Installing from APT repositories


3.3.2. Installing from APT repositories#

The LinOTP components are available via apt repositories to install the server on Debian.


If you own an active support and subscription license, you will have received instructions to additional install options including access to our Smart Virtual Appliance, that includes all required repositories, packages and a preconfigured FreeRADIUS server.

Debian Buster#

The public community repository is availble on


Only a minimal OS installation is required to install LinOTP.

Download the repository’s public key and store it in the APT trust database:

$ curl | \
sudo tee /etc/apt/trusted.gpg.d/linotp-archive-current.asc

Add the repository to your APT setup:

$ echo 'deb buster linotp' | \
sudo tee /etc/apt/sources.list.d/linotp.list


Feel free to use https://… since the repository is also available via HTTPS.

Install the Apache web server and MariaDB database (other database servers, as well as external databases, may be used but that requires additional configuration):

$ sudo apt-get update
$ sudo apt-get install apache2 mariadb-server
$ sudo mysql_secure_installation

Next install LinOTP and the keyring package:

$ sudo apt-get install linotp-archive-keyring linotp

Use the linotp CLI to add your first admin-user for /manage:

$ linotp local-admins add <username>
$ linotp local-admins password <username>

For details about the new administration of administrators introduced with LinOTP3 see Logins for administrative interfaces

Some configuration screens will pop up, when installing the LinOTP package. This configuration will take care of creating the logging directory /var/log/linotp, setting up the webserver, configureing the Database, and generating an encryption key at /etc/linotp/encKey.

If you install the database after LinOTP or if you would like to change the used database type you can reinitialize the setup procedure with:

$ sudo dpkg-reconfigure linotp


During reconfiguration you are asked, if you want to create a new encryption key. If you do so, you will not be able to read your old data in the token database. But the encryption key is backed up to /etc/linotp2/encKey.old.