Offline Passbolt CE stack for on-premise secret management
Small, focused, and built for environments where installation has to work without Internet access.
Made for private deployments, offline delivery, and straightforward operations.
This project provides a small internal Passbolt base for teams that need a private secret manager without depending on Internet access at install time.
- fully offline installation flow
- Passbolt CE in non-root container mode
- dedicated MariaDB backend
- internal HTTPS support
- local self-signed fallback for lab or validation use
- simple deployment with Docker Compose or Podman Compose
This stack fits small internal deployments where Passbolt needs to stay on a private network, use internal DNS and TLS, and remain easy to hand over to a customer or operations team.
Included:
- Passbolt CE in non-root container mode
- dedicated MariaDB container
- Docker Compose and Podman Compose deployment files
- offline image bundle preparation
- install, bootstrap, and verification scripts
- internal HTTPS support
- basic container hardening
- documentation for install, security, and acceptance
Not included:
- Docker or Podman installation on the host
- automatic certificate issuance
- public SMTP service
- high availability
- external database
- advanced monitoring
- SSO, LDAP, or directory integration
- ready-made automated backups
Current defaults fit a small team:
| Component | Sizing |
|---|---|
| Host | 4 vCPU, 8 GB RAM, 100 GB SSD |
| Passbolt | 2 vCPU max, 3 GB RAM max |
| MariaDB | 1 vCPU max, 2 GB RAM max |
| Team size | about 20 to 30 accounts, 5 to 10 active users |
Repository layout:
- compose/ - Docker Compose and Podman Compose files
- scripts/ - preflight, import, install, bootstrap, verify, helpers
- artifacts/ - exported images, manifests, checksums
- certs/ - local TLS drop-in directory, not versioned
- docs/ - architecture, security, install, egress control, acceptance
Prepare the offline bundle:

```sh
cp .env.example .env
$EDITOR .env
./scripts/prepare-bundle.sh
```

Then transfer the repository and image archives to the target site.
On the target site:

```sh
cp .env.example .env
$EDITOR .env
```

For production, provide:
- certs/passbolt.crt
- certs/passbolt.key
These files should match PASSBOLT_FQDN and ideally come from the customer's internal PKI.
If no certificate files are present, preflight.sh generates a local self-signed certificate automatically.
That fallback is useful for lab, demo, or validation use, but it should be replaced before production handover.
Docker:

```sh
./scripts/install.sh docker
./scripts/bootstrap-admin.sh docker
./scripts/verify.sh docker
```

Podman:

```sh
./scripts/install.sh podman
./scripts/bootstrap-admin.sh podman
./scripts/verify.sh podman
```

Review these values in .env:
- PASSBOLT_FQDN
- PASSBOLT_HTTP_PORT
- PASSBOLT_HTTPS_PORT
- PASSBOLT_IMAGE
- MARIADB_IMAGE
- DB_NAME
- DB_USER
- DB_PASSWORD
- PASSBOLT_KEY_*
- FIRST_ADMIN_*
- SMTP_*
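On an air-gapped host these values are easy to leave at their example defaults, so a preflight pass over .env is worth having. The following is an added example, not one of the repository's scripts; it assumes the variable names listed above, and its 16-character password minimum, placeholder list and hostname rule are choices made for this example.

```python
"""Preflight check of .env values (added example, not one of the repository's scripts).
Variable names are those listed above; the 16-character minimum, the
placeholder list and the hostname rule are assumptions made for this example."""
import re
import sys
from pathlib import Path

REQUIRED = ["PASSBOLT_FQDN", "PASSBOLT_HTTPS_PORT", "PASSBOLT_IMAGE",
            "MARIADB_IMAGE", "DB_NAME", "DB_USER", "DB_PASSWORD"]
PLACEHOLDERS = {"changeme", "password", "passbolt", "secret"}  # constructed list
# Fully qualified DNS name: the value must match the certificate's subject/SAN.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments, stripping matching quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def check_env(env):
    """Return a list of findings; an empty list means the values pass."""
    findings = [f"{k} is missing or empty" for k in REQUIRED if not env.get(k)]
    fqdn = env.get("PASSBOLT_FQDN", "").lower()
    if fqdn and not HOSTNAME_RE.match(fqdn):
        findings.append("PASSBOLT_FQDN must be a DNS name the TLS certificate covers, not an IP or bare host")
    pw = env.get("DB_PASSWORD", "")
    if pw and (len(pw) < 16 or pw.lower() in PLACEHOLDERS):
        findings.append("DB_PASSWORD is a placeholder or shorter than 16 characters")
    for key in ("PASSBOLT_IMAGE", "MARIADB_IMAGE"):
        ref = env.get(key, "")
        # Offline installs need the exact image from the bundle: a digest or a fixed tag.
        if ref and "@sha256:" not in ref and (":" not in ref.rsplit("/", 1)[-1] or ref.endswith(":latest")):
            findings.append(f"{key} must be pinned to a tag or digest present in the offline bundle, not :latest")
    port = env.get("PASSBOLT_HTTPS_PORT", "")
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append("PASSBOLT_HTTPS_PORT is not a valid TCP port")
    return findings


if __name__ == "__main__":
    # Prints the findings and exits 1 if any, otherwise exits 0.
    sys.exit("\n".join(check_env(parse_env(Path(".env").read_text()))) or 0)
```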
- Passbolt runs in non-root mode
- internal HTTPS is required
- self-registration is disabled
- MariaDB stays on a backend-only network
- persistent data is separated for database, GPG, and JWT material
- basic hardening is applied with no-new-privileges, cap_drop, CPU and RAM limits
The repository avoids Internet downloads during installation and normal use.
Actual egress blocking still has to be enforced outside the repo, at host or network level:
- host firewall
- network ACLs
- micro-segmentation
- allow-list for required internal services only
See docs/no-internet-egress.md.
This is a focused V1:
- no directory integration or SSO
- no built-in backup workflow
- no automatic certificate rotation
- production deployments should replace the self-signed TLS fallback
Documentation:
- docs/architecture.md
- docs/install-offline.md
- docs/security.md
- docs/no-internet-egress.md
- docs/acceptance-checklist.md