Migrate an existing Passbolt PRO to Virtual Machine
This document describes how to migrate an existing passbolt to a new Virtual Machine Appliance.
For this tutorial, you will need:
- Passbolt installed on an old server
Backup the existing data
Prior to the migration you will need to backup the existing passbolt instance data. Please refer to the official backup documentations.
Depending on your SSL configuration you might need to copy the certificate and key from the existing instance. If you are using let’s encrypt you can continue you’ll configure it later directly in the new server.
Don’t delete the existing instance yet!
Prepare the Virtual Machine Appliance for migration
Passbolt Pro provides a virtual appliance in OVA format. Users can import this appliance on their private virtualization platform and start enjoying Passbolt Pro. The VM includes the following software:
- Debian 10
- Passbolt Pro preinstalled
- haveged to fill the entropy pool faster
1. Getting started with Passbolt Pro VM
Download the ova and the SHA512SUM.txt:
Import the ova file using virtualbox, vmware (ESXi >= 6.0) or any other platform that supports import OVA files.
Once imported into users should be able to boot the VM and just point to the VM ip address with their web browser to initiate the passbolt install process.
The appliance performs some actions on the first boot:
- Creates ssh host keys
- Enables ssh
- Creates a set of random mariadb credentials for the mariadb server installed on the appliance
- Creates an empty database where passbolt can be installed.
For the first login the appliance comes with the following ssh default credentials:
VM login credentials: username: passbolt password: admin
passbolt user is part of
sudo group. There is no root password, so you cannot
login in as root. You can however create a shell as root with the default user:
Configure the OVA Services
Reconfigure the Passbolt package:
sudo dpkg-reconfigure passbolt-pro-server
If not instructed otherwise passbolt debian package will install mariadb-server locally. This step will help you create an empty mariadb database for passbolt to use.
The configuration process will ask you for the credentials of the mariadb admin user to create a new database.
You will find the root password on the server in the file
Now we need to create a mariadb user with reduced permissions for passbolt to connect. For the passbolt database user and password, reuse the ones you have in your backup of passbolt.php.
Lastly we need to create a database for passbolt to use, for that we need to name it:
Depending on your needs there are two different options to setup nginx and SSL using the debian package:
Once you’re done, restart the nginx server:
sudo systemctl restart nginx
Migrate the data
Load the backup files into the new Debian server, for the following tasks we will consider that the backup files are in your user home directory
You should have:
Your subscription key
- the private and public GPG key
- Your database dump
- The avatar archive file
passbolt-avatars.tar.gzif you are coming from Passbolt prior to 3.2
Step 1. Create the subscription key file
You received your subscription key by email, copy it as
/etc/passbolt/subscription_key.txt on your server.
Step 2. Restore Passbolt configuration file and ensure rights and ownership are correct:
sudo mv ~/backup/passbolt.php /etc/passbolt sudo chown www-data:www-data /etc/passbolt/passbolt.php sudo chmod 440 /etc/passbolt/passbolt.php
Step 3. Restore GPG public and private keys and ensure rights and ownership are correct:
sudo mv ~/backup/serverkey.asc /etc/passbolt/gpg sudo mv ~/backup/serverkey_private.asc /etc/passbolt/gpg sudo chown www-data: /etc/passbolt/gpg/serverkey_private.asc sudo chown www-data: /etc/passbolt/gpg/serverkey.asc sudo chmod 440 /etc/passbolt/gpg/serverkey.asc sudo chmod 440 /etc/passbolt/gpg/serverkey_private.asc
Step 4. Extract the passbolt-avatars.tar.gz archive and set correct rights (if coming from Passbolt version prior to 3.2)
sudo tar xzf passbolt-avatars.tar.gz -C /usr/share/php/passbolt/ sudo chown -R www-data:www-data /usr/share/php/passbolt/webroot/img/public
Step 5. Load the database
mysql -u PASSBOLT_DATABASE_USER -p PASSBOLT_DATABASE < passbolt-backup.sql
Step 6. Migrate the Passbolt data to the latest version
sudo -H -u www-data /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt migrate"
Step 7. Test passbolt
Try to access your passbolt application with your browser.
If you are encountering any issues, you can run the following command to assess the status of your instance:
sudo -H -u www-data /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck"
This article was last updated on September 16th, 2021.