Passwork

What Is Passwork?

The enterprise password management market splits into two camps. Cloud-hosted solutions like 1Password and LastPass trade convenience for control — credentials live on someone else's servers, encrypted but ultimately dependent on the vendor's infrastructure choices. Self-hosted solutions flip that equation: more operational burden, but absolute certainty about where credentials reside.

Passwork has occupied the self-hosted camp since 2014. Headquartered in Barcelona under the legal entity Passwork Europe S.L., the company builds a corporate password and secrets manager that installs on the customer's own servers. Nothing leaves the organisation's perimeter. The source code is auditable for enterprise licence holders, meaning security teams can verify the encryption implementation rather than trusting a vendor's claims.

The platform has evolved beyond basic password storage into a full secrets management solution. REST API, Python SDK, CLI tools, and Docker containers give DevOps teams programmatic access to credentials. Kubernetes secrets integration allows automated credential injection into container orchestration workflows. With a globally distributed team of 95 people, Passwork serves enterprises across Europe that treat credential management as critical infrastructure rather than a convenience tool.

Key Features

True Self-Hosted Deployment

Passwork runs on the customer's own servers with no cloud dependency whatsoever. Installation supports Linux and Windows, with or without Docker. Clustered deployment configurations use multiple application servers and MongoDB replica sets for high availability. This architecture means credentials never traverse the public internet, never sit on a third-party cloud, and never leave the organisation's physical or virtual perimeter. For organisations in defence, government, or critical infrastructure, this is not a preference — it is a requirement.

Double-Layer AES-256 Encryption

Credentials are encrypted twice: once at the server level and once at the client level. Even an attacker with full server access would face a second encryption layer they cannot bypass without client-side keys. The zero-knowledge architecture ensures that Passwork's own team, even during support sessions, cannot decrypt stored credentials. This double-layer approach exceeds what most cloud-hosted competitors offer.

Auditable Source Code

Enterprise licence holders receive access to Passwork's source code for internal security review. Compliance teams and external auditors can inspect the encryption implementation, key management, and data handling logic directly. This removes the "trust us" dynamic that frustrates security teams evaluating cloud-hosted alternatives. For organisations completing SOC 2 audits or ISO 27001 certifications of their own, auditable vendor code simplifies the supply chain risk assessment.

DevOps and Secrets Management

Passwork version 7 expanded significantly into secrets management territory. The REST API covers user management, system settings, and vault operations. Python connectors and Docker containers enable credential automation in CI/CD pipelines. Kubernetes secrets integration creates cluster secrets directly from Passwork vaults, keeping sensitive credentials out of Git repositories and environment variables. An AI explanation layer added in recent versions helps teams document and categorise stored secrets automatically.

Enterprise Directory Integration

LDAP, Active Directory, Azure AD, and SAML SSO integration connects Passwork to existing identity infrastructure. LDAP group mapping synchronises access groups directly with directory security groups, so permission changes propagate automatically. This eliminates the manual access management overhead that plagues standalone password tools in large organisations.

Pricing

Passwork's pricing reflects its enterprise positioning. The Standard licence starts at EUR 3 per user per month on annual billing, covering core password management features including vaults, browser extensions, mobile apps, and basic audit logging.

Advanced and Enterprise licences are custom-priced and add SSO, SAML, LDAP group mapping, clustered deployment, Kubernetes integration, and auditable source code. Optional maintenance renewals offer up to 50% discount on annual renewals after the initial subscription period.

The self-hosted model means organisations also bear infrastructure costs — server hardware or virtual machines, MongoDB database hosting, and IT staff time for deployment and maintenance. For a 100-person team, the total cost of ownership sits higher than cloud-hosted alternatives, but the security and compliance value proposition justifies that premium for the target market.

EU Compliance & Privacy

Passwork's compliance story is architecturally airtight. Because the software runs entirely on the customer's own infrastructure, data never leaves the organisation's jurisdiction. There are no Standard Contractual Clauses to negotiate, no data processing agreements to audit, and no Schrems II transfer impact assessments to complete. The credentials are where you put them, full stop.

The company itself operates as Passwork Europe S.L. under Spanish and EU law. ISO/IEC 27001 certification and NIS2 alignment provide framework-level compliance. ENS (Spain's National Security Framework) compliance adds a sector-specific certification relevant for Spanish public sector deployments.

For organisations that need to prove to regulators that credentials never leave EU soil, self-hosting is the strongest possible position.

Who It's Best For

Security-conscious enterprises in defence, government, critical infrastructure, or financial services where credentials must remain on controlled infrastructure with no third-party access.

DevOps and platform engineering teams managing secrets across Kubernetes clusters, Docker containers, and CI/CD pipelines. The REST API, Python SDK, and native Kubernetes integration make Passwork a credential backend for automated workflows.

Compliance teams preparing for audits who need to inspect vendor source code rather than accept security claims at face value. Auditable source access simplifies supply chain risk assessments.

Large organisations with Active Directory infrastructure that want password management to integrate with existing directory services via LDAP and SAML SSO.

The Verdict

Passwork is purpose-built for organisations that consider credential storage a security-critical function rather than a productivity feature. The self-hosted architecture, auditable source code, and DevOps integration set it apart from cloud-hosted competitors. The trade-offs are honest: deployment requires IT resources, the user experience lacks the polish of consumer-grade tools, and documentation could be stronger. For security-first teams that accept those trade-offs, Passwork delivers control that no cloud-hosted alternative can match.

Frequently Asked Questions

Is Passwork GDPR compliant?

Yes. Passwork is self-hosted, so all credential data stays on the customer's own servers within their chosen jurisdiction. The company operates as Passwork Europe S.L. under Spanish and EU law, with ISO/IEC 27001 certification.

Can I review Passwork's source code?

Yes. Enterprise licence holders receive access to auditable source code for internal security review, allowing compliance and security teams to verify the encryption implementation and data handling independently.

How does Passwork compare to 1Password?

Passwork is entirely self-hosted with zero cloud dependency, giving full infrastructure control. 1Password offers a polished cloud experience with broader consumer features. Passwork's DevOps integrations (Kubernetes, REST API, Docker) and auditable source code differentiate it for engineering-focused organisations.

Does Passwork work with Kubernetes?

Yes. Passwork integrates with Kubernetes for automated secrets management. Teams can create Kubernetes secrets from Passwork vaults and automate credential injection into CI/CD pipelines via the REST API, Python SDK, or Docker containers.

What are the server requirements for Passwork?

Passwork runs on PHP and MongoDB, installable on Linux or Windows with or without Docker. Clustered deployments support high availability through multiple application servers and MongoDB replica sets. A modest server with 2 CPU cores and 4GB RAM handles teams up to 200 users.