Password Management For Ghosts - Passbolt

Signal trace: why Passbolt?

DeadSwitch investigates open source tools not for visibility, but for survival.
No sponsorships. No affiliate codes. No fake enthusiasm.

He moves through the noise, testing what matters - what can be trusted, what can be hardened, what deserves a place in the ghost stack.

This time, it's Passbolt.

Not because it's trending.
Because it speaks encryption. Because it stores secrets in a way that respects control.
Because when the lights cut, you need to know your keys don't vanish with them.

This isn't a review. It's a trace log.
Use it, bend it, improve it - if you're one of those who still listens to the signal.

Mission Brief

This operation details the deployment of Passbolt CE using Podman containers on Debian 12.

No Docker daemon.
No exposed defaults.
Just isolated containers, controlled trust, and encryption under your command.

Requirements

  • Debian 12 (with hardened kernel preferred)
  • Podman installed and functional (v4 or later)
  • GPG and OpenSSL tools available
  • Environment variables set securely or managed via .env
  • Terminal access with elevated privileges or configured rootless Podman
  • Local DNS or /etc/hosts configured for passbolt.local

Step 1: Create the Podman network

Establish a dedicated network for compartmentalization.

podman network create n_passbolt

Step 2: Deploy the database container

Start the database container.
Inject secrets via environment variables. Avoid inline exposure.

export MYSQL_ROOT_PASSWORD="yourRootPassword"
export MYSQL_PASSWORD="yourUserPassword"

podman volume create db_volume

podman run -d --name db --network n_passbolt \
  -e MYSQL_ROOT_PASSWORD="$MYSQL_ROOT_PASSWORD" \
  -e MYSQL_DATABASE=passbolt \
  -e MYSQL_USER=passbolt \
  -e MYSQL_PASSWORD="$MYSQL_PASSWORD" \
  -v db_volume:/var/lib/mysql \
  docker.io/mysql:lts

Replace passwords with secure values. Rotate regularly.

Step 3: Deploy the passbolt container

Create persistent volumes and launch the vault.

podman volume create gpg_volume
podman volume create jwt_volume

podman run -d --name passbolt \
  --network n_passbolt \
  -p 8000:80 -p 4430:443 \
  -e DATASOURCES_DEFAULT_HOST=db \
  -e DATASOURCES_DEFAULT_USERNAME=passbolt \
  -e DATASOURCES_DEFAULT_PASSWORD="$MYSQL_PASSWORD" \
  -e DATASOURCES_DEFAULT_DATABASE=passbolt \
  -e APP_FULL_BASE_URL=https://passbolt.local:4430 \
  -v gpg_volume:/etc/passbolt/gpg \
  -v jwt_volume:/etc/passbolt/jwt \
  docker.io/passbolt/passbolt:4.4.2-1-ce

Ensure DNS resolves passbolt.local to the correct IP. Use /etc/hosts if needed.

Step 4: Inject the Admin user

Once Passbolt is running, register the first admin user inside the container:

podman exec -it passbolt \
  su -m -c "/usr/share/php/passbolt/bin/cake passbolt register_user \
  -u YOUR_EMAIL \
  -f YOUR_NAME \
  -l YOUR_LASTNAME \
  -r admin" -s /bin/sh www-data

The command must run as www-data within the container to correctly register the user in Passbolt.

Step 5: First Contact

Initiate secure access using a hardened browser:

https://passbolt.local:4430

Step 6: Security Cleanup

Don't leave any credentials behind.

unset MYSQL_PASSWORD
unset MYSQL_ROOT_PASSWORD

Always use safely stored .env files in production.
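Steps 1 to 6 as one script, added here as an example; it is not part of the original post and not Passbolt's own tooling. It reads the two MySQL secrets from a mode-600 .env file instead of exported shell variables, refuses to start if passbolt.local is not in the hosts file, creates the network and volumes only when they are missing, and with DRY_RUN=1 prints every command with the password values redacted. The names NET, ENV_FILE, HOSTS_FILE, DRY_RUN and ADMIN_EMAIL/ADMIN_FIRST/ADMIN_LAST are assumptions of this script; the image tags and container names are the ones used above. It departs from the commands above in one place: only 4430 is published, so the "4430 only" firewall rule from the Notes has no second port to cover.

```shell
#!/bin/sh
# Added example (not from the original post, not Passbolt's tooling).
# Steps 1-6 in one script: secrets from a mode-600 .env file, hosts check,
# idempotent network/volume creation, DRY_RUN=1 prints commands with
# *PASSWORD= values redacted. Assumed names: NET, ENV_FILE, HOSTS_FILE,
# DRY_RUN, ADMIN_EMAIL, ADMIN_FIRST, ADMIN_LAST.
set -eu

NET="${NET:-n_passbolt}"
ENV_FILE="${ENV_FILE:-./passbolt.env}"
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
MYSQL_IMAGE="docker.io/mysql:lts"
PASSBOLT_IMAGE="docker.io/passbolt/passbolt:4.4.2-1-ce"
REQUIRED_VARS="MYSQL_ROOT_PASSWORD MYSQL_PASSWORD"

# Run a command, or with DRY_RUN=1 print it with password values masked.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    for a in "$@"; do
      case "$a" in
        *PASSWORD=*) printf '%s=<redacted> ' "${a%%=*}" ;;
        *)           printf '%s ' "$a" ;;
      esac
    done
    printf '\n'
  else
    "$@"
  fi
}

# Source KEY=value lines from the .env file. The file is executed by the
# shell, so refuse anything that is not owner-only (600/400), then require
# every variable in REQUIRED_VARS to be set and non-empty.
load_env_file() {
  [ -f "$1" ] || { echo "missing env file: $1" >&2; return 1; }
  mode=$(stat -c '%a' "$1")          # GNU stat, as shipped with Debian 12
  case "$mode" in
    600|400) ;;
    *) echo "refusing $1: mode $mode, want 600" >&2; return 2 ;;
  esac
  set -a; . "$1"; set +a
  for v in $REQUIRED_VARS; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "$v missing in $1" >&2; return 3; }
  done
  unset val
}

# Succeed only if the hosts file maps NAME (comments ignored, exact match).
host_entry_present() {
  grep -v '^[[:space:]]*#' "$1" | awk -v n="$2" \
    '{ for (i = 2; i <= NF; i++) if ($i == n) found = 1 } END { exit found ? 0 : 1 }'
}

# ensure network|volume NAME: create it only if podman does not have it yet.
ensure() {
  if [ "${DRY_RUN:-0}" = 1 ] || ! podman "$1" exists "$2"; then
    run podman "$1" create "$2"
  fi
}

deploy_db() {
  ensure volume db_volume
  run podman run -d --name db --network "$NET" \
    -e "MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASSWORD" \
    -e MYSQL_DATABASE=passbolt -e MYSQL_USER=passbolt \
    -e "MYSQL_PASSWORD=$MYSQL_PASSWORD" \
    -v db_volume:/var/lib/mysql "$MYSQL_IMAGE"
}

# Only 4430 is published; the plain-HTTP 8000:80 mapping is left out.
deploy_passbolt() {
  ensure volume gpg_volume
  ensure volume jwt_volume
  run podman run -d --name passbolt --network "$NET" -p 4430:443 \
    -e DATASOURCES_DEFAULT_HOST=db \
    -e DATASOURCES_DEFAULT_USERNAME=passbolt \
    -e "DATASOURCES_DEFAULT_PASSWORD=$MYSQL_PASSWORD" \
    -e DATASOURCES_DEFAULT_DATABASE=passbolt \
    -e APP_FULL_BASE_URL=https://passbolt.local:4430 \
    -v gpg_volume:/etc/passbolt/gpg -v jwt_volume:/etc/passbolt/jwt "$PASSBOLT_IMAGE"
}

# Step 4: register_user must run as www-data inside the container.
register_admin() {   # args: email first_name last_name
  run podman exec passbolt su -m -c \
    "/usr/share/php/passbolt/bin/cake passbolt register_user -u '$1' -f '$2' -l '$3' -r admin" \
    -s /bin/sh www-data
}

main() {
  load_env_file "$ENV_FILE"
  host_entry_present "$HOSTS_FILE" passbolt.local \
    || { echo "passbolt.local is not in $HOSTS_FILE; add it first" >&2; return 1; }
  ensure network "$NET"
  deploy_db
  deploy_passbolt
  register_admin "${ADMIN_EMAIL:?}" "${ADMIN_FIRST:?}" "${ADMIN_LAST:?}"
  unset MYSQL_ROOT_PASSWORD MYSQL_PASSWORD   # Step 6: nothing left in the shell
  echo "open https://passbolt.local:4430"
}

if [ "${1:-}" = deploy ]; then main; fi
```

Run it as DRY_RUN=1 ADMIN_EMAIL=... ADMIN_FIRST=... ADMIN_LAST=... sh deploy.sh deploy first and read the redacted command list, then without DRY_RUN. Unsetting the variables afterwards clears the shell, but the values still live in the containers' environment and are shown by podman inspect to anyone who can talk to your Podman, which is one more reason to keep to rootless Podman as the Notes suggest.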

Alternative Way: Create a Podman pod like a Ghost

Create an empty pod:

podman pod create -p 4430:443 p_passbolt

Assign the MySQL container to the new pod:

podman run --rm -d --name passbolt_mysql --pod p_passbolt \
  -e MYSQL_ROOT_PASSWORD="$MYSQL_ROOT_PASSWORD" \
  -e MYSQL_DATABASE=passbolt \
  -e MYSQL_USER=passbolt \
  -e MYSQL_PASSWORD="$MYSQL_PASSWORD" \
  -v db_volume:/var/lib/mysql \
  docker.io/mysql:lts

Add the Passbolt container to it:

podman run --rm -d --name passbolt \
  --pod p_passbolt \
  -e DATASOURCES_DEFAULT_HOST=127.0.0.1 \
  -e DATASOURCES_DEFAULT_USERNAME=passbolt \
  -e DATASOURCES_DEFAULT_PASSWORD="$MYSQL_PASSWORD" \
  -e DATASOURCES_DEFAULT_DATABASE=passbolt \
  -e APP_FULL_BASE_URL=https://passbolt.local:4430 \
  -v gpg_volume:/etc/passbolt/gpg \
  -v jwt_volume:/etc/passbolt/jwt \
  docker.io/passbolt/passbolt:4.4.2-1-ce

Generate the pod configuration:

podman kube generate p_passbolt -f passbolt-pod.yaml

You can recreate the pod from that file with:

podman kube play passbolt-pod.yaml
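One thing to know about the generated file: podman kube generate copies every -e value of the running containers into the YAML as plain text, the MySQL passwords included, so passbolt-pod.yaml is now a secret-bearing file. The check below is an added example, not part of the original post and not a Podman or Passbolt tool; audit_kube_yaml and sample_kube_yaml are assumed names, and the manifest sample_kube_yaml writes is constructed to look like generated output, with placeholder values.

```shell
#!/bin/sh
# Added example (not from the original post). podman kube generate writes
# every -e value, passwords included, into the YAML as plain text.
# audit_kube_yaml (assumed name) flags such entries; sample_kube_yaml
# (assumed name) writes a constructed manifest for trying the check offline.
set -eu

# Exit 1 and name each env entry whose key ends in PASSWORD and carries an
# inline value. A key followed by valueFrom/secretKeyRef does not match.
audit_kube_yaml() {
  awk '
    /^[[:space:]]*-[[:space:]]*name:[[:space:]]*[A-Za-z0-9_]*PASSWORD[[:space:]]*$/ { key = $NF; next }
    key != "" && /^[[:space:]]*value:/ {
      sub(/^[[:space:]]*value:[[:space:]]*/, "")
      if ($0 != "" && $0 != "\"\"") { print "plaintext secret in env: " key; bad = 1 }
    }
    { key = "" }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# Write a constructed pod manifest (placeholder values) to PATH, owner-only.
sample_kube_yaml() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: p_passbolt
spec:
  containers:
  - name: passbolt_mysql
    image: docker.io/mysql:lts
    env:
    - name: MYSQL_DATABASE
      value: passbolt
    - name: MYSQL_ROOT_PASSWORD
      value: constructed-root-pw
    - name: MYSQL_PASSWORD
      value: constructed-user-pw
  - name: passbolt
    image: docker.io/passbolt/passbolt:4.4.2-1-ce
    env:
    - name: DATASOURCES_DEFAULT_PASSWORD
      value: constructed-user-pw
EOF
  chmod 600 "$1"   # a generated manifest deserves the same mode as the .env file
}

if [ "${1:-}" = audit ]; then
  audit_kube_yaml "${2:-passbolt-pod.yaml}" && echo "no inline passwords found"
fi
```

Run sh audit.sh audit passbolt-pod.yaml right after generating the file; a non-zero exit means the manifest must be kept with .env-grade permissions and out of any repository until the values are removed.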


Notes

  • Run as non-root Podman user if security context allows.
  • Enforce HTTPS (Let's Encrypt or internal CA); see the official Passbolt documentation.
  • Place .env file in an encrypted volume or LUKS-mounted drive.
  • Use iptables or nftables to restrict inbound traffic to 4430 only.
  • Perform GPG backups and store offline.
  • Set up log monitoring and intrusion alerts for container activity.

Ghost Whisper: Why this matters for small ops

This stack runs lean and isolated. No daemon overhead. No exposed cloud surfaces.
Just you, your keys, and a vault cut from silence.

When trust fails, small teams bleed first.
Passbolt speaks to them - not with bloatware, but with OpenPGP, audits, and clear code.

It's not a toy. It's a vault.
Open source. Team-first. Built to be verified, not marketed.

For SMBs who still care about sovereignty,
Passbolt offers a sharp edge - and no hidden trapdoor.


Write to DeadSwitch on Matrix: @deadswitch:matrix.org

DeadSwitch | The Cyber Ghost
"In silence, we rise. In the switch, we fade."