Help Search

Install Passbolt CE on Debian 11 (Bullseye)


For this tutorial, you will need:

  • A minimal Debian 11 server.

  • A domain / host name pointing to your server, or at least being able to reach your server through a static IP address.

The recommended server requirements are:

  • 2 cores
  • 2GB of RAM

Please note: It is important that you use a vanilla server with no other services or tools already installed on it. The install scripts could potentially damage any existing data on your server.

1. Install the server components

1.1. Package repository setup

For easier installation and update tasks Passbolt provides a package repository that you need to setup before you download Passbolt CE and install it.

These steps assume you have already installed sudo and added your user to the sudo group.

Step 1. Update the apt indexes and install packages to allow apt to use https repositories:

sudo apt update
sudo apt install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg-agent \

Step 2. Let’s Encrypt

Install certbot if you plan to manage your SSL certificates with Let’s Encrypt:

sudo apt install certbot python3-certbot-nginx

Step 3. Add Passbolt package official GnuPG key from

gpg --keyserver hkps:// --recv-keys 0xDE8B853FC155581D 

Or alternatively from hkps:// or hkps://

Step 4. Check that the GPG fingerprint matches 3D1A 0346 C8E1 802F 774A EF21 DE8B 853F C155 581D

gpg --list-key --with-fingerprint 0xDE8B853FC155581D

Must return:

pub   rsa2048 2020-05-18 [SC] [expires: 2022-05-18]
      3D1A 0346 C8E1 802F 774A  EF21 DE8B 853F C155 581D
uid           [ unknown] Passbolt SA package signing key <[email protected]>
sub   rsa2048 2020-05-18 [E] [expires: 2022-05-18]

Step 5. Create GPG package keyring

gpg --export 0xDE8B853FC155581D | sudo tee \
  /usr/share/keyrings/passbolt-repository.gpg >/dev/null

Step 6. Add passbolt repository:

cat << EOF | sudo tee /etc/apt/sources.list.d/passbolt.sources > /dev/null
Types: deb
Suites: buster
Components: stable
Signed-By: /usr/share/keyrings/passbolt-repository.gpg

Step 7. Update the apt indexes with the new passbolt apt repository:

sudo apt update

1.2. Install passbolt

By default, passbolt Debian package will install Passbolt server component, mariadb-server, php-fpm and nginx as dependencies.

There are two main ways to install the passbolt Debian package:

  • Interactive: the package will guide the user through a set of questions to setup mariadb and nginx. If you are going to use existing SSL certs for the web server, they need to be created and installed to the location of your choosing before beginning. The user will be asked for the path and name of the certificate and key.
  • Non-interactive: no questions will be asked. Useful for users with specific needs or users that want to automate the installation. Read this FAQ page to know more

Install passbolt package

Install the main passbolt server component:

sudo apt install passbolt-ce-server

Configure mariadb

If not instructed otherwise passbolt debian package will install mariadb-server locally. This step will help you create an empty mariadb database for passbolt to use.

Configure mariadb dialog fig. Configure mariadb dialog

The configuration process will ask you for the credentials of the mariadb admin user to create a new database. By default in most installations the admin username would be root and the password would be empty.

Mariadb admin user dialog fig. Mariadb admin user dialog
Mariadb admin user pass dialog fig. Mariadb admin user pass dialog

Now we need to create a mariadb user with reduced permissions for passbolt to connect. These values will also be requested later on the webconfiguration tool of passbolt so please keep them in mind.

Mariadb passbolt user dialog fig. Mariadb passbolt user dialog
Mariadb passbolt user pass dialog fig. Mariadb passbolt user pass dialog

Lastly we need to create a database for passbolt to use, for that we need to name it:

Mariadb database name dialog fig. Mariadb database name dialog

Configure nginx for serving HTTPS

Depending on your needs there are two different options to setup nginx and SSL using the Debian package:

2. Configure passbolt

Before you can use the application, you need to configure it. Point your browser to the hostname / ip where passbolt can be reached. You will reach a getting started page.

passbolt welcome page before configuration fig. passbolt welcome page before configuration

2.1. Healthcheck

The first page of the wizard will tell you if your environment is ready for passbolt. Solve issues if any and click on “Start configuration” when ready.

wizard - healthcheck fig. wizard - healthcheck

2.2. Database

This step is about telling passbolt which database to use. Enter the host name, port number, database name, username and password.

wizard - database fig. wizard - database

2.3. GPG key

In this section you can either generate or import a GPG key pair. This key pair will be used by passbolt API to authenticate itself during the login handshake process.

Generate a key if you don’t have one.

wizard - generate a key pair fig. wizard - generate a key pair

Optional: Import a key if you already have one and you want your server to use it.

Do not set a passphrase or an expiration date The php-gnupg module does not support using passphrase at the moment. Make sure you do not set one. Similarly do not set an expiration date. Otherwise all your users will need to perform an account recovery when you will eventually need to update the key.

To create a new GnuPG key without passphrase:

gpg --batch --no-tty --gen-key <<EOF
  Key-Type: default
  Key-Length: 2048
  Subkey-Type: default
  Subkey-Length: 2048
  Name-Real: John Doe
  Name-Email: [email protected]
  Expire-Date: 0

Feel free to replace Name-Real and Name-Email with your own.

To display your new key:

gpg --armor --export-secret-keys [email protected]
wizard - import a key pair fig. wizard - import a key pair

2.4. Mail server (SMTP)

At this stage, the wizard will ask you to enter the details of your SMTP server.

wizard - smtp mail server details fig. wizard - smtp mail server details

You can also test that your configuration is correct by using the test email feature at the right of your screen. Enter the email address at which you want the wizard to send you a test email and click on “Send test email”.

wizard - test smtp settings fig. wizard - test smtp settings

2.5. Preferences

The wizard will then ask you what preferences you prefer for your instance of passbolt. The recommended defaults are already pre-populated but you can also change them if you know what you are doing.

wizard - preferences fig. wizard - preferences

2.6. First user creation

You need to create the first admin user account. This first admin user is probably you, so enter your details and click on next.

wizard - first user fig. wizard - first user

2.7. Installation

That’s it. The wizard has now enough information to proceed with the configuration of passbolt. Sit back and relax for a few seconds while the configuration process is going on.

wizard - installation fig. wizard - installation

Your user account is now created. You will see a redirection page for a few second and then will be redirected to the user setup process so that you can configure your user account.

wizard - completion and redirection fig. wizard - completion and redirection

3. Configure your administrator account

3.1. Download the plugin

Before continuing passbolt will require you to download its plugin. If you already have it installed you can go to the next step.

download the browser extension fig. download the browser extension

3.2. Create a new key

Passbolt will ask you to create or import a key that will be later use to identify you and encrypt your passwords. Your key needs to be protected by a password. Choose it wisely, it will be the gatekeeper to all your other passwords.

generate a key fig. generate a key

3.3. Download your recovery kit

This step is essential. Your key is the only way to access your account and passwords. If you lose this key (by breaking or losing your computer and not having a backup for example), your encrypted data will be lost even if you remember your passphrase.

download the recovery kit fig. download the recovery kit

3.4. Define your security token

Choosing a color and a three characters token is a secondary security mechanism that helps you to mitigate phishing attacks. Each time you are performing a sensitive operation on passbolt, you should see this token.

define your security token fig. define your security token

3.5. That’s it!

Your administrator account is configured. You will be redirected to the login page of passbolt. Enjoy!

Last updated

This article was last updated on November 24th, 2021.

Are you experiencing issues when installing passbolt?

Ask the community!

Stay informed of the next releases!

Star Passbolt CE on github
🍪   Do you accept cookies for statistical purposes? (Read more) Accept No thanks!