Passbolt Environment Variables
Notice
These are available for use with both the Docker installation and the Helm installation.
The following is a list of the environment variables supported in both the PRO and CE editions of Passbolt, with their default values.
Variable name | Description | Default value |
---|---|---|
APP_BASE | Allows specifying the base subdirectory the application is running in | null |
APP_ENCODING | Set text encoding | 'UTF-8' |
APP_FULL_BASE_URL | Passbolt base url | 'false' |
APP_DEFAULT_TIMEZONE | Passbolt default timezone | 'UTC' |
DATASOURCES_DEFAULT_DATABASE | Database name | '' |
DATASOURCES_DEFAULT_HOST | Database hostname | 'localhost' |
DATASOURCES_DEFAULT_PORT | Database port | 3306 |
DATASOURCES_DEFAULT_URL | Database url | '' |
DATASOURCES_DEFAULT_PASSWORD | Database password | '' |
DATASOURCES_DEFAULT_SSL_KEY | Database SSL Key | '' |
DATASOURCES_DEFAULT_SSL_CERT | Database SSL Cert | '' |
DATASOURCES_DEFAULT_SSL_CA | Database SSL CA | '' |
DATASOURCES_DEFAULT_USERNAME | Database username | '' |
DEBUG | Debug mode | 'false' |
EMAIL_TRANSPORT_DEFAULT_CLASS_NAME | Email classname | 'Smtp' |
EMAIL_DEFAULT_FROM_NAME | From email username | 'Passbolt' |
EMAIL_DEFAULT_FROM | From email address | 'you@localhost' |
EMAIL_DEFAULT_TRANSPORT | Sets transport method | 'default' |
EMAIL_TRANSPORT_DEFAULT_HOST | Server hostname | 'localhost' |
EMAIL_TRANSPORT_DEFAULT_PORT | Server port | 25 |
EMAIL_TRANSPORT_DEFAULT_TIMEOUT | Timeout | 30 |
EMAIL_TRANSPORT_DEFAULT_USERNAME | Username for email server auth | null |
EMAIL_TRANSPORT_DEFAULT_PASSWORD | Password for email server auth | null |
EMAIL_TRANSPORT_DEFAULT_CLIENT | Client | null |
EMAIL_TRANSPORT_DEFAULT_TLS | Set tls | null |
EMAIL_TRANSPORT_DEFAULT_URL | Set url | null |
GNUPGHOME | path to gnupghome directory | '/home/www-data/.gnupg' |
PASSBOLT_AUTH_TOKEN_EXPIRY | Passbolt authorization token expiration | '10 days' |
PASSBOLT_AUTH_REGISTER_TOKEN_EXPIRY | Passbolt authorization registration token expiration | '10 days' |
PASSBOLT_AUTH_RECOVER_TOKEN_EXPIRY | Passbolt authorization recover token expiration | '1 day' |
PASSBOLT_AUTH_LOGIN_TOKEN_EXPIRY | Passbolt authorization token login expiration | '5 minutes' |
PASSBOLT_AUTH_MOBILE_TRANSFER_TOKEN_EXPIRY | Passbolt mobile transfer token expiration | '5 minutes' |
PASSBOLT_AUTH_JWT_REFRESH_TOKEN | Passbolt authorization JWT refresh token | '1 month' |
PASSBOLT_AUTH_JWT_ACCESS_TOKEN | Passbolt authorization JWT access token | '5 minutes' |
PASSBOLT_AUTH_JWT_VERIFY_TOKEN | Passbolt authorization JWT verify token | '1 hour' |
PASSBOLT_EMAIL_VALIDATE_MX | Email validation | false |
PASSBOLT_GPG_SERVER_KEY_FINGERPRINT | GnuPG fingerprint | null |
PASSBOLT_GPG_SERVER_KEY_PUBLIC | Path to GnuPG public server key | '/etc/passbolt/gpg/serverkey.asc' |
PASSBOLT_GPG_SERVER_KEY_PRIVATE | Path to GnuPG private server key | '/etc/passbolt/gpg/serverkey_private.asc' |
PASSBOLT_JS_BUILD | passbolt.js type of build 'development' or 'production' | 'production' |
PASSBOLT_LEGAL_PRIVACYPOLICYURL | Set legal policy URL | '' |
PASSBOLT_LEGAL_TERMSURL | Set legal terms URL | 'https://www.passbolt.com/terms' |
PASSBOLT_META_DESCRIPTION | Set html meta description for the site | 'Open source password manager for teams' |
PASSBOLT_META_ROBOTS | Search engines indexing parameters | 'noindex, nofollow' |
PASSBOLT_META_TITLE | Set html meta title for | 'Passbolt' |
PASSBOLT_PLUGINS_EXPORT_ENABLED | Enable export plugin | true |
PASSBOLT_PLUGINS_IMPORT_ENABLED | Enable import plugin | true |
PASSBOLT_PLUGINS_IN_FORM_INTEGRATION_ENABLED | Enable Passbolt icon in web forms | true |
PASSBOLT_PLUGINS_PASSWORD_GENERATOR_DEFAULT_GENERATOR | Default password generator (can be password or passphrase) | password |
PASSBOLT_PLUGINS_PASSWORD_GENERATOR_ENABLED | Enable password generator plugin | true |
PASSBOLT_PLUGINS_PREVIEW_PASSWORD_ENABLED | Enable password generator preview | true |
PASSBOLT_PLUGINS_MOBILE_ENABLED | Enable mobile plugin | true |
PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED | Enable jwt authentication plugin | true |
PASSBOLT_PLUGINS_RBACS_ENABLED | Enable RBAC plugin | true |
PASSBOLT_PLUGINS_HEALTHCHECK_SECURITY_INDEX_ENDPOINT_ENABLED | Enable the healthCheck index endpoints | true |
PASSBOLT_PLUGINS_PASSWORD_EXPIRY_ENABLED | Enable the password expiry plugin | true |
PASSBOLT_PLUGINS_PASSWORD_EXPIRY_POLICIES_ENABLED | Enable the password expiry policies plugin | true |
PASSBOLT_PLUGINS_TOTP_RESOURCE_TYPE_ENABLED | Enable the ability to create TOTP resource types | true |
PASSBOLT_PLUGINS_DESKTOP_ENABLED | Enable the desktop plugin | true |
PASSBOLT_PLUGINS_EMAIL_DIGEST_ENABLED | Enable the email digest plugin | true |
PASSBOLT_PLUGINS_ACCOUNT_RECOVERY_ENABLED | Enable the account recovery feature plugin | true |
PASSBOLT_PLUGINS_SMTP_SETTINGS_ENABLED | Enable the SMTP settings plugin | true |
PASSBOLT_PLUGINS_PASSWORD_POLICIES_ENABLED | Enable the password policy plugin | true |
PASSBOLT_PLUGINS_SMTP_SETTINGS_SECURITY_SSL_VERIFY_PEER | Enable the SMTP peer verification for the SSL certificate | true |
PASSBOLT_PLUGINS_SMTP_SETTINGS_SECURITY_SSL_VERIFY_PEER_NAME | Enable the SMTP peer name verification for the SSL certificate | true |
PASSBOLT_PLUGINS_SMTP_SETTINGS_SECURITY_SSL_ALLOW_SELF_SIGNED | Enable self-signed certificate for email servers | false |
PASSBOLT_PLUGINS_SMTP_SETTINGS_SECURITY_SSL_CAFILE | Path to the rootCA certificate | null |
PASSBOLT_PLUGINS_SELF_REGISTRATION_ENABLED | Enable the self registration plugin | true |
PASSBOLT_PLUGINS_SSO_ENABLED | Enable the SSO plugin | true |
PASSBOLT_PLUGINS_SSO_PROVIDER_AZURE_ENABLED | Enable the Azure AD SSO plugin | true |
PASSBOLT_PLUGINS_SSO_PROVIDER_GOOGLE_ENABLED | Enable the Google SSO plugin | true |
PASSBOLT_PLUGINS_SSO_PROVIDER_OAUHT2_ENABLED | Enable the OAuth2 (OIDC) SSO plugin | false |
PASSBOLT_PLUGINS_SSO_PROVIDER_ADFS_ENABLED | Enable the ADFS SSO plugin | false |
PASSBOLT_PLUGINS_MFA_POLICIES_ENABLED | Enable the MFA Policy plugin | true |
PASSBOLT_PLUGINS_DIRECTORY_SYNC_CASE_SENSITIVE_FILTERS | Enable the case sensitive filters for directorySync plugin | false |
PASSBOLT_PLUGINS_DIRECTORY_SYNC_SECURITY_SSL_CUSTOM_OPTIONS_ENABLED | Enable the custom root CA certificate | false |
PASSBOLT_PLUGINS_DIRECTORY_SYNC_SECURITY_SSL_CUSTOM_OPTIONS_VERIFY_PEER | Enable the peer verification of the custom root CA certificate | true |
PASSBOLT_PLUGINS_DIRECTORY_SYNC_SECURITY_SSL_CUSTOM_OPTIONS_CADIR | Set the directory of the SSL directory | null |
PASSBOLT_PLUGINS_DIRECTORY_SYNC_SECURITY_SSL_CUSTOM_OPTIONS_CAFILE | Set the path of the custom root CA certificate | null |
PASSBOLT_PLUGINS_HEALTHCHECK_UI_ENABLED | Enable the Passbolt API Status plugin | true |
PASSBOLT_PLUGINS_PASSWORD_POLICIES_UPDATE_EANBLED | Enable the password policy plugin update | true |
PASSBOLT_PLUGINS_USER_PASSPHRASE_POLICIES_ENABLED | Enable the user passphrase policy | true |
PASSBOLT_REGISTRATION_PUBLIC | Defines if users can register | false |
PASSBOLT_SECURITY_SET_HEADERS | Send CSP Headers | true |
PASSBOLT_SECURITY_CSP | CSP Headers (true, false or custom CSP string) | true |
PASSBOLT_SECURITY_COOKIE_SECURE | Set MFA cookie secure flag | true |
PASSBOLT_SECURITY_USER_AGENT | Enable the storage and display of the user agent | true |
PASSBOLT_SECURITY_USER_IP | Enable the storage of the user IP address | true |
PASSBOLT_SECURITY_USERNAME_LOWER_CASE | Force username to lowercase | false |
PASSBOLT_SECURITY_USERNAME_CASE_SENSITIVE | Enable the username case sensitive | false |
PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED | Disable the SMTP settings endpoints | false |
PASSBOLT_SECURITY_PROXIES_ACTIVE | Enable proxy when the instance runs behind load balancers/proxies that you control | false |
PASSBOLT_SECURITY_MFA_DUO_VERIFY_SUBSCRIBER | Enable the subscription verification for MFA DUO | false |
PASSBOLT_SECURITY_MFA_MAX_ATTEMPTS | Set the max attempts for the MFA authentication | '4' |
PASSBOLT_SECURITY_GET_LOGOUT_ENDPOINT_ENABLED | Disable GET /logout endpoint, closing a potential CSRF issue and preventing logout usage via browser URL | true |
PASSBOLT_SECURITY_DIRECTORY_SYNC_ENDPOINTS_DISABLED | Disable the directorySync endpoints | false |
PASSBOLT_SECURITY_EMAIL_ANONYMISE_ADMINISTRATOR_IDENTITY | Enable anonymisation of the administrator identity | false |
PASSBOLT_SECURITY_SSO_SSL_VERIFY | Enable the SSL verification for SSO | true |
PASSBOLT_SSL_FORCE | Redirects http to https | true |
SECURITY_SALT | CakePHP security salt | __SALT__ |
SESSION_DEFAULTS | Session engine configuration | 'php' |
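
The following added example (not Passbolt's own code) audits a `KEY=VALUE` env file against the defaults listed in the table and reports security-related switches that have been moved away from them. The selection of variables to watch, the boolean parsing, and the names `parse_env`, `audit` and `SAMPLE_ENV` are assumptions of this example.

```python
# Added example: compare a Passbolt env file with defaults from the table above.
# Which variables to watch is this example's own selection (an assumption).
WATCHED_DEFAULTS = {
    "DEBUG": "false",
    "PASSBOLT_SSL_FORCE": "true",
    "PASSBOLT_SECURITY_SET_HEADERS": "true",
    "PASSBOLT_SECURITY_COOKIE_SECURE": "true",
    "PASSBOLT_SECURITY_SSO_SSL_VERIFY": "true",
    "PASSBOLT_PLUGINS_SMTP_SETTINGS_SECURITY_SSL_VERIFY_PEER": "true",
    "PASSBOLT_PLUGINS_SMTP_SETTINGS_SECURITY_SSL_VERIFY_PEER_NAME": "true",
    "PASSBOLT_PLUGINS_SMTP_SETTINGS_SECURITY_SSL_ALLOW_SELF_SIGNED": "false",
    "PASSBOLT_PLUGINS_DIRECTORY_SYNC_SECURITY_SSL_CUSTOM_OPTIONS_VERIFY_PEER": "true",
    "PASSBOLT_REGISTRATION_PUBLIC": "false",
}
TRUTHY = {"1", "true", "yes", "on"}

def normalise(value):
    """Reduce a boolean-like string to 'true' or 'false' (assumed parsing rule)."""
    return "true" if value.strip().lower() in TRUTHY else "false"

def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and # comments, strip surrounding quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env

def audit(env):
    """Return sorted (variable, configured value, table default) for each deviation."""
    return sorted(
        (name, env[name], default)
        for name, default in WATCHED_DEFAULTS.items()
        if name in env and normalise(env[name]) != default
    )

# Constructed sample env file, not taken from a real deployment.
SAMPLE_ENV = """\
APP_FULL_BASE_URL=https://passbolt.example.test
DEBUG=true
PASSBOLT_SSL_FORCE=true
PASSBOLT_PLUGINS_SMTP_SETTINGS_SECURITY_SSL_VERIFY_PEER=false
PASSBOLT_PLUGINS_SMTP_SETTINGS_SECURITY_SSL_ALLOW_SELF_SIGNED=TRUE
"""

if __name__ == "__main__":
    for name, value, default in audit(parse_env(SAMPLE_ENV)):
        print(f"{name}={value} (table default: {default})")
```

Variables that are absent from the file are not reported, since they fall back to the defaults in the table.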