99A4EC78ABCB92DA8E7FB8E23B2FD.rev'
public and secret key created and signed.

pub   rsa4096 2020-07-25 [SC]
      D2394A45B7CBBAB7F00CC79B23D4750486780854
uid                      Hitesh (Hi) <[email protected]>
sub   rsa4096 2020-07-25 [E]

Make a note of the above public key fingerprint, as it will be needed later in the installation.

Then export the public and private key to the '/var/www/passbolt' directory using the following commands:

gpg --armor --export-secret-keys [email protected] > /var/www/passbolt/config/gpg/serverkey_private.asc
gpg --armor --export [email protected] > /var/www/passbolt/config/gpg/serverkey.asc

Next, you need to initialize the gpg keychain for the Apache user. You can do this with the following command:

sudo su -s /bin/bash -c "gpg --list-keys" www-data

You should get the following output:

gpg: directory '/var/www/.gnupg' created
gpg: keybox '/var/www/.gnupg/pubring.kbx' created
gpg: /var/www/.gnupg/trustdb.gpg: trustdb created

Configure Passbolt

First copy the example Passbolt configuration file with the following command:

cp /var/www/passbolt/config/passbolt{.default,}.php

Then edit the Passbolt configuration file with the following command:

nano /var/www/passbolt/config/passbolt.php

Define your fullBaseUrl, database settings and server key fingerprint in the matching sections of the file, as shown below:

    // Other sections of the file are left unchanged.
    'App' => [
        'fullBaseUrl' => 'https://passbolt.linuxbuz.com',
    ],

    // Database configuration.
    'Datasources' => [
        'default' => [
            'host' => 'localhost',
            //'port' => 'non_standard_port_number',
            'username' => 'passbolt',
            'password' => 'password',
            'database' => 'passboltdb',
        ],
    ],

    // GPG configuration.
    'passbolt' => [
        'gpg' => [
            'serverKey' => [
                // Server private key fingerprint.
                'fingerprint' => 'D2394A45B7CBBAB7F00CC79B23D4750486780854',
                'public' => CONFIG . 'gpg' . DS . 'serverkey.asc',
                'private' => CONFIG . 'gpg' . DS . 'serverkey_private.asc',
            ],
        ],
    ],

Save and close the file when you are done.

If you do not remember your public key fingerprint, you can retrieve it with the following command:

gpg --list-keys --fingerprint | grep -i -B 2 [email protected]

You should get the following output:

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   rsa4096 2020-07-25 [SC]
      D239 4A45 B7CB BAB7 F00C  C79B 23D4 7504 8678 0854
uid           [ultimate] Hitesh (Hi) <[email protected]>
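
The fingerprint entered in passbolt.php has to be the fingerprint of the key that was exported to config/gpg. The shell script below is an added example, not part of the original tutorial or of Passbolt: it compares the two and checks that the exported private key file grants no access to other users. The function names and sample data are assumptions made for illustration, and the live check assumes GnuPG 2.2.8 or later for --show-keys.

```shell
#!/bin/sh
# Added example, not Passbolt project code.

# Primary-key fingerprint from `gpg --with-colons` output on stdin:
# field 10 of the first "fpr" record that follows a "pub" record.
fpr_from_colons() {
    awk -F: '$1 == "pub" { seen = 1 } seen && $1 == "fpr" { print $10; exit }'
}

# 'fingerprint' value from passbolt.php text on stdin, upper-cased.
# Lines commented out with // are ignored; spaces inside the value are kept,
# so a fingerprint pasted with spaces shows up as a mismatch.
fpr_from_config() {
    grep -v '^[[:space:]]*//' |
        sed -n "s/.*'fingerprint'[[:space:]]*=>[[:space:]]*'\([0-9A-Fa-f ]*\)'.*/\1/p" |
        head -n 1 | tr 'abcdef' 'ABCDEF'
}

# Succeeds only if the file grants no permission bits to "other" users.
not_world_accessible() {
    [ -f "$1" ] || return 2
    [ "$(ls -ld -- "$1" | cut -c8-10)" = "---" ]
}

# Check a live install (assumes gpg 2.2.8 or later for --show-keys).
# usage: check_server_key passbolt.php serverkey.asc serverkey_private.asc
check_server_key() {
    want=$(fpr_from_config < "$1")
    got=$(gpg --show-keys --with-colons "$2" | fpr_from_colons)
    if [ -z "$want" ] || [ "$want" != "$got" ]; then
        echo "FAIL fingerprint: config='$want' exported key='$got'"
        return 1
    fi
    if ! not_world_accessible "$3"; then
        echo "FAIL permissions: $3 is accessible to other users"
        return 1
    fi
    echo "OK server key $got"
}

# Constructed sample inputs; the fingerprint is the one shown in this tutorial.
SAMPLE_COLONS='pub:u:4096:1:23D4750486780854:1595635200:::u:::scESC::::::23::0:
fpr:::::::::D2394A45B7CBBAB7F00CC79B23D4750486780854:
sub:u:4096:1:0000000000000000:1595635200::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:'
SAMPLE_CONFIG="    // 'fingerprint' => 'AAAA',
    'fingerprint' => 'd2394a45b7cbbab7f00cc79b23d4750486780854',"

if [ "$#" -eq 3 ]; then
    check_server_key "$@"
else
    echo "key file: $(printf '%s\n' "$SAMPLE_COLONS" | fpr_from_colons)"
    echo "config:   $(printf '%s\n' "$SAMPLE_CONFIG" | fpr_from_config)"
fi
```

Run without arguments it prints the two fingerprints parsed from the constructed samples; run with the paths to passbolt.php, serverkey.asc and serverkey_private.asc it checks the installation created in this tutorial.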

Configure Apache for Passbolt

Next, you will need to create an Apache virtual host configuration file for Passbolt. You can create it with the following command:

nano /etc/apache2/sites-available/passbolt.conf

Add the following lines:



<VirtualHost *:80>
        ServerName passbolt.linuxbuz.com
        DocumentRoot /var/www/passbolt

        ErrorLog ${APACHE_LOG_DIR}/passbolt_error.log
        CustomLog ${APACHE_LOG_DIR}/passbolt_access.log combined

        <Directory /var/www/passbolt>
                Options FollowSymLinks MultiViews
                AllowOverride All
                Require all granted
        </Directory>
</VirtualHost>
        


Save and close the file, then activate the virtual host file and restart the Apache service with the following command:

a2ensite passbolt
systemctl restart apache2

When you are done, you can move on to the next step.

Secure Passbolt with Let’s Encrypt

To secure your website with Let’s Encrypt SSL, you need to install the Certbot client tool in your system to manage the SSL certificate.

You can install it with the following command:

apt-get install python3-certbot-apache -y

After installing, run the following command to secure your website with Let’s Encrypt SSL:

certbot --apache -d passbolt.linuxbuz.com

You will be asked to provide your email address and accept the terms of service, as shown below:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for passbolt.linuxbuz.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/passbolt-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/passbolt-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/passbolt-le-ssl.conf

Then select whether to redirect HTTP traffic to HTTPS as shown below:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Type 2 and press Enter to install Let’s Encrypt SSL for your website:

Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/passbolt.conf to ssl vhost in /etc/apache2/sites-available/passbolt-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://passbolt.linuxbuz.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=passbolt.linuxbuz.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/passbolt.linuxbuz.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/passbolt.linuxbuz.com/privkey.pem
   Your cert will expire on 2020-10-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

At this point, your site is secured with Let’s Encrypt SSL.

Install Passbolt

You can then install Passbolt by running the Passbolt installation script.

First change the directory to /var/www/passbolt:

cd /var/www/passbolt

Then run the Passbolt installation script with the following command:

sudo su -s /bin/bash -c "./bin/cake passbolt install --no-admin" www-data

When the installation is completed successfully, you should get the following output:

All Done. Took 1.6533s

Import the server private key in the keyring
---------------------------------------------------------------
Importing /var/www/passbolt/config/gpg/serverkey_private.asc
Keyring init OK

Passbolt installation success! Enjoy! ?

Then you need to complete the Passbolt setup from the browser. Open your browser and visit the URL https://passbolt.linuxbuz.com. The following screen is displayed:

[Screenshot: Passbolt download]

Here you need to download and install a plugin for your browser. Click Download the plugin to download and install the Passbolt plugin. Once installed, you can proceed to the next step.

Access Passbolt Web Interface

Before you begin, you must create an admin user and set a Passbolt password. You can do this with the following command:

cd /var/www/passbolt
sudo su -s /bin/bash -c "./bin/cake passbolt register_user -u [email protected] -f howtoforge -l Demo -r admin" www-data

You should get the following output:

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
---------------------------------------------------------------
User saved successfully.
To start registration follow the link provided in your mailbox or here: 
https://passbolt.linuxbuz.com/setup/install/5bcfb186-3d9f-448f-8388-f705abd855c8/a2ba80dc-5ef2-433a-9138-11282747b377

Now copy the link from the above output and use it to complete the installation of Passbolt in the browser. The following screen is displayed:

[Screenshot: Get the Passbolt plugin]

Confirm that the URL and the fingerprint of the GPG key are OK and click Next button. The following screen is displayed:

[Screenshot: Create new key]

Enter owner name, email and click Next button. The following screen is displayed:

[Screenshot: Set passphrase]

Set your password and click Next button. The following screen is displayed:

[Screenshot: Create backup]

Download your secret key and click Next button. The following screen is displayed:

[Screenshot: Set the security token]

Set a security token and click Next button. The following screen is displayed:

[Screenshot: Passbolt login]

Enter your username, password and click sign in button. You should see the Passbolt Dashboard on the following screen:

[Screenshot: Passbolt team password manager]

Conclusion

Congratulations! You have installed the Passbolt password manager with Let’s Encrypt SSL on an Ubuntu 20.04 server. You can now store and share your passwords with your teams and individual users. Feel free to ask me if you have any questions.

