Current Stable Version: 5.9.0 (February 2026) | Docker Image: passbolt/passbolt:5.9.0-1-non-root
This guide provides instructions for deploying Passbolt on self-hosted infrastructure. Choose the deployment method that best fits your environment and operational requirements.
| Method | Complexity | Best For | Time |
|---|---|---|---|
| Docker Compose | ⭐⭐ | Quick deployment, testing, small teams | 10-15 min |
| Ansible Automation | ⭐⭐⭐ | Repeatable deployments, infrastructure as code | 15-20 min |
| Native Packages | ⭐⭐⭐⭐ | Production, full control, enterprise | 30-45 min |
| Kubernetes (Helm) | ⭐⭐⭐⭐⭐ | High availability, scaling, cloud-native | 45-60 min |
| Resource | Minimum | Recommended (Production) |
|---|---|---|
| CPU | 2 cores | 4+ cores |
| RAM | 2GB | 4-8GB |
| Storage | 20GB | 50GB+ SSD |
| Network | 10 Mbps | 100 Mbps |
⚠️ Important: Docker installation is considered an advanced method requiring Docker familiarity. For production environments, pin specific version tags instead of using
latest.
# Update system packages
sudo apt-get update && sudo apt-get upgrade -y
# Install Docker and Compose plugin (Debian/Ubuntu)
sudo apt-get install -y docker.io docker-compose-plugin git
# Enable and start Docker
sudo systemctl enable docker && sudo systemctl start docker
# Add user to docker group (avoid sudo)
sudo usermod -aG docker $USER
newgrp docker
# Create application directory
sudo mkdir -p /opt/passbolt
cd /opt/passbolt
# Download official Docker Compose file
curl -LO https://download.passbolt.com/ce/docker/docker-compose-ce.yaml
# Download checksum for verification
curl -LO https://github.com/passbolt/passbolt_docker/releases/latest/download/docker-compose-ce-SHA512SUM.txt
# Verify file integrity
sha512sum -c docker-compose-ce-SHA512SUM.txt
# Expected: docker-compose-ce.yaml: OK
Edit the Docker Compose file to customize your instance:
sudo nano docker-compose-ce.yaml
Critical Variables to Configure:
services:
passbolt:
environment:
# Application URL (REQUIRED - change from default)
APP_FULL_BASE_URL: https://passbolt.your-domain.com
# Email configuration (REQUIRED for user registration)
EMAIL_DEFAULT_FROM_NAME: "Passbolt"
EMAIL_DEFAULT_FROM: passbolt@your-domain.com
EMAIL_TRANSPORT_DEFAULT_HOST: smtp.your-domain.com
EMAIL_TRANSPORT_DEFAULT_PORT: 587
EMAIL_TRANSPORT_DEFAULT_USERNAME: smtp-username
EMAIL_TRANSPORT_DEFAULT_PASSWORD: smtp-password
EMAIL_TRANSPORT_DEFAULT_TLS: true
# Database (auto-generated for demo, use external for production)
DATASOURCES_DEFAULT_HOST: mariadb
DATASOURCES_DEFAULT_USERNAME: passbolt
DATASOURCES_DEFAULT_PASSWORD: <strong-random-password>
# Security settings
PASSBOLT_REGISTRATION_PUBLIC_URL: https://passbolt.your-domain.com
💡 Production Tip: Use Docker secrets or external secret management for sensitive values like passwords and API keys.
# Start containers in detached mode
docker compose -f docker-compose-ce.yaml up -d
# Check container status
docker compose -f docker-compose-ce.yaml ps
# View logs
docker compose -f docker-compose-ce.yaml logs -f passbolt
docker compose -f docker-compose-ce.yaml \
exec passbolt su -m -c "/usr/share/php/passbolt/bin/cake \
passbolt register_user \
-u admin@your-domain.com \
-f Admin \
-l User \
-r admin" -s /bin/sh www-data
This outputs a registration link:
https://passbolt.your-domain.com/setup/install/1eafab88-a17d-4ad8-97af-77a97f5ff552/f097be64-3703-41e2-8ea2-d59cbe1c15bc
⚠️ Important: Save this link securely. It’s required for initial account setup and expires after use.
Option A: Let’s Encrypt (Recommended)
See Docker Automatic HTTPS for Traefik integration.
Option B: Manual Certificate Installation
# Create certs directory
sudo mkdir -p /opt/passbolt/certs
# Copy your certificates
sudo cp /path/to/fullchain.pem /opt/passbolt/certs/
sudo cp /path/to/privkey.pem /opt/passbolt/certs/
# Update Docker Compose to mount certificates
# See: https://www.passbolt.com/docs/hosting/configure/https/ce/docker-manual/
# Install prerequisites
sudo apt-get install -y gnupg curl apt-transport-https
# Import Passbolt GPG key
curl https://download.passbolt.com/ce/apt/keyring.gpg | \
sudo gpg --dearmor -o /etc/apt/keyrings/passbolt-ce-archive-keyring.gpg
# Add repository
echo "deb [signed-by=/etc/apt/keyrings/passbolt-ce-archive-keyring.gpg] \
https://download.passbolt.com/ce/apt stable main" | \
sudo tee /etc/apt/sources.list.d/passbolt-ce.list
# Update package index
sudo apt-get update
# Install Passbolt CE
sudo apt-get install -y passbolt-ce-server
# During installation, you'll be prompted for:
# - Database configuration
# - Email settings
# - Base URL
# Verify installation
sudo -u www-data /usr/share/php/passbolt/bin/cake passbolt healthcheck
# Check GPG configuration
sudo -u www-data /usr/share/php/passbolt/bin/cake passbolt healthcheck \
--domain gpg
# Add Passbolt Helm repository
helm repo add passbolt https://passbolt.github.io/passbolt-helm
helm repo update
# Create values file
cat > values.yaml <<EOF
replicaCount: 2
ingress:
enabled: true
className: nginx
hosts:
- host: passbolt.your-domain.com
paths:
- path: /
pathType: Prefix
tls:
- secretName: passbolt-tls
hosts:
- passbolt.your-domain.com
mariadb:
enabled: true
auth:
rootPassword: <strong-root-password>
password: <strong-db-password>
username: passbolt
database: passbolt
email:
from: passbolt@your-domain.com
transport:
host: smtp.your-domain.com
port: 587
username: smtp-username
password: smtp-password
tls: true
EOF
# Install Passbolt
helm install passbolt passbolt/passbolt -f values.yaml -n passbolt --create-namespace
# Run health check
sudo -u www-data /usr/share/php/passbolt/bin/cake passbolt healthcheck
# Test email configuration
sudo -u www-data /usr/share/php/passbolt/bin/cake passbolt \
send_test_email --recipient test@your-domain.com
Database Backup:
# MariaDB/MySQL backup
mysqldump -u passbolt -p passbolt > passbolt_backup_$(date +%F).sql
GPG Keys Backup:
# Export server GPG keys
sudo gpg --export-secret-keys --armor passbolt@your-domain.com > server_key.asc
sudo chmod 600 server_key.asc
Configuration Backup:
# Backup configuration files
sudo tar -czf passbolt_config_$(date +%F).tar.gz \
/etc/passbolt \
/var/www/passbolt/config
docker compose psdocker compose logs -f passbolt# Pull latest image
docker compose -f docker-compose-ce.yaml pull
# Stop containers
docker compose -f docker-compose-ce.yaml down
# Start with new version
docker compose -f docker-compose-ce.yaml up -d
# Run database migrations
docker compose -f docker-compose-ce.yaml \
exec passbolt su -m -c "/usr/share/php/passbolt/bin/cake \
passbolt migrate" -s /bin/sh www-data
# Update package index
sudo apt-get update
# Upgrade Passbolt
sudo apt-get upgrade passbolt-ce-server
# Run migrations
sudo -u www-data /usr/share/php/passbolt/bin/cake passbolt migrate
⚠️ Upgrade Notice: Always backup database and configuration before upgrading. Review release notes for breaking changes.
GPG Authentication Failures:
# Check NTP synchronization
timedatectl status
sudo systemctl restart systemd-timesyncd
# Regenerate GPG keys if needed
sudo -u www-data /usr/share/php/passbolt/bin/cake passbolt \
recover_keypair --force
Email Delivery Issues:
# Test SMTP connection
telnet smtp.your-domain.com 587
# Check email configuration
sudo -u www-data /usr/share/php/passbolt/bin/cake passbolt \
healthcheck --domain email
Database Connection Errors:
# Verify database is running
docker compose -f docker-compose-ce.yaml ps mariadb
# Check database logs
docker compose -f docker-compose-ce.yaml logs mariadb
Any questions?
Feel free to contact us. Find all contact information on our contact page.