Using the Passbolt Pro virtual machine appliance
Passbolt Pro provides a virtual appliance in OVA format. Users can import this appliance on their private virtualization platform and start enjoying Passbolt Pro. The VM includes the following software:
- Debian 9.6
- Passbolt Pro preinstalled
- haveged to fill the entropy pool faster
- Scripts to ease managing the SSL setup of the VM
1. Getting started with Passbolt Pro VM
Download the OVA and the SHA512SUM.txt:
Import the OVA file using VirtualBox, VMware (ESXi >= 6.0) or any other platform that supports importing OVA files.
Once imported, users should be able to boot the VM and point their web browser to the VM's IP address to initiate the passbolt install process.
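The SHA512SUM.txt downloaded alongside the OVA allows the image to be checked before it is imported. The script below is an added example, not part of the original Passbolt documentation. It assumes GNU `sha512sum` is available and that SHA512SUM.txt uses the standard `<digest>  <filename>` layout; the function name `verify_ova` is hypothetical.

```shell
#!/bin/sh
# Added example: verify a downloaded OVA against SHA512SUM.txt before import.
# Assumption: SHA512SUM.txt lines look like "<hex digest>  <filename>"
# (or "<hex digest> *<filename>" when produced in binary mode).

# verify_ova OVA_PATH SUMS_PATH
# Returns 0 on match, 1 on digest mismatch,
# 2 if a file is missing or the OVA is not listed in the checksum file.
verify_ova() {
    ova=$1
    sums=$2
    [ -f "$ova" ] && [ -f "$sums" ] || return 2

    name=$(basename "$ova")
    # Take the digest listed for exactly this file name, ignoring other entries.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }
    ' "$sums")
    [ -n "$expected" ] || return 2

    # Hash the local file and compare with the published digest.
    actual=$(sha512sum "$ova" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# Run as: sh verify_ova.sh <appliance>.ova SHA512SUM.txt
if [ "$#" -eq 2 ]; then
    rc=0
    verify_ova "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: digest matches, proceed with the import" ;;
        1) echo "MISMATCH: do not import this file" >&2 ;;
        *) echo "ERROR: file missing or not listed in $2" >&2 ;;
    esac
    exit "$rc"
fi
```

A match only shows the file is the one the checksum list describes, so fetch SHA512SUM.txt over HTTPS from the official download location.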
The appliance performs some actions on the first boot:
- Creates SSH host keys
- Enables SSH
- Creates a set of random MariaDB credentials for the MariaDB server installed on the appliance
- Creates an empty database where passbolt can be installed.
For the first login, the appliance comes with the following default SSH credentials:
VM login credentials: username: passbolt, password: admin
MariaDB credentials are stored in /root/.mysql_credentials. The file should contain:
- Random password for root user
- Empty database name. It follows the pattern passbolt_random_id
- Random user and password with permissions for the passbolt database
1.3. SSL setup process:
On the first login through SSH, a script that asks you some questions will run automatically to configure SSL. Keep in mind that until you complete all the steps, the SSL script will prompt on every login.
Important note: It is recommended to run the SSL setup before running the installation wizard, to avoid secrets being transmitted unencrypted during the installation process.
If you just want to test the appliance or you don’t need SSL:
- Provide a hostname for the script
- Select (3) for ‘none’ on the second question to set up nginx without SSL
- Later on, make sure you set the PASSBOLT_SECURITY_COOKIE_SECURE environment variable to false if you want to test MFA.
2. Configure passbolt
Before you can use the application, you need to configure it. Point your browser to the hostname / IP where passbolt can be reached. You will reach a getting started page.
Two options are available: Manual configuration and Wizard configuration. Choose Wizard configuration.
This tutorial will guide you through the different steps of the wizard. The manual configuration is not covered in this article.
The first page of the wizard will tell you if your environment is ready for passbolt. Solve any issues and click on “Start configuration” when ready.
2.2. Subscription key
At this step, the wizard will ask you for your subscription key. You should have received it by email soon after your online purchase. Enter it in the box.
This step is about telling passbolt which database to use. Enter the host name, port number, database name, username and password.
2.4. GPG key
In this section you can either generate or import a GPG key pair. This key pair will be used by the passbolt API to authenticate itself during the authentication handshake process.
Generate a key if you don’t have one.
Import a key if you already have one and you want your server to use it.
2.5. Mail server (SMTP)
At this stage, the wizard will ask you to enter the details of your SMTP server.
You can also test that your configuration is correct by using the test email feature at the right of your screen. Enter the email address at which you want the wizard to send you a test email and click on “Send test email”.
The wizard will then ask you which preferences you want for your instance of passbolt. The recommended defaults are already pre-populated, but you can also change them if you know what you are doing.
2.7. First user creation
You need to create the first admin user account. This first admin user is probably you, so enter your details and click on next.
That’s it. The wizard now has enough information to proceed with the configuration of passbolt. Sit back and relax for a few seconds while the configuration process is going on.
Your user account is now created. You will see a redirection page for a few seconds and will then be redirected to the user setup process so that you can configure your user account.
3. Configure your administrator account
3.1. Download the plugin
Before continuing, passbolt will require you to download its plugin. If you already have it installed, you can go to the next step.
3.2. Check the server identity
Passbolt will ask you to check the URL passbolt is associated with.
If you recognize the domain name, check the checkbox and then click “Next”. It is a formality here, but it is a security measure that will later help your users to identify your passbolt instance.
3.3. Create a new key
Passbolt will ask you to create or import a key that will later be used to identify you and encrypt your passwords.
3.4. Choose a password
Your key needs to be protected by a password. Choose it wisely, it will be the gatekeeper to all your other passwords.
3.5. Backup your key
This step is essential. Your key is the only way to access your account and passwords. If you lose this key (by breaking or losing your computer and not having a backup for example), your encrypted data will be lost even if you remember your passphrase.
3.6. Define your security token
Choosing a color and a three-character token is a secondary security mechanism that helps you to mitigate phishing attacks. Each time you perform a sensitive operation on passbolt, you should see this token.
3.7. That’s it!
Your administrator account is configured. You will be redirected to the login page of passbolt. Enjoy!
This article was last updated on August 7th, 2019.