Create A Backup of Passbolt Data With A Bash Script

There’s one crucial aspect that’s often overlooked when running your own self-hosted software: reliable backups. While some applications only need a database backup, passbolt has a few other files that should also be backed up. There’s a section on the help site with distribution-specific details. You can use these pages to see what’s needed for backups, but it’s up to you to take the time to do them regularly.

The Backup Bash Script

Because backups are so important, and the additional backup elements, passbolt has written a Bash script that you can use to perform regular backups. All you have to do is place this script on your server and make a few modifications. Then you'll be able to backup on a consistent basis, ensuring that you can restore your instance whenever you need to.

Gather Your Tools

Before you dive in though, there are some things you’ll need:

• A passbolt server or container
• A MariaDB Server or MySQL server installed on the passbolt instance - this script uses mysqldump
• A user with the right permissions to use either the sudo or su command

Creating Backups With The Script

Once you have your tools at the ready, you can get started.

First, get the script onto your server or container running this simple command:

wget https://raw.githubusercontent.com/passbolt/lab-passbolt-admin-scripts/main/backup.sh

Then ensure it has the power to execute:

chmod +x backup.sh

If you’re not using Docker then you can start editing the backup.sh script to set the webserver_user on line 4. Just remove the comment and enter your webserver user (nginx or www-data; the choice is yours)

Realistically, you can run the script at this point and let it work its magic. But before you do, make sure the backup_dir variable is set to your desired location. You may want to change this, as it defaults to /tmp. It's also where you set the filename if you want to use a format other than the default.

You're now in a position to run the script. As some of these commands use the web server user to run them, you may need to run them with sudo:

sudo ./backup.sh

Voila! You should now have the backup tar file in the directory that you specified. Unpack it and check that all the files you expected have been included. You can do this by running the command below:

tar -xzf /<Backup Dir>/<Backup File>.tar.gz
ls -al

It should return something like this:

Next Steps

Now that you have a tar file in your backup, what’s next? Let’s take a look at a few things you may want to do now.

Testing You Backups

While you could take our word for it, you should put it to the test and make sure this backup can bring up an instance. Make sure you have what you need and you know the steps to take if you ever lose your passbolt instance. The help site has a page dedicated to upgrading and migrating servers that doubles as instructions on how to use these backup files.

Automate It With cronjob

While having one backup is better than none, having regular and consistent backups is ideal. Decide how often you’d like to run the script - it could be daily (what’s recommended) or as frequently as you wish. Then set up a cronjob for it!

Keep A Copy Off-Site

You’ll want to keep your backup files somewhere outside of your passbolt in case something happens to your instance. If you set the script to run as a cronjob, you’ll also want to include moving the tar file off of the server as part of it.

Limitations to Consider

Like with anything, there are some limitations to take into consideration with this script method.

Non-root Docker

As it stands, this script won’t work with the non-root Docker container provided by passbolt. You won’t be able to install the necessary package to make it work, as this requires the installation of a mariadb-server, and the default www-data user doesn’t have the ability to run sudo commands. In these situations, you’ll have to use the more standard backup option.

Mysqldump

When running the database backup, this script uses mysqldump. And while normally there’s nothing wrong with this, on larger databases it can take a while to run. Restoring from an SQL file can also be time consuming. So if you need to restore quickly, or have a large database, consider using alternative backup methods.

From source installation

This backup script assumes you're using either Docker or one of the passbolt packages for your installation. The file paths that it uses are set to /etc/passbolt by default. So if you are running a from source installation and want to use the backup script, you'll need to edit it accordingly to get it working for your instance.