Configs · Apr 24, 2026 · 3 min read

Passbolt — Open-Source Team Password Manager

A self-hosted password manager built for teams, with end-to-end encryption powered by OpenPGP and browser extensions for seamless credential sharing.


Introduction

Passbolt is a password manager designed for team collaboration. Unlike consumer-grade vaults, it uses OpenPGP keys for end-to-end encryption so the server never sees plaintext credentials. The community edition is fully open source under AGPL.

What Passbolt Does

  • Stores and organizes passwords, notes, and TOTP tokens in encrypted vaults
  • Shares credentials between team members using asymmetric OpenPGP encryption
  • Integrates with browsers via official extensions for Chrome, Firefox, and Edge
  • Supports LDAP and SSO directory sync for onboarding users automatically
  • Provides a JSON API for scripting and CI/CD secret retrieval

Architecture Overview

The backend is a CakePHP application backed by MySQL or MariaDB. Every secret is encrypted client-side with the recipient's public GPG key before reaching the server. The browser extension and web app handle key management and decryption locally. An optional CLI written in Go lets DevOps teams interact with the vault from scripts and pipelines.
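A defender can spot-check the ciphertext-only property described above by parsing a stored secret and confirming it is an OpenPGP message addressed only to the expected recipient key. The following Python is an added example, not Passbolt code; it assumes secrets are stored as ASCII-armored OpenPGP messages, and the function names, key ID and sample packets are constructed for illustration.

```python
import base64

def dearmor(text):
    """Armored OpenPGP block -> raw packets (the "=" CRC-24 line is skipped, not verified)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]        # after the armor headers, before END
    return base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))

def packets(data):
    """Yield (tag, body) for each packet, header forms per RFC 4880 section 4.2."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                          # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                n = first
            elif first < 224:
                n, i = ((first - 192) << 8) + data[i] + 192, i + 1
            else:
                raise ValueError("5-octet and partial lengths are not handled here")
        else:                                   # old-format header
            tag, width = (hdr >> 2) & 0x0F, (1 << (hdr & 3)) % 8   # 0 = indeterminate
            n = int.from_bytes(data[i:i + width], "big") if width else len(data) - i
            i += width
        yield tag, data[i:i + n]
        i += n

def audit_secret(blob, expected_key_id):
    """True only if blob is OpenPGP ciphertext addressed solely to expected_key_id."""
    try:
        pkts = list(packets(dearmor(blob)))
    except (ValueError, IndexError):            # plaintext or corrupt value in the store
        return False
    tags = [t for t, _ in pkts]
    recipients = {b[1:9].hex().upper() for t, b in pkts if t == 1}  # PKESK v3 key IDs
    # Session-key packets (tag 1) followed by exactly one encrypted data packet (9 or 18).
    encrypted = tags and tags[-1] in (9, 18) and set(tags[:-1]) <= {1}
    return bool(encrypted) and recipients == {expected_key_id.upper()}

def armor(raw):                                 # wraps the constructed packets below
    return "-----BEGIN PGP MESSAGE-----\n\n%s\n-----END PGP MESSAGE-----" % base64.b64encode(raw).decode()
KEY_ID = "0123456789ABCDEF"                     # constructed key ID, not a real key
PKESK = bytes([0xC1, 13, 3]) + bytes.fromhex(KEY_ID) + b"\x01\x00\x08\xaa"
GOOD = armor(PKESK + bytes([0xD2, 17, 1]) + bytes(16))               # PKESK + encrypted data
LEAKY = armor(bytes([0xCB, 13]) + b"b\x00" + bytes(4) + b"hunter2")  # literal data only
```

The check inspects packet structure only; it does not decrypt anything or verify the armor checksum.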

Self-Hosting & Configuration

  • Deploy with Docker Compose or install directly on Ubuntu/Debian with the official package
  • Generate a server GPG key pair during initial setup
  • Configure SMTP for email-based account recovery and notifications
  • Enable HTTPS via a reverse proxy or the built-in Let's Encrypt helper
  • Integrate with LDAP or Azure AD for centralized user provisioning

Key Features

  • True end-to-end encryption using OpenPGP — the server stores only ciphertext
  • Granular folder and group-based sharing with role permissions
  • Browser extensions with autofill and password generator
  • Mobile apps for iOS and Android with biometric unlock
  • Audit log tracking who accessed or modified each credential

Comparison with Similar Tools

  • Bitwarden / Vaultwarden — broader consumer feature set but uses symmetric AES, not per-user asymmetric keys
  • 1Password — commercial SaaS with polished UX, no self-hosted community edition
  • KeePassXC — offline vault, no built-in sharing or team features
  • HashiCorp Vault — infrastructure secrets engine, not a user-facing password manager
  • Teampass — PHP-based team vault, older UI and less active development

FAQ

Q: What happens if a team member loses their private key?
A: An account recovery mechanism allows admins to re-encrypt shared passwords for the user after identity verification. The process is documented in the admin guide.

Q: Can I migrate from Bitwarden or KeePass?
A: Yes. Passbolt supports CSV and KDBX import, and community scripts exist for Bitwarden JSON exports.

Q: Is the Community Edition production-ready?
A: Yes. CE includes the full vault, sharing, browser extensions, and API. The Pro and Cloud editions add LDAP sync, SSO, tags, and premium support.

Q: How is Passbolt audited?
A: Passbolt commissions regular third-party security audits. Reports are published on the project's security page.
