Deploy Passbolt | Open Source Team Password Manager
Self Host Passbolt. Team password vault with end-to-end encryption
Services: MariaDB (/var/lib/mysql), Passbolt (/data/passbolt)
Deploy and Host Passbolt CE on Railway
Deploy Passbolt CE on Railway to give your team a self-hosted, GPG-encrypted password manager with granular access controls and browser-based autofill. Self-host Passbolt on Railway and keep full ownership of your credentials — no third-party cloud provider ever sees your plaintext passwords.
This Railway template deploys Passbolt Community Edition with a MariaDB database, persistent GPG key storage, and automatic database migrations. Run Passbolt on Railway with a single click and get a production-ready team password vault behind HTTPS.
Getting Started with Passbolt CE on Railway
After the template deploys, you need to create your first admin account. Open the Railway dashboard, navigate to the Passbolt-App service, and use the built-in SSH console to run:
su -m -c '/usr/share/php/passbolt/bin/cake passbolt register_user \
-u [email protected] -f Admin -l User -r admin' \
-s /bin/sh www-data
This outputs a registration URL. Open it in a browser that has the Passbolt browser extension installed (Chrome, Firefox, Edge, or Safari). The extension generates your personal GPG key pair and completes the setup. Once registered, navigate to the Passbolt dashboard to create your first shared folder, invite team members, and start storing credentials.
About Hosting Passbolt
Passbolt is an open-source password manager built specifically for team collaboration. Unlike consumer password managers, Passbolt uses asymmetric GPG encryption where the server never has access to plaintext passwords — decryption happens entirely in the browser extension.
Key features of Passbolt CE:
- End-to-end GPG encryption — client-side only, server never sees plaintext
- Granular role-based access control with group permissions and shared folders
- Browser extensions for Chrome, Firefox, Edge, and Safari with form autofill
- Native mobile apps for iOS and Android with biometric authentication
- Full REST API for automation, CI/CD credential injection, and integrations
- Multi-factor authentication supporting TOTP, Duo, and YubiKey
- Detailed audit logs tracking who accessed or modified every credential
The Railway template runs two services: Passbolt-App (the PHP application with Nginx) and MariaDB 10.11 for persistent storage.
Why Deploy Passbolt CE on Railway
- Zero infrastructure overhead — Railway handles TLS, DNS, and container orchestration
- Full data sovereignty — credentials stay in your own Railway-managed database
- Persistent GPG keys — volume-backed key storage survives redeployments
- Cross-service references — MariaDB credentials flow to Passbolt automatically via Railway's service graph
- One-command admin setup — SSH into the running service to register your first admin
Common Use Cases for Self-Hosted Passbolt
- IT teams sharing infrastructure credentials — database passwords, API tokens, SSH keys, and cloud console access distributed with per-group permissions
- Employee onboarding/offboarding — grant credential access on day one, revoke instantly on departure without rotating every shared password
- DevOps and SRE teams — store production secrets with audit trails showing who accessed what and when
- Compliance-driven organizations — meet SOC 2 and GDPR requirements by hosting credentials in your own infrastructure with full audit logging
Dependencies for Passbolt CE on Railway
- Passbolt-App — passbolt/passbolt:latest-ce (PHP 8.x, Nginx, Supervisor)
- MariaDB — mariadb:10.11 (MySQL-compatible relational database)
Environment Variables Reference for Passbolt CE
| Variable | Service | Description |
|---|---|---|
| APP_FULL_BASE_URL | Passbolt-App | Public HTTPS URL for the application |
| DATASOURCES_DEFAULT_HOST | Passbolt-App | MariaDB internal hostname |
| DATASOURCES_DEFAULT_PASSWORD | Passbolt-App | Database password (references MariaDB) |
| PASSBOLT_KEY_EMAIL | Passbolt-App | Email address for GPG server key |
| PASSBOLT_SSL_FORCE | Passbolt-App | Must be false behind Railway's TLS proxy |
| PASSBOLT_REGISTRATION_PUBLIC | Passbolt-App | Whether anyone can self-register |
| MYSQL_DATABASE | MariaDB | Database name |
| MYSQL_USER | MariaDB | Database user |
| MYSQL_PASSWORD | MariaDB | Database password |
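A pre-deploy check of the Passbolt-App variables in the table above, written as an added example (not code from Passbolt or Railway). Requiring PASSBOLT_REGISTRATION_PUBLIC to be explicitly false is this check's own policy, and the sample values are constructed.

```shell
#!/bin/sh
# Added example: checks the Passbolt-App variables listed in the table.
# Prints one line per finding; the return status is the number of findings.

check_passbolt_env() {
    findings=0
    finding() {
        printf 'FINDING: %s\n' "$1"
        findings=$((findings + 1))
    }

    # The public URL is used to build registration links, so it has to be
    # the HTTPS origin that users actually open.
    case "${APP_FULL_BASE_URL:-}" in
        https://?*) ;;
        *) finding "APP_FULL_BASE_URL is not an https:// URL" ;;
    esac

    # Per the table, this must stay false behind Railway's TLS proxy.
    [ "${PASSBOLT_SSL_FORCE:-}" = "false" ] ||
        finding "PASSBOLT_SSL_FORCE must be false behind Railway's TLS proxy"

    # Policy of this check (an assumption, not a Passbolt rule): a team vault
    # should not let anyone who can reach the URL create an account.
    [ "${PASSBOLT_REGISTRATION_PUBLIC:-}" = "false" ] ||
        finding "PASSBOLT_REGISTRATION_PUBLIC is not explicitly false"

    # Database connection settings must be present.
    [ -n "${DATASOURCES_DEFAULT_HOST:-}" ] ||
        finding "DATASOURCES_DEFAULT_HOST is empty"
    [ -n "${DATASOURCES_DEFAULT_PASSWORD:-}" ] ||
        finding "DATASOURCES_DEFAULT_PASSWORD is empty"

    # The server key is tied to this address; require a plausible one.
    case "${PASSBOLT_KEY_EMAIL:-}" in
        ?*@?*.?*) ;;
        *) finding "PASSBOLT_KEY_EMAIL is not an email address" ;;
    esac

    return "$findings"
}

# Constructed sample run with two deliberate mistakes
# (plain http base URL, open registration).
(
    APP_FULL_BASE_URL=http://vault.example.test
    PASSBOLT_SSL_FORCE=false
    PASSBOLT_REGISTRATION_PUBLIC=true
    DATASOURCES_DEFAULT_HOST=mariadb.internal.example
    DATASOURCES_DEFAULT_PASSWORD=constructed-sample-value
    PASSBOLT_KEY_EMAIL=vault@example.test
    check_passbolt_env
) || echo "findings: $?"
```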
Deployment Dependencies
- Runtime: PHP 8.x with GnuPG extension, Nginx, Supervisor
- Docker Hub: passbolt/passbolt
- GitHub: passbolt/passbolt_docker
- Official Docs: passbolt.com/docs/hosting
Hardware Requirements for Self-Hosting Passbolt CE
| Resource | Minimum | Recommended |
|---|---|---|
| CPU | 1 core | 2 cores |
| RAM | 1 GB | 2 GB |
| Storage | 500 MB (app) + 1 GB (DB) | 2 GB+ (scales with team size) |
| Runtime | Docker 20+ | Docker 24+ with Compose v2 |
Self-Hosting Passbolt CE with Docker
The fastest way to self-host Passbolt CE is with Docker Compose. Download the official compose file and configure your domain:
curl -LO https://download.passbolt.com/ce/docker/docker-compose-ce.yaml
# Edit APP_FULL_BASE_URL to your domain
docker compose -f docker-compose-ce.yaml up -d
After the containers start, register the first admin user:
docker compose -f docker-compose-ce.yaml exec passbolt \
su -m -c "/usr/share/php/passbolt/bin/cake passbolt register_user \
-u [email protected] -f Admin -l User -r admin" \
-s /bin/sh www-data
Open the registration URL in a browser with the Passbolt extension installed to complete setup.
Is Passbolt CE Free to Self-Host?
Passbolt Community Edition is 100% free and open source under AGPL-3.0. There are no user limits, no feature gates, and no license fees. Paid tiers exist for organizations needing SSO, account recovery, or managed hosting: Pro starts at approximately $49/month (10 users) and Cloud at approximately $54/month (10 users). On Railway, you only pay for the infrastructure — typically under $5/month for small teams.
Passbolt CE vs Bitwarden vs Vaultwarden
| Feature | Passbolt CE | Bitwarden | Vaultwarden |
|---|---|---|---|
| Open Source | Yes (AGPL-3.0) | Yes (GPL-3.0) | Yes (GPL-3.0) |
| Self-Hostable | Yes | Limited (paid) | Yes |
| Encryption | GPG (asymmetric) | AES-256 | AES-256 |
| Team Sharing | Native, all tiers | Paid plans only | Yes |
| Mobile Apps | iOS, Android | iOS, Android | Via Bitwarden apps |
| RBAC | Granular groups | Basic collections | Basic |
| API | Full REST API | Full REST API | Full REST API |
Passbolt stands out with asymmetric GPG encryption where the server is cryptographically unable to read passwords, while Bitwarden and Vaultwarden use symmetric encryption with server-side key derivation.
FAQ
What is Passbolt CE and why self-host it? Passbolt CE is a free, open-source password manager designed for team collaboration. Self-hosting gives you complete control over your credential data — passwords never leave your infrastructure, and you can audit exactly how they are stored and accessed.
What does this Railway template deploy for Passbolt CE? The template deploys two services: Passbolt-App (the PHP application with Nginx and GPG encryption) and MariaDB 10.11 (the database). It pre-configures database connectivity, persistent GPG key storage, HTTPS via Railway's edge proxy, and automatic database migrations.
Why does Passbolt CE need MariaDB on Railway? Passbolt stores user accounts, encrypted credential metadata, group permissions, and audit logs in a relational database. MariaDB 10.11 is the officially supported database engine. The template connects Passbolt to MariaDB via Railway's internal network for low-latency, secure communication.
How do I enable TOTP two-factor authentication in self-hosted Passbolt? After creating your admin account, navigate to your user profile in the Passbolt web interface and select "Multi-Factor Authentication." Enable TOTP and scan the QR code with any authenticator app (Google Authenticator, Authy, etc.). All users can independently enable MFA on their accounts.
Does self-hosted Passbolt CE support browser extensions and mobile apps? Yes. Passbolt provides official browser extensions for Chrome, Firefox, Edge, and Safari, plus native mobile apps for iOS and Android. The browser extension is required for initial account setup as it generates your personal GPG key pair. All clients connect to your self-hosted Railway URL.
How do I back up Passbolt credentials on Railway? Back up the MariaDB database using mysqldump via Railway's SSH access or TCP proxy. Also preserve the GPG keys stored in the /data/passbolt/gpg volume — these are required to decrypt stored passwords. Without matching GPG keys, database backups cannot be decrypted.
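The backup answer above as an added shell example (not code from Passbolt or Railway): one function writes the dump and key archive, the other rejects a set with a truncated dump or missing key files. The output names passbolt.sql and gpg.tar are hypothetical, and the key file names serverkey.asc and serverkey_private.asc are assumed from the upstream Passbolt Docker image.

```shell
#!/bin/sh
# Added example. Assumed layout (hypothetical names):
#   <dir>/passbolt.sql  from mysqldump
#   <dir>/gpg.tar       from the /data/passbolt/gpg volume

# Usage: MYSQL_PWD=... make_backup_set <db-host> <db-user> <db-name> <dir>
# MYSQL_PWD keeps the password out of the command line.
make_backup_set() {
    mysqldump --single-transaction -h "$1" -u "$2" "$3" \
        > "$4/passbolt.sql" || return 1
    tar -cf "$4/gpg.tar" -C /data/passbolt gpg
}

# Usage: verify_backup_set <dir>
# Returns 0 when the set is complete, otherwise 1-4 with a reason.
verify_backup_set() {
    dir=$1

    # A dump that was cut short lacks mysqldump's closing comment line.
    [ -s "$dir/passbolt.sql" ] ||
        { echo "dump missing or empty"; return 1; }
    tail -n 1 "$dir/passbolt.sql" | grep -q '^-- Dump completed' ||
        { echo "dump is truncated"; return 2; }

    # The key archive must be readable and contain both server key files
    # (file names assumed from the upstream image).
    listing=$(tar -tf "$dir/gpg.tar" 2>/dev/null) ||
        { echo "key archive missing or unreadable"; return 3; }
    for f in serverkey.asc serverkey_private.asc; do
        printf '%s\n' "$listing" | grep -Eq "(^|/)$f\$" ||
            { echo "key archive lacks $f"; return 4; }
    done

    echo "backup set complete"
}
```

Run verify_backup_set on the copy that lands in off-site storage, not only on the directory where the set was created.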
Template Content
- MariaDB: mariadb:10.11
- Passbolt: passbolt/passbolt:latest-ce

| Variable | Description |
|---|---|
| EMAIL_DEFAULT_FROM | From address — set after deploy (e.g. [email protected]) |
| PASSBOLT_KEY_EMAIL | GPG server key email |
| EMAIL_TRANSPORT_DEFAULT_HOST | SMTP server (e.g. smtp.gmail.com, smtp.sendgrid.net) |
| EMAIL_TRANSPORT_DEFAULT_PORT | SMTP port (587 TLS, 465 SSL) |
| EMAIL_TRANSPORT_DEFAULT_PASSWORD | SMTP password / app password — set after deploy |
| EMAIL_TRANSPORT_DEFAULT_USERNAME | SMTP username — set after deploy |

