Open-source password manager built for team collaboration
Passbolt is an open-source, self-hostable password manager from Luxembourg designed for teams and organizations that need to share credentials securely.
Headquarters: Luxembourg City, Luxembourg
Founded: 2016
EU Data Hosting: Yes
Employees: 11-50
Open Source: Yes
Pricing: Free; €49/mo; Pay-as-you-go; Contact Sales (billing: monthly, annual)
When a team needs to share passwords — server credentials, API keys, service accounts, shared inboxes — the usual approach is one of three things: a spreadsheet (catastrophically insecure), a shared note in Slack (marginally better), or a commercial password manager like 1Password or LastPass (better, but your credentials live on someone else's servers, under someone else's jurisdiction).
Passbolt exists for teams that find none of those options acceptable. Built in Luxembourg by a small, focused team, Passbolt is an open-source password manager designed from day one for team credential sharing. Unlike 1Password (proprietary, Canadian) or LastPass (proprietary, American, breached in 2022), Passbolt publishes its entire codebase under the AGPL licence, supports self-hosted deployment on your own infrastructure, and uses OpenPGP end-to-end encryption where the server never sees plaintext passwords.
Founded in 2016, Passbolt is not trying to be the password manager for everyone. It has no consumer plan. The mobile apps are limited. The interface is functional rather than beautiful. But for teams and organisations that need to share credentials securely — and need to prove, audit, and control exactly how those credentials are stored — Passbolt occupies a space that no commercial alternative can match.
The comparison that matters is not Passbolt versus 1Password for individual use. It is Passbolt versus the alternatives when your compliance officer asks: "Where are our passwords stored, who can access them, and can we prove it?"
Passbolt's encryption model is its most important differentiator. Every user has an OpenPGP key pair generated on their device. When a password is shared, it is encrypted with the recipient's public key on the sender's device. The server stores only ciphertext — encrypted data that cannot be decrypted without the user's private key, which never leaves their device.
This is fundamentally different from the encryption model used by most commercial password managers, where the vendor's server handles key derivation and could theoretically be modified to intercept master passwords. With Passbolt, the server is cryptographically unable to access password contents, even if compromised.
Passbolt can be installed on your own Linux server, Docker environment, or Kubernetes cluster. The Community Edition is free for unlimited users and includes core password sharing with OpenPGP encryption. Self-hosting means your credentials never leave your network — they are stored in a database you control, on servers you manage, in a jurisdiction you choose.
For organisations in regulated industries — finance, healthcare, government, defence — self-hosting is not a preference; it is a requirement. Passbolt is one of the very few team password managers that genuinely supports this deployment model with a production-ready, well-documented installation process.
Passbolt's sharing model is built around users and groups with fine-grained permissions. Passwords can be shared with individuals or groups, with read-only or full-access permissions. Folder structures allow logical organisation by team, project, or system. The permission model supports the principle of least privilege: team members see only the credentials they need.
Activity logs track who accessed, created, modified, or shared every credential, providing an audit trail for compliance requirements. For organisations subject to SOC 2, ISO 27001, or sector-specific regulations, this auditability is essential.
Passbolt Pro and Enterprise editions synchronise with LDAP and Active Directory, automatically provisioning and deprovisioning users based on directory group membership. When someone leaves the organisation or changes teams, their Passbolt access is updated automatically. This eliminates the dangerous gap between HR offboarding and credential access revocation.
Beyond passwords, Passbolt supports storing and sharing TOTP (time-based one-time password) codes. Teams can share not just the password for a service but also the second-factor authentication code, all within the same encrypted sharing model. This is particularly useful for shared service accounts where multiple team members need to authenticate.
Passbolt's primary interface is a browser extension available for Chrome, Firefox, and Edge. The extension provides autofill, password generation, and quick search across the vault. A web application provides the full management interface for folders, groups, and administrative settings. The browser-centric approach means Passbolt works on any operating system with a supported browser, though it also means the experience outside the browser is limited.
Passbolt's pricing reflects its open-source roots and team focus.
The Community Edition is free for unlimited users when self-hosted. It includes core password sharing, OpenPGP encryption, user management, and the browser extension. For small teams with technical capability to self-host, this is a genuinely capable free option.
Pro (from EUR 49/month for the self-hosted licence) adds tags, folders, TOTP management, LDAP/AD integration, and advanced sharing features. This is the tier where Passbolt becomes practical for larger organisations with directory services and compliance requirements.
Cloud pricing is based on user count, with managed hosting in EU data centres. All Pro features are included. This is the option for teams that want Passbolt's security model without the overhead of self-hosting.
Enterprise is custom-priced and adds SSO (SAML, OIDC), account recovery, mobile apps, priority support, and SLA guarantees.
Compared to 1Password Business at $7.99/user/month, Passbolt's per-user cost can be lower for self-hosted deployments (Community Edition is free) or comparable for cloud deployments. The value proposition is not price — it is control.
Passbolt SA is incorporated in Luxembourg, one of the founding EU member states and home to major European institutions. The company operates under Luxembourg law and GDPR.
Self-hosted deployments place data entirely under the customer's control — there is no data processing by Passbolt at all. Cloud deployments use EU-based infrastructure. The OpenPGP encryption model means that even in cloud deployments, Passbolt cannot access the plaintext content of stored passwords.
For organisations preparing for NIS2 compliance, undergoing SOC 2 audits, or subject to sector-specific data protection regulations, Passbolt's combination of EU jurisdiction, open-source auditability, self-hosting capability, and end-to-end encryption provides a compliance posture that proprietary, US-based alternatives cannot replicate.
DevOps and engineering teams sharing server credentials, API keys, and service account passwords. The OpenPGP model and self-hosting capability align with security-first engineering cultures.
Regulated organisations — finance, healthcare, government — that need credential management with full audit trails, data sovereignty, and compliance-ready architecture.
European enterprises seeking a password manager headquartered in the EU with no US jurisdictional exposure and full GDPR compliance.
Open-source advocates who want to inspect, audit, and contribute to the security tools they depend on.
Passbolt is not for everyone. It has no consumer plan, the mobile experience is limited, and the self-hosted setup demands technical competence. But for what it is designed to do — secure team credential sharing with full data sovereignty and open-source transparency — Passbolt is the most credible option in the European market. The OpenPGP encryption model is genuinely stronger than what most competitors offer, the AGPL licence ensures permanent auditability, and the Luxembourg headquarters provide an EU legal foundation. If your organisation's threat model includes "what if our password manager's vendor is compromised or compelled to hand over data," Passbolt is the answer.
No. 1Password has a more polished interface, better mobile apps, and a smoother onboarding experience. Passbolt requires more technical setup (especially for self-hosting) and its browser-centric interface takes time to learn. The trade-off is greater security, transparency, and control. For teams with technical capability, the learning curve is manageable.
Yes. Passbolt supports importing credentials from LastPass (CSV export), 1Password, KeePass, and generic CSV files. The migration preserves passwords and basic metadata, though folder structures may need to be recreated. The process is well-documented in Passbolt's migration guides.
When a user is removed from Passbolt (manually or via LDAP/AD sync), their access to all shared passwords is immediately revoked. Their OpenPGP key is deactivated, and they can no longer decrypt any shared credentials. Activity logs retain a record of what the user had access to, which is important for compliance and for identifying which credentials should be rotated.
Yes. The Community Edition includes core password sharing, OpenPGP encryption, user management, and the browser extension. Many organisations run it in production for teams of all sizes. The main limitations compared to Pro are the absence of folders, tags, TOTP management, and LDAP integration — features that become important as team size grows.
Yes. Passbolt supports multi-factor authentication using TOTP and hardware security keys (FIDO2/WebAuthn). Users can register YubiKeys or other FIDO2-compatible keys for strong second-factor authentication when logging into the platform.