Skip to content
Klutch.sh Docs

Deploying Passbolt

Introduction

Passbolt is a self-hosted, open-source password manager designed specifically for team collaboration. Unlike consumer password managers, Passbolt focuses on secure credential sharing within organizations, using end-to-end encryption with OpenPGP (GPG) keys to ensure that only authorized users can access shared passwords.

Built with security as the primary concern, Passbolt has undergone multiple third-party security audits and is trusted by organizations worldwide for managing sensitive credentials.

Key highlights of Passbolt:

  • End-to-End Encryption: All passwords are encrypted using OpenPGP, ensuring only authorized users can decrypt them
  • GPG Key Authentication: Users authenticate with their GPG private keys, not just passwords
  • Team Sharing: Share passwords with individuals, groups, or the entire organization
  • Fine-Grained Permissions: Control who can view, edit, or manage each credential
  • Browser Extensions: Available for Chrome, Firefox, Edge, and Brave
  • Mobile Apps: Native apps for iOS and Android
  • LDAP/AD Integration: Sync users from your directory service (Pro/Cloud)
  • MFA Support: Additional security with multi-factor authentication
  • Audit Logs: Track who accessed what and when
  • Self-Hosted: Complete control over your password data
  • Open Source: Community Edition is AGPLv3 licensed

This guide walks through deploying Passbolt on Klutch.sh using Docker, configuring the application for secure credential management, and setting up your team for collaborative password sharing.

Why Deploy Passbolt on Klutch.sh

Deploying Passbolt on Klutch.sh provides several advantages for team password management:

Simplified Deployment: Klutch.sh automatically detects your Dockerfile and builds Passbolt without complex orchestration. Push to GitHub, and your password manager deploys automatically.

Data Sovereignty: Host your passwords on your own infrastructure with complete control over data location and access.

HTTPS by Default: Klutch.sh provides automatic SSL certificates, essential for secure password transmission.

Persistent Storage: Attach persistent volumes for your database and GPG keyring. Your passwords survive container restarts and redeployments.

Environment Variable Management: Securely store database credentials and security keys through Klutch.sh’s environment variable system.

Custom Domains: Use your organization’s domain for a professional, branded password management portal.

Prerequisites

Before deploying Passbolt on Klutch.sh, ensure you have:

  • A Klutch.sh account
  • A GitHub account with a repository for your Passbolt configuration
  • Basic familiarity with Docker and containerization concepts
  • A MySQL or MariaDB database
  • SMTP server credentials for email functionality
  • Understanding of GPG/OpenPGP concepts (helpful but not required)

Understanding Passbolt Architecture

Passbolt consists of several components:

Web Application: PHP-based CakePHP application serving the web interface and API.

Database: MySQL/MariaDB storing encrypted passwords, user accounts, and metadata.

GPG Keyring: Server GPG keys for cryptographic operations.

Email System: Sends account recovery, sharing notifications, and security alerts.

Browser Extensions: Client-side extensions handling local encryption/decryption with user’s GPG keys.

Preparing Your Repository

Create a GitHub repository containing your Dockerfile for Passbolt deployment.

Repository Structure

passbolt-deploy/
├── Dockerfile
└── .dockerignore

Creating the Dockerfile

Create a Dockerfile in the root of your repository:

FROM passbolt/passbolt:latest-ce


# Set environment variables
ENV APP_FULL_BASE_URL=${APP_FULL_BASE_URL}
ENV DATASOURCES_DEFAULT_HOST=${DATABASE_HOST}
ENV DATASOURCES_DEFAULT_USERNAME=${DATABASE_USER}
ENV DATASOURCES_DEFAULT_PASSWORD=${DATABASE_PASSWORD}
ENV DATASOURCES_DEFAULT_DATABASE=${DATABASE_NAME}


# Email configuration
ENV EMAIL_DEFAULT_FROM=${EMAIL_FROM}
ENV EMAIL_TRANSPORT_DEFAULT_HOST=${SMTP_HOST}
ENV EMAIL_TRANSPORT_DEFAULT_PORT=${SMTP_PORT}
ENV EMAIL_TRANSPORT_DEFAULT_USERNAME=${SMTP_USER}
ENV EMAIL_TRANSPORT_DEFAULT_PASSWORD=${SMTP_PASSWORD}
ENV EMAIL_TRANSPORT_DEFAULT_TLS=${SMTP_TLS}


# GPG configuration
ENV PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=${GPG_FINGERPRINT}


# Expose the web interface port
EXPOSE 80 443


# Use the default entrypoint from the base image

Creating the .dockerignore File

Create a .dockerignore file:

.git
.github
*.md
LICENSE
.gitignore
*.log
.DS_Store
.env
.env.local

Environment Variables Reference

VariableRequiredDescription
APP_FULL_BASE_URLYesFull URL of your Passbolt instance (https://…)
DATASOURCES_DEFAULT_HOSTYesDatabase hostname
DATASOURCES_DEFAULT_USERNAMEYesDatabase username
DATASOURCES_DEFAULT_PASSWORDYesDatabase password
DATASOURCES_DEFAULT_DATABASEYesDatabase name
EMAIL_DEFAULT_FROMYesEmail sender address
EMAIL_TRANSPORT_DEFAULT_HOSTYesSMTP server hostname
EMAIL_TRANSPORT_DEFAULT_PORTYesSMTP port (587, 465, 25)
EMAIL_TRANSPORT_DEFAULT_USERNAMENoSMTP username
EMAIL_TRANSPORT_DEFAULT_PASSWORDNoSMTP password
EMAIL_TRANSPORT_DEFAULT_TLSNoEnable TLS (true/false)
PASSBOLT_GPG_SERVER_KEY_FINGERPRINTNoServer GPG key fingerprint

Deploying Passbolt on Klutch.sh

    Set Up MySQL/MariaDB Database

    Deploy a MySQL or MariaDB database on Klutch.sh or use an external database service. Create a database named passbolt and note the connection credentials.

    Configure SMTP

    Set up an SMTP service for sending emails. You can use services like:

    • Your organization’s mail server
    • Amazon SES
    • Mailgun
    • SendGrid

    Push Your Repository to GitHub

    Initialize your repository and push to GitHub with your Dockerfile.

    Create a New Project on Klutch.sh

    Navigate to the Klutch.sh dashboard and create a new project. Give it a descriptive name like “passbolt” or “password-manager”.

    Create a New App

    Within your project, create a new app. Connect your GitHub account if you haven’t already, then select the repository containing your Passbolt Dockerfile.

    Configure HTTP Traffic

    In the deployment settings:

    • Select HTTP as the traffic type
    • Set the internal port to 80

    Set Environment Variables

    Add the following environment variables:

    VariableValue
    APP_FULL_BASE_URLhttps://your-app-name.klutch.sh
    DATASOURCES_DEFAULT_HOSTYour database host
    DATASOURCES_DEFAULT_USERNAMEDatabase username
    DATASOURCES_DEFAULT_PASSWORDDatabase password
    DATASOURCES_DEFAULT_DATABASEpassbolt
    EMAIL_DEFAULT_FROMpassbolt@yourdomain.com
    EMAIL_TRANSPORT_DEFAULT_HOSTSMTP hostname
    EMAIL_TRANSPORT_DEFAULT_PORTSMTP port
    EMAIL_TRANSPORT_DEFAULT_USERNAMESMTP username
    EMAIL_TRANSPORT_DEFAULT_PASSWORDSMTP password

    Attach Persistent Volumes

    Add the following volumes:

    Mount PathRecommended SizePurpose
    /etc/passbolt/gpg1 GBServer GPG keys
    /usr/share/php/passbolt/webroot/img/public1 GBUser avatars

    Deploy Your Application

    Click Deploy to start the build process. Klutch.sh will:

    • Detect your Dockerfile automatically
    • Build the container image
    • Attach the persistent volumes
    • Start the Passbolt container
    • Provision an HTTPS certificate

    Create Admin User

    After deployment, create your first admin user by running the registration command through the Klutch.sh console or accessing the setup URL.

    Access Passbolt

    Once deployment completes, access your Passbolt instance at https://your-app-name.klutch.sh and complete the setup wizard.

Initial Setup

First Admin Setup

  1. Navigate to your Passbolt URL
  2. Follow the first-time setup wizard
  3. Create your admin account
  4. Download and install the browser extension
  5. Generate or import your GPG key
  6. Complete the account setup

Browser Extension Setup

  1. Install the Passbolt extension for your browser
  2. Visit your Passbolt instance
  3. Follow the extension setup wizard
  4. Generate or import your GPG private key
  5. Set a passphrase for your key

Inviting Team Members

  1. Log in to Passbolt
  2. Navigate to Users
  3. Click + Create
  4. Enter the user’s email address
  5. They’ll receive an invitation to set up their account

Using Passbolt

Creating Passwords

  1. Click + Create in the password list
  2. Enter the name, URL, username, and password
  3. Set the description if needed
  4. Save the password

Sharing Passwords

  1. Select a password or folder
  2. Click the Share button
  3. Search for users or groups
  4. Set permission level (read, update, owner)
  5. Save the sharing settings

Organizing with Folders

  1. Create folders for logical organization
  2. Move passwords into folders
  3. Share entire folders with teams
  4. Nest folders for hierarchical structure

Groups

  1. Create groups for teams or departments
  2. Add users to groups
  3. Share passwords with groups instead of individuals
  4. Manage group membership centrally

Security Best Practices

Key Management

  • Use strong passphrases for GPG keys
  • Store key backups securely
  • Rotate keys periodically
  • Revoke keys for departing users

Access Control

  • Use the principle of least privilege
  • Regularly review sharing permissions
  • Remove access for departing employees immediately
  • Use groups for scalable permission management

Audit and Monitoring

  • Review audit logs regularly
  • Monitor for unusual access patterns
  • Set up alerts for sensitive credential access

Additional Resources

Conclusion

Deploying Passbolt on Klutch.sh gives you a secure, self-hosted password manager designed for team collaboration. The combination of end-to-end encryption, GPG-based authentication, and granular sharing controls makes Passbolt ideal for organizations that need to share credentials securely.

With complete data sovereignty, audit logging, and browser extensions for seamless access, Passbolt provides enterprise-grade password management while keeping your sensitive data under your control.