How to Self-Host Passbolt on DigitalOcean Using Docker (Secure Team Password Manager)

Passbolt is an open-source password manager designed for teams and organizations. It allows you to securely store and share passwords using end-to-end encryption based on OpenPGP. In this guide, we’ll walk you through how to deploy Passbolt on a DigitalOcean droplet using Docker, without a domain name — just your server’s IP address.

Why Use Passbolt?

In today’s security-focused environments, storing team credentials in a shared document or spreadsheet is a huge risk. Passbolt provides:

  • End-to-end encryption (OpenPGP-based)
  • User-level sharing and permissions
  • Audit logs and security controls
  • Easy integration with teams and roles
  • Fully open-source and self-hosted

Whether you’re a developer, a DevOps engineer, or part of an IT team, Passbolt makes password sharing safe and efficient.

Step-by-Step Setup Guide

1. Launch Droplet and SSH In

Spin up a new droplet on DigitalOcean and connect via SSH:

ssh root@your-server-ip

2. Install Docker and Docker Compose

apt update && apt upgrade -y
apt install -y docker.io docker-compose
systemctl enable --now docker

3. Create Project Folder and Docker Compose File

mkdir -p /opt/passbolt && cd /opt/passbolt
nano docker-compose.yml

Paste the following. The values shown are placeholders; change them to match your environment:

version: "3"

services:
  passbolt:
    image: passbolt/passbolt:latest-ce
    container_name: passbolt
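    environment:
      # Plain HTTP on a bare IP, as in this guide; change to https:// once TLS is in place
      APP_FULL_BASE_URL: http://your-server-ip
      DATASOURCES_DEFAULT_HOST: db
      DATASOURCES_DEFAULT_USERNAME: passbolt
      # Placeholder: replace with a strong password; must match MYSQL_PASSWORD below
      DATASOURCES_DEFAULT_PASSWORD: passbolt
      DATASOURCES_DEFAULT_DATABASE: passbolt
      EMAIL_DEFAULT_FROM: passbolt@example.com
      EMAIL_TRANSPORT_DEFAULT_HOST: smtp.sendgrid.net
      EMAIL_TRANSPORT_DEFAULT_PORT: 587
      EMAIL_TRANSPORT_DEFAULT_USERNAME: apikey
      EMAIL_TRANSPORT_DEFAULT_PASSWORD: your-sendgrid-api-key
      # Quoted: Compose rejects bare YAML booleans in an environment mapping
      EMAIL_TRANSPORT_DEFAULT_TLS: "true"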
    ports:
      - "80:80"
    volumes:
      - /opt/passbolt/gpg:/etc/passbolt/gpg
      - /opt/passbolt/jwt:/etc/passbolt/jwt
    depends_on:
      - db

  db:
    image: mariadb:10.5
    container_name: passbolt_db
    environment:
      # Placeholders: replace both passwords with strong, distinct values
      MYSQL_ROOT_PASSWORD: root
      MYSQL_DATABASE: passbolt
      MYSQL_USER: passbolt
      MYSQL_PASSWORD: passbolt
    volumes:
      - db_volume:/var/lib/mysql

volumes:
  db_volume:
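
Before starting the stack, it is worth checking that the placeholder values have actually been replaced. The script below is an added example, not part of the original guide or of Passbolt; the function names, finding labels, and the 16-character threshold are assumptions chosen for illustration:

```sh
#!/bin/sh
# Added example (not from the original guide): pre-flight audit of the
# docker-compose.yml from step 3. One finding per line; exit status 1 if any.
# Assumed rule: a secret is weak if shorter than 16 chars or still "your-*".
audit_compose() {
  awk '
    function flag(msg) { print msg; bad = 1 }
    {
      sub(/[ \t]+#.*$/, "")                               # drop trailing YAML comment
      if ($0 !~ /^[ \t]*[A-Za-z_]+:[ \t]+[^ \t]/) next    # keep "KEY: value" lines only
      key = $0; sub(/^[ \t]*/, "", key); sub(/:.*$/, "", key)
      val = $0; sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      gsub(/^["\047]|["\047]$/, "", val)                  # strip surrounding quotes
      if (key ~ /PASSWORD$/) {
        if (length(val) < 16 || val ~ /^your-/) flag("WEAK_SECRET " key)
        pw[key] = val
      }
      if (key == "APP_FULL_BASE_URL" && val ~ /^http:\/\//)
        flag("PLAINTEXT_HTTP " key)
    }
    END {
      # Passbolt and MariaDB must agree on the DB password after it is changed.
      if ((pw["DATASOURCES_DEFAULT_PASSWORD"] "") != (pw["MYSQL_PASSWORD"] ""))
        flag("MISMATCH DATASOURCES_DEFAULT_PASSWORD != MYSQL_PASSWORD")
      exit (bad ? 1 : 0)
    }
  ' "$1"
}

# Sample input: the secret-bearing lines of the compose file above, unchanged.
sample_compose() {
  cat <<'EOF'
      APP_FULL_BASE_URL: http://your-server-ip
      DATASOURCES_DEFAULT_PASSWORD: passbolt
      EMAIL_TRANSPORT_DEFAULT_PASSWORD: your-sendgrid-api-key
      MYSQL_ROOT_PASSWORD: root
      MYSQL_PASSWORD: passbolt
EOF
}

# Demo on the sample; on the server: audit_compose /opt/passbolt/docker-compose.yml
sample_compose | audit_compose - || echo "Fix the findings above before 'docker-compose up -d'."
```

The PLAINTEXT_HTTP finding is expected while you follow this guide on a bare IP address; it clears once the base URL is switched to https://.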

4. Start Passbolt

docker-compose up -d

Wait a few moments, then access:

http://your-server-ip

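For Passbolt email (note that the Compose file above publishes only port 80, so this address needs a mail service listening on port 1080):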

http://your-server-ip:1080

5. Create Admin User via CLI

Run the command below to generate the first user:

docker exec -it passbolt su -m -c "/usr/share/php/passbolt/bin/cake passbolt register_user -u admin@example.com -f Admin -l User -r admin" -s /bin/bash www-data

You’ll get a setup link. Open it in your browser to finish the admin setup.

Choose a Strong Passphrase

When prompted, create a strong passphrase — this unlocks your personal GPG key.

Save the recovery kit when Passbolt asks — it contains your private key and is needed for future logins.

Configure Email Notifications (SMTP)

Passbolt uses email for verification and notifications. We used SendGrid SMTP, but you can also use AWS SES, Mailgun, Gmail, or any SMTP provider.

Update the email section in the Docker Compose file, as shown above, and restart:

docker-compose down
docker-compose up -d

Testing Email Delivery

You can test SMTP with:

docker exec -it passbolt su -m -c "/usr/share/php/passbolt/bin/cake passbolt send_test_email --recipient=you@example.com" -s /bin/bash www-data

Optional: Add HTTPS with Nginx + Let’s Encrypt

For production, it’s highly recommended to set up a reverse proxy (Nginx) and add SSL/TLS encryption with Let’s Encrypt. This ensures credentials aren’t exposed over HTTP.

Final Thoughts

Passbolt is a powerful, secure password manager tailored for team use. It’s open-source, transparent, and puts control back in your hands.

Whether you’re managing cloud credentials, internal databases, or shared secrets, Passbolt ensures your sensitive data remains safe and only accessible to those you trust.
