Arthur Duarte CC-BY-SA-4.0
Password managers, or password safes, are an important thing these days. With the constant pressure we (IT people) put our users under to setup a different password for every single registration/application/web site, it's the best, if not only, way to keep track of these secrets. On one hand, the isolated client-side software can be really powerful and/or well integrated with the OS or the software ecosystem of the user, but it lacks the modern touch of "cloud" that makes your data available anywhere and anytime. On the other hand, a full commercial package will come with client for every device you own, and a monthly fee for cloud synchronization, but you have absolutely no control over your data (just imagine that tomorrow the company you rely on goes bankrupt).
Better safe than sorry: I don't rely on cloud services. It comes at a cost, but it's quite rewarding to show the world another way exists.
Disclaimer: I don't give a sh*t about smartphones, so my needs are computer-centric.
Enough chit-chat, let's install.
My initial setup was a vanilla FreeBSD 10.3 install, so I've had to make everything. I won't replay every single step here, especially on the configuration side.
pkg install apache24
pkg install mod_php56
pkg install php56-gd
pkg install pecl-memcached
pkg install mysql57-server
pkg install pecl-gnupg
pkg install git
pkg install php56-pdo_mysql
pkg install sudo
pkg install php56-openssl
pkg install php56-ctype
pkg install php56-filter
Everything else should come as a dependency.
Apache must allow
.htaccess, so you'll have to put an
AllowOverride All somewhere in your configuration. You must also load the Rewrite module. Also, go now for SSL (letsencrypt is free and supported). Non-SSL install of Passbolt are for demo purpose only.
Apache will also need to execute gnupg commands, meaning the
www user needs an extended
$PATH. The Apache startup script provided on FreeBSD sources Apache environment variables from
/usr/local/sbin/envvars and this very file sources every
/usr/local/etc/apache24/envvars.d/*.env, so I've created mine:
$ cat /usr/local/etc/apache24/envvars.d/path.env
You also need to tune your MySQL server. If you choose the 5.7, you must edit it's configuration. Just add the following line into
[mysqld] section of
sql_mode = 'STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION'
This is due to a bug in Passbolt and could be useless in a not to distant future.
You can now follow the install recipe at https://www.passbolt.com/help/tech/install.
Generating the GPG key is quite straightforward but you have to keep in mind that Apache's user (
www) will need access to the keyring. So if you create this key and keyring with a different user, you'll have to
chown -R www the full
.gnupg directory somewhere
www can read it (outside
DocumentRoot is perfectly fine).
Use git to retrieve the application code into appropriate path (according to your Apache config):
git clone https://github.com/passbolt/passbolt.git
Edit php files as per the documentation.
Beware the install script: make sure you
chown -R www the whole passbolt directory before using
On FreeBSD you won't be able to use
su to run the install script, because
www's account is locked. You can use
sudo -u www app/Console/cake install --no-admin
Same for the admin account creation:
sudo -u www app/Console/cake passbolt register_user -u firstname.lastname@example.org -f Pat -l Pro -r admin
Follow the end of the install doc, and you should be ok. Install the Firefox passbolt extension into your browser, and point to your server.
I'm pretty happy with passbolt so far. I'll have to install a proper production server, with SSL and all, but features are very appealing, the passbolt team is nice and responsive, and the roadmap is loaded with killing features. Yeah BRING ME 2FA \o/.