How to Upgrade Passbolt Installed from Source on Ubuntu

In this tutorial, you will learn how to upgrade Passbolt installed from source on Ubuntu System. There are different ways in which one can install Passbolt password manager on their systems. The method of installation will determine how one can upgrade Passbolt to the latest version as per the releases.

How to Upgrade Passbolt Installed from Source on Ubuntu

As already mentioned, the method to use to upgrade or to update Passbolt is determined by how you installed it initially.

In my environment, Passbolt was installed from source code and thus, this guide will focus mainly on how you can easily upgrade Passbolt installed from sources on Ubuntu systems.

Check Current Version of Passbolt

Before we proceed, let’s confirm the current version of Passbolt we are running by running the command below;

sudo cat /var/www/passbolt/config/version.php

Sample Output confirming the current Passbolt version I am running, which v2.12.2.

return [
    'passbolt' => [
        'version' => '2.12.0',
        'name' => 'Call me'

As of this writing, Passbolt v3.5.0 is the current release version as per the releases page.

Thus, it is time to upgrade Passbolt installed from source.

System Requirements

Among the system requirements for the installation/running of Passbolt, you should at least have the following;

  • PHP >= 7.3.0
  • MariaDB/Mysql >= 5.5.59
  • Composer >= 2

How to Upgrade Passbolt Installed from Source on Ubuntu

The Major system components that enables Passbolt to run is the LAMP/LEMP stack components. We used LAMP Stack in our current setup.

Thus, you need to upgrade these components to match the versions required by the current version of Passbolt.

Stop HTTP Server

To begin with, stop the web server service. As mentioned above, we are using LAMP stack in our setup. hence, Apache is our HTTP server.

sudo systemctl stop apache2

Upgrade PHP and Required Modules

You need to have PHP >= 7.3.0 and required Modules. Current versions of Passbolt requires PHP >= 7.3.0.

The installed version of PHP in my passbolt server is PHP 7.2;

php -v
PHP 7.2.24-0ubuntu0.18.04.10 (cli) (built: Oct 25 2021 17:47:59) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.2.24-0ubuntu0.18.04.10, Copyright (c) 1999-2018, by Zend Technologies

I am going to install PHP 7.4 and required Passbolt PHP modules;

sudo apt install php7.4 php7.4-gnupg php7.4-intl php7.4-mbstring php7.4-fpm php7.4-mysql php7.4-xml php7.4-curl php7.4-json php7.4-gd php7.4-ldap php7.4-imagick libapache2-mod-php7.4 -y

If your current Ubuntu system default repositories do not have PHP 7.4/7.3, you can install Onderj/PHP PPA repository;

sudo add-apt-repository ppa:ondrej/php --yes
sudo apt update

Then install PHP 7.3 or PHP 7.4 as shown above.

Disable Old Apache PHP Modules and Enable Current Apache PHP Modules

Next, disable old Apache PHP modules. For example, in current setup, we are running PHP 7.2 as shown above. Thus;

sudo a2dismod php7.2

And since I am running PHP 7.4, let’s enable its Apache modules;

sudo a2enmod php7.4

Set the Default PHP Version to use

If at this point you have multiple versions of PHP running, you need to configure, at least PHP 7.4 as the default PHP version to use with Passbolt.

sudo update-alternatives --config php

I will set PHP 7.4 to default, hence option 2 in the prompt below;

There are 3 choices for the alternative php (providing /usr/bin/php).

  Selection    Path             Priority   Status
* 0            /usr/bin/php8.1   81        auto mode
  1            /usr/bin/php7.2   72        manual mode
  2            /usr/bin/php7.4   74        manual mode
  3            /usr/bin/php8.1   81        manual mode

Press  to keep the current choice[*], or type selection number: 2
update-alternatives: using /usr/bin/php7.4 to provide /usr/bin/php (php) in manual mode

Confirm your default PHP version;

php -v
PHP 7.4.27 (cli) (built: Dec 20 2021 21:27:56) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.27, Copyright (c), by Zend Technologies

Upgrade MySQL/MariaDB Database

I am currently running MariaDB 10.3;

mysql -V
mysql  Ver 15.1 Distrib 10.3.31-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

To upgrade MariaDB to 10.6;

Backup the current databases;

mysqldump -u root -p --all-databases > /home/itnixpro/backup/all-dbs.bak.sql

To backup specific database;

mysqldump -u user -p passbolt-db > /home/itnixpro/backup/passbolt-db.sql

Next, Install MariaDB 10.6 APT repos from MariaDB repositories site for your specific system;

sudo apt install software-properties-common dirmngr apt-transport-https
sudo apt-key adv --fetch-keys ''
echo 'deb [arch=amd64,arm64,ppc64el] focal main' | sudo tee /etc/apt/sources.list.d/mariadb.list
sudo apt update

Stop MariaDB;

sudo systemctl stop mariadb

Upgrade MariaDB;

sudo apt install --only-upgrade  mariadb-server mariadb-client

Once the installation is done, Start MariaDB;

sudo systemctl daemon-reload
sudo systemctl start mariadb

Next, check tables for MariaDB upgrade;

mysql_upgrade -u root -p

Ensure there is no error;

Phase 1/7: Checking and upgrading mysql database
Processing databases
mysql.column_stats                                 OK
mysql.columns_priv                                 OK
mysql.db                                           OK
mysql.event                                        OK
mysql.func                                         OK
mysql.gtid_slave_pos                               OK
mysql.help_category                                OK
mysql.help_keyword                                 OK
mysql.help_relation                                OK
mysql.help_topic                                   OK                                         OK
mysql.index_stats                                  OK
mysql.innodb_index_stats                           OK
mysql.innodb_table_stats                           OK
mysql.plugin                                       OK
mysql.proc                                         OK
mysql.procs_priv                                   OK
mysql.proxies_priv                                 OK
mysql.roles_mapping                                OK
mysql.servers                                      OK
mysql.table_stats                                  OK
mysql.tables_priv                                  OK
mysql.time_zone                                    OK
mysql.time_zone_leap_second                        OK
mysql.time_zone_name                               OK
mysql.time_zone_transition                         OK
mysql.time_zone_transition_type                    OK
mysql.user                                         OK
Phase 2/7: Installing used storage engines... Skipped
Phase 3/7: Fixing views
Phase 4/7: Running 'mysql_fix_privilege_tables'
Phase 5/7: Fixing table and database names
Phase 6/7: Checking and upgrading tables
Processing databases
pass.action_logs                                   OK
pass.actions                                       OK
pass.authentication_tokens                         OK
pass.comments                                      OK
pass.email_queue                                   OK
pass.entities_history                              OK
pass.favorites                                     OK
pass.file_storage                                  OK
pass.gpgkeys                                       OK
pass.groups                                        OK
pass.groups_users                                  OK
pass.organization_settings                         OK
pass.permissions                                   OK
pass.permissions_history                           OK
pass.phinxlog                                      OK
pass.profiles                                      OK
pass.resources                                     OK
pass.roles                                         OK
pass.secret_accesses                               OK
pass.secrets                                       OK
pass.secrets_history                               OK
pass.user_agents                                   OK
pass.users                                         OK
sys.sys_config                                     OK
Phase 7/7: Running 'FLUSH PRIVILEGES'

Upgrade PHP Composer

Check the current version of Composer.

composer.phar --version
Composer version 1.10.0 2020-03-10 14:08:05

Passbolt requires composer.phar >= 2. Upgrade it then;

sudo php /usr/bin/composer.phar self-update

Recheck the version again.

composer.phar --version
Composer version 2.2.6 2022-02-04 17:00:38

Update the Passbolt Code

Navigate to Passbolt web root directory and update the files in the working tree to match the current version;

cd /var/www/passbolt
sudo git checkout HEAD .

Download the latest Passbolt code;

sudo git pull origin master

Update the required Passbolt dependencies.

sudo php -d allow_url_fopen=on /usr/bin/composer.phar install --no-dev -n -o
Package operations: 25 installs, 18 updates, 14 removals
  - Downloading cakephp/plugin-installer (1.3.1)
  - Downloading psr/log (1.1.4)
  - Downloading psr/http-server-handler (1.0.1)
  - Downloading psr/http-server-middleware (1.0.1)
  - Downloading psr/http-client (1.0.1)
  - Downloading psr/container (1.1.1)
  - Downloading league/container (3.4.1)
  - Downloading psr/http-factory (1.0.1)
  - Downloading laminas/laminas-diactoros (2.8.0)
  - Downloading laminas/laminas-zendframework-bridge (1.4.0)
  - Downloading laminas/laminas-httphandlerrunner (1.5.0)
  - Downloading composer/ca-bundle (1.3.1)
  - Downloading cakephp/chronos (2.3.0)
  - Downloading cakephp/cakephp (4.2.9)
  - Downloading bcrowe/cakephp-api-pagination (2.1.1)
  - Downloading cakephp/authentication (2.7.0)
  - Downloading symfony/polyfill-php80 (v1.23.1)
  - Downloading symfony/polyfill-mbstring (v1.23.1)
  - Downloading symfony/polyfill-intl-normalizer (v1.23.0)
  - Downloading symfony/polyfill-intl-grapheme (v1.23.1)
  - Downloading symfony/polyfill-ctype (v1.23.0)
  - Downloading symfony/string (v5.3.10)
  - Downloading symfony/service-contracts (v2.4.0)
  - Downloading symfony/polyfill-php73 (v1.23.0)
  - Downloading symfony/deprecation-contracts (v2.4.0)
  - Downloading symfony/console (v5.3.10)
  - Downloading symfony/polyfill-php81 (v1.23.0)
  - Downloading symfony/filesystem (v5.3.4)
  - Downloading symfony/config (v5.3.10)
  - Downloading robmorgan/phinx (0.12.9)
  - Downloading cakephp/migrations (3.1.0)
  - Downloading donatj/phpuseragentparser (v1.5.0)
  - Downloading firebase/php-jwt (v5.5.1)
  - Downloading imagine/imagine (1.2.4)
  - Downloading league/mime-type-detection (1.8.0)
  - Downloading league/flysystem (2.3.1)
  - Downloading lorenzo/cakephp-email-queue (4.0.0)
  - Downloading mobiledetect/mobiledetectlib (2.8.37)
  - Downloading ramsey/collection (1.2.2)
  - Downloading brick/math (0.9.3)
  - Downloading ramsey/uuid (4.2.3)
  - Downloading phpseclib/phpseclib (2.0.34)
  - Downloading singpolyma/openpgp-php (0.5.0)
  - Removing zendframework/zend-diactoros (1.8.7)
  - Removing thadafinser/user-agent-parser (v2.0.0)
  - Removing thadafinser/package-info (v1.0.0)
  - Removing symfony/yaml (v3.4.36)
  - Removing symfony/debug (v3.4.36)
  - Removing ralouphie/getallheaders (3.0.3)
  - Removing paragonie/random_compat (v9.99.99)
  - Removing knplabs/gaufrette (v0.7.0)
  - Removing guzzlehttp/psr7 (1.6.1)
  - Removing guzzlehttp/promises (v1.3.1)
  - Removing guzzlehttp/guzzle (6.4.1)
  - Removing burzum/cakephp-imagine-plugin (3.x-dev 3ef5969)
  - Removing burzum/cakephp-file-storage (2.1)
  - Removing aura/intl (3.0.0)
  - Removing cakephp/plugin-installer (1.1.1)
  - Installing cakephp/plugin-installer (1.3.1): Extracting archive
  - Upgrading psr/log (1.1.2 => 1.1.4): Extracting archive
  - Installing psr/http-server-handler (1.0.1): Extracting archive
  - Installing psr/http-server-middleware (1.0.1): Extracting archive
  - Installing psr/http-client (1.0.1): Extracting archive
  - Installing psr/container (1.1.1): Extracting archive
  - Installing league/container (3.4.1): Extracting archive
  - Installing psr/http-factory (1.0.1): Extracting archive
  - Installing laminas/laminas-diactoros (2.8.0): Extracting archive
  - Installing laminas/laminas-zendframework-bridge (1.4.0): Extracting archive
  - Installing laminas/laminas-httphandlerrunner (1.5.0): Extracting archive
  - Installing composer/ca-bundle (1.3.1): Extracting archive
  - Upgrading cakephp/chronos (1.3.0 => 2.3.0): Extracting archive
  - Upgrading cakephp/cakephp (3.8.6 => 4.2.9): Extracting archive
  - Installing bcrowe/cakephp-api-pagination (2.1.1): Extracting archive
  - Installing cakephp/authentication (2.7.0): Extracting archive
  - Installing symfony/polyfill-php80 (v1.23.1): Extracting archive
  - Upgrading symfony/polyfill-mbstring (v1.13.1 => v1.23.1): Extracting archive
  - Installing symfony/polyfill-intl-normalizer (v1.23.0): Extracting archive
  - Installing symfony/polyfill-intl-grapheme (v1.23.1): Extracting archive
  - Upgrading symfony/polyfill-ctype (v1.13.1 => v1.23.0): Extracting archive
  - Installing symfony/string (v5.3.10): Extracting archive
  - Installing symfony/service-contracts (v2.4.0): Extracting archive
  - Installing symfony/polyfill-php73 (v1.23.0): Extracting archive
  - Installing symfony/deprecation-contracts (v2.4.0): Extracting archive
  - Upgrading symfony/console (v3.4.36 => v5.3.10): Extracting archive
  - Installing symfony/polyfill-php81 (v1.23.0): Extracting archive
  - Upgrading symfony/filesystem (v3.4.36 => v5.3.4): Extracting archive
  - Upgrading symfony/config (v3.4.36 => v5.3.10): Extracting archive
  - Upgrading robmorgan/phinx (0.11.1 => 0.12.9): Extracting archive
  - Upgrading cakephp/migrations (2.4.0 => 3.1.0): Extracting archive
  - Upgrading donatj/phpuseragentparser (v0.7.0 => v1.5.0): Extracting archive
  - Installing firebase/php-jwt (v5.5.1): Extracting archive
  - Upgrading imagine/imagine (v0.6.3 => 1.2.4): Extracting archive
  - Installing league/mime-type-detection (1.8.0): Extracting archive
  - Installing league/flysystem (2.3.1): Extracting archive
  - Upgrading lorenzo/cakephp-email-queue (3.3.1 => 4.0.0): Extracting archive
  - Upgrading mobiledetect/mobiledetectlib (2.8.34 => 2.8.37): Extracting archive
  - Installing ramsey/collection (1.2.2): Extracting archive
  - Installing brick/math (0.9.3): Extracting archive
  - Upgrading ramsey/uuid (3.9.1 => 4.2.3): Extracting archive
  - Upgrading phpseclib/phpseclib (2.0.4 => 2.0.34): Extracting archive
  - Upgrading singpolyma/openpgp-php (0.3.0 => 0.5.0): Extracting archive
Package webmozart/path-util is abandoned, you should avoid using it. Use symfony/filesystem instead.
Generating optimized autoload files
27 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
> App\Console\Installer::postInstall
Permissions set on /var/www/passbolt/tmp/avatars
Permissions set on /var/www/passbolt/tmp/cache
Permissions set on /var/www/passbolt/tmp/cache/database
Permissions set on /var/www/passbolt/tmp/cache/models
Permissions set on /var/www/passbolt/tmp/cache/persistent
Permissions set on /var/www/passbolt/tmp/cache/views
Permissions set on /var/www/passbolt/tmp/selenium
Permissions set on /var/www/passbolt/tmp/sessions
Permissions set on /var/www/passbolt/tmp/tests
Permissions set on /var/www/passbolt/tmp
No Security.salt placeholder to replace.

Run the migration script

Next, run the Passbolt migration script.

sudo -H -u www-data bash -c "./bin/cake passbolt migrate --backup"

The command will create a backup of the current database and place it under /var/www/passbolt/tmp/cache/database/backup_xxxxxxxxxx.sql. This is so you can easily revert in case things don’t go well.

The migration process may take sometime.

When all is done, you should get such an output;

All Done. Took 1973.3069s
Clearing default
Cleared default cache
Clearing _cake_core_
Cleared _cake_core_ cache
Clearing _cake_model_
Cleared _cake_model_ cache

Passbolt should now be upgraded.


cat /var/www/passbolt/config/version.php
return [
    'passbolt' => [
        'version' => '3.5.0',
        'name' => 'Wide Open'

Clear Passbolt App Cache

After the upgrade, clear the application cache;

sudo -H -u www-data bash -c "/var/www/passbolt/bin/cake cache clear_all"

Create Passbolt JWT Key Pairs

To begin with, create set the ownership of the JWT keys directory to Apache’s Web server user;

sudo chown -R www-data: /var/www/passbolt/config/jwt

Next, generate the JWT keys;

sudo -H -u www-data bash -c "/var/www/passbolt/bin/cake passbolt create_jwt_keys"

Sample command output;

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
A JWT key pair was successfully created.
Public key path: /var/www/passbolt/config/jwt/jwt.pem
Secret key path: /var/www/passbolt/config/jwt/jwt.key

Start Apache Web Server;

You can now start your web server

sudo systemctl start apache2

Run Passbolt Health Check

Execute the command below to run Passbolt health checks;

sudo -H -u www-data bash -c "/var/www/passbolt/bin/cake passbolt healthcheck"

Ensure there is no error from the health check;

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
 Healthcheck shell        


 [PASS] PHP version 7.4.27.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate


 [PASS] The application is able to connect to the database
 [PASS] 26 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /home/www-data/.gnupg.
 [PASS] The directory /home/www-data/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [PASS] Using latest passbolt version (3.5.0).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [WARN] Registration is open to everyone.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set passbolt.registration.public to false in config/passbolt.php.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /var/www/passbolt/config/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 [PASS] No error found. Nice one sparky!

Login to Upgraded Passbolt and Verify your Passwords are Intact

You can now login to Passbolt and confirm if all your passwords are in place.

How to Upgrade Passbolt Installed from Source on Ubuntu

And there you go. All my passwords are in place.

That marks the end of our tutorial on how to upgrade Passbolt installed from source on Ubuntu System.


Update passbolt source install

Founder of|Linux Engineer|Author at

Leave a Comment