Passbolt is an open-source password manager designed for team use. It can be self-hosted on your own server, self-managed on rented server space, or fully hosted by Luxemburg developer Passbolt SA. In this in-depth Passbolt review, we will look at security, features, value for money and more.
- Audited 100% open source code
- End-to-end encryption
- Self-hosted or fully hosted
- Free Community Edition
- Autofill with browser add-ons
- Browser-based cryptography (but as strong as it gets)
- Fully hosted plans use Google and AWS servers
Passbolt Community Edition (CE) is free and open source software which you can self-host or install for yourself on a third-party server.
Fully hosted enterprise plans are also available which offer a range of additional features, plus email or phone support (free users are limited to support from the community forum).
Payments are made by card using the Stripe payment processor. Those wanting to try out the additional Enterprise features can sign-up for a demo. This is a fully functioning hosted Passbolt instance, but “data will be deleted periodically. Do not use it to store sensitive information.” Demo data lasted for a day when we tested it.
- Passwords sharing
- Self-hosted or hosted
- Users management
- Groups management
- Email notifications
- Chrome and Firefox browser add-ons
- Dark theme (premium only)
- 2FA (premium only)
- LADAP synchronized user directory (premium only)
Slack integration, audit logs, and mobile apps are all promised in the near future for premium users.
Passbolt supports two-factor authentication (2FA) via Time-based One-Time Password (TOTP), Yubikey, or Duo.
We are honestly a little perplexed by the huge popularity of dark themes, but here it is anyway.
Privacy and security
Passbolt SA is registered in Luxemburg and is therefore subject to GDPR and other EU data regulation. Luxemburg has no particular ties to the United States’ NSA-led Five Eyes spying alliance, but a 2013 spying scandal, which resulted in the Prime Minister resigning demonstrates that the country’s Service de Renseignement de l’État (SREL) spying agency is far from passive.
Probably more relevant is that Passbolt SA uses Google Cloud Platform and Amazon Web Services (AWS) to host fully hosted accounts, both of which can be reasonably assumed to be subject to extensive NSA-style surveillance. Passbolt uses end-to-end encryption, though, so this shouldn’t matter.
And, of course, you can self-host Passbolt anywhere – on hardware completely under your control, or on hardware rented from providers in any country you like.
It is worth noting that only passwords are encrypted at rest – not comments or the list of people you share a password with. That said, it is usually possible to encrypt data at the system level using full-disk encryption systems such as EncFS if this bothers you.
All code used by Passbolt is fully open-source. And although, as Passbolt itself says, “the code review work will never be done,” much of it has, in fact, been extensively reviewed and audited. Which is great.
Browser-based cryptography cannot be considered as secure as dedicated software client solutions, but Passbolt implementation of it is very strong.
Ease of use
Setup and installation
The easiest way to set up a Passbolt instance is let Passbolt SA do it for you. This costs money, however, removes complete control from your hands to Passbolt SA, and means hosting your data on US servers (albeit e2ee).
You can instead self-host an instance (Community Edition or Premium) on your own server hardware or on server space rented from a third-party provider. Step-by-step instructions are available for doing this on a variety of server platforms.
The Virtual Machine image didn’t work for us for some reason (quite possible our own fault), but the Ubuntu instructions were very clear and worked a charm. If you can cut-and-paste commands into a Terminal window then the installation is a breeze.
Support for Docker ensures you can install Passbolt on almost any platform, while US hosting company Digital Ocean pretty much automates the process for installing Passbolt on one of its “Droplets” for you.
Use as a team member
Once your Passbolt instance is set up then you can start sharing passwords among team members. When they receive an invitation to join, team members will be asked to download the Passbolt plugin for Firefox or Chrome. This is not optional, as Passbolt needs the browser add-on to validate key pairs.
Creating a new account is then just a case of following a few easy instructions.
Once done, team members can log in to the web portal. From here you can create new passwords to share them with other team members.
You can also create groups of team members and share passwords with whichever groups you like.
In addition to being a vital component in the PGP cryptography scheme, the browser add-ons let you easily autofill web logins. Suggested passwords are matched to the URL you are visiting or you can search or browse for the password you want.
You can even create new passwords on-the-fly.
One thing we like about the add-on’s approach to auto-filling passwords is that it must be manually invoked by clicking on its icon. This means that the team password manager works side-by-side with any personal password manager you might also use which auto-fills forms as soon as you visit a web page.
Passbolt does not autofill things like credit card details, which is entirely appropriate for software aimed at group use. By default, the team administrator will receive email notifications whenever a new password is created.
There is very little not to like about Passbolt. It is a very functional and highly audited open-source team password manager which you can self-host for maximum privacy, or let Passbolt SA do the hard work for you.
Premium features are quite limited at the moment, making the Community Edition a very attractive option for anyone with the fairly minimal technical chops required to set up an instance themselves. That said, the upcoming mobile apps, in particular, which will be available to Premium users only, may alter this equation.
Browser-based cryptography remains imperfect, but it is very convenient, and Passbolt has clearly gone to great lengths to ensure it is as good it gets.