In today’s digital landscape, organizations are increasingly dependent on cloud-based tools to manage credentials and sensitive data.

While convenient, this often means giving up control over your own information to third-party providers. For companies and teams committed to digital sovereignty, self-hosting a password management solution is no longer optional – it’s a necessity.
Passbolt Community Edition (CE) is an open-source password manager built specifically for teams. It combines strong encryption, role-based sharing, and API-based integrations to allow organizations to securely manage credentials without relying on external services. Deploying Passbolt in an LXC container gives you the benefits of isolated environments, fast snapshots for recovery, and full control over your server, database, and cryptographic keys.
This guide walks you through a complete Passbolt deployment on AlmaLinux 9, using your own PKI certificates, ensuring that all data remains under your organization’s control.
Migrating from KeePass to Passbolt
Before switching to Passbolt, many users manage credentials in KeePass. If you have an existing KeePass database (.kdbx), Passbolt allows you to import the credentials so you don’t lose your existing entries. Simply export your KeePass database and follow the Passbolt import procedure to securely migrate your data, including usernames, passwords, and custom notes, into your new Passbolt vault. This ensures a smooth transition without manually re-entering credentials.
Container Resources
For a smooth Passbolt Community Edition experience, allocate the following resources to your LXC container:
| Resource | Recommendation |
|---|---|
| CPU | 1 core |
| RAM | 1 GB + Swap |
| Storage | 20 GB minimum |
| Network | Static IP or accessible hostname (auth.examplecorp.io) |
Pro Tip: LXC snapshots are highly recommended before upgrades or major changes. They allow full recovery in seconds, preserving database and GPG keys.
Container Setup and Repository
After creating your AlmaLinux 9 LXC container, install dependencies and configure the Passbolt repository:
```bash
# Inside the container
wget "https://download.passbolt.com/ce/installer/passbolt-repo-setup.ce.sh"
wget https://github.com/passbolt/passbolt-dep-scripts/releases/latest/download/passbolt-ce-SHA512SUM.txt
# Run the repository setup script only if its checksum verifies
sha512sum -c passbolt-ce-SHA512SUM.txt && sudo bash ./passbolt-repo-setup.ce.sh || echo "Bad checksum. Aborting" && rm -f passbolt-repo-setup.ce.sh
sudo dnf install passbolt-ce-server
```

During the installation, you will be asked to accept the Passbolt repository GPG key. Compare the fingerprint shown with the one published by Passbolt and accept it only if it matches exactly.
Installation
With the release of Passbolt 5.x, the installation process has become significantly more streamlined. The official RPM package now includes a fully guided setup assistant that takes care of nearly all configuration steps automatically.
During the guided installation, you can either generate new SSL/TLS certificates (e.g. via Let’s Encrypt) or provide your own PKI certificates. The wizard configures Nginx, prepares the database, and sets up all essential services in one go — reducing the amount of manual work compared to older 4.x instructions.
This article is based on a modern, non-interactive PKI certificate setup and assumes a clean AlmaLinux 8 environment. If you’re familiar with the older installation guides, you’ll notice that many steps that previously required manual edits are now handled elegantly by the installer.
Passbolt requires a database and sufficient entropy for GPG operations:

```bash
sudo /usr/local/bin/passbolt-configure
```

- Configure a local MariaDB instance or connect to an existing one:

```
================================================================
Do you want to configure a local mariadb server on this machine?
================================================================
1) yes
2) no
```

- Create a Passbolt database and user with strong passwords.
- Install haveged to ensure enough entropy inside the container:

```
======
Install Haveged ?
======
1) yes 2) no
```
Custom NGINX adjustments for Passbolt
While Passbolt provides a solid default NGINX configuration, some environments require minor adjustments to optimize performance, enhance security, and support IPv6. The following snippet highlights the customizations applied on top of the standard setup:
```nginx
# Customizations for Passbolt NGINX
listen [::]:443 ssl http2; # IPv6 support

# Client request limits and timeouts
client_body_buffer_size 100K;
client_header_buffer_size 1k;
client_max_body_size 5M;
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;

# Custom SSL certificate
ssl_certificate /etc/ssl/passbolt/auth.examplecorp.io.crt;
ssl_certificate_key /etc/ssl/passbolt/auth.examplecorp.io.key;

# TLS protocols and ciphers
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_tickets off;
```

After applying these changes, always test and reload NGINX:

```bash
sudo nginx -t
sudo systemctl restart nginx
```
These adjustments ensure robust request handling, modern TLS security, and proper IPv6 support for your Passbolt instance.
GPG Key Management
Passbolt requires a server-side GPG key for API authentication:
```bash
gpg --batch --no-tty --gen-key <<EOF
Key-Type: default
Key-Length: 2048
Subkey-Type: default
Subkey-Length: 2048
Name-Real: Admin
Name-Email: admin@examplecorp.io
Expire-Date: 0
%no-protection
%commit
EOF
```

Export your key for backup:

```bash
gpg --armor --export-secret-keys admin@examplecorp.io
```
Important: Do not set a passphrase. PHP-GnuPG cannot currently handle passphrase-protected keys in Passbolt.
Admin User and Browser Extension
Create your first admin account. Install the Passbolt browser extension, generate your personal key, and download the recovery kit. Set a security token (color + three characters) to mitigate phishing attacks.
Passbolt Mobile App
Using Passbolt on mobile devices adds flexibility, but it introduces an additional consideration: certificate trust. Unlike browsers, mobile apps (iOS and Android) often reject self-signed certificates unless the Root-CA is explicitly trusted.
https://help.passbolt.com/faq/hosting/mobile-faq
Generating a Self-Signed Certificate for Mobile
To allow your mobile clients to connect securely, you must generate a Root-CA and issue the Passbolt server certificate from it. This certificate ensures that:
- Your browser and mobile apps trust the server.
- End-to-end encryption remains intact.
- You maintain full control of cryptographic material, supporting digital sovereignty.
https://www.passbolt.com/docs/hosting/faq/how-to-import-ssl-certificate-on-mobile-application
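The Root-CA and server certificate described above, as an added example that is not part of the original guide or of Passbolt's tooling. The organisation name "ExampleCorp" and the output directory argument are assumptions; the hostname auth.examplecorp.io and the .crt/.key file layout match the NGINX configuration used earlier in this article.

```shell
#!/bin/bash
# Added example: private Root-CA plus the Passbolt server certificate issued from it.
# Assumed (not from the article): organisation "ExampleCorp" and the OUTDIR argument;
# the hostname and /etc/ssl/passbolt/<host>.crt|.key layout are the article's.
set -eu

make_passbolt_pki() {
  local outdir="$1" host="$2"
  mkdir -p "$outdir" && chmod 700 "$outdir"
  # One config: CA profile (may only sign certs/CRLs) and server profile (not a CA,
  # serverAuth only, DNS name in a SAN because iOS/Android and browsers ignore the CN).
  cat > "$outdir/pki.cnf" <<EOF
[req]
prompt = no
distinguished_name = ca_dn
x509_extensions = ca_ext
[ca_dn]
O = ExampleCorp
CN = ExampleCorp Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  # Root-CA: 10 years; keep ca.key offline once the server certificate is issued.
  openssl req -x509 -config "$outdir/pki.cnf" -newkey rsa:4096 -sha256 -days 3650 \
    -nodes -keyout "$outdir/ca.key" -out "$outdir/ca.crt"
  # Server key + CSR, then the leaf; 825 days is the longest lifetime Apple accepts from a private CA.
  openssl req -new -config "$outdir/pki.cnf" -subj "/O=ExampleCorp/CN=$host" -newkey rsa:2048 \
    -sha256 -nodes -keyout "$outdir/$host.key" -out "$outdir/$host.csr"
  openssl x509 -req -sha256 -days 825 -in "$outdir/$host.csr" -CA "$outdir/ca.crt" \
    -CAkey "$outdir/ca.key" -CAcreateserial -extfile "$outdir/pki.cnf" -extensions srv_ext \
    -out "$outdir/$host.crt"
  chmod 600 "$outdir/ca.key" "$outdir/$host.key"   # private keys: root only
}

# Check the result the way a client does: chains to the Root-CA and carries the DNS name.
verify_passbolt_cert() {
  local outdir="$1" host="$2"
  openssl verify -CAfile "$outdir/ca.crt" "$outdir/$host.crt" >/dev/null &&
    openssl x509 -in "$outdir/$host.crt" -noout -text | grep "DNS:$host" >/dev/null
}
```

Copy ca.crt to the mobile devices (next section) and the host .crt/.key pair to /etc/ssl/passbolt/ for the ssl_certificate directives; ca.key never needs to leave the machine that issued the certificate.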
Importing the Root-CA on Mobile Devices
- On iOS: Settings → General → About → Certificate Trust Settings → Enable full trust for your Root-CA.
- On Android: Settings → Security → Install from storage → select the Root-CA.
Note: Without installing the Root-CA, the mobile app will fail to connect securely to your Passbolt instance.
Backup and Recovery
Regular backups are essential to ensure quick recovery in case of data loss or corruption. The following script creates daily compressed backups of the Passbolt database, configuration, and PKI files. Old backups are automatically cleaned up after a defined retention period.
Place the script at /opt/passbolt-backup.sh and make it executable:

```bash
sudo nano /opt/passbolt-backup.sh
sudo chmod +x /opt/passbolt-backup.sh
```
Example script:
```bash
#!/bin/bash
# Simple Passbolt backup script: nightly DB dump plus config/PKI archive, with retention.
# mysqldump authenticates as the invoking user (root via cron), e.g. through ~/.my.cnf or socket auth.
set -o pipefail
BACKUP_PATH="/opt/passbolt-backup-repo"
BACKUP_LOG="passbolt-backup.log"
BACKUP_RETENTION=7   # days to keep
PASSBOLT_DB="passbolt"
PASSBOLT_CONFIG="/etc/passbolt /etc/ssl/passbolt /etc/pki/tls /etc/nginx/conf.d"
STAMP=$(date '+%Y%m%d_%H%M')

# The archives contain private keys and the credential database: readable by root only.
umask 077
mkdir -p "${BACKUP_PATH}"
exec > >(tee "${BACKUP_PATH}/${BACKUP_LOG}") 2>&1
echo "----------- BACKUP $(date '+%Y-%m-%d %H:%M') --------------"

# Database dump; pipefail makes a failed mysqldump visible instead of leaving a truncated .gz
mysqldump "${PASSBOLT_DB}" -v | gzip > "${BACKUP_PATH}/database_${PASSBOLT_DB}_${STAMP}.sql.gz" \
  || { echo "Database dump FAILED"; exit 1; }
find "${BACKUP_PATH}" -name "database_*.gz" -mtime +"${BACKUP_RETENTION}" -type f -delete

# Configuration, NGINX vhosts and PKI material (PASSBOLT_CONFIG is unquoted on purpose: one path per word)
tar cvfz "${BACKUP_PATH}/config_${STAMP}.tar.gz" ${PASSBOLT_CONFIG}
find "${BACKUP_PATH}" -name "config_*.tar.gz" -mtime +"${BACKUP_RETENTION}" -type f -delete
```
Cronjob for Nightly Backups
Add the following line to /etc/crontab to run the backup every night at 2:30 AM as root:

```bash
sudo nano /etc/crontab
```

Insert:

```
30 2 * * * root /opt/passbolt-backup.sh >/dev/null 2>&1
```

Backups are stored under /opt/passbolt-backup-repo/ and include database dumps, configuration files, and PKI material. Make sure this location is included in your regular offsite or snapshot backup strategy.
Upgrade Procedure
Keeping Passbolt and the underlying system up to date is essential for security and stability. Upgrades should be performed during a maintenance window and always preceded by a valid backup.
Stop Web Services

```bash
sudo systemctl stop nginx
```

Update the System

Apply all available OS and package updates.

```bash
sudo dnf update
```

Clear Passbolt Cache

Run the cache clear command as the nginx user to avoid permission issues.

```bash
sudo -H -u nginx bash -c "/usr/share/php/passbolt/bin/cake cache clear_all"
```

Restart Services

```bash
sudo systemctl start nginx
```

Run Health Check

Verify the installation state after the upgrade.

```bash
sudo -H -u nginx bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck"
```

```
...
[PASS] No error found. Nice one, sparky!
```
If the health check reports no critical issues, the upgrade is complete. Always review release notes before applying updates to check for breaking changes or required migrations.
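The upgrade steps above chained into one script, as an added example that is not part of the original guide or of Passbolt's own tooling. It assumes the backup script at /opt/passbolt-backup.sh from the previous section and the cake binary path used above; it refuses to update without a successful backup and fails the run if the health check prints any [FAIL] line.

```shell
#!/bin/bash
# Added wrapper (not Passbolt's tooling): runs the upgrade steps in order and stops at the
# first failure, so the instance is never updated without a fresh backup.
# Assumes the backup script from the previous section at /opt/passbolt-backup.sh.
set -eu

BACKUP_SCRIPT="/opt/passbolt-backup.sh"
CAKE="/usr/share/php/passbolt/bin/cake"

# Returns 0 only when the healthcheck output has no [FAIL] line and ends with the summary line.
healthcheck_ok() {
  local report="$1"
  ! printf '%s\n' "$report" | grep -q '\[FAIL\]' &&
    printf '%s\n' "$report" | grep -q '\[PASS\] No error found'
}

passbolt_upgrade() {
  "$BACKUP_SCRIPT" || { echo "backup failed, upgrade aborted" >&2; return 1; }
  systemctl stop nginx
  dnf -y update
  sudo -H -u nginx bash -c "$CAKE cache clear_all"
  systemctl start nginx
  local report
  # healthcheck exits non-zero on findings; keep its output and decide below
  report=$(sudo -H -u nginx bash -c "$CAKE passbolt healthcheck" 2>&1) || true
  if healthcheck_ok "$report"; then
    echo "upgrade complete"
  else
    printf '%s\n' "$report" | grep '\[FAIL\]' >&2 || true
    echo "healthcheck reported problems; review before returning the instance to service" >&2
    return 1
  fi
}

# Run the procedure only when invoked explicitly as root: ./passbolt-upgrade.sh run
if [ "${1:-}" = "run" ]; then
  passbolt_upgrade
fi
```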
Digital Sovereignty
Running Passbolt in an LXC container using PKI certificates gives you:
- Full control over credentials and infrastructure.
- The ability to isolate the environment and revert via snapshots.
- End-to-end encryption under your own PKI, avoiding reliance on public CAs.
- A secure foundation for teams to collaborate without exposing sensitive passwords to third-party services.
Self-hosted Passbolt becomes more than a tool – it’s a pillar of your organization’s digital independence.