Passbolt

Categories: security, small business

Open-source team password manager built on OpenPGP end-to-end encryption. Share credentials with granular permissions, audit every access, and keep private keys on user devices. The Community edition is free with unlimited users.

#passwords #teams #security #pgp #self-hosted #collaboration

Quick Start

curl -LO https://download.passbolt.com/ce/docker/docker-compose-ce.yaml &&
curl -LO https://github.com/passbolt/passbolt_docker/releases/latest/download/docker-compose-ce-SHA512SUM.txt &&
sha512sum -c docker-compose-ce-SHA512SUM.txt &&
docker compose -f docker-compose-ce.yaml up -d

Overview

Passbolt is an open-source password manager built specifically for teams. Where tools like Vaultwarden focus on individual vault management using the Bitwarden protocol, Passbolt is designed from the ground up for credential sharing and collaboration — with an encryption model that makes the architecture itself the security guarantee.

Every secret is encrypted with the recipient’s OpenPGP public key before it leaves the browser. The Passbolt server stores only ciphertext; it cannot read the passwords it holds. Private keys are generated on the user’s device and never transmitted to the server. This means that a compromised server does not expose your credentials, and Passbolt the company cannot decrypt your data even if compelled to.

Sharing is the core workflow. You can share a single credential or an entire folder with a user or group, with read or write permissions. When you share a secret, Passbolt re-encrypts it with the recipient’s public key so only they can decrypt it. Revoking access cryptographically removes their ability to decrypt future versions. For teams managing shared infrastructure, client accounts, or service credentials, this is a meaningfully different model from a shared vault with a single master password.

The Community edition is free with unlimited users and covers the core use cases: password management, folder sharing, browser autofill, mobile apps, MFA, role-based access control, and the open API. The Business plan adds LDAP and Active Directory provisioning, SSO with Microsoft, Google, and OpenID, full activity audit logs, and support. At $4.90 per user per month with a 10-user minimum, it targets organisations with compliance requirements or directory infrastructure.

The API and CLI are first-class. Passbolt is designed to be queried programmatically, which makes it practical for DevOps use: scripts can retrieve credentials at runtime, rotate secrets via the API, and the Ansible lookup plugin allows playbooks to pull secrets directly from Passbolt without hardcoding them in inventory files.

Passbolt: Pros & Cons

Pros (The Wins):

- OpenPGP E2E encryption: Server stores only ciphertext; private keys never leave devices.
- Free unlimited users: Community edition has no per-seat fee on self-hosted.
- Granular team sharing: Share credentials with read/write permissions per user or group.
- Independently audited: Multiple third-party audits per year; used by governments and enterprises.

Cons (The Friction):

- Paid for SSO and LDAP: Business plan ($4.90/user/month, 10 user min) for enterprise features.
- Email server required: User invites and account recovery depend on working SMTP.
- Not Bitwarden-compatible: Requires Passbolt extensions, not existing Bitwarden clients.
- PGP key onboarding: Private key setup is less familiar than a standard master password.

Use Cases

Specific ways to use Passbolt for your workflow.

1. Give a team shared access to infrastructure credentials without emailing passwords or using a shared spreadsheet.
2. Enforce granular access control so developers get database passwords but not billing credentials.
3. Audit which team member accessed which credential and when, for security reviews or compliance purposes.
4. Integrate secret retrieval into CI/CD pipelines via the Passbolt API and CLI.

Deployment Strategy

Recommended ways to host Passbolt in your own environment.

docker, self-hosted