- Available docker configurations
- Architecture and technologies
Installation is done with docker-compose. Please check out the official install instructions for more information.
Passwordcockpit docker images are provided within its Docker Hub organization.
To start, just copy docker-compose.yml to a folder and set up the configuration as shown in the "Available docker configurations" chapter. Finally, run docker-compose up from a terminal.
When the service is up, navigate to https://passwordcockpit.com and log in.
The default username is admin. The system generates the default password Admin123!; this can be overridden by specifying the
Each user can have the following permissions:
Each folder has a list of associated users with their permissions:
Users can be associated with a folder even if they do not have permission on the parent folder.
Authentication can be done with a database-stored password or with LDAP.
To use LDAP, users must exist in Passwordcockpit. The match of PASSWORDCOCKPIT_LDAP_ACCOUNTFILTERFORMAT is done with the username.
When LDAP is enabled, it is no longer possible to modify the profile data, since it is synchronized at each login.
There are 3 levels of encryption:
- Password PIN
- SSL encryption for transferring data to the server
- Database encryption for login information, passwords and files.
A password can be encrypted with a personal PIN in order to hide it from users with the "Access to all directories" permission and from users assigned to the same directory.
Available docker configurations
||Contains the files attached to passwords. Mapping it is important to make the data persistent. The access permissions of the host directory have to match the user who runs docker.||
||SSL certificate file for HTTPS, used to overwrite the self-signed auto generated file. IMPORTANT: specify read-only to avoid the overwrite of your certificate by the container certificate||
||SSL certificate key file for HTTPS, used to overwrite the self-signed auto generated file. IMPORTANT: specify read-only to avoid the overwrite of your certificate by the container certificate||
||Username for the database||
||Password for the database||
||Hostname of the database server||
||Name of the database||
||Key for passwords and files encryption. IMPORTANT: do not lose this key, without it you will not be able to decrypt passwords and files||
||Key for encrypting JSON Web Tokens||
||Base host of the Passwordcockpit service||
||Enable swagger documentation, possible values:
||Enable SSL, possible values:
||Admin password to log into passwordcockpit||
||Type of the authentication, possible values:
||For running the Apache variants as an arbitrary user.||
||For running the Apache variants as an arbitrary group.||
|LDAP variables (only necessary if LDAP is enabled)||Description||Example|
||Hostname of the LDAP server||
||Port of the LDAP server||
||Username for LDAP||
||Password for LDAP||
||Filter to retrieve accounts, it matches the
||Bind if DN is required, possible values:
Password cockpit is translated into:
Architecture and technologies
To ease deployment into production, frontend and backend have been built and merged in a single docker image.
The frontend is maintained on passwordcockpit/frontend.
Frontend has been developed using
The PIN password encryption is done with the Stanford Javascript Crypto Library, using AES-CCM.
The backend is maintained on passwordcockpit/backend.
The server side application logic is based on PHP Standard Recommendation (PSR) using
Laminas Components and
HAL is used as a JSON specification to give a consistent and easy way to hyperlink between resources.
Login information is stored using
Password entities and files are encrypted with laminas-crypt, using SHA-256.
User sessions are handled with JWT tokens, encrypted with HS256.
All listed encryptions are customizable with a custom key, adding cryptographic salt to hashes to mitigate rainbow tables.
All APIs are documented with
To secure your Passwordcockpit instance:
- Enable SSL (https) or put the service behind a reverse proxy with SSL.
- Set your
- Set your
- Disable Swagger.
If you find any vulnerability within the project, you are welcome to drop us a private message to: email@example.com. Thanks!
Here you can find the steps to prepare the development environment.