linuxserver · wsmlby · May 14, 2026 · May 14, 2026 · May 14, 2026 · May 14, 2026
diff --git a/readme-vars.yml b/readme-vars.yml
@@ -31,6 +31,8 @@ param_usage_include_env: true
 param_env_vars:
   - {env_var: "WEBUI_PORT", env_value: "8080", desc: "for changing the port of the web UI, see below for explanation"}
   - {env_var: "TORRENTING_PORT", env_value: "6881", desc: "for changing the port of tcp/udp connection, see below for explanation"}
+opt_param_env_vars:
+  - {env_var: "WEBUI_PASSWORD", env_value: "yourpassword", desc: "set a persistent WebUI password for the admin user at startup"}
 opt_param_usage_include_vols: true
 opt_param_volumes:
   - {vol_path: "/downloads", vol_host_path: "/path/to/downloads", desc: "Location of downloads on disk."}
@@ -58,6 +60,15 @@ app_setup_block: |
   A bittorrent client can be an active or a passive node. Running your client as an active node has the advantage of being able to connect to both active and passive peers, and can potentially increase the number of incoming connections. This requires an open port on the host machine which might differ from container's internal one.
 
   Similarly to the WEBUI_PORT, to set the port to 6887 you need to pass -p 6887:6887, -p 6887:6887/udp and -e TORRENTING_PORT=6887 arguments to Docker.
+
+  ### WEBUI_PASSWORD variable
+
+  You can set a persistent WebUI password at container startup by passing `-e WEBUI_PASSWORD=yourpassword`. This will configure the `admin` user's password on every container start, overriding both the auto-generated temporary password and any password previously set via the web UI.
+
+  If `WEBUI_PASSWORD` is not set, the default qBittorrent behaviour applies: a temporary password is printed to the container log on each startup until you set a password through the web UI.
+
+  >[!NOTE]
+  >Like all Docker environment variables, `WEBUI_PASSWORD` is visible to anyone with access to the container's configuration (e.g. via `docker inspect`). For sensitive deployments, use Docker secrets with the `FILE__WEBUI_PASSWORD` mechanism described below.
 # init diagram
 init_diagram: |
   "qbittorrent:latest": {

diff --git a/root/etc/s6-overlay/s6-rc.d/init-qbittorrent-config/run b/root/etc/s6-overlay/s6-rc.d/init-qbittorrent-config/run
@@ -9,6 +9,22 @@ if [[ ! -f /config/qBittorrent/qBittorrent.conf ]]; then
     cp /defaults/qBittorrent.conf /config/qBittorrent/qBittorrent.conf
 fi
 
+# set WebUI password from environment variable if provided
+if [[ -n ${WEBUI_PASSWORD} ]]; then
+    HASH=$(printf '%s' "${WEBUI_PASSWORD}" | python3 -c "
+import hashlib, os, base64, sys
+password = sys.stdin.read().encode('utf-8')
+salt = os.urandom(16)
+dk = hashlib.pbkdf2_hmac('sha512', password, salt, 100000)
+print('@ByteArray(' + base64.b64encode(salt).decode() + ':' + base64.b64encode(dk).decode() + ')', end='')
+")
+    if grep -qF 'WebUI\Password_PBKDF2=' /config/qBittorrent/qBittorrent.conf; then
+        sed -i "s|^WebUI\\\\Password_PBKDF2=.*|WebUI\\\\Password_PBKDF2=${HASH}|" /config/qBittorrent/qBittorrent.conf
+    else
+        printf 'WebUI\\Password_PBKDF2=%s\n' "${HASH}" >> /config/qBittorrent/qBittorrent.conf
+    fi
+fi
+
 if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
     # chown download directory if currently not set to abc
     if grep -qe ' /downloads ' /proc/mounts; then