{"id":15015894,"url":"https://github.com/passwordcockpit/passwordcockpit","last_synced_at":"2025-10-08T08:31:20.189Z","repository":{"id":101616401,"uuid":"160185905","full_name":"passwordcockpit/passwordcockpit","owner":"passwordcockpit","description":"Passwordcockpit is a simple, free, open source, self hosted, web based password manager for teams. It is made in PHP, Javascript, MySQL and it run on a docker service. It allows users with any kind of device to safely store, share and retrieve passwords, certificates, files and much more.","archived":false,"fork":false,"pushed_at":"2024-07-24T17:08:55.000Z","size":560,"stargazers_count":121,"open_issues_count":8,"forks_count":24,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-04-02T02:38:02.468Z","etag":null,"topics":["docker","docker-image","emberjs","free","laminas","mezzio","mysql","open-source","opensource","password","password-manager","password-vault","passwords","php","responsive","restful","self-hosted","selfhosted","web","webapp"],"latest_commit_sha":null,"homepage":"https://passwordcockpit.com","language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/passwordcockpit.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-12-03T12:15:00.000Z","updated_at":"2025-03-26T12:02:35.000Z","dependencies_parsed_at":null,"dependency_job_id":"8b1a256a-71f9-489b-8315-9559aa228e8b","html_url":"https://github.com/passwordcockpit/passwordcockpit","commit_stats":{"total_commits":154,"total_committers":9,"mean_commits":17.11111111111111,"dds":"0.23376623376623373","last_synced_commit":"533b7c1ee3b2c10c0b0683f69224f5654eb1859e"},"previous_names":[],"tags_count":26,"template":false,"template_full_name":null,"purl":"pkg:github/passwordcockpit/passwordcockpit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/passwordcockpit%2Fpasswordcockpit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/passwordcockpit%2Fpasswordcockpit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/passwordcockpit%2Fpasswordcockpit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/passwordcockpit%2Fpasswordcockpit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/passwordcockpit","download_url":"https://codeload.github.com/passwordcockpit/passwordcockpit/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/passwordcockpit%2Fpasswordcockpit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278913318,"owners_count":26067630,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-08T02:00:06.501Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","docker-image","emberjs","free","laminas","mezzio","mysql","open-source","opensource","password","password-manager","password-vault","passwords","php","responsive","restful","self-hosted","selfhosted","web","webapp"],"created_at":"2024-09-24T19:48:06.793Z","updated_at":"2025-10-08T08:31:19.892Z","avatar_url":"https://github.com/passwordcockpit.png","language":"Dockerfile","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\" style=\"padding-top:30px\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/passwordcockpit/frontend/master/public/assets/images/logo.svg?sanitize=true\" width=\"400\" alt=\"Passwordcockpit logo\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003ePasswordcockpit is a simple, free, open source, self hosted, web based password manager for teams. It is made in PHP, Javascript, MySQL or MariaDB and it run on a docker service. It allows users with any kind of device to safely store, share and retrieve passwords, certificates, files and much more.\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n    \u003cimg alt=\"GitHub license\" src=\"https://img.shields.io/github/license/passwordcockpit/passwordcockpit\"\u003e\n    \u003cimg alt=\"GitHub last release\" src=\"https://img.shields.io/github/v/release/passwordcockpit/passwordcockpit?sort=semver\"\u003e\n    \u003cimg alt=\"Docker pulls\" src=\"https://img.shields.io/docker/pulls/passwordcockpit/passwordcockpit\"\u003e\n\u003c/p\u003e\n\n\n# Index\n- [Index](#index)\n- [Usage](#usage)\n- [Permissions](#permissions)\n  - [Global permissions](#global-permissions)\n  - [Folder permissions](#folder-permissions)\n- [Authentication](#authentication)\n  - [LDAP](#ldap)\n- [Encryption](#encryption)\n  - [Password PIN](#password-pin)\n- [Available docker configurations](#available-docker-configurations)\n- [Architecture and technologies](#architecture-and-technologies)\n  - [Frontend](#frontend)\n  - [Backend](#backend)\n  - [Database](#database)\n- [Security](#security)\n- [Update to a newer version](#update-to-a-newer-version)\n- [Vulnerabilities](#vulnerabilities)\n- [Contribute](#contribute)\n  - [Screenshots](#screenshots)\n    - [Passwords manager](#passwords-manager)\n    - [Users manager](#users-manager)\n    - [Mobile design](#mobile-design)\n\n\n# Usage\nInstallation is done with `docker-compose`. Please check out the [official install instructions](https://docs.docker.com/compose/install/) for more information.\u003cbr\u003e\nPasswordcockpit docker images are provided within [its Docker Hub organization](https://hub.docker.com/u/passwordcockpit).\u003cbr\u003e\u003cbr\u003e\nTo start, just copy [`docker-compose.yml`](https://github.com/passwordcockpit/passwordcockpit/blob/master/docker-compose.yml) to a folder and setup the configuration as shown in the \"Available docker configurations\" chapter. Finally run `docker-compose up` from terminal.\u003cbr\u003e\u003cbr\u003e\nWhen the service is up, navigate to `PASSWORDCOCKPIT_BASEHOST` (e.g. `https://passwordcockpit.com`) and login.\u003cbr\u003e\u003cbr\u003e\nThe default username is `admin`. The system generate the default password: `Admin123!`, this can be overridden by specifying the `PASSWORDCOCKPIT_ADMIN_PASSWORD` variable.\n\n# Permissions\n## Global permissions\nEach user can have following permissions:\u003cbr\u003e\u003cbr\u003e\n⚫️ Nothing (a normal user)\u003cbr\u003e\n👥 Create and manage users\u003cbr\u003e\n📁 Create folders\u003cbr\u003e\n🗄 Access to all directories\u003cbr\u003e\n📊 Can view log\n\n## Folder permissions\nEach folder has a list of associated users with their permissions:\u003cbr\u003e\u003cbr\u003e\n⛔️ No access (A user cannot access a folder to which is not assigned)\u003cbr\u003e\n👁 Read (A user can read the passwords from a folder to which he is associated)\u003cbr\u003e\n✏️ Manage (The user can add, modify and delete passwords inside the folder)\u003cbr\u003e\u003cbr\u003e\nUsers can be associated to a folder even if they do not have permission from the parent folder.\n\n# Authentication\nAuthentication can be done with database stored password or LDAP.\n\n## LDAP\nTo use LDAP, users must exist in Passwordcockpit. The match of `PASSWORDCOCKPIT_LDAP_ACCOUNTFILTERFORMAT` is done with the username.\n\nWhen LDAP is enabled it is no longer possible to modify the profile data, since they will be synchronized at each login.\n\n# Encryption\nThere are 3 levels of encryption:\n- Password PIN\n- SSL encryption for transfering data to the server\n- Database encryption for login informations, passwords and files.\n\n## Password PIN\nA password can be crypted with a personal PIN in order to hide it from users with \"Access to all directiories\" permission and from users assigned to the same directory.\n\n# Available docker configurations\n| Container volume                       | Description                                                                                                                                                                                                                                                                                       | Example                              |\n| -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | - |\n| `/var/www/html/upload`                 | Contains passwords attached files. It is important to map for making data persistent. Access permissions of the host directory have to be the same as the user who runs docker.                                                                                                                                                                                                            | `./volumes/upload`                             |\n| `/etc/ssl/certs/passwordcockpit.crt`   | SSL certificate file for HTTPS, used to overwrite the self-signed auto generated file. **IMPORTANT: specify read-only to avoid the overwrite of your certificate by the container certificate**       | `./volumes/ssl_certificate/passwordcockpit.crt:/etc/ssl/certs/passwordcockpit.crt:ro` |\n| `/etc/ssl/certs/passwordcockpit.key` | SSL certificate key file for HTTPS, used to overwrite the self-signed auto generated file. **IMPORTANT: specify read-only to avoid the overwrite of your certificate by the container certificate** | `./volumes/ssl_certificate/passwordcockpit.key:/etc/ssl/certs/passwordcockpit.key:ro` |\n\n| Environment variable                        | Description                                                                                                                                                                                                                                                                                                   | Example                              |\n| ------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------ |\n| `PASSWORDCOCKPIT_DEBUG`         | Enable debugging mode, default value `false`                                                                                                                                                                                                                                                                    | `true`       \n| `PASSWORDCOCKPIT_DATABASE_USERNAME`         | Username for the database                                                                                                                                                                                                                                                                                     | `username`                           |\n| `PASSWORDCOCKPIT_DATABASE_PASSWORD`         | Password for the database                                                                                                                                                                                                                                                                                     | `password`                           |\n| `PASSWORDCOCKPIT_DATABASE_HOSTNAME`         | Hostname of the database server                                                                                                                                                                                                                                                                               | `mysql`                              |\n| `PASSWORDCOCKPIT_DATABASE_DATABASE`         | Name of the database                                                                                                                                                                                                                                                                                          | `passwordcockpit`                    |\n| `PASSWORDCOCKPIT_BLOCK_CIPHER_KEY`          | Key for passwords and files encryption. **IMPORTANT: do not lose this key, without it you will not be able to decrypt passwords and files**                                                                                                                                                                   | `Q7EeZaHdMV7PMBGrNRre27MFXLEKqMAS`   |\n| `PASSWORDCOCKPIT_AUTHENTICATION_SECRET_KEY` | Key for encrypting JSON Web Tokens                                                                                                                                                                                                                                                                            | `zfYKN7Z8XW8McgKaSD2uSNmQQ9dPmgTz`   |\n| `PASSWORDCOCKPIT_BASEHOST`                  | Base host of the Passwordcockpit service                                                                                                                                                                                                                                                                      | `https://passwordcockpit.com` |\n| `PASSWORDCOCKPIT_SWAGGER`                   | Enable swagger documentation, possible values: `enable` or `disable`. If enabled, documentation can be seen here: `PASSWORDCOCKPIT_BASEHOST/swagger/index.html`                                                                                                                                                          | `enable`                             |\n| `PASSWORDCOCKPIT_SSL`                       | Enable SSL, possible values: `enable` or `disable`. If enabled the port **4343** will be used, the system will generate a self-signed certificate that can be replaced with the one specified in the volumes configuration. If disabled the port **8080** will be used. **Standard ports 80 and 443 are no longer used because the container runs with a non-root user.**\u003cbr\u003e\u003cbr\u003e**Since it is a SPA if you use HTTPS the certificates must be valid or you must add a security exception to your browser.** | `enable`                             |\n| `PASSWORDCOCKPIT_SSL_RELAXED_IP`                       | When `PASSWORDCOCKPIT_SSL` is disabled, it can be set hosts where secure rule is relaxed. | `10.0.0.1,10.0.0.2`                             |\n| `PASSWORDCOCKPIT_ADMIN_PASSWORD`            | Admin password to log into passwordcockpit                                                                                                                                                                                                                                                                    | `Password123!`                           |\n| `PASSWORDCOCKPIT_AUTHENTICATION_TYPE`       | Type of the authentication, possible values: `ldap` or `password`                                                                                                                                                                                                                                             | `password`                           |\n| `APACHE_RUN_USER` | For running the Apache variants as an arbitrary user. | `1000` |\n| `APACHE_RUN_GROUP` | For running the Apache variants as an arbitrary group. | `1000` |\n| `PASSWORDCOCKPIT_UPLOAD_ACCEPTED_MIMETYPES` | Specify accepted mime types to check when uploading a file, default value `'pdf'`. Some extensions like `yml` are detected as `text/plain` mimetype, to accept these files you are forced to add the `txt` extension | `pdf, zip, doc` |\n\n\n| LDAP variables (only necessary if LDAP is enabled) | Description                                                | Example                                                          |\n| -------------------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------------------- |\n| `PASSWORDCOCKPIT_LDAP_HOST`                        | Hostname of the LDAP server                                | `ldap`                                                           |\n| `PASSWORDCOCKPIT_LDAP_PORT`                        | Port of the LDAP server                                    | `389`                                                            |\n| `PASSWORDCOCKPIT_LDAP_USERNAME`                    | Username for LDAP                                          | `uid=name,cn=users,dc=passwordcockpit,dc=com`                             |\n| `PASSWORDCOCKPIT_LDAP_PASSWORD`                    | Password for LDAP                                          | `password`                                                       |\n| `PASSWORDCOCKPIT_LDAP_BASEDN`                      | Base DN                                                    | `cn=users,dc=passwordcockpit,dc=com`                                      |\n| `PASSWORDCOCKPIT_LDAP_ACCOUNTFILTERFORMAT`         | Filter to retrieve accounts, it match the `username`                              | `(\u0026(memberOf=cn=group_name,cn=groups,dc=passwordcockpit,dc=com)(uid=%s))` |\n| `PASSWORDCOCKPIT_LDAP_BINDREQUIRESDN`              | Bind if DN is required, possible values: `'true'` or `'false'`, default value: `'false'` | `'true'`                                                           |\n| `PASSWORDCOCKPIT_LDAP_USESTARTTLS`              | Whether or not the LDAP client should use TLS (aka SSLv2) encrypted transport, possible values: `'true'` or `'false'`, default value: `'false'`  | `'false'`                                                           |\n| `PASSWORDCOCKPIT_LDAP_USESSL`              | Whether or not the LDAP client should use SSL encrypted transport, possible values: `'true'` or `'false'`, default value: `'false'` | `'false'`                                                           |\n| `PASSWORDCOCKPIT_LDAP_USER_ATTR_UNIQUE_IDENTIFIER`              | Configure user identifier attribute, default value: `'uid'` |`'uid'`                                                           |\n| `PASSWORDCOCKPIT_LDAP_USER_ATTR_NAME`              | Configure name of user attribute, default value: `'givenname'` |`'givenname'`                                                           |\n| `PASSWORDCOCKPIT_LDAP_USER_ATTR_SURNAME`              | Configure surname of user attribute, default value: `'sn'` |`'sn'`                                                           |\n| `PASSWORDCOCKPIT_LDAP_USER_ATTR_MAIL`              | Configure  mail's user attribute, default value: `'mail'` |`'mail'`                                                           |\n| `PASSWORDCOCKPIT_LDAP_USER_ATTR_PHONE`              | Configure phone's user attribute, default value: `null` |                                                         |\n\n# Available translations\nPassword cockpit is translated into:\n- English\n- Italiano\n- Français\n- Deutsch\n\n# Architecture and technologies\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/passwordcockpit/passwordcockpit/master/assets/architecture.svg?sanitize=true\" width=\"500\" alt=\"RESTful architecture diagram\"\u003e\u003c/p\u003e\nThe application itself follows the RESTful architecture.\u003cbr\u003e\nTo ease deployment into production, frontend and backend have been built and merged in a single docker image.\n\n## Frontend\nThe frontend is maintained on [passwordcockpit/frontend](https://github.com/passwordcockpit/frontend).\nFrontend has been developed using [`Ember.js`](https://emberjs.com/) and [`Bootstrap`](https://getbootstrap.com/). \u003cbr\u003e\nThe PIN password encryption is made with [`Stanford Javascritp Crypto Library`](https://github.com/bitwiseshiftleft/sjcl), using AES-CCM.\n\n## Backend\nThe backend is maintained on [passwordcockpit/backend](https://github.com/passwordcockpit/backend).\u003cbr\u003e\nThe server side application logic is based on PHP Standard Recommendation (PSR) using [`Mezzio`](https://docs.mezzio.dev/mezzio/), [`Laminas Components`](https://docs.laminas.dev/components/) and [`Doctrine`](https://www.doctrine-project.org/).\u003cbr\u003e\nHAL is used as a JSON specification to give a consistent and easy way to hyperlink between resources.\u003cbr\u003e\nLogin information are stored using `Bcrypt`.\u003cbr\u003e\nPassword entitites and files are crypted with [`laminas-crypt`](https://docs.laminas.dev/laminas-crypt/), using sha-256.\u003cbr\u003e\nUser sessions are handled with [`JWT tokens`](https://jwt.io/), encrypted with HS256.\u003cbr\u003e\nAll listed encryptions are customizable with a custom key, adding cryptographic salt to hashes to mitigate rainbow tables.\u003cbr\u003e\nAll API are documented with [`Swagger`](https://swagger.io/).\n\n## Database\nDatabase uses [`mysql`](https://www.mysql.com) or [`mariaDB`](https://mariadb.org)\n\n# Security\nTo ensure the security to your Passwordcockpit instance:\n- Enable SSL (https) or put the service behind a reverseproxy with SSL.\n- Set your `PASSWORDCOCKPIT_BLOCK_CIPHER_KEY` and `PASSWORDCOCKPIT_AUTHENTICATION_SECRET_KEY`.\n- Set your `PASSWORDCOCKPIT_ADMIN_PASSWORD`.\n- Disable Swagger.\n\u003cbr\u003e\u003cbr\u003e\nThe container runs as www-data user (non-root).\n\n# Update to a newer version\nUpdating is done by pulling the new image, throwing away the old container and starting the new one.\nBefore performing an update, it is best to back up the database and persistent files. This will ensure that you have a copy of your data in case something goes wrong during the update process. \n\n# Vulnerabilities\nIf you find any vulnerability within the project, you are welcome to drop us a private message to: security@passwordcockpit.com. Thanks!\n\n# Contribute\n[`Here`](https://github.com/passwordcockpit/passwordcockpit/blob/master/develop/README.md) you can find the steps to prepare the development environment.\n\n# Screenshots\n## Passwords manager\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/passwordcockpit/passwordcockpit/master/assets/passwordcockpit-screenshot-1.jpg\" width=\"600\" alt=\"Password manager screenshot \"\u003e\u003c/p\u003e\n\n## Users manager\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/passwordcockpit/passwordcockpit/master/assets/passwordcockpit-screenshot-2.jpg\" width=\"600\" alt=\"User manager screenshot\"\u003e\u003c/p\u003e\n\n## Mobile design\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/passwordcockpit/passwordcockpit/master/assets/passwordcockpit-screenshot-3.jpg\" width=\"300\" alt=\"Mobile design screenshot\"\u003e\u003c/p\u003e\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpasswordcockpit%2Fpasswordcockpit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpasswordcockpit%2Fpasswordcockpit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpasswordcockpit%2Fpasswordcockpit/lists"}