How to Set-Up a Highly-Available Passbolt Environment

Louis Vallat

3 July, 2025

  • 3 fresh Debian 12 servers (named ha-1, ha-2 and ha-3 in this article)
  • Prior knowledge about MySQL/MariaDB and SQL
  • A firewall, such as nftables, to avoid having the database ports exposed on the internet
  • A dedicated, secure and preferably encrypted link between the servers for database communication

mysql -u <the Passbolt database user> -p <the Passbolt database name>

CREATE TABLE `sessions` (
  `id` char(40) CHARACTER SET ascii COLLATE ascii_bin NOT NULL,
  `created` datetime DEFAULT CURRENT_TIMESTAMP, -- Optional
  `modified` datetime DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, -- Optional
  `data` blob DEFAULT NULL, -- for PostgreSQL use bytea instead of blob
  `expires` int(10) unsigned DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

'Session' => [
    'defaults' => 'database'
],

[galera]
# Mandatory settings
wsrep_on                   = ON
wsrep_provider             = /usr/lib/galera/libgalera_smm.so
wsrep_cluster_name         = "Passbolt HA Galera"
wsrep_cluster_address      = gcomm://<ha-1 IP>,<ha-2 IP>,<ha-3 IP>
binlog_format              = row
default_storage_engine     = InnoDB
innodb_autoinc_lock_mode   = 2
innodb_force_primary_key   = 1

# Allow server to accept connections on all interfaces. The firewall listed in
# the prerequisites must keep the database ports off the internet.
bind-address               = 0.0.0.0

# Optional settings
#wsrep_slave_threads       = 1
#innodb_flush_log_at_trx_commit = 0
log_error                  = /var/log/mysql/error-galera.log

$ mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 36
Server version: 10.11.11-MariaDB-0+deb12u1 Debian 12

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help.  Type '\c' to clear the current input statement.

MariaDB [(none)]> show status like 'wsrep_cluster_size';
+--------------------+-------+
| Variable_name      | Value |
+--------------------+-------+
| wsrep_cluster_size | 1     |
+--------------------+-------+
1 row in set (0.001 sec)

MariaDB [(none)]>

bind-address = 0.0.0.0

$ mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 49
Server version: 10.11.11-MariaDB-0+deb12u1 Debian 12

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help.  Type '\c' to clear the current input statement.

MariaDB [(none)]> show status like 'wsrep_cluster_size';
+--------------------+-------+
| Variable_name      | Value |
+--------------------+-------+
| wsrep_cluster_size | 3     |
+--------------------+-------+
1 row in set (0.001 sec)

MariaDB [(none)]>
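
The `wsrep_cluster_size` query above only confirms that all three nodes have joined. The following added example (not part of the original article) goes further and also checks that the node sits in the Primary component, is ready and is synced; `galera_health`, the `sample_*` helpers and their rows are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article. Reads the tab-separated rows of
#   mysql -N -B -e "SHOW GLOBAL STATUS LIKE 'wsrep_%'"
# on stdin. galera_health and the sample_* helpers are hypothetical names.

# galera_health EXPECTED_SIZE
# Prints one line per failed check; returns 0 only when all checks pass.
galera_health() {
    awk -F '\t' -v want="$1" '
        function check(name, expected) {
            # Compare as strings so a missing variable never matches.
            if ((v[name] "") != (expected "")) {
                printf "%s is \"%s\", expected \"%s\"\n", name, v[name], expected
                bad = 1
            }
        }
        { v[$1] = $2 }
        END {
            check("wsrep_cluster_size", want)             # every node has joined
            check("wsrep_cluster_status", "Primary")      # this side holds quorum
            check("wsrep_connected", "ON")                # linked to the cluster
            check("wsrep_ready", "ON")                    # node accepts queries
            check("wsrep_local_state_comment", "Synced")  # not joining or donating
            exit bad + 0
        }'
}

# Constructed sample: node in a healthy three-node cluster.
sample_ok() {
    printf '%s\t%s\n' wsrep_cluster_size 3 wsrep_cluster_status Primary \
        wsrep_connected ON wsrep_ready ON wsrep_local_state_comment Synced
}

# Constructed sample: node cut off from its two peers (no quorum).
sample_split() {
    printf '%s\t%s\n' wsrep_cluster_size 1 wsrep_cluster_status non-Primary \
        wsrep_connected ON wsrep_ready OFF wsrep_local_state_comment Initialized
}

sample_ok | galera_health 3 && echo "node healthy"
sample_split | galera_health 3 || echo "node must not serve Passbolt traffic"
```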
  • /etc/passbolt/passbolt.php
  • /etc/passbolt/gpg/
  • /etc/passbolt/jwt/

sudo -u www-data bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck"
[PASS] No error found. Nice one, sparky!

    • make sure that your certificates are identical across all nodes to avoid HTTPS issues when communicating with different nodes
    • have a short enough DNS record TTL (like 60) so that in case of a node going down, you can quickly remove it from the DNS records to minimize disruption