Passbolt
Team password manager with sharing capabilities.
Overview
Passbolt is an open-source password manager built specifically for teams and organizations, featuring end-to-end GPG encryption and collaborative password sharing. Unlike traditional password managers designed for individual use, Passbolt enables secure password sharing through user groups, role-based permissions, and granular access controls while maintaining a zero-knowledge architecture in which the server never sees plaintext passwords.

This stack combines Passbolt's web application with MariaDB as the backend database, providing a self-hosted alternative to cloud-based password managers with complete control over your sensitive credential data. The architecture leverages MariaDB's robust transaction handling and data integrity features to store encrypted password metadata, user permissions, and sharing relationships, while Passbolt handles all cryptographic operations client-side through browser extensions.

This combination is ideal for security-conscious organizations that need collaborative password management without relying on third-party services, offering features like password inheritance, audit trails, and administrative oversight that aren't available in consumer password managers.
Key Features
- End-to-end GPG encryption with client-side cryptographic operations ensuring zero-knowledge architecture
- Browser extension requirement providing seamless auto-fill and secure password capture across web applications
- Team-based password sharing with granular permissions and group management capabilities
- Administrative user registration and management through Passbolt's built-in CLI tools
- SMTP integration for user invitations, password recovery notifications, and security alerts
- Persistent GPG key storage and JWT token management with dedicated Docker volumes
- MariaDB backend optimized for encrypted metadata storage and complex permission queries
- Audit trails and activity logging for compliance and security monitoring requirements
Common Use Cases
- Development teams sharing database credentials, API keys, and service account passwords across projects
- IT departments managing shared administrator passwords with role-based access and rotation tracking
- Small to medium businesses replacing shared spreadsheets or insecure password sharing practices
- Compliance-focused organizations requiring auditable password access and detailed security logs
- Remote teams needing secure credential sharing without relying on cloud-based password managers
- Organizations with data sovereignty requirements keeping all password data on-premises
- Security teams implementing zero-trust password policies with centralized management and monitoring
Prerequisites
- Minimum 1GB RAM for MariaDB operations and Passbolt's cryptographic processing
- Available ports 80 and 443 for Passbolt web interface and SSL termination
- SMTP server configuration details for user invitations and password recovery functionality
- SSL certificate for the configured APP_FULL_BASE_URL domain (self-signed acceptable for testing)
- Compatible browser with Passbolt extension support (Chrome, Firefox, Edge)
- Understanding of GPG key management and backup procedures for disaster recovery
For development & testing. Review security settings, change default credentials, and test thoroughly before production use.
docker-compose.yml
```yaml
services:
  passbolt:
    image: passbolt/passbolt:latest-ce
    container_name: passbolt
    restart: unless-stopped
    environment:
      # Public URL of the instance; must match the hostname on the SSL certificate
      APP_FULL_BASE_URL: https://passbolt.local
      DATASOURCES_DEFAULT_HOST: db
      DATASOURCES_DEFAULT_DATABASE: passbolt
      DATASOURCES_DEFAULT_USERNAME: passbolt
      DATASOURCES_DEFAULT_PASSWORD: ${DB_PASSWORD}
      EMAIL_DEFAULT_FROM: no-reply@example.com
      EMAIL_TRANSPORT_DEFAULT_HOST: smtp.example.com
    volumes:
      # GPG keys and JWT keys persist in named volumes
      - passbolt_gpg:/etc/passbolt/gpg
      - passbolt_jwt:/etc/passbolt/jwt
    ports:
      - "443:443"
      - "80:80"
    depends_on:
      - db

  db:
    image: mariadb:10
    container_name: passbolt-db
    restart: unless-stopped
    environment:
      # Root and application accounts both take DB_PASSWORD from .env
      MYSQL_ROOT_PASSWORD: ${DB_PASSWORD}
      MYSQL_DATABASE: passbolt
      MYSQL_USER: passbolt
      MYSQL_PASSWORD: ${DB_PASSWORD}
    volumes:
      - passbolt_db:/var/lib/mysql

volumes:
  passbolt_gpg:
  passbolt_jwt:
  passbolt_db:
```
.env Template
```
DB_PASSWORD=changeme
```
Usage Notes
- Docs: https://help.passbolt.com/
- Create admin: docker exec passbolt su -c 'bin/cake passbolt register_user -u admin@example.com -f Admin -l User -r admin' -s /bin/sh www-data
- Configure SMTP for user invitations and password recovery
- Browser extension required - no web-only access
- Uses GPG for end-to-end encryption - keys in /etc/passbolt/gpg
- Team features: sharing, groups, folders for organizing passwords
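The recipe as published ships the placeholder DB_PASSWORD=changeme, feeds that one variable to both the MariaDB root and application accounts, and pulls a latest-ce image tag. The audit script below is an added example, not part of the recipe or of Passbolt; the function name audit_passbolt_recipe and the 20-character minimum are assumptions.

```sh
# Added example (not from the recipe): audit docker-compose.yml and .env for
# the weak defaults this recipe ships with. Prints one "WEAK:" line per finding.
# The 20-character minimum is an assumed policy threshold.

audit_passbolt_recipe() {
    compose_file=$1
    env_file=$2

    # 1. Template or short database password in .env
    pw=$(sed -n 's/^DB_PASSWORD=//p' "$env_file" | tail -n 1)
    if [ -z "$pw" ] || [ "$pw" = "changeme" ] || [ "${#pw}" -lt 20 ]; then
        echo "WEAK: DB_PASSWORD is unset, the template default, or under 20 characters"
    fi

    # 2. .env accessible to group/others (columns 5-10 of the ls -l mode string)
    if [ "$(ls -ld "$env_file" | cut -c5-10)" != "------" ]; then
        echo "WEAK: $env_file is accessible to group/others; chmod 600 it"
    fi

    # 3. MariaDB root and the passbolt application account share one secret
    root_ref=$(sed -n 's/^[[:space:]]*MYSQL_ROOT_PASSWORD:[[:space:]]*//p' "$compose_file")
    app_ref=$(sed -n 's/^[[:space:]]*MYSQL_PASSWORD:[[:space:]]*//p' "$compose_file")
    if [ -n "$root_ref" ] && [ "$root_ref" = "$app_ref" ]; then
        echo "WEAK: MYSQL_ROOT_PASSWORD and MYSQL_PASSWORD both use $root_ref"
    fi

    # 4. Floating image tag: each pull may deploy a different, unreviewed build
    if grep -Eq '^[[:space:]]*image:[[:space:]]*[^[:space:]]+:latest' "$compose_file"; then
        echo "WEAK: an image uses a 'latest' tag; pin a specific version or digest"
    fi
    return 0
}

# Run directly as: sh audit.sh docker-compose.yml .env
if [ "$#" -eq 2 ]; then
    audit_passbolt_recipe "$1" "$2"
fi
```

Against the recipe exactly as published, all four checks report a finding; an empty result means none of these four defaults remain.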
Individual Services (2 services)
Copy individual services to mix and match with your existing compose files.
passbolt
```yaml
passbolt:
  image: passbolt/passbolt:latest-ce
  container_name: passbolt
  restart: unless-stopped
  environment:
    APP_FULL_BASE_URL: https://passbolt.local
    DATASOURCES_DEFAULT_HOST: db
    DATASOURCES_DEFAULT_DATABASE: passbolt
    DATASOURCES_DEFAULT_USERNAME: passbolt
    DATASOURCES_DEFAULT_PASSWORD: ${DB_PASSWORD}
    EMAIL_DEFAULT_FROM: no-reply@example.com
    EMAIL_TRANSPORT_DEFAULT_HOST: smtp.example.com
  volumes:
    - passbolt_gpg:/etc/passbolt/gpg
    - passbolt_jwt:/etc/passbolt/jwt
  ports:
    - "443:443"
    - "80:80"
  depends_on:
    - db
```
db
```yaml
db:
  image: mariadb:10
  container_name: passbolt-db
  restart: unless-stopped
  environment:
    MYSQL_ROOT_PASSWORD: ${DB_PASSWORD}
    MYSQL_DATABASE: passbolt
    MYSQL_USER: passbolt
    MYSQL_PASSWORD: ${DB_PASSWORD}
  volumes:
    - passbolt_db:/var/lib/mysql
```
Quick Start
```bash
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  passbolt:
    image: passbolt/passbolt:latest-ce
    container_name: passbolt
    restart: unless-stopped
    environment:
      APP_FULL_BASE_URL: https://passbolt.local
      DATASOURCES_DEFAULT_HOST: db
      DATASOURCES_DEFAULT_DATABASE: passbolt
      DATASOURCES_DEFAULT_USERNAME: passbolt
      DATASOURCES_DEFAULT_PASSWORD: ${DB_PASSWORD}
      EMAIL_DEFAULT_FROM: no-reply@example.com
      EMAIL_TRANSPORT_DEFAULT_HOST: smtp.example.com
    volumes:
      - passbolt_gpg:/etc/passbolt/gpg
      - passbolt_jwt:/etc/passbolt/jwt
    ports:
      - "443:443"
      - "80:80"
    depends_on:
      - db

  db:
    image: mariadb:10
    container_name: passbolt-db
    restart: unless-stopped
    environment:
      MYSQL_ROOT_PASSWORD: ${DB_PASSWORD}
      MYSQL_DATABASE: passbolt
      MYSQL_USER: passbolt
      MYSQL_PASSWORD: ${DB_PASSWORD}
    volumes:
      - passbolt_db:/var/lib/mysql

volumes:
  passbolt_gpg:
  passbolt_jwt:
  passbolt_db:
EOF

# 2. Create the .env file
cat > .env << 'EOF'
DB_PASSWORD=changeme
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f
```
One-Liner
Run this command to download and set up the recipe in one step:
```bash
curl -fsSL https://docker.recipes/api/recipes/passbolt/run | bash
```
Troubleshooting
- Browser shows 'Passbolt extension not detected': Install the official Passbolt browser extension and refresh the page
- User registration fails with database connection error: Verify DB_PASSWORD environment variable matches between passbolt and db services
- SMTP errors preventing user invitations: Check EMAIL_TRANSPORT_DEFAULT_HOST configuration and firewall rules for outbound mail
- GPG key generation fails on container startup: Ensure sufficient entropy by installing haveged on the Docker host system
- SSL certificate warnings in browser: Update APP_FULL_BASE_URL to match your actual domain and configure proper SSL certificates
- MariaDB fails to start with permission errors: Check that Docker has write permissions to the volume mount points and sufficient disk space