Security colleagues, especially blue-team staff on the customer side, often run into this problem: a pile of passwords for security appliances. Passbolt is an open-source password manager for teams: built for team collaboration, open source, self-hosted, API-centric, privacy-focused and developer-first.

The officially recommended configuration is 2 vCPUs and 2 GB of RAM; I chose Debian 12 as the operating system, which is clean and pleasant to use. This article uses Docker as the example deployment. If you would rather install directly on the system, do it on the newest, cleanest system you can and don't add server control panels and the like, or you may not be able to tell which component is actually serving your web application.

Environment preparation

Installing with Docker is very convenient; first install Docker:

sudo apt update  
sudo apt install apt-transport-https ca-certificates curl software-properties-common

curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

sudo apt update
sudo apt install docker-ce

Start Docker and enable it at boot:

sudo systemctl start docker  
sudo systemctl enable docker

Download docker-compose; this has to be downloaded separately:

sudo curl -L "https://github.com/docker/compose/releases/download/v2.10.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

Grant execute permission:

sudo chmod +x /usr/local/bin/docker-compose

Check whether the PATH needs configuring:

docker-compose --version

If /usr/local/bin is not in your PATH, you can create a symbolic link in /usr/bin:

sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose

Installing Passbolt

Download the official Docker Compose file. The compose file shown in the official documentation sometimes causes odd problems, so here I use the one found in the official GitHub repository:

curl -LO https://raw.githubusercontent.com/passbolt/passbolt_docker/refs/heads/master/docker-compose/docker-compose-ce.yaml

Download the hash checksum file:

curl -LO https://github.com/passbolt/passbolt_docker/releases/latest/download/docker-compose-ce-SHA512SUM.txt

Compare the hashes:

sha512sum -c docker-compose-ce-SHA512SUM.txt

If it does not report OK, the file was downloaded incompletely and will cause problems:
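The checksum step above is worth wrapping in a function so that a deployment script refuses to go on when the compose file does not match its published hash. The script below is an added example, not part of the original post or of the Passbolt project; it assumes GNU coreutils sha512sum (the same tool the post uses) and that the SHA512SUM file sits in the same directory as the file it covers, as the Passbolt release file does. One caveat a practitioner should keep in mind: the SHA512SUM file is attached to a release, so a mismatch can also mean the raw master copy has changed since that release, not only that the download was truncated.

```shell
#!/bin/sh
# Added example (not from the original post): wrap the sha512sum -c step in a
# function so a script can stop before starting containers from a compose
# file that does not match its published checksum.
set -eu

# Verify every file listed in a SHA512SUM file. The checksum file must live in
# the same directory as the files it covers, as with the Passbolt release file.
# Returns 0 only when sha512sum reports every listed file OK.
verify_sums() {
    sumfile="$1"
    dir=$(dirname "$sumfile")
    # --strict also fails on malformed checksum lines; --quiet hides the OK lines
    ( cd "$dir" && sha512sum -c --quiet --strict "$(basename "$sumfile")" ) >/dev/null 2>&1
}

# Demonstration on constructed data: build a small YAML file, record its hash,
# verify it, then append to the file (simulating a corrupted or changed
# download) and verify again.
demo() {
    work=$(mktemp -d)
    printf 'version: "3.9"\n' > "$work/docker-compose-ce.yaml"
    ( cd "$work" && sha512sum docker-compose-ce.yaml > docker-compose-ce-SHA512SUM.txt )
    if verify_sums "$work/docker-compose-ce-SHA512SUM.txt"; then
        echo "intact file: OK"
    fi
    printf '# one more byte changes the digest\n' >> "$work/docker-compose-ce.yaml"
    if ! verify_sums "$work/docker-compose-ce-SHA512SUM.txt"; then
        echo "modified file: checksum mismatch, do not start containers"
    fi
    rm -rf "$work"
}

demo
```

Used in a deployment script, you would call `verify_sums ./docker-compose-ce-SHA512SUM.txt || exit 1` right before `docker-compose ... up -d`, so that a bad download never becomes a running stack.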


By default the container occupies ports 80 and 443:

root@debianserver:/home/debian# cat docker-compose-ce.yaml
version: "3.9"
services:
  db:
    image: mariadb:10.11
    restart: unless-stopped
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_DATABASE: "passbolt"
      MYSQL_USER: "passbolt"
      MYSQL_PASSWORD: "P4ssb0lt"
    volumes:
      - database_volume:/var/lib/mysql

  passbolt:
    image: passbolt/passbolt:latest-ce
    #Alternatively you can use rootless:
    #image: passbolt/passbolt:latest-ce-non-root
    restart: unless-stopped
    depends_on:
      - db
    environment:
      APP_FULL_BASE_URL: https://passbolt.local
      DATASOURCES_DEFAULT_HOST: "db"
      DATASOURCES_DEFAULT_USERNAME: "passbolt"
      DATASOURCES_DEFAULT_PASSWORD: "P4ssb0lt"
      DATASOURCES_DEFAULT_DATABASE: "passbolt"
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
    command:
      [
        "/usr/bin/wait-for.sh",
        "-t",
        "0",
        "db:3306",
        "--",
        "/docker-entrypoint.sh",
      ]
    ports:
      - 80:80
      - 443:443
      #Alternatively for non-root images:
      # - 80:8080
      # - 443:4433

volumes:
  database_volume:
  gpg_volume:
  jwt_volume:
The file contains the database username and password, the database port, and Passbolt's domain https://passbolt.local. The official documentation lists more variables:

https://www.passbolt.com/docs/hosting/configure/environment-reference/

For example, to connect to an intranet SMTP mail server, add the mail settings to the passbolt service:

version: "3.9"
services:
  db:
    image: mariadb:10.11
    restart: unless-stopped
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_DATABASE: "passbolt"
      MYSQL_USER: "passbolt"
      MYSQL_PASSWORD: "P4ssb0lt"
    volumes:
      - database_volume:/var/lib/mysql

  passbolt:
    image: passbolt/passbolt:latest-ce
    # Alternatively you can use rootless:
    # image: passbolt/passbolt:latest-ce-non-root
    restart: unless-stopped
    depends_on:
      - db
    environment:
      APP_FULL_BASE_URL: https://passbolt.local
      DATASOURCES_DEFAULT_HOST: "db"
      DATASOURCES_DEFAULT_USERNAME: "passbolt"
      DATASOURCES_DEFAULT_PASSWORD: "P4ssb0lt"
      DATASOURCES_DEFAULT_DATABASE: "passbolt"
      EMAIL_DEFAULT_FROM: 'noreply@yourdomain.com'
      EMAIL_TRANSPORT_DEFAULT_HOST: 'smtp.your-smtp-server.com'
      EMAIL_TRANSPORT_DEFAULT_PORT: '587'
      EMAIL_TRANSPORT_DEFAULT_USERNAME: 'your-smtp-username'
      EMAIL_TRANSPORT_DEFAULT_PASSWORD: 'your-smtp-password'
      # quoted: compose environment values must be strings, a bare YAML boolean is rejected
      EMAIL_TRANSPORT_DEFAULT_TLS: 'true'
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
    command:
      [
        "/usr/bin/wait-for.sh",
        "-t",
        "0",
        "db:3306",
        "--",
        "/docker-entrypoint.sh",
      ]
    ports:
      - 80:80
      - 443:443
      # Alternatively for non-root images:
      # - 80:8080
      # - 443:4433

volumes:
  database_volume:
  gpg_volume:
  jwt_volume:
Build and start the containers:

docker-compose -f docker-compose-ce.yaml up -d
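Both compose files above carry the database password (`P4ssb0lt`) and the SMTP password as literals, so anyone who can read the YAML, or a copy of it in a backup or a git repository, holds the credentials. The script below is an added example, not part of the original post or of the Passbolt project: it generates random secrets into a `.env` file that docker-compose reads from the project directory and substitutes into `${...}` references in the YAML. The variable names `DB_PASSWORD` and `SMTP_PASSWORD` are my own choice; the compose file must reference them for the substitution to happen.

```shell
#!/bin/sh
# Added example (not from the original post): keep the database and SMTP
# passwords out of docker-compose-ce.yaml by generating them into a .env
# file that docker-compose substitutes at start-up.
set -eu

# Generate a random alphanumeric secret of the requested length (default 32).
gen_secret() {
    length="${1:-32}"
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$length"
}

# Write a .env file next to the compose file, readable only by its owner.
# DB_PASSWORD and SMTP_PASSWORD are hypothetical names chosen for this example;
# the compose file must reference them as "${DB_PASSWORD}" / "${SMTP_PASSWORD}"
# in place of the literal "P4ssb0lt" and 'your-smtp-password'.
write_env() {
    env_file="$1"
    (
        umask 077   # create the file without group/world permissions
        {
            printf 'DB_PASSWORD=%s\n' "$(gen_secret 32)"
            printf 'SMTP_PASSWORD=%s\n' "$(gen_secret 32)"
        } > "$env_file"
    )
    chmod 600 "$env_file"   # also tighten a file that already existed
}

# Pre-flight check before 'docker-compose up': the .env file must be mode 600
# and every value must be at least 16 characters. Returns 1 on any violation.
check_env() {
    env_file="$1"
    perms=$(stat -c '%a' "$env_file" 2>/dev/null || stat -f '%Lp' "$env_file")
    [ "$perms" = "600" ] || return 1
    while IFS='=' read -r key value; do
        [ "${#value}" -ge 16 ] || return 1
    done < "$env_file"
    return 0
}

# Stand-alone run: create the file in a temp dir and report the check result.
demo() {
    work=$(mktemp -d)
    write_env "$work/.env"
    if check_env "$work/.env"; then
        echo ".env written with mode 600 and strong values; safe to run docker-compose up -d"
    fi
    rm -rf "$work"
}

demo
```

In the compose file, replace `MYSQL_PASSWORD: "P4ssb0lt"` and `DATASOURCES_DEFAULT_PASSWORD: "P4ssb0lt"` with `"${DB_PASSWORD}"`, and `EMAIL_TRANSPORT_DEFAULT_PASSWORD` with `"${SMTP_PASSWORD}"`; docker-compose picks up `.env` from the directory of the compose file automatically. Keep `.env` out of version control and backups that are not themselves encrypted.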

Creating the first admin user

Register the first account:

docker exec passbolt su -m -c "bin/cake passbolt register_user -u your@email.com -f yourname -l surname -r admin" -s /bin/sh www-data


Note the green link printed by the command: opening it directly gives a blank page, and visiting by IP also gives a blank page. This is not a build failure; add the domain from your docker-compose file together with your host's IP to your local hosts file (hosts format is IP first, then hostname):

xx.xx.xx.xx passbolt.local

Then open it in the browser:


Set a password for the registered user. The application checks whether the password appears in a leaked weak-password database; if the password meets its requirements, a key file is downloaded:


Then click Next and choose a colour:


You then land in the web application:


Feature overview

The left side is the function area and the upper part is the toolbar. Click Create on the left to create an entry:


New Password:


The URL is not required, but if you have many website back-end passwords it is worth filling in. Creating or adding a password requires identity verification, i.e. a second confirmation:


Once added, the password is displayed in encrypted form; from the front end it does not look recoverable:


So how do you categorise passwords? See New Folders?


Once a folder is created, you can drag already-added passwords into it with the left mouse button:


At the top there is also a Users control panel, which makes managing admin and non-admin users easy:


It can also be personalised:
