Help Search

Migrate passbolt CE from install scripts to Debian package

A Debian package has been created to increase the ease of installing and upgrading passbolt.


For this tutorial, you will need:

  • A minimal Debian 10 server.
  • Passbolt installed with the Debian install script.

1. Take down your site

It is generally a good idea to stop running the site prior to the upgrade. This is to avoid having side effects such as active users corrupting the data in the middle of an upgrade.

$ sudo systemctl stop nginx

2. Backup your instance

First things first, as this is a sensitive operation a backup of the instance must be performed to prevent any data loss. You can follow our backup process.

3. Upgrade your system

Passbolt requires PHP 7.3 and supports PHP 7.4.

A full system upgrade to Debian 10 is necessary before installing the passbolt Debian package. Here is the official Debian guide to upgrade your system with a step by step tutorial.

4. Install the package

4.1. Setup the package repository

For easier installation and update tasks Passbolt provides a package repository that you need to setup before you download Passbolt CE and install it.

These steps assume you have already installed sudo and added your user to the sudo group.

Step 1. Update the apt indexes and install packages to allow apt to use https repositories:

sudo apt-get update
sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg-agent \

Step 2. Add Passbolt package official GnuPG key


sudo apt-key adv --keyserver --recv-keys 0xDE8B853FC155581D

Or from hkps://

sudo apt-key adv --keyserver hkps:// --recv-keys 0xDE8B853FC155581D

Step 3. Check that the GPG fingerprint matches 3D1A 0346 C8E1 802F 774A EF21 DE8B 853F C155 581D

sudo apt-key fingerprint 0xDE8B853FC155581D
pub   rsa2048 2020-05-18 [SC] [expires: 2022-05-18]
      3D1A 0346 C8E1 802F 774A  EF21 DE8B 853F C155 581D
uid           [ unknown] Passbolt SA package signing key <[email protected]>
sub   rsa2048 2020-05-18 [E] [expires: 2022-05-18]

Step 4. Add passbolt repository to your apt lists:

echo  "deb buster stable" | \
sudo tee /etc/apt/sources.list.d/passbolt.list

Step 5. Update the apt indexes with the new passbolt apt repository:

sudo apt-get update

4.2. Install the package

Install the main passbolt server component:

sudo apt-get install passbolt-ce-server

It is recommended at this point to select:

  • No for mysql configuration as it is already configured
  • No to nginx configuration as we will do it at the end

5. Copy existing configuration to the new location

5.1. Copy the server keys

Copy the GPG server keys as following:

sudo cp -a /var/www/passbolt/config/gpg/* /etc/passbolt/gpg/
sudo chown -R root:www-data /etc/passbolt/gpg
sudo chmod g-w /etc/passbolt/gpg

5.2. Copy the passbolt configuration

Copy passbolt configuration as following:

sudo cp /var/www/passbolt/config/passbolt.php /etc/passbolt/passbolt.php
sudo chown root:www-data /etc/passbolt/passbolt.php
sudo chmod g-w /etc/passbolt/passbolt.php

If you are running mysql 8, please change the quoteIdentifiers setting of the passbolt.php as follow:

'quoteIdentifiers' => true


Notice: The above examples show using PHP 7.3 - if your server has PHP 7.4 adjust these examples accordingly.

Edit /etc/php/7.3/fpm/pool.d/www.conf and look for the line that looks like this:

listen =

Change it to look like this:

listen = /run/php/php7.3-fpm.sock

Due to a bug on the install scripts some installations might need to do an additional substitution on /etc/php/7.3/fpm/pool.d/www.conf:

Look for the line containing: = _WWW_GROUP_

And change it to look like: = www-data

7. Nginx

Now you can remove all the old nginx configuration files from /etc/nginx/conf.d/

sudo rm /etc/nginx/conf.d/passbolt.conf
sudo rm /etc/nginx/conf.d/passbolt_ssl.conf

Then you can reconfigure the Debian package using:

sudo dpkg-reconfigure passbolt-ce-server

Answer the following way:

  • No to mysql configuration
  • Yes to nginx configuration

You can then select the SSL method that suits best your needs.

8. Run the database migrations

Now it is time to run the migrations to upgrade the database schemas:

sudo -H -u www-data bash -c "/usr/share/php/passbolt/bin/cake passbolt migrate"

9. Cleanup

After you have checked you can access your new setup with the Debian package make a backup of /var/www/passbolt and then you can delete it:

sudo rm -rf /var/www/passbolt

You may also want to check for the old CRON job that may need to be removed:

sudo crontab -u www-data -e

10. Take your site back up

Finally take passbolt back up:

sudo systemctl start nginx
sudo systemctl restart php7.3-fpm

Last updated

This article was last updated on February 3rd, 2021.

Are you experiencing issues when updating passbolt?

Ask the community!

Something is not accurate in this documentation? You can contribute by opening an issue or making pull requests!

View on github
🍪   Do you accept cookies for statistical purposes? (Read more) Accept No thanks!