Better safe than sorry: I don't rely on cloud services. It comes at a cost, but it's quite rewarding to show the world another way exists.
Disclaimer: I don't give a sh*t about smartphones, so my needs are computer-centric.
In order to store passwords, and more generally speaking "secrets", in such a way that I can access them anywhere/anytime, I've tried Passbolt. Passbolt is an open source self-hosted password manager, written in PHP/JavaScript with a database back end. Hence, install and config are not for the average Joe. On the user side it's quite clean and surprisingly stable for alpha software. So once a LAMP admin has finished installing the server part, any non-skilled user can register and start storing passwords.
Enough chit-chat, let's install.
My initial setup was a vanilla FreeBSD 10.3 install, so I've had to make everything. I won't replay every single step here, especially on the configuration side.
Prerequisites:
pkg install apache24
pkg install mod_php56
pkg install php56-gd
pkg install pecl-memcached
pkg install mysql57-server
pkg install pecl-gnupg
pkg install git
pkg install php56-pdo_mysql
pkg install sudo
pkg install php56-openssl
pkg install php56-ctype
pkg install php56-filter
Everything else should come as a dependency.
Tuning:
Apache must allow .htaccess, so you'll have to put an AllowOverride All somewhere in your configuration. You must also load the Rewrite module. Also, go now for SSL (letsencrypt is free and supported). Non-SSL installs of Passbolt are for demo purposes only.
Apache will also need to execute gnupg commands, meaning the www user needs an extended $PATH. The Apache startup script provided on FreeBSD sources Apache environment variables from /usr/local/sbin/envvars and this very file sources every /usr/local/etc/apache24/envvars.d/*.env, so I've created mine:
$ cat /usr/local/etc/apache24/envvars.d/path.env
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin
You also need to tune your MySQL server. If you choose 5.7, you must edit its configuration. Just add the following line to the [mysqld] section of /usr/local/etc/mysql/my.cnf:
sql_mode = 'STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION'
This is due to a bug in Passbolt and could become unnecessary in the not too distant future.
Install recipe:
You can now follow the install recipe at https://www.passbolt.com/help/tech/install.
Generating the GPG key is quite straightforward but you have to keep in mind that Apache's user (www) will need access to the keyring. So if you create this key and keyring with a different user, you'll have to mv and chown -R www the full .gnupg directory somewhere www can read it (outside DocumentRoot is perfectly fine).
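To verify the keyring placement described above, here is an added example (not part of the original post or of Passbolt) that checks a GnuPG home directory is owned by the expected account, grants nothing to group or other, and sits outside DocumentRoot. The function name and the paths in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example: audit the GnuPG home used by the web server account.
# check_gnupg_home DIR OWNER DOCROOT -> prints findings, returns 0 if clean.
# Hypothetical usage (paths are assumptions, adjust to your install):
#   check_gnupg_home /usr/local/etc/passbolt/.gnupg www /usr/local/www
check_gnupg_home() {
    dir=$1; owner=$2; docroot=$3; rc=0

    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    [ -d "$docroot" ] || { echo "FAIL: $docroot is not a directory"; return 1; }

    # Resolve symlinks so a link cannot hide a keyring that really lives
    # under the web root.
    real_dir=$(cd "$dir" && pwd -P) || return 1
    real_root=$(cd "$docroot" && pwd -P) || return 1
    case "$real_dir/" in
        "$real_root"/*)
            echo "FAIL: $real_dir is inside DocumentRoot $real_root"; rc=1 ;;
    esac

    # Owner is read from ls -ld because stat(1) flags differ between
    # FreeBSD and GNU userlands.
    actual=$(ls -ld "$real_dir" | awk '{print $3}')
    if [ "$actual" != "$owner" ]; then
        echo "FAIL: owner is $actual, expected $owner"; rc=1
    fi

    # Any group/other permission bit on the directory or its contents
    # exposes private key material to other local accounts.
    loose=$(find "$real_dir" \( -type d -o -type f \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$loose" ]; then
        echo "FAIL: group/other access on:"; echo "$loose"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $real_dir"
    return "$rc"
}
```

Run it as root after the mv and chown -R www step, and again after cake install, since the install may create new files in the keyring.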
Use git to retrieve the application code into the appropriate path (according to your Apache config):
cd /usr/local/www
git clone https://github.com/passbolt/passbolt.git
Edit php files as per the documentation.
Beware the install script: make sure you chown -R www the whole passbolt directory before using cake install.
On FreeBSD you won't be able to use su to run the install script, because www's account is locked. You can use sudo instead:
sudo -u www app/Console/cake install --no-admin
Same for the admin account creation:
sudo -u www app/Console/cake passbolt register_user -u patpro@example.com -f Pat -l Pro -r admin
Follow the end of the install doc, and you should be ok. Install the Firefox passbolt extension into your browser, and point to your server.
I'm pretty happy with passbolt so far. I'll have to install a proper production server, with SSL and all, but features are very appealing, the passbolt team is nice and responsive, and the roadmap is loaded with killer features. Yeah BRING ME 2FA \o/.