Install Passbolt CE on CentOS 7

This tutorial describes how to install Passbolt CE on a minimal CentOS 7 server. The installation procedure is based on install scripts that will do the heavy lifting for you. They will configure your operating system to be passbolt ready and will take care of installing and configuring the web server (Nginx), database (MariaDb), PHP, SSL and GPG keyring.

Installation time: 10 minutes.

If you prefer to install passbolt manually please refer to this documentation: Install passbolt from source.

Prerequisites

For this tutorial, you will need:

• A minimal CentOS 7 server.
• A domain / host name pointing to your server, or at least being able to reach your server through a static IP address.
• a working SMTP server for email notifications
• a working NTP service to avoid GPG authentication issues

The recommended server requirements are:

• 2 cores
• 2GB of RAM

FAQ pages:

• Set up NTP
• Firewall rules
• Considerations about entropy

1. Configure your server

Download and execute the installation script

Note that you can find the source code of the install scripts on our git repository.

The script will take care of installing all the services required by passbolt. It will ask you a few questions in order to adapt the environment to your needs.

curl -L -o passbolt-ce-installer-centos-7.tar.gz https://www.passbolt.com/ce/download/installers/centos/latest
curl -L -o passbolt-installer-checksum https://www.passbolt.com/ce/download/installers/centos/latest-checksum
sha512sum -c passbolt-installer-checksum
tar -xzf passbolt-ce-installer-centos-7.tar.gz
sudo ./passbolt_ce_centos_installer.sh

fig. execute the install script

Do you want to install a local mariadb server on this machine?

• Yes: if you are not planning on using an external mysql / mariadb server.
• No: if you have a mysql / mariadb server installed somewhere else and want to use it for passbolt.

The script will then ask you for the database details: root user password, non-root user name, non-root user password, database name, and database password.

Hostname

To configure your webserver, the script needs to know under which hostname or ip it is going to run. Enter here the address (domain, hostname or ip) at which you are planning to access your passbolt after installation.

example: my-passbolt.acme.com

SSL Setup

Because passbolt is designed to run with HTTPS by default it is best to try to setup passbolt with SSL even if this is just a test instance.

• manual: (recommended) choose manual if you have your own ssl certificates.
• auto: this option will issue a SSL certificate automatically through Let’s Encrypt. Use this option only if you have a domain name that is reachable by the outside world, or it will not work.
• none: choose this option if you don’t want your webserver to run https. This is not recommended.

Important: if you choose ‘none’ and want to test the MFA, later on you will need to set PASSBOLT_SECURITY_COOKIE_SECURE environment variable to false. This is to prevent a misconfigured server with both HTTP and HTTPS enabled from leaking sensitive cookie.

Common GnuPG issues

On virtualized environments GnuPG will most likely not be able to find enough entropy to generate a key. Therefore, Passbolt will not run properly. The script needs to know if you want to help fix this issue by installing Haveged.

Haveged is a useful tool to fix entropy issues, however it can have security implications. Make sure you understand the risks before answering yes to this question.

To create a new GnuPG key without passphrase:

gpg --batch --no-tty --gen-key <<EOF
  Key-Type: default
  Key-Length: 2048
  Subkey-Type: default
  Subkey-Length: 2048
  Name-Real: John Doe
  Name-Email: [email protected]
  Expire-Date: 0
  %no-protection
  %commit
EOF

Feel free to replace Name-Real and Name-Email with your own.

To display your new key:

gpg --armor --export-secret-keys [email protected]

For each question, depending on your answer, some more precisions can be asked. Just answer the questions and go with the flow.

Your environment is now ready to support passbolt.

fig. completion of the install script

2. Configure passbolt

Before you can use the application, you need to configure it. Point your browser to the hostname / ip where passbolt can be reached. You will reach a getting started page.

fig. passbolt welcome page before configuration

2.1. Healthcheck

The first page of the wizard will tell you if your environment is ready for passbolt. Solve issues if any and click on “Start configuration” when ready.

fig. wizard - healthcheck

2.2. Database

This step is about telling passbolt which database to use. Enter the host name, port number, database name, username and password.

fig. wizard - database

2.3. GPG key

In this section you can either generate or import a GPG key pair. This key pair will be used by passbolt API to authenticate itself during the login handshake process.

Generate a key if you don’t have one.

fig. wizard - generate a key pair

Optional: Import a key if you already have one and you want your server to use it.

To create a new GnuPG key without passphrase:

gpg --batch --no-tty --gen-key <<EOF
  Key-Type: default
  Key-Length: 2048
  Subkey-Type: default
  Subkey-Length: 2048
  Name-Real: John Doe
  Name-Email: [email protected]
  Expire-Date: 0
  %no-protection
  %commit
EOF

Feel free to replace Name-Real and Name-Email with your own.

To display your new key:

gpg --armor --export-secret-keys [email protected]

fig. wizard - import a key pair

2.4. Mail server (SMTP)

At this stage, the wizard will ask you to enter the details of your SMTP server.

fig. wizard - smtp mail server details

You can also test that your configuration is correct by using the test email feature at the right of your screen. Enter the email address at which you want the wizard to send you a test email and click on “Send test email”.

fig. wizard - test smtp settings

2.5. Preferences

The wizard will then ask you what preferences you prefer for your instance of passbolt. The recommended defaults are already pre-populated but you can also change them if you know what you are doing.

fig. wizard - preferences

2.6. First user creation

You need to create the first admin user account. This first admin user is probably you, so enter your details and click on next.

fig. wizard - first user

2.7. Installation

That’s it. The wizard has now enough information to proceed with the configuration of passbolt. Sit back and relax for a few seconds while the configuration process is going on.

fig. wizard - installation

Your user account is now created. You will see a redirection page for a few second and then will be redirected to the user setup process so that you can configure your user account.

fig. wizard - completion and redirection

3. Configure your administrator account

3.1. Download the plugin

Before continuing passbolt will require you to download its plugin. If you already have it installed you can go to the next step.

fig. download the browser extension

3.2. Create a new key

Passbolt will ask you to create or import a key that will be later use to identify you and encrypt your passwords. Your key needs to be protected by a password. Choose it wisely, it will be the gatekeeper to all your other passwords.

fig. generate a key

3.3. Download your recovery kit

This step is essential. Your key is the only way to access your account and passwords.

fig. download the recovery kit

3.4. Define your security token

Choosing a color and a three characters token is a secondary security mechanism that helps you to mitigate phishing attacks. Each time you are performing a sensitive operation on passbolt, you should see this token.

fig. define your security token

3.5. That’s it!

Your administrator account is configured. You will be redirected to the login page of passbolt. Enjoy!

Frequently asked questions

• Why are my emails not being sent?
• How to I increase auto logout timeout?
• How do I make backups