Host Your Own Padloc Instance
As a cloud-based password manager, Padloc allows you to access your data anywhere, anytime, be it from our desktop client, our Android or iOS app or directly through the browser. While our online-first approach brings a lot of advantages like convenience, portability and reduced risk of data loss, it also comes with potential security and privacy implications.
As custodians of your most sensitive and private data, we recognise the immense responsibility that comes with this, and Padloc is built from the ground up with a focus on security, privacy and transparency. In fact, Padloc is designed in a way that not even we can access any of your secrets, even if we wanted to!
Nevertheless, we know that for many people storing their data - encrypted or not - on a server they don’t control seems like a dangerous idea. We get it! That’s why we want to give people the option to run Padloc on their own terms, on a server they alone have access to! The following guide will show you how to deploy your own instance of the Padloc server and web app.
Although there are a couple of ways you can deploy your own Padloc instance, using Docker is definitely the easiest and most robust way. Don’t worry though, you won’t need any previous experience with Docker - setting it up is relatively easy and we’ll explain everything step-by-step. Before we get started, please make sure you…
- have a machine to run Padloc on (you can use your personal computer to test out some of the steps but you’ll need a server if you really want to use Padloc productively).
- have Docker and Docker Compose installed.
- have an SSL certificate or know how to get/make one.
- have a domain and know how to point it to your server.
Please note: While we are doing our best to make deploying your own Padloc instance as easy as possible, some technical knowledge will be required. Specifically, you’ll need to be somewhat comfortable with using the terminal and have at least a basic understanding of server technology and how to provision and manage a server.
To run the Padloc server and web app, we’ll be using the padloc/pwa docker images (PWA stands for Progressive Web App in case you’re wondering). Docker Compose will allow us to configure and deploy both services with a single command. First, we’ll have to add a little configuration though. Let’s get started by creating a Docker Compose configuration file.
Choose a directory where you’d like to store your configuration files. Then inside that directory, create a file named docker-compose.yml with the following contents:
This will tell Docker Compose to start the Padloc server and web app in two separate docker containers.
Let’s give it a whirl! Open your terminal and run:
Congratulations, you’re now running your very own Padloc server and web app!
They’re listening on ports
8080, respectively, which is the
By default, this will also create folders for the database files, attachments and web app code in the same directory you ran the command from. We’ll talk about how you can configure these things in a bit.
Go ahead and open
http://[your_ip_address]:8080 in your browser. You should
see the following (you may need to wait a minute until the PWA is built):
You’ll notice that the app is reporting that it is offline because it doesn’t know where to reach the Padloc server yet. Your browser will also report that the connection is not secure because we haven’t configured SSL yet. Let’s fix that!
Adding a Reverse Proxy
So you’ve successfully started your own Padloc server and web app, and they’re listening on their respective ports. Cool! In practice however, it’s never a good idea to expose these directly to the internet. We also haven’t set up SSL yet, which is crucial for securely hosting your own Padloc instance! Both of these problems can be solved by using a reverse proxy.
Let’s configure Docker Compose to serve your Padloc server and web app behind an NGINX container. First, we’ll need to make a few adjustments to our docker-compose.yml file:
We’ve added the nginx service which will listen on ports 80 and 443 (the ports used for http and https, respectively). We’ve also removed the ports directive for the server and pwa services which means they won’t be accessible from the outside anymore. Instead, we’ve added the expose directive which will make them accessible only to other services within the same docker network. The nginx service will take care of routing requests to the appropriate container.
Next, we’ll need to add a configuration file for the NGINX server. It should be named nginx.conf and be in the same directory as your docker-compose.yml file:
This file will tell NGINX to do the following:
- Redirect any request to the /server/ path to our server instance
- Redirect all other requests to the web app
- Serve all requests via https
- Redirect any http request to https
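One way to write an nginx.conf that does these four things, as an added example rather than the project's own file. It assumes the Compose services are named server and pwa, that the server listens on port 3000 (an assumed value) and the web app on 8080, and that the certificate and key are mounted into the NGINX container at the paths shown.

```nginx
# Added example, not the project's own nginx.conf.
# Assumptions: Compose services "server" (port 3000, assumed) and
# "pwa" (port 8080); certificate and key mounted at the paths below.
events {}

http {
    # Plain http: serve no content, only redirect to https.
    # The target host is fixed instead of echoing the Host header,
    # so a forged Host cannot steer the redirect elsewhere.
    server {
        listen 80;
        server_name padloc.my-server.com;
        return 301 https://padloc.my-server.com$request_uri;
    }

    server {
        listen 443 ssl;
        server_name padloc.my-server.com;

        ssl_certificate     /etc/nginx/certs/fullchain.pem;  # assumed mount point
        ssl_certificate_key /etc/nginx/certs/privkey.pem;    # assumed mount point
        ssl_protocols       TLSv1.2 TLSv1.3;                 # no legacy TLS/SSL

        # Tell browsers to refuse plain http for this host from now on.
        add_header Strict-Transport-Security "max-age=31536000" always;

        # Requests under /server/ go to the Padloc server. The trailing
        # slash on proxy_pass strips the /server/ prefix; this assumes the
        # server expects requests at its root.
        location /server/ {
            proxy_pass http://server:3000/;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto https;
        }

        # Everything else goes to the web app.
        location / {
            proxy_pass http://pwa:8080;
            proxy_set_header Host $host;
        }
    }
}
```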
Note that we’re assuming that you want to serve both server and web app from
the same domain, with the server available on the
/server/ path. If you want
to use different paths or serve the pwa and server from two different domains,
you’ll have to make the appropriate adjustments to the
nginx.conf file. For a
quick primer on how to configure NGINX, check out the NGINX beginners
Most aspects of the Padloc server and web app can be configured via environment variables.
Instead of setting these variables directly we’ll be using a feature in Docker
Compose that allows you to load them from a file. In the same directory as your
docker-compose.yml file, create a file named
.env. It should look
This file is pretty much self-documenting, but let’s go over the individual sections in a little more detail:
Server and Web App Location
PL_PWA_URL are the locations where you want to host your
padloc server and web app and will tell the server instance and web app where to
reach each other. Depending on which domains/paths you want to use for this
you may need to make a few changes to your
nginx.conf. The existing configuration
expects the PWA to be served on the root of your host and the server on the /server/
path on the same host. So for example let’s say the domain you want to host
Padloc on is
padloc.my-server.com, then your configuration should look as follows:
PL_PWA_PORT variables determine which ports the
Padloc server and web app will listen on. Note that this only applies if you’re
using the docker-compose.yml setup from the Basic Setup
section and have your own reverse proxy setup.
Docker containers and their file systems are ephemeral by nature, which means that any data that is supposed to persist needs to be mirrored to the host machine. Docker solves this with so-called volumes, which allow you to mount directories from the host machine into the docker container.
To make it easy for you, we’ve already added the necessary configuration to
docker-compose.yml from the Basic Setup section and
bound the directory paths to their respective environment variables. To change
the location where certain files are stored on the host machine, simply
change the appropriate value in your .env file.
||This is where the Padloc database files are stored.|
||This is where attachment files are stored (see Attachments).|
||This is where the
To learn more about data management in Docker, check out this link.
Padloc requires the ability to send emails for some functionality like verifying emails during signup, 2-Factor authentication and other things. To set up email sending you’ll need a working SMTP server, which can be provisioned from a number of providers, like Postmark or Sendgrid. If you have a Gmail account, you can also use Google’s SMTP server for free (with limitations). Or if you just want to test things locally, Mailcatcher is a great tool for faking an SMTP server for testing purposes.
Once you’ve set up your SMTP server of choice, fill out the
section of your config file with the appropriate values. Here is an example of
a configuration using the Gmail SMTP Server:
PL_EMAIL_SERVER=smtp.gmail.com
PL_EMAIL_USER=firstname.lastname@example.org
PL_EMAIL_PORT=465
PL_EMAIL_PASSWORD=ruby_bliel
PL_EMAIL_SECURE=true
To securely host your Padloc instance, you’ll need to configure it to be served via https. For this, you’ll need an SSL certificate. There are a couple of ways to obtain one, but for most use cases we strongly recommend Let’s Encrypt, which is free and very easy to set up.
Once you’ve obtained an SSL certificate to use with your Padloc instance, all you need to do is update the SSL SETTINGS section of the config file with the paths to your certificate and private key files. For example, if you used Let’s Encrypt to obtain a certificate on Linux, your config could look like this:
Deploying your Padloc Instance
That’s it! You should be all good to go now. Go ahead and start up your setup via Docker Compose again:
docker-compose up -d
The -d flag will tell Docker Compose to keep all services running in the background. Both the web app and server are now available publicly at the locations you’ve configured. To open the web app, simply open your browser and visit the URL you’ve specified in the PL_PWA_URL variable.
To stop everything, simply run the following from the same directory: