How to Install sysPass Password Manager on Debian 11
sysPass is a web-based password management application written in PHP. It is secure, reliable, and runs in a multiuser environment for business and personal use. It stores passwords in a database, encrypted bidirectionally with a master password. It provides an intuitive web UI that helps you set options such as LDAP auth, mail, auditing, backup, and import/export.
Features
- Free and Open-source
- Group/Profile access control
- Password encryption
- File storage with inline image viewer
- OpenLDAP and Active Directory integration
- Email notifications
In this tutorial, I will show you how to install the sysPass password manager and secure it with a free Let's Encrypt SSL certificate on Debian 11.
Prerequisites
- A server running Debian 11.
- A valid domain name pointed to your server's IP address.
- A root password is configured on the server.
Install Apache, MariaDB and PHP
sysPass runs on a web server, is written in PHP, and uses MariaDB as its database backend. You will therefore need to install the Apache web server, the MariaDB database server, PHP, and the required PHP extensions on your server. You can install all of them using the following command:
apt-get install apache2 mariadb-server libapache2-mod-php php php-mysqli php-pdo php-pear php php-cgi php-cli php-common php-gd php-json php-readline php-curl php-intl php-ldap php-xml php-mbstring git -y
Once all the packages are installed, edit the php.ini file and make some changes:
nano /etc/php/7.4/apache2/php.ini
Change the following settings:
post_max_size = 100M
upload_max_filesize = 100M
max_execution_time = 7200
memory_limit = 512M
date.timezone = Asia/Kolkata
Save and close the file when you are finished. Next, restart the Apache service to apply the configuration changes:
systemctl restart apache2
Create a Database for sysPass
By default, the MariaDB installation is not secured, so you will need to secure it first. You can secure it using the following command:
mysql_secure_installation
Answer all the questions as shown below to set a MariaDB root password and secure the installation:
Enter current password for root (enter for none):
Switch to unix_socket authentication [Y/n] Y
Change the root password? [Y/n] Y
New password:
Re-enter new password:
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y
Once you are done, log in to the MariaDB interface with the following command:
mysql -u root -p
You will be asked to provide the MariaDB root password. Once you are logged in, create a database and user with the following commands, replacing "password" with a strong password of your own:
MariaDB [(none)]> create database syspassdb;
MariaDB [(none)]> grant all privileges on syspassdb.* to syspassuser@localhost identified by "password";
Next, flush the privileges and exit from the MariaDB shell with the following commands:
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit;
At this point, your MariaDB database and user are ready for sysPass. You can now proceed to the next step.
Install sysPass
First, you will need to download the latest version of sysPass from the Git repository. You can download it using the following command:
git clone https://github.com/nuxsmin/sysPass.git
Once the download is completed, move the downloaded directory to the Apache web root directory:
mv sysPass /var/www/html/syspass
Next, set proper ownership on the syspass directory with the following command:
chown -R www-data:www-data /var/www/html/syspass
Next, set proper permissions on the config and backup directories:
chmod 750 /var/www/html/syspass/app/{config,backup}
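The ownership and permission steps above can be verified with a short audit script. This is an added example, not part of the original tutorial or the sysPass project; it assumes GNU stat and find as shipped with Debian, and EXPECTED_OWNER, EXPECTED_MODE, check_dir and audit_syspass are names chosen for this example:

```shell
#!/bin/sh
# Added example (not from the sysPass project): audit the directories
# locked down by the chown/chmod steps. Assumes GNU stat and find (Debian).
# EXPECTED_OWNER and EXPECTED_MODE are this example's own variable names.
EXPECTED_OWNER="${EXPECTED_OWNER:-www-data:www-data}"
EXPECTED_MODE="${EXPECTED_MODE:-750}"

# check_dir DIR: print one line per finding; return 0 only if DIR is clean.
check_dir() {
    dir="$1"
    rc=0
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL $dir: missing, or not a real directory"
        return 1
    fi
    mode="$(stat -c '%a' "$dir")"
    owner="$(stat -c '%U:%G' "$dir")"
    if [ "$mode" != "$EXPECTED_MODE" ]; then
        echo "FAIL $dir: mode $mode, expected $EXPECTED_MODE"
        rc=1
    fi
    if [ "$owner" != "$EXPECTED_OWNER" ]; then
        echo "FAIL $dir: owner $owner, expected $EXPECTED_OWNER"
        rc=1
    fi
    # Anything below DIR that grants a permission bit to "other" users.
    loose="$(find "$dir" -mindepth 1 ! -type l -perm /007 2>/dev/null)"
    if [ -n "$loose" ]; then
        echo "FAIL $dir: entries accessible to other users:"
        echo "$loose" | sed 's/^/    /'
        rc=1
    fi
    return "$rc"
}

# audit_syspass ROOT: check ROOT/app/config and ROOT/app/backup.
audit_syspass() {
    root="$1"
    failures=0
    for sub in app/config app/backup; do
        check_dir "$root/$sub" || failures=$((failures + 1))
    done
    [ "$failures" -eq 0 ]
}

# Run only when a path is given, e.g.: sh audit.sh /var/www/html/syspass
if [ "$#" -gt 0 ]; then
    audit_syspass "$1" && echo "OK: config and backup directories are locked down"
fi
```

Re-run it after any later step that writes into these directories, since newly created files take their mode from the writing process's umask.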
Next, you will need to install Composer on your system.
First, create a Composer installation script with the following command:
nano /var/www/html/syspass/install-composer.sh
Add the following lines:
#!/bin/sh

# Fetch the published SHA-384 checksum of the installer.
EXPECTED_SIGNATURE="$(wget -q -O - https://composer.github.io/installer.sig)"
# Download the installer and compute its actual SHA-384 checksum.
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
ACTUAL_SIGNATURE="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"

# Refuse to run the installer if the checksums differ.
if [ "$EXPECTED_SIGNATURE" != "$ACTUAL_SIGNATURE" ]
then
    >&2 echo 'ERROR: Invalid installer signature'
    rm composer-setup.php
    exit 1
fi

php composer-setup.php --quiet
RESULT=$?
rm composer-setup.php
exit $RESULT
Save and close the file, then run the Composer installation script using the following commands:
cd /var/www/html/syspass/
sh install-composer.sh
Once Composer is installed, run the following command to install all required PHP dependencies:
php composer.phar install --no-dev
Once all the dependencies are installed, you can proceed to the next step.
Configure Apache Virtual Host for sysPass
Next, you will need to create an Apache virtual host configuration file to host sysPass on the internet. You can create it using the following command:
nano /etc/apache2/sites-available/syspass.conf
Add the following lines:
<VirtualHost *:80>
    # Placeholder address; use your own.
    ServerAdmin admin@example.com
    DocumentRoot "/var/www/html/syspass"
    ServerName syspass.example.com

    <Directory "/var/www/html/syspass/">
        Options MultiViews FollowSymlinks
        AllowOverride All
        # Apache 2.4 form of "Order allow,deny" / "Allow from all".
        Require all granted
    </Directory>

    TransferLog /var/log/apache2/syspass_access.log
    ErrorLog /var/log/apache2/syspass_error.log
</VirtualHost>
Save and close the file when you are finished, then activate the Apache virtual host with the following command:
a2ensite syspass
Next, restart the Apache service to apply the changes:
systemctl restart apache2
You can also check the status of the Apache service using the following command:
systemctl status apache2
You should get the following output:
● apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2021-10-16 13:41:36 UTC; 4s ago
       Docs: https://httpd.apache.org/docs/2.4/
    Process: 17819 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
   Main PID: 17824 (apache2)
      Tasks: 6 (limit: 2341)
     Memory: 14.7M
        CPU: 76ms
     CGroup: /system.slice/apache2.service
             ├─17824 /usr/sbin/apache2 -k start
             ├─17825 /usr/sbin/apache2 -k start
             ├─17826 /usr/sbin/apache2 -k start
             ├─17827 /usr/sbin/apache2 -k start
             ├─17828 /usr/sbin/apache2 -k start
             └─17829 /usr/sbin/apache2 -k start

Oct 16 13:41:36 debian11 systemd[1]: Starting The Apache HTTP Server...
Once you are finished, you can proceed to the next step.
Access sysPass Web UI
At this point, sysPass is installed and hosted on the Apache web server. Now, open your web browser and access the sysPass web interface using the URL http://syspass.example.com. You will be redirected to the installation page.
Provide your admin username, password, master password, and database credentials, choose your language and hosting mode, and click on the INSTALL button. Once the installation has been completed, you will be redirected to the sysPass login page.
Provide your admin username and password and click on the > button. You should then see the sysPass dashboard.
Enable Let's Encrypt SSL Support on sysPass
It is always a good idea to secure your website with Let's Encrypt SSL. First, you will need to install the Certbot client to install and manage the SSL. By default, the Certbot package is included in the Debian 11 default repository so you can install it with the following command:
apt-get install python3-certbot-apache -y
Once the Certbot is installed, run the following command to secure your website with Let's Encrypt SSL:
certbot --apache -d syspass.example.com
You will be asked to provide your email and accept the terms of service as shown below:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for syspass.example.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/syspass-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/syspass-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/syspass-le-ssl.conf
Next, select whether or not to redirect HTTP traffic to HTTPS as shown below:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Type 2 and hit Enter to install the Let's Encrypt SSL for your website:
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/syspass.conf to ssl vhost in /etc/apache2/sites-available/syspass-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://syspass.example.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=syspass.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/syspass.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/syspass.example.com/privkey.pem
   Your cert will expire on 2021-07-20. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Conclusion
Congratulations! You have successfully installed the sysPass password manager with Apache on Debian 11. You can now create additional accounts, add users, assign access privileges, and deploy it in your production environment.