This page should give you the information necessary to successfully use Docker Secrets with your Passbolt installation.
Supported environment variables
Environment variables whose value can be supplied as a Docker secret, with the matching environment variable that holds the path to the secret file (the `_FILE` variant of the variable name):

| PASSBOLT ENV VAR | DOCKER SECRET ENV VAR |
|---|---|
Supported secret files
Files inside the container that hold secret data, with the matching environment variable that points to the Docker secret to copy into that file:

| FILE PATH | DOCKER SECRET ENV VAR |
|---|---|
Inject the DATASOURCES_DEFAULT_PASSWORD variable using Docker secrets

Following the Docker secrets documentation for Docker Compose, a docker-compose.yaml looks like this:

```yaml
services:
  passbolt:
    ...
    environment:
      DATASOURCES_DEFAULT_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password
    ...
secrets:
  db_password:
    file: db_password.txt
```
In this example we want to inject the contents of ‘db_password.txt’ into the DATASOURCES_DEFAULT_PASSWORD environment variable inside the Passbolt container. Create the file without a trailing newline (for example `printf '%s' 'the-password' > db_password.txt`) so there is no ambiguity about whether the newline is part of the password, and keep it readable only by the user running Compose, since the file on disk is the credential.

To do so we create the secret and call it db_password in this snippet:

```yaml
secrets:
  db_password:
    file: db_password.txt
```
Once we have this, we use this secret on the Passbolt service:
```yaml
services:
  passbolt:
    ...
    secrets:
      - db_password
    ...
```
Finally, we have to find out which environment variable makes Passbolt read the secret file into the DATASOURCES_DEFAULT_PASSWORD variable. The Supported environment variables section gives the answer (DATASOURCES_DEFAULT_PASSWORD_FILE in this case), so we set that variable in the Passbolt container environment to the path under /run/secrets that carries the secret's name:

```yaml
services:
  passbolt:
    ...
    environment:
      DATASOURCES_DEFAULT_PASSWORD_FILE: /run/secrets/db_password
```
Inject the /etc/ssl/certs/certificate.crt file using Docker secrets

```yaml
services:
  passbolt:
    ...
    environment:
      PASSBOLT_SSL_SERVER_CERT_FILE: /run/secrets/ssl_cert
    secrets:
      - ssl_cert
    ...
secrets:
  ssl_cert:
    file: ssl_cert.pem
```
In this example we want to inject the contents of ‘ssl_cert.pem’ into the ‘/etc/ssl/certs/certificate.crt’ file inside the Passbolt container.

To do so, we create a Docker secret and call it ssl_cert with the contents of ssl_cert.pem:

```yaml
secrets:
  ssl_cert:
    file: ssl_cert.pem
```
Then we inject the secret in the Passbolt service:
```yaml
services:
  passbolt:
    ...
    secrets:
      - ssl_cert
    ...
```
And finally, we go to the Supported secret files section to find the environment variable that points to the path we want to fill (PASSBOLT_SSL_SERVER_CERT_FILE, which points to ‘/etc/ssl/certs/certificate.crt’) and set it to the mounted secret:

```yaml
services:
  passbolt:
    ...
    environment:
      PASSBOLT_SSL_SERVER_CERT_FILE: /run/secrets/ssl_cert
```
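Both procedures above rely on the same start-up pattern inside the container: a `*_FILE` variable names a file under /run/secrets, and the entrypoint either reads that file into the plain environment variable (the DATASOURCES_DEFAULT_PASSWORD case) or copies it to the path the service expects (the certificate case). The script below is an added illustration of that pattern with the failure modes a practitioner wants handled; it is not Passbolt's own entrypoint code, the function names `resolve_secret_env` and `install_secret_file` are hypothetical, and the sample secrets are constructed in a temporary directory in place of /run/secrets.

```shell
#!/bin/sh
# Added illustration of the VAR / VAR_FILE injection pattern used with Docker
# secrets. Not Passbolt's entrypoint code; function names are hypothetical.
set -eu

# resolve_secret_env VAR
# Populates VAR from the file named by VAR_FILE (for example
# DATASOURCES_DEFAULT_PASSWORD from DATASOURCES_DEFAULT_PASSWORD_FILE).
# Refuses to run when both VAR and VAR_FILE are set, so two competing sources
# for one credential fail loudly instead of one silently winning.
resolve_secret_env() {
  var="$1"
  # Only plain identifiers reach eval below; anything else is rejected.
  case "$var" in *[!A-Za-z0-9_]*|"") echo "error: bad variable name" >&2; return 1;; esac
  file_var="${var}_FILE"
  eval "val=\${$var:-}"
  eval "file=\${$file_var:-}"
  if [ -n "$val" ] && [ -n "$file" ]; then
    echo "error: both $var and $file_var are set" >&2
    return 1
  fi
  if [ -n "$file" ]; then
    if [ ! -r "$file" ]; then
      echo "error: $file_var points to unreadable file $file" >&2
      return 1
    fi
    # Command substitution strips trailing newlines, so a db_password.txt
    # saved with a final newline still yields the exact password.
    val="$(cat "$file")"
  fi
  if [ -n "$val" ]; then
    export "$var=$val"
  fi
  # Drop the pointer so the path does not leak into child processes.
  unset "$file_var"
}

# install_secret_file FILE_VAR DEST
# Copies the secret named by FILE_VAR (for example PASSBOLT_SSL_SERVER_CERT_FILE
# pointing at /run/secrets/ssl_cert) to DEST, the path the service reads.
# A FILE_VAR that is set but points nowhere readable is an error: a typo in the
# secret name should stop start-up, not surface later as a missing certificate.
install_secret_file() {
  file_var="$1"
  dest="$2"
  case "$file_var" in *[!A-Za-z0-9_]*|"") echo "error: bad variable name" >&2; return 1;; esac
  eval "src=\${$file_var:-}"
  [ -n "$src" ] || return 0    # nothing requested: keep the image default
  if [ ! -r "$src" ]; then
    echo "error: $file_var points to unreadable file $src" >&2
    return 1
  fi
  mkdir -p "$(dirname "$dest")"
  # The same routine serves private keys, so the copy is never group or world readable.
  (umask 077 && cp "$src" "$dest")
  chmod 600 "$dest"
}

# Stand-alone demonstration with constructed sample secrets in a temp directory
# (in the container these would be the files under /run/secrets).
demo=$(mktemp -d)
printf '%s' 'S3cr3t-Pa55' > "$demo/db_password"                    # constructed sample
printf '%s\n' 'sample-not-a-real-certificate' > "$demo/ssl_cert"    # constructed sample
export DATASOURCES_DEFAULT_PASSWORD_FILE="$demo/db_password"
export PASSBOLT_SSL_SERVER_CERT_FILE="$demo/ssl_cert"
resolve_secret_env DATASOURCES_DEFAULT_PASSWORD
install_secret_file PASSBOLT_SSL_SERVER_CERT_FILE "$demo/etc/ssl/certs/certificate.crt"
echo "DATASOURCES_DEFAULT_PASSWORD set (${#DATASOURCES_DEFAULT_PASSWORD} chars); certificate installed"
unset DATASOURCES_DEFAULT_PASSWORD PASSBOLT_SSL_SERVER_CERT_FILE
rm -rf "$demo"
```

The two checks worth copying into any entrypoint are the conflict check (a plain variable and its `_FILE` twin both set) and the unreadable-path check: both turn a mis-typed secret name into an immediate start-up failure instead of a service that comes up with a wrong or empty credential.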
Create the secret outside of the compose file

You can also create the secret directly in Docker, so that the file holding the secret does not have to stay on the host next to the compose file. This matters because with a `file:` secret Compose reads the file on every `docker compose up` and mounts it under /run/secrets in the container, so the copy on disk is the credential to protect (keep it mode 0600 and out of version control); with the form below, the swarm secret store holds the value instead. This example will show you how to do that.
The first step here is to create the secret. `docker secret create` stores it in the swarm secret store, so the Docker daemon must be a swarm manager (`docker swarm init` is enough on a single node):

```shell
docker secret create gpg-public public.key
```
You will then need to modify your compose file to designate this as an external secret:

```yaml
secrets:
  gpg-public:
    external: true
```
Finally you will need to make sure this secret is used by the Passbolt service. Because the secret lives in swarm, deploy the file with `docker stack deploy` rather than `docker compose up`; a plain Compose run has no swarm store from which to resolve an external secret:

```yaml
services:
  passbolt:
    ...
    environment:
      PASSBOLT_GPG_SERVER_KEY_PUBLIC_FILE: /run/secrets/gpg-public
    secrets:
      - gpg-public
    ...
```