
Passwordcockpit

Passwordcockpit is a simple, free, open source, self hosted, web based password manager for teams. It is made in PHP, Javascript, MySQL and it runs on a docker service. It allows users with any kind of device to safely store, share and retrieve passwords, certificates, files and much more.


<p align="center" style="padding-top:30px"><img src="https://raw.githubusercontent.com/passwordcockpit/frontend/master/public/assets/images/logo.svg?sanitize=true" width="400" alt="Passwordcockpit logo"></p> <p align="center">Passwordcockpit is a simple, free, open source, self hosted, web based password manager for teams. It is made in PHP, Javascript, MySQL or MariaDB and it runs on a docker service. It allows users with any kind of device to safely store, share and retrieve passwords, certificates, files and much more.</p> <p align="center"> <img alt="GitHub license" src="https://img.shields.io/github/license/passwordcockpit/passwordcockpit"> <img alt="GitHub last release" src="https://img.shields.io/github/v/release/passwordcockpit/passwordcockpit?sort=semver"> <img alt="Docker pulls" src="https://img.shields.io/docker/pulls/passwordcockpit/passwordcockpit"> </p>


Usage

Installation is done with docker-compose. Please check out the official install instructions for more information.<br> Passwordcockpit docker images are provided within its Docker Hub organization.<br><br> To start, just copy docker-compose.yml to a folder and set up the configuration as shown in the "Available docker configurations" chapter. Finally, run docker-compose up from the terminal.<br><br> When the service is up, navigate to PASSWORDCOCKPIT_BASEHOST (e.g. https://passwordcockpit.com) and log in.<br><br> The default username is admin. The system generates the default password Admin123!; this can be overridden by specifying the PASSWORDCOCKPIT_ADMIN_PASSWORD variable.

Permissions

Global permissions

Each user can have the following permissions:<br><br> ⚫️ Nothing (a normal user)<br> 👥 Create and manage users<br> 📁 Create folders<br> 🗄 Access to all directories<br> 📊 Can view log

Folder permissions

Each folder has a list of associated users with their permissions:<br><br> ⛔️ No access (A user cannot access a folder to which they are not assigned)<br> 👁 Read (A user can read the passwords from a folder with which they are associated)<br> ✏️ Manage (The user can add, modify and delete passwords inside the folder)<br><br> Users can be associated with a folder even if they do not have permission on the parent folder.

Authentication

Authentication can be done with a database-stored password or with LDAP.

LDAP

To use LDAP, users must exist in Passwordcockpit. PASSWORDCOCKPIT_LDAP_ACCOUNTFILTERFORMAT is matched against the username.

When LDAP is enabled, it is no longer possible to modify the profile data, since it is synchronized at each login.

Encryption

There are 3 levels of encryption:

  • Password PIN
  • SSL encryption for transferring data to the server
  • Database encryption for login information, passwords and files.

Password PIN

A password can be encrypted with a personal PIN in order to hide it from users with the "Access to all directories" permission and from users assigned to the same directory.

Available docker configurations

| Container volume | Description | Example |
| --- | --- | --- |
| /var/www/html/upload | Contains the files attached to passwords. Map it to make the data persistent. Access permissions of the host directory have to be the same as the user who runs docker. | ./volumes/upload |
| /etc/ssl/certs/passwordcockpit.crt | SSL certificate file for HTTPS, used to overwrite the self-signed auto-generated file. IMPORTANT: specify read-only to avoid the overwrite of your certificate by the container certificate | ./volumes/ssl_certificate/passwordcockpit.crt:/etc/ssl/certs/passwordcockpit.crt:ro |
| /etc/ssl/certs/passwordcockpit.key | SSL certificate key file for HTTPS, used to overwrite the self-signed auto-generated file. IMPORTANT: specify read-only to avoid the overwrite of your certificate by the container certificate | ./volumes/ssl_certificate/passwordcockpit.key:/etc/ssl/certs/passwordcockpit.key:ro |

| Environment variable | Description | Example |
| --- | --- | --- |
| PASSWORDCOCKPIT_DEBUG | Enable debugging mode, default value false | true |
| PASSWORDCOCKPIT_DATABASE_USERNAME | Username for the database | username |
| PASSWORDCOCKPIT_DATABASE_PASSWORD | Password for the database | password |
| PASSWORDCOCKPIT_DATABASE_HOSTNAME | Hostname of the database server | mysql |
| PASSWORDCOCKPIT_DATABASE_DATABASE | Name of the database | passwordcockpit |
| PASSWORDCOCKPIT_BLOCK_CIPHER_KEY | Key for passwords and files encryption. IMPORTANT: do not lose this key, without it you will not be able to decrypt passwords and files | Q7EeZaHdMV7PMBGrNRre27MFXLEKqMAS |
| PASSWORDCOCKPIT_AUTHENTICATION_SECRET_KEY | Key for encrypting JSON Web Tokens | zfYKN7Z8XW8McgKaSD2uSNmQQ9dPmgTz |
| PASSWORDCOCKPIT_BASEHOST | Base host of the Passwordcockpit service | https://passwordcockpit.com |
| PASSWORDCOCKPIT_SWAGGER | Enable swagger documentation, possible values: enable or disable. If enabled, documentation can be seen here: PASSWORDCOCKPIT_BASEHOST/swagger/index.html | |
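
The example keys and the default admin password shown above are public, so a deployment should carry its own values before the first `docker-compose up`. The script below is an added example, not part of the Passwordcockpit project: it generates the four secrets into an env file and rejects any file that is missing one or still contains a value printed in this README. The file name `.env`, the 32-character alphanumeric format and loading the file through Compose's `env_file` key are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the Passwordcockpit project).
# Values printed in the README are public, so they must never reach production.
README_VALUES='Q7EeZaHdMV7PMBGrNRre27MFXLEKqMAS zfYKN7Z8XW8McgKaSD2uSNmQQ9dPmgTz Admin123! password'
SECRET_VARS='PASSWORDCOCKPIT_BLOCK_CIPHER_KEY PASSWORDCOCKPIT_AUTHENTICATION_SECRET_KEY PASSWORDCOCKPIT_ADMIN_PASSWORD PASSWORDCOCKPIT_DATABASE_PASSWORD'

# 32 random alphanumeric characters from /dev/urandom. The length mirrors the
# README's example keys; the format the application requires is an assumption.
gen_secret() {
  head -c 48 /dev/urandom | base64 | tr -d '+/=\n' | cut -c1-32
}

# Create the env file once, readable only by its owner. Refuses to overwrite:
# replacing the block cipher key makes stored passwords and files undecryptable.
write_env() {
  if [ -e "$1" ]; then
    echo "refusing to overwrite $1" >&2
    return 1
  fi
  (
    umask 077
    for var in $SECRET_VARS; do
      printf '%s=%s\n' "$var" "$(gen_secret)"
    done > "$1"
  )
}

# Exit status 0 only if every secret is set and none is a README value.
check_env() (
  rc=0
  for var in $SECRET_VARS; do
    val=$(sed -n "s/^${var}=//p" "$1" | tail -n 1)
    if [ -z "$val" ]; then
      echo "missing: $var" >&2; rc=1; continue
    fi
    for bad in $README_VALUES; do
      if [ "$val" = "$bad" ]; then
        echo "README value in use: $var" >&2; rc=1
      fi
    done
  done
  exit "$rc"
)

# Stand-alone use: "script init [file]" or "script check [file]".
case "${1:-}" in
  init)  write_env "${2:-.env}" ;;
  check) check_env "${2:-.env}" ;;
esac
```

The generated PASSWORDCOCKPIT_DATABASE_PASSWORD has to match the password the database server itself is configured with. Back up the env file together with the database, since the block cipher key is needed to decrypt it.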

GitHub Stars: 134
Category: Development
Updated: 2mo ago
Forks: 30

Languages

Dockerfile

Security Score

100/100

Audited on Jan 23, 2026

No findings