Help Search

Migrate an existing Passbolt CE to a new Debian server

This document describes how to migrate an existing passbolt to a new Debian server.


For this tutorial, you will need:

  • Passbolt installed on an old server
  • A minimal Debian 10 new server

Backup the existing data

Prior to the migration you will need to backup the existing passbolt instance data. Please refer to the official backup documentations.

Depending on your SSL configuration you might need to copy the certificate and key from the existing instance. If you are using let’s encrypt you can continue you’ll configure it later directly in the new server.

Don’t delete the existing instance yet!

Prepare the new Debian server

1. Install the server components

1.1. Package repository setup

For easier installation and update tasks Passbolt provides a package repository that you need to setup before you download Passbolt CE and install it.

These steps assume you have already installed sudo and added your user to the sudo group.

Step 1. Update the apt indexes and install packages to allow apt to use https repositories:

sudo apt-get update
sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg-agent \

Optionally you can install certbot to enable Let’s Encrypt configuration:

sudo apt-get install certbot python3-certbot-nginx

Step 2. Add Passbolt package official GnuPG key From

sudo apt-key adv --keyserver hkps:// --recv-keys 0xDE8B853FC155581D

Or from

sudo apt-key adv --keyserver hkps:// --recv-keys 0xDE8B853FC155581D

Or from

sudo apt-key adv --keyserver hkps:// --recv-keys 0xDE8B853FC155581D

Step 3. Check that the GPG fingerprint matches 3D1A 0346 C8E1 802F 774A EF21 DE8B 853F C155 581D

sudo apt-key fingerprint 0xDE8B853FC155581D
pub   rsa2048 2020-05-18 [SC] [expires: 2022-05-18]
      3D1A 0346 C8E1 802F 774A  EF21 DE8B 853F C155 581D
uid           [ unknown] Passbolt SA package signing key <[email protected]>
sub   rsa2048 2020-05-18 [E] [expires: 2022-05-18]

Step 4. Add passbolt repository to your apt lists:

echo  "deb buster stable" | \
sudo tee /etc/apt/sources.list.d/passbolt.list

Step 5. Update the apt indexes with the new passbolt apt repository:

sudo apt-get update

1.2. Install passbolt

By default, passbolt Debian package will install Passbolt server component, mariadb-server, php-fpm and nginx as dependencies.

There are two main ways to install the passbolt Debian package:

  • Interactive: the package will guide the user through a set of questions to setup mariadb and nginx. If you are going to use existing SSL certs for the web server, they need to be created and installed to the location of your choosing before beginning. The user will be asked for the path and name of the certificate and key.
  • Non-interactive: no questions will be asked. Useful for users with specific needs or users that want to automate the installation. Read this FAQ page to know more

Install passbolt package

Install the main passbolt server component:

sudo apt-get install passbolt-ce-server

Configure mariadb

If not instructed otherwise passbolt debian package will install mariadb-server locally. This step will help you create an empty mariadb database for passbolt to use.

Configure mariadb dialog fig. Configure mariadb dialog

The configuration process will ask you for the credentials of the mariadb admin user to create a new database. You will find the root password on the server in the file /root/.mysql_credentials.

Mariadb admin user dialog fig. Mariadb admin user dialog
Mariadb admin user pass dialog fig. Mariadb admin user pass dialog

Now we need to create a mariadb user with reduced permissions for passbolt to connect. For the passbolt database user and password, reuse the ones you have in your backup of passbolt.php.

Mariadb passbolt user dialog fig. Mariadb passbolt user dialog
Mariadb passbolt user pass dialog fig. Mariadb passbolt user pass dialog

Lastly we need to create a database for passbolt to use, for that we need to name it:

Mariadb database name dialog fig. Mariadb database name dialog

Configure nginx for serving HTTPS

Depending on your needs there are two different options to setup nginx and SSL using the Debian package:

Migrate the data

Load the backup files into the new Debian server, for the following tasks we will consider that the backup files are in your user home directory ~/backup

You should have:

  • the private and public GPG key
  • Your database dump
  • The avatar archive file passbolt-avatars.tar.gz if you are coming from Passbolt prior to 3.2

Step 1. Restore Passbolt configuration file and ensure rights and ownership are correct:

sudo mv ~/backup/passbolt.php /etc/passbolt
sudo chown www-data:www-data /etc/passbolt/passbolt.php
sudo chmod 440 /etc/passbolt/passbolt.php

Step 2. Restore GPG public and private keys and ensure rights and ownership are correct:

sudo mv ~/backup/serverkey.asc /etc/passbolt/gpg
sudo mv ~/backup/serverkey_private.asc /etc/passbolt/gpg
sudo chown www-data: /etc/passbolt/gpg/serverkey_private.asc
sudo chown www-data: /etc/passbolt/gpg/serverkey.asc
sudo chmod 440 /etc/passbolt/gpg/serverkey.asc
sudo chmod 440 /etc/passbolt/gpg/serverkey_private.asc

Step 3. Extract the passbolt-avatars.tar.gz archive and set correct rights (if coming from Passbolt version prior to 3.2)

sudo tar xzf passbolt-avatars.tar.gz -C /usr/share/php/passbolt/
sudo chown -R www-data:www-data /usr/share/php/passbolt/webroot/img/public

Step 4. Load the database

mysql -u PASSBOLT_DATABASE_USER -p PASSBOLT_DATABASE < passbolt-backup.sql

Step 5. Migrate the Passbolt data to the latest version

sudo -H -u www-data /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt migrate"

Step 6. Test passbolt

Try to access your passbolt application with your browser.

If you are encountering any issues, you can run the following command to assess the status of your instance:

sudo -H -u www-data /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck"

Last updated

This article was last updated on September 16th, 2021.

Are you experiencing issues when updating passbolt?

Ask the community!

Something is not accurate in this documentation? You can contribute by opening an issue or making pull requests!

View on github
🍪   Do you accept cookies for statistical purposes? (Read more) Accept No thanks!