The Reality: Zalo and Excel – Security “Death Traps” for Many Startups
Working with various tech teams, I often see the same scenario: root passwords, API keys, or database credentials sent in plaintext via Zalo, Slack, or dumped into a shared Google Doc. Chat history syncs to every device each member owns and stays searchable forever, so it only takes one team member's machine being infected with malware, or one leaked browser session, and the whole infrastructure changes hands.
Published breach statistics have repeatedly put weak or stolen credentials behind the majority of hacking-related breaches. I once witnessed a server being completely wiped just because the admin password was left in an old group chat. Passbolt is built for exactly this problem. It is an open-source password manager that encrypts every secret end to end (E2EE) with the users' own OpenPGP keys, supports granular per-resource permissions, and keeps an activity log of who did what.
Quick Start: Running Passbolt in 15 Minutes with Docker
To save you time, here is the fastest way to deploy Passbolt in a lab environment or on a personal server using Docker Compose.
Step 1: Preparing the docker-compose.yaml File
First, create the directory and configuration file:
mkdir passbolt && cd passbolt
nano docker-compose.yaml
Paste the following content. Change the two database passwords (the MYSQL_PASSWORD and DATASOURCES_DEFAULT_PASSWORD values must match) and APP_FULL_BASE_URL, which must be exactly the URL users will type: every link Passbolt generates, including the admin registration link in the next step, is built from it. The container paths below are for the current Debian-based image, where the application lives under /usr/share/php/passbolt and its configuration under /etc/passbolt:
version: '3.4'
services:
  db:
    image: mariadb:10.11
    environment:
      - MYSQL_ROOT_PASSWORD=replace_with_your_password
      - MYSQL_DATABASE=passbolt
      - MYSQL_USER=passbolt
      - MYSQL_PASSWORD=passbolt_password
    volumes:
      - ./database:/var/lib/mysql
  passbolt:
    image: passbolt/passbolt:latest-ce
    depends_on:
      - db
    environment:
      - APP_FULL_BASE_URL=https://passbolt.yourdomain.com
      - DATASOURCES_DEFAULT_HOST=db
      - DATASOURCES_DEFAULT_USERNAME=passbolt
      - DATASOURCES_DEFAULT_PASSWORD=passbolt_password
      - DATASOURCES_DEFAULT_DATABASE=passbolt
    volumes:
      # The server's GPG key pair and JWT keys must survive container
      # recreation; if they are lost, nobody can log in after an image update.
      - ./gpg:/etc/passbolt/gpg
      - ./jwt:/etc/passbolt/jwt
      - ./images:/usr/share/php/passbolt/webroot/img/public
    # Wait for MariaDB to accept connections before the entrypoint runs
    # the database migrations on first start.
    command: ["/usr/bin/wait-for.sh", "-t", "0", "db:3306", "--", "/docker-entrypoint.sh"]
    ports:
      - "80:80"
      - "443:443"
Step 2: Launch and Register Admin
Run docker-compose up -d to start the containers. The first start takes about a minute: the entrypoint waits for MariaDB, generates the server's GPG key pair into ./gpg, and runs the database migrations. Then create the first administrator with the command below. It has to run as www-data, the user the web application runs as, so that any files it touches keep the right owner:
docker-compose exec passbolt su -m -c "/usr/share/php/passbolt/bin/cake passbolt register_user -u admin@yourdomain.com -f Admin -l System -r admin" -s /bin/sh www-data
The command prints a one-time registration link built from APP_FULL_BASE_URL. Open it in a browser that already has the Passbolt browser extension installed; the extension generates your personal GPG key pair locally and offers to download it as a recovery kit. Keep that file, it is the only copy of your private key.
Why Passbolt and not Bitwarden or Vault?
The most common question is: "Bitwarden is great, why switch?". In reality, each tool has its own philosophy. Bitwarden targets individuals and multi-device convenience, and HashiCorp Vault is a secrets manager for machines and pipelines rather than for people sharing passwords with each other. Passbolt, by contrast, is built around collaboration.
- GPG Philosophy: Each user owns an OpenPGP key pair generated in their browser extension. A secret is encrypted client-side to the public key of every user it is shared with, so the server only ever stores ciphertext; the server's own key is used for authentication, not for reading secrets. Even a system admin with full database access cannot read an employee's passwords unless they have been shared with them.
- Detailed Audit Logs: You will know exactly who copied the Telegram bot password at 3 PM. In a corporate environment, this transparency is vital. Check what logging your edition ships with, though: the full audit log is listed as a Pro feature, not part of the Community Edition image used above.
- Flexible Permissions: Assigning a permission level (can read, can update, is owner) on a resource or a whole folder for the Dev, Marketing, or Infra team is straightforward, and groups let you manage that access per team instead of per person.
Advanced Deployment: SMTP and HTTPS
Using Passbolt over plain HTTP is security suicide: session cookies and the authentication exchange travel in the clear, and the Passbolt browser extension is designed to be used only with an HTTPS origin. SMTP is not optional either: invitations to new users and recovery emails are sent by mail, so without a working mail transport nobody after the first admin can be onboarded. For a team of 5-10 people, configure both before inviting anyone.
The cleanest way is to use Nginx Proxy Manager or Traefik as a reverse proxy that terminates TLS and forwards to the container's port 80. In that setup APP_FULL_BASE_URL still has to be the public https:// URL, and you no longer need to publish port 443 from the container itself. If you are self-hosting at home without a static IP, Cloudflare Tunnel is an excellent solution to get a valid certificate without opening router ports; keep in mind that Cloudflare then terminates TLS and sees the HTTP traffic, which for Passbolt means session metadata and ciphertext, not the secrets themselves.
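The SMTP part can be scripted so the settings never end up in chat either. The following script is an added example for this post, not code from Passbolt; it assumes the compose file from the Quick Start (a service named passbolt, the Debian-based latest-ce image with cake under /usr/share/php/passbolt), writes the mail settings into a docker-compose.override.yaml that Compose merges automatically, and then uses two built-in Passbolt commands, send_test_email and healthcheck, to confirm mail and HTTPS are really working. The SMTP host, port, user and addresses are placeholders; the password is read from the SMTP_PASSWORD environment variable so it never appears on a command line or in shell history.

```shell
#!/bin/sh
# passbolt-smtp.sh: configure Passbolt's mail transport and verify the deployment.
# Added example, not part of the original post or of the Passbolt project.
# Assumes: compose service "passbolt", Debian-based image (cake in
# /usr/share/php/passbolt), STARTTLS on port 587 (the common case).
set -eu

# Write a compose override carrying Passbolt's SMTP environment variables.
# $1: output path  $2: SMTP host  $3: port  $4: SMTP username  $5: From address
write_smtp_override() {
  out=$1; host=$2; port=$3; user=$4; from=$5
  : "${SMTP_PASSWORD:?export SMTP_PASSWORD before running this}"
  # EMAIL_TRANSPORT_DEFAULT_TLS=true means STARTTLS on a plain connection, as
  # CakePHP's SMTP transport (which Passbolt uses) interprets it; that is what
  # port 587 expects. Other ports are written with TLS disabled on purpose so a
  # wrong combination fails loudly in send_test_email instead of silently.
  case "$port" in
    587) tls=true ;;
    *)   tls=false ;;
  esac
  cat > "$out" <<EOF
services:
  passbolt:
    environment:
      - EMAIL_DEFAULT_FROM=$from
      - EMAIL_DEFAULT_FROM_NAME=Passbolt
      - EMAIL_TRANSPORT_DEFAULT_HOST=$host
      - EMAIL_TRANSPORT_DEFAULT_PORT=$port
      - EMAIL_TRANSPORT_DEFAULT_USERNAME=$user
      - EMAIL_TRANSPORT_DEFAULT_PASSWORD=$SMTP_PASSWORD
      - EMAIL_TRANSPORT_DEFAULT_TLS=$tls
EOF
  chmod 600 "$out"   # the file now holds the SMTP password
}

# Run a cake command inside the container as www-data, the same way the
# register_user command in the Quick Start is run. -T: no TTY, safe in cron.
cake() {
  docker compose exec -T passbolt \
    su -m -c "/usr/share/php/passbolt/bin/cake $*" -s /bin/sh www-data
}

# $1: address that should receive the test message
verify_deployment() {
  # A failure here means the SMTP settings are wrong; fix them before inviting users.
  cake passbolt send_test_email --recipient="$1"
  # The healthcheck also reports on the base URL, HTTPS, GPG and JWT keys and
  # the SMTP settings, so it is the single command to run after any change.
  cake passbolt healthcheck
}

main() {
  [ $# -eq 5 ] || { echo "usage: $0 smtp-host port smtp-user from-address test-recipient" >&2; exit 2; }
  write_smtp_override docker-compose.override.yaml "$1" "$2" "$3" "$4"
  docker compose up -d      # recreates the passbolt container with the new variables
  verify_deployment "$5"
}

# Only run main when executed as passbolt-smtp.sh; sourcing the file just defines the functions.
case "${0##*/}" in passbolt-smtp.sh) main "$@" ;; esac
```

Usage: SMTP_PASSWORD='...' ./passbolt-smtp.sh smtp.yourprovider.com 587 mailer@yourdomain.com passbolt@yourdomain.com you@yourdomain.com. Newer Passbolt versions also expose the SMTP settings in the administration UI, where they take precedence over the environment variables; the override file is still the right place for the defaults of a reproducible deployment.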
Practical Experience: Avoiding Headaches During Operation
After deploying for several personal projects, I’ve learned three hard-earned lessons:
1. Never Lose Your Private Key
Forgetting your passphrase or losing your private key means losing access to everything encrypted to it. Passbolt has no email-based "forgot password" feature; what you get is the recovery kit, the .asc file with your private key that the extension offers to download at setup. Remind your team to back up that file to a USB stick or a physical vault, and to remember the passphrase, because the key file alone is useless without it.
2. Automate Database Backups
All secrets reside in MariaDB, but a database dump alone is not a restorable backup: the server also needs its own GPG key pair from ./gpg (and its JWT keys, if you persisted them) or nobody can log in to the restored instance. Set up a cronjob to dump the database every day at 2 AM and archive it together with those directories. Use -T, otherwise docker-compose exec allocates a TTY and corrupts the redirected dump:
docker-compose exec -T db mysqldump --single-transaction -u passbolt -p'passbolt_password' passbolt > backup_$(date +%F).sql
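A backup script that does all of this, written as an added example for this post (not Passbolt's own tooling). It assumes the compose layout from the Quick Start: a db service running MariaDB, and the ./gpg (and optionally ./jwt) directories next to docker-compose.yaml. The database password is read from the DB_PASSWORD environment variable and handed to mysqldump through MYSQL_PWD, so it does not appear in the host's process list the way -p'...' does; the destination directory is a placeholder.

```shell
#!/bin/sh
# passbolt-backup.sh: nightly backup of everything needed to restore Passbolt.
# Added example, not code from the original post or from Passbolt.
# Assumes: compose service "db" (MariaDB, user/database "passbolt"), and the
# bind mounts ./gpg and, if present, ./jwt in the current directory.
set -eu

# Archive name for a given date (YYYY-MM-DD); a function so backup, restore
# and retention all agree on the naming.
backup_name() {
  printf 'passbolt-backup-%s.tar.gz' "$1"
}

# Dump the database to $1.
# -T: no TTY, otherwise docker compose exec corrupts the redirected output.
# --single-transaction: consistent InnoDB snapshot without locking tables
# while the team keeps using Passbolt.
dump_db() {
  docker compose exec -T -e MYSQL_PWD="$DB_PASSWORD" db \
    mysqldump --single-transaction -u passbolt passbolt > "$1"
}

# Bundle the dump and the key directories into one archive and make sure
# it reads back. $1: archive path  $2...: files and directories to include
make_archive() {
  archive=$1; shift
  tar -czf "$archive" "$@"
  tar -tzf "$archive" > /dev/null   # fails if the archive is truncated or unreadable
  chmod 600 "$archive"              # it contains the server's private GPG key
}

main() {
  : "${DB_PASSWORD:?export DB_PASSWORD (the DATASOURCES_DEFAULT_PASSWORD value)}"
  dest=${1:-/var/backups/passbolt}          # placeholder destination
  mkdir -p "$dest"
  [ -d gpg ] || { echo "./gpg not found: run this next to docker-compose.yaml" >&2; exit 1; }
  dirs=gpg
  [ -d jwt ] && dirs="$dirs jwt"            # JWT keys only exist if you persisted them
  today=$(date +%F)
  dump="$dest/passbolt-$today.sql"
  dump_db "$dump"
  # $dirs is intentionally unquoted so it splits into one argument per directory.
  make_archive "$dest/$(backup_name "$today")" "$dump" $dirs
  rm -f "$dump"                             # the plain dump is now inside the archive
  # Keep 30 days of archives.
  find "$dest" -name 'passbolt-backup-*.tar.gz' -mtime +30 -exec rm -f {} +
}

# Only run main when executed as passbolt-backup.sh; sourcing just defines the functions.
case "${0##*/}" in passbolt-backup.sh) main "$@" ;; esac
```

Cron entry for 2 AM: 0 2 * * * cd /opt/passbolt && DB_PASSWORD="$(cat /root/.passbolt-db-pw)" ./passbolt-backup.sh /var/backups/passbolt, with the password file mode 600 rather than the password inline in the crontab. Restoring is the reverse: put ./gpg (and ./jwt) back before starting the passbolt container, then load the .sql into MariaDB; the archive is only as safe as where you store it, since anyone holding it has the server key and the ciphertext.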
3. Prioritize the “Share” Feature over Copy-Paste
Never copy passwords to send via chat. Use the Share feature directly within the Passbolt interface. When an employee leaves, you can revoke their access with a single click instead of hunting through chat history. Revocation stops future access, not what the person has already read, so for the handful of credentials a leaver actually used, still rotate them; Passbolt at least tells you which ones those are.
Conclusion
Self-hosting Passbolt means taking on the maintenance: updates, backups, and a working mail and TLS setup. In return, your team gets a shared vault in which the server never holds a readable secret, and access that can be granted and revoked per person. I hope this guide helps your workflow become more professional and ends the worry of leaking credentials via Zalo.

