Help Search

Migrate an existing Passbolt CE to a new openSUSE server

This document describes how to migrate an existing passbolt to a new openSUSE server.


For this tutorial, you will need:

  • Passbolt installed on an old server
  • A minimal openSUSE Leap 15 new server

Backup the existing data

Prior to the migration you will need to backup the existing passbolt instance data. Please refer to the official backup documentations.

Depending on your SSL configuration you might need to copy the certificate and key from the existing instance. If you are using let’s encrypt you can continue you’ll configure it later directly in the new server.

Don’t delete the existing instance yet!

Prepare the new openSUSE server

Package repository setup

For easier installation and update tasks Passbolt provides a package repository that you need to setup before you download Passbolt CE and install it.

Step 1. Download our dependencies installation script:

wget ""

Step 2. Download our SHA512SUM for the installation script:


Step 3. Ensure that the script is valid and execute it:

sha512sum -c passbolt-ce-SHA512SUM.txt && sudo bash ./  || echo \"Bad checksum. Aborting\" && rm -f

Install passbolt official linux package

sudo zypper install passbolt-ce-server

During the installation, you will be asked to accept passbolt GPG repository key. You must ensure the fingerprint is exactly the same as the one below:

  Repository:       Passbolt Server
  Key Fingerprint:  3D1A 0346 C8E1 802F 774A EF21 DE8B 853F C155 581D
  Key Name:         Passbolt SA package signing key <[email protected]>
  Key Algorithm:    RSA 2048

If the fingerprint matches, trust always by answering a to this question:

Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r):

Then, you will be asked for PHP repository GPG key, ensure the fingerprint is correct and trust it always:

  Repository:       php
  Key Fingerprint:  55CF 98B4 BB5B C6CC 2E24 748F 82EE 4011 CBCA 8BB5
  Key Name:         devel:languages:php OBS Project <devel:languages:[email protected]>
  Key Algorithm:    DSA 1024

Finally, verify and trust openSUSE PHP extensions repository GPG key:

  Repository:       php-extensions-x86_64
  Key Fingerprint:  A85C D7EF 5242 1152 9A7F 994A 9B41 A048 1AF1 B065
  Key Name:         server:php:extensions OBS Project <server:php:[email protected]>
  Key Algorithm:    RSA 2048

MariaDB / Nginx / SSL settings

Passbolt CE RPM package on openSUSE Leap 15 come with a configuration helper tool to prepare MariaDB, Nginx and SSL settings.

You must prepare beforehand your SSL certificates before launching the tool. Be sure to write down the full path to your cert/key combo, as it will be needed in the nginx configuration process.

Please, notice that for security matters we highly recommend to setup SSL to serve passbolt.

Launch passbolt-configure tool and answer to the questions:

sudo /usr/local/bin/passbolt-configure


Do you want to configure a local mariadb server on this machine?
1) yes
2) no

Answer 1 for yes if you want to configure a local MariaDB database, otherwise 2 for no if you plan to use an existing one.

If you chose yes, answer the questions:

Please enter a new password for the root database user:
MariaDB Root Password: ****
MariaDB Root Password (verify): ****
Please enter a name for the passbolt database username
Passbolt database user name:passboltuser
Please enter a new password for the mysql passbolt user
MariaDB passbolt user password: ****
MariaDB passbolt user password (verify): ****
Please enter a name for the passbolt database:
Passbolt database name:passboltdb


On virtualized environments GnuPG happen to find not enough entropy to generate a key. Therefore, Passbolt will not run properly.

You should consider to install Haveged to speed up the entropy generation. Please check our FAQ page about this for more informations.

Install Haveged ?
1) yes
2) no


Please enter the domain name under which passbolt will run.

Note this hostname will be used as server_name for nginx and as the domain name to register a SSL certificate with let’s encrypt if you don’t have your own SSL certificates.

If you don’t have a domain name and you do not plan to use let’s encrypt please enter the ip address to access this machine.

Hostname: passbolt.domain.tld

SSL configuration

3 available choices for SSL configuration:

  • manual: Prompts for the path of user uploaded ssl certificates and set up nginx
  • auto: Will issue a free SSL certificate with and set up nginx
  • none: Do not setup HTTPS at all
Setting up SSL...
1) manual
2) auto
3) none

If you choose 1, you will be prompted for the full path of your certificates:

Enter the path to the SSL certificate: /path/to/certs/cert.pem
Enter the path to the SSL privkey: /path/to/certs/key.pem

Nginx and MariaDB are now on the way to be configured. You will be notified at the end of the process to connect to the Passbolt web interface to finish the configuration.

Installation is almost complete. Please point your browser to
  https://passbolt.domain.tld to complete the process

Migrate data

Load the backup files into the new openSUSE server, for the following tasks we will consider that the backup files are in your user home directory ~/backup

You should have:

  • the private and public GPG key
  • Your database dump
  • The avatar archive file passbolt-avatars.tar.gz if you are coming from Passbolt prior to 3.2

Step 1. Restore Passbolt configuration file and ensure rights and ownership are correct:

sudo mv ~/backup/passbolt.php /etc/passbolt
sudo chown wwwrun:wwwrun /etc/passbolt/passbolt.php
sudo chown wwwrun:wwwrun /etc/passbolt/subscription_key.txt
sudo chmod 440 /etc/passbolt/passbolt.php

Step 2. Restore GPG public and private keys and ensure rights and ownership are correct:

sudo mv ~/backup/serverkey.asc /etc/passbolt/gpg
sudo mv ~/backup/serverkey_private.asc /etc/passbolt/gpg
sudo chown wwwrun:wwwrun /etc/passbolt/gpg/serverkey_private.asc
sudo chown wwwrun:wwwrun /etc/passbolt/gpg/serverkey.asc
sudo chmod 440 /etc/passbolt/gpg/serverkey.asc
sudo chmod 440 /etc/passbolt/gpg/serverkey_private.asc

Step 3. Extract the passbolt-avatars.tar.gz archive and set correct rights (if coming from Passbolt version prior to 3.2)

sudo tar xzf passbolt-avatars.tar.gz -C /usr/share/php/passbolt/
sudo chown -R wwwrun:wwwrun /usr/share/php/passbolt/webroot/img/public

Step 4. Load the database

mysql -u PASSBOLT_DATABASE_USER -p PASSBOLT_DATABASE < passbolt-backup.sql

Step 5. Import the server key

sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc"  wwwrun

Step 6. Migrate passbolt to the latest version

sudo -H -u wwwrun /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt migrate"

Step 7. Test passbolt

Try to access your passbolt application with your browser.

If you are encountering any issues, you can run the following command to assess the status of your instance:

sudo -H -u wwwrun /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck"

Last updated

This article was last updated on February 11th, 2022.

Are you experiencing issues when updating passbolt?

Ask the community!

Something is not accurate in this documentation? You can contribute by opening an issue or making pull requests!

View on github
🍪   Do you accept cookies for statistical purposes? (Read more) Accept No thanks!