Using Passbolt CE AWS AMI
The Passbolt Amazon Machine Image (AMI) provides a ready-to-use passbolt image that you can use for free on your Amazon Web Services infrastructure. The AMI includes the following software:
- Debian 10
- Passbolt CE preinstalled
This AMI does not come with an email server preinstalled, so users can either install one manually or use a third-party email provider.
1. Getting started with passbolt CE AMI
You can subscribe to passbolt CE on the following AWS marketplace listing. Click the “continue to subscribe” button on the listing page.
The EULA for passbolt CE is the AGPL license. You have to accept it in order to use this image, by clicking on the “Accept terms” button.
Once the terms are accepted, you can click the “Continue to configuration” button. On the next screen you will be able to select which version of the AMI you want to use, as well as the AWS region in which you want the instance to be launched. Once you have selected your desired configuration, click the “Continue to Launch” button.
On the launch screen you will be able to select:
- How to launch the instance
- Instance type
- Subnet settings
- Security group settings
- Key pair settings
If you do not know what these fields mean, rely on the defaults, making sure that the key pair is available on your local machine so you can connect to the instance through SSH. If all the values are good, click the “Launch” button.
1.1 Connect to your instance
As soon as your passbolt instance is ready, connect to it using SSH. You can use the AWS public DNS name that is automatically attached to the instance:
Where ‘my-instance-ip’ is the public IP address assigned to the instance, dash separated. For example
This dynamic DNS name might vary depending on your IP, but also on the region in which you run your instance. More information about AWS public DNS names here
1.2 Retrieve the credentials
The admin user is part of the sudo group. There is no root password, so you cannot log in as root. You can, however, create a shell as root with the default user:
MariaDB credentials are stored in /root/.mysql_credentials. You will need to retrieve them for the next step:
sudo cat /root/.mysql_credentials
The file contains:
- Random password for root user
- Name of an empty database. It follows the pattern passbolt_random_id
- Random user and password with permissions for the passbolt database
root_username = root
root_password = "SOME_RANDOM_PASSWORD_HERE"
username = "passbolt_usr_l9WIsaQO"
password = "SOME_RANDOM_PASSWORD_HERE"
database = "passbolt_p5aEMDJ9"
Please note that ‘l9WIsaQO’ is a randomly generated identifier that might vary from instance to instance.
1.3. Set up HTTPS (optional, but highly recommended):
If you are planning to use this AWS instance in production, it is highly recommended to set up SSL. There are two main methods described below:
2. Configure passbolt
Before you can use the application, you need to configure it. Point your browser to the hostname or IP address where passbolt can be reached. You will reach a getting started page.
Two options are available: Manual configuration and Wizard configuration. Choose Wizard configuration.
This tutorial will guide you through the different steps of the wizard. The manual configuration is not covered in this article.
The first page of the wizard will tell you if your environment is ready for passbolt. Solve any issues and click on “Start configuration” when ready.
This step is about telling passbolt which database to use. For the sake of this example, we will use the preinstalled MariaDB server that comes with the AMI, so the hostname is fixed to ‘127.0.0.1’, and the credentials provided in the
- Hostname: 127.0.0.1
- Port number: 3306
- Database name: passbolt_p5aEMDJ9
- Username: passbolt_usr_l9WIsaQO
- Password: SOME_RANDOM_PASSWORD_HERE
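The mapping from the credentials file to the wizard's database fields can be scripted. The following is an added example, not part of the passbolt documentation: the function names cred_get and wizard_db_fields are hypothetical, and the sample file is constructed in the format shown in section 1.2. It refuses a partial file and refuses to hand the MariaDB root account to the wizard.

```shell
#!/bin/sh
# Added example: turn a passbolt AMI credentials file into the values the
# wizard's database step asks for. Function names are hypothetical.

# cred_get FILE KEY -> value of "KEY = value", surrounding quotes removed.
cred_get() {
    # Anchored at line start, so "username" never matches "root_username".
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        head -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# wizard_db_fields FILE -> prints the five wizard fields, or returns 1.
wizard_db_fields() {
    file=$1
    db=$(cred_get "$file" database)
    user=$(cred_get "$file" username)
    pass=$(cred_get "$file" password)
    # Refuse to continue on a partial or unreadable file.
    [ -n "$db" ] && [ -n "$user" ] && [ -n "$pass" ] || return 1
    # The wizard gets the application account, never the MariaDB root one.
    [ "$user" != "$(cred_get "$file" root_username)" ] || return 1
    # Hostname and port are the fixed values for the preinstalled server.
    printf 'Hostname: 127.0.0.1\nPort number: 3306\n'
    printf 'Database name: %s\nUsername: %s\nPassword: %s\n' \
        "$db" "$user" "$pass"
}

# Constructed sample in the format shown in section 1.2 (placeholder values).
sample=$(mktemp)
cat > "$sample" <<'EOF'
root_username = root
root_password = "SOME_RANDOM_PASSWORD_HERE"
username = "passbolt_usr_l9WIsaQO"
password = "SOME_RANDOM_PASSWORD_HERE"
database = "passbolt_p5aEMDJ9"
EOF
wizard_db_fields "$sample"
rm -f "$sample"
```

On a real instance the functions would be run from a root shell against /root/.mysql_credentials instead of the sample file.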
2.3. GPG key
In this section you can either generate or import a GPG key pair. This key pair will be used by the passbolt API to authenticate itself during the authentication handshake process.
Generate a key if you don’t have one.
Import a key if you already have one and you want your server to use it.
2.4. Mail server (SMTP)
At this stage, the wizard will ask you to enter the details of your SMTP server.
You can also test that your configuration is correct by using the test email feature at the right of your screen. Enter the email address at which you want the wizard to send you a test email and click on “Send test email”.
The wizard will then ask for the preferences of your passbolt instance. The recommended defaults are already pre-populated, but you can also change them if you know what you are doing.
2.6. First user creation
You need to create the first admin user account. This first admin user is probably you, so enter your details and click on next.
That’s it. The wizard now has enough information to proceed with the configuration of passbolt. Sit back and relax for a few seconds while the configuration process is going on.
Your user account is now created. You will see a redirection page for a few seconds and will then be redirected to the user setup process so that you can configure your user account.
3. Configure your administrator account
3.1. Download the plugin
Before continuing, passbolt will require you to download its plugin. If you already have it installed, you can go to the next step.
3.2. Check the server identity
Passbolt will ask you to check the URL passbolt is associated with.
If you recognize the domain name, check the checkbox and then click “Next”. It is a formality here, but it is a security measure that will later help your users to identify your passbolt instance.
3.3. Create a new key
Passbolt will ask you to create or import a key that will later be used to identify you and encrypt your passwords.
3.4. Choose a password
Your key needs to be protected by a password. Choose it wisely, it will be the gatekeeper to all your other passwords.
3.5. Backup your key
This step is essential. Your key is the only way to access your account and passwords. If you lose this key (by breaking or losing your computer and not having a backup for example), your encrypted data will be lost even if you remember your passphrase.
3.6. Define your security token
Choosing a color and a three character token is a secondary security mechanism that helps you to mitigate phishing attacks. Each time you are performing a sensitive operation on passbolt, you should see this token.
3.6. That’s it!
Your administrator account is configured. You will be redirected to the login page of passbolt. Enjoy!
This article was last updated on August 7th, 2019.