Migrate an existing Passbolt PRO to a new Debian server
This document describes how to migrate an existing passbolt to a new Debian server.
For this tutorial, you will need:
- Passbolt installed on an old server
- A minimal Debian 10 new server
Backup the existing data
Prior to the migration you will need to backup the existing passbolt instance data. Please refer to the official backup documentations.
Depending on your SSL configuration you might need to copy the certificate and key from the existing instance. If you are using let’s encrypt you can continue you’ll configure it later directly in the new server.
Don’t delete the existing instance yet!
Prepare the new Debian server
1. Install the server components
1.1. Package repository setup
For easier installation and update tasks Passbolt provides a package repository that you need to setup before you download Passbolt PRO and install it.
These steps assume you have already installed sudo and added your user to the sudo group.
Step 1. Update the apt indexes and install packages to allow apt to use https repositories:
sudo apt-get update sudo apt-get install \ apt-transport-https \ ca-certificates \ curl \ gnupg-agent \ software-properties-common
Optionally you can install certbot to enable Let’s Encrypt configuration:
sudo apt-get install certbot python3-certbot-nginx
Step 2. Add Passbolt package official GnuPG key From keys.mailvelope.com:
sudo apt-key adv --keyserver hkps://keys.mailvelope.com --recv-keys 0xDE8B853FC155581D
Or from pgp.mit.edu:
sudo apt-key adv --keyserver hkps://pgp.mit.edu --recv-keys 0xDE8B853FC155581D
Or from keys.gnupg.net:
sudo apt-key adv --keyserver hkps://keys.gnupg.net --recv-keys 0xDE8B853FC155581D
Step 3. Check that the GPG fingerprint matches
3D1A 0346 C8E1 802F 774A EF21 DE8B 853F C155 581D
sudo apt-key fingerprint 0xDE8B853FC155581D
pub rsa2048 2020-05-18 [SC] [expires: 2022-05-18] 3D1A 0346 C8E1 802F 774A EF21 DE8B 853F C155 581D uid [ unknown] Passbolt SA package signing key <[email protected]> sub rsa2048 2020-05-18 [E] [expires: 2022-05-18]
Step 4. Add passbolt repository to your apt lists:
echo "deb https://download.passbolt.com/pro/debian buster stable" | \ sudo tee /etc/apt/sources.list.d/passbolt.list
Step 5. Update the apt indexes with the new passbolt apt repository:
sudo apt-get update
1.2. Install passbolt
By default, passbolt Debian package will install Passbolt server component, mariadb-server, php-fpm and nginx as dependencies.
There are two main ways to install the passbolt Debian package:
- Interactive: the package will guide the user through a set of questions to setup mariadb and nginx. If you are going to use existing SSL certs for the web server, they need to be created and installed to the location of your choosing before beginning. The user will be asked for the path and name of the certificate and key.
- Non-interactive: no questions will be asked. Useful for users with specific needs or users that want to automate the installation. Read this FAQ page to know more
Install passbolt package
Install the main passbolt server component:
sudo apt-get install passbolt-pro-server
If not instructed otherwise passbolt debian package will install mariadb-server locally. This step will help you create an empty mariadb database for passbolt to use.
The configuration process will ask you for the credentials of the mariadb admin user to create a new database.
You will find the root password on the server in the file
Now we need to create a mariadb user with reduced permissions for passbolt to connect. For the passbolt database user and password, reuse the ones you have in your backup of passbolt.php.
Lastly we need to create a database for passbolt to use, for that we need to name it:
Configure nginx for serving HTTPS
Depending on your needs there are two different options to setup nginx and SSL using the Debian package:
Migrate the data
Load the backup files into the new Debian server, for the following tasks we will consider that the backup files are in your user home directory
You should have:
Your subscription key
- the private and public GPG key
- Your database dump
- The avatar archive file
passbolt-avatars.tar.gzif you are coming from Passbolt prior to 3.2
Step 1. Create the subscription key file
You received your subscription key by email, copy it as
/etc/passbolt/subscription_key.txt on your server.
Step 2. Restore Passbolt configuration file and ensure rights and ownership are correct:
sudo mv ~/backup/passbolt.php /etc/passbolt sudo chown www-data:www-data /etc/passbolt/passbolt.php sudo chmod 440 /etc/passbolt/passbolt.php
Step 3. Restore GPG public and private keys and ensure rights and ownership are correct:
sudo mv ~/backup/serverkey.asc /etc/passbolt/gpg sudo mv ~/backup/serverkey_private.asc /etc/passbolt/gpg sudo chown www-data: /etc/passbolt/gpg/serverkey_private.asc sudo chown www-data: /etc/passbolt/gpg/serverkey.asc sudo chmod 440 /etc/passbolt/gpg/serverkey.asc sudo chmod 440 /etc/passbolt/gpg/serverkey_private.asc
Step 4. Extract the passbolt-avatars.tar.gz archive and set correct rights (if coming from Passbolt version prior to 3.2)
sudo tar xzf passbolt-avatars.tar.gz -C /usr/share/php/passbolt/ sudo chown -R www-data:www-data /usr/share/php/passbolt/webroot/img/public
Step 5. Load the database
mysql -u PASSBOLT_DATABASE_USER -p PASSBOLT_DATABASE < passbolt-backup.sql
Step 6. Migrate the Passbolt data to the latest version
sudo -H -u www-data /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt migrate"
Step 7. Test passbolt
Try to access your passbolt application with your browser.
If you are encountering any issues, you can run the following command to assess the status of your instance:
sudo -H -u www-data /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck"
This article was last updated on September 16th, 2021.