Passbolt
Luxembourg-based open source password manager for teams with GPG encryption and self-hosting options - built for collaboration
Quick Overview
| Company | Passbolt SA |
|---|---|
| Category | Password Manager (Team-focused) |
| Headquarters | Luxembourg City, Luxembourg |
| EU Presence | Yes - Luxembourg (EU) |
| Data Centers | EU (self-host option available) |
| Open Source | Yes (AGPL v3) |
| GDPR Compliant | Yes |
| End-to-End Encryption | Yes (GPG/OpenPGP) |
| Main Features | GPG encryption, team sharing, role-based access, self-hosting, API access, audit logs |
| Pricing | Free (Community) / From 4/user/month (Pro) |
| Best For | Teams and organizations needing collaborative password management with self-hosting options |
| Replaces | LastPass Business, 1Password Teams, Dashlane Business |
Detailed Review
Passbolt is an open source password manager designed specifically for team collaboration. Founded in Luxembourg in 2016, Passbolt addresses a gap in the market for a truly open, auditable password management solution that organizations can self-host while maintaining enterprise-grade security. Unlike consumer-focused password managers that added team features as an afterthought, Passbolt was built from the ground up for collaborative credential management.
EU Jurisdiction and Data Sovereignty
Headquartered in Luxembourg, Passbolt operates under the strict data protection framework of the European Union. Luxembourg's position as a financial hub has led to particularly robust privacy and security regulations. As an EU company, Passbolt is directly subject to GDPR, providing users with strong rights over their data and holding the company to high standards of data protection.
More importantly, Passbolt's self-hosting option allows organizations to maintain complete data sovereignty. By running Passbolt on your own infrastructure, your credentials never leave your control. This is particularly valuable for organizations in regulated industries, government agencies, and any entity concerned about third-party access to sensitive credentials.
GPG-Based End-to-End Encryption
Passbolt uses OpenPGP (GPG) for its end-to-end encryption, a battle-tested cryptographic standard that has been securing sensitive communications for decades. Each user has a GPG key pair, and passwords are encrypted specifically for the users who need access. This means that even administrators and Passbolt itself cannot decrypt your passwords.
The GPG approach has significant advantages for team collaboration. When you share a password with colleagues, it's encrypted individually for each authorized user's public key. This creates a true zero-knowledge architecture where the server only stores encrypted data. The cryptographic implementation has been audited by independent security researchers, with reports publicly available.
Team-First Design Philosophy
Unlike password managers that were designed for individuals and retrofitted for teams, Passbolt was built for collaboration from day one. The interface emphasizes sharing workflows, with intuitive controls for granting and revoking access. Groups can be created to manage permissions efficiently, and role-based access control ensures users only see credentials they need.
The folder structure supports organizing passwords by department, project, or any organizational scheme that makes sense for your team. Comments allow team members to add context to credentials, and the activity log tracks all changes for accountability. These features make Passbolt particularly suited for IT teams managing shared infrastructure credentials.
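The two sections above describe the same mechanism from two angles: a password is encrypted separately for each authorized user's public key, so the server holds only ciphertext, and "sharing" or "revoking" is a change to that per-user set. The following is an added model of that architecture, written for this review; it is not Passbolt's code and does not use OpenPGP. The key pairs, key derivation and cipher are stand-ins (finite-field Diffie-Hellman, SHA-256 and HMAC from the Python standard library, constructed here so the example runs offline), and the `User`, `Server` and `share` names, the users alice, bob and carol and the resource `prod-db` are all invented for the illustration.

```python
"""Toy model of per-recipient secret sharing (added example, not Passbolt code).

Stand-in cryptography, NOT OpenPGP: finite-field Diffie-Hellman key pairs,
SHA-256 as KDF, a SHA-256 counter keystream as the cipher and HMAC-SHA256 as
the authenticator. Only the structure is the point: each resource is stored
as one ciphertext per authorized user, and the server never holds a key.
"""
import hashlib
import hmac
import secrets

# 2048-bit modulus, intended to be the RFC 3526 group 14 prime (generator 2).
# The shared-secret math below holds for any odd modulus, so a transcription
# slip would not break the example, but never copy this into real code.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def _kdf(shared, purpose):
    """Derive a 32-byte key from the DH shared secret for one purpose."""
    return hashlib.sha256(str(shared).encode() + b"|" + purpose).digest()


def _keystream(key, n):
    """n bytes of SHA-256 counter keystream (stand-in for a real cipher)."""
    out = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                   for i in range((n + 31) // 32))
    return out[:n]


class User:
    """One team member with a long-term key pair (the role a GPG key plays)."""

    def __init__(self, name):
        self.name = name
        self._priv = secrets.randbelow(P - 2) + 2   # stays on the client
        self.pub = pow(G, self._priv, P)

    def decrypt(self, blob):
        """Recover the plaintext; fails if the blob was not made for this key."""
        shared = pow(blob["eph_pub"], self._priv, P)
        expect = hmac.new(_kdf(shared, b"mac"), blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expect, blob["tag"]):
            raise ValueError("integrity check failed: wrong recipient key")
        stream = _keystream(_kdf(shared, b"enc"), len(blob["ct"]))
        return bytes(a ^ b for a, b in zip(blob["ct"], stream))


def encrypt_for(recipient_pub, plaintext):
    """Encrypt plaintext so only the holder of recipient_pub's private key can read it."""
    eph = secrets.randbelow(P - 2) + 2
    shared = pow(recipient_pub, eph, P)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(_kdf(shared, b"enc"), len(plaintext))))
    tag = hmac.new(_kdf(shared, b"mac"), ct, hashlib.sha256).digest()
    return {"eph_pub": pow(G, eph, P), "ct": ct, "tag": tag}


class Server:
    """Zero-knowledge store: resource_id -> {user_name: ciphertext}. No keys here."""

    def __init__(self):
        self.store = {}

    def create(self, owner, resource_id, password):
        self.store[resource_id] = {owner.name: encrypt_for(owner.pub, password)}

    def fetch(self, resource_id, user_name):
        return self.store[resource_id].get(user_name)

    def put(self, resource_id, user_name, blob):
        self.store[resource_id][user_name] = blob

    def revoke(self, resource_id, user_name):
        # Removes the copy; it cannot un-reveal what the user already read.
        self.store[resource_id].pop(user_name, None)


def share(server, resource_id, sharer, *recipients):
    """Runs on the sharer's client: only a holder of a valid private key can
    re-encrypt for new recipients (one copy per member when sharing with a group)."""
    plaintext = sharer.decrypt(server.fetch(resource_id, sharer.name))
    for r in recipients:
        server.put(resource_id, r.name, encrypt_for(r.pub, plaintext))


def can_decrypt(user, blob):
    """True if user's key opens blob; False instead of raising, for checks."""
    try:
        user.decrypt(blob)
        return True
    except ValueError:
        return False


def demo():
    alice, bob, carol = User("alice"), User("bob"), User("carol")
    srv = Server()
    srv.create(alice, "prod-db", b"correct horse battery staple")
    share(srv, "prod-db", alice, bob)
    results = {
        "bob_reads": bob.decrypt(srv.fetch("prod-db", "bob")),
        "carol_opens_bobs_copy": can_decrypt(carol, srv.fetch("prod-db", "bob")),
        "carol_has_copy": srv.fetch("prod-db", "carol") is not None,
    }
    srv.revoke("prod-db", "bob")
    results["bob_after_revoke"] = srv.fetch("prod-db", "bob")
    return results


if __name__ == "__main__":
    print(demo())
```

Two things the model makes visible that the prose only implies. First, `share` needs the sharer's private key, so the server cannot quietly add a recipient on its own; that is what "zero-knowledge" buys you here. Second, `revoke` only deletes the server-side copy; a user who has already read the password still knows it, so revoking access to a credential should be paired with rotating it at the target system.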
Fully Open Source
Passbolt is released under the AGPL v3 license, making it one of the most transparent password managers available. The complete source code for the server, browser extensions, and mobile apps is available on GitHub. This allows organizations to audit the code, verify security claims, and even contribute improvements back to the project.
The Community Edition provides full core functionality for free, making it accessible to organizations of any size. The Pro and Cloud editions add enterprise features like LDAP/AD integration, multi-factor authentication options, and priority support, but the fundamental security architecture is identical across all editions.
Self-Hosting and Deployment Options
Passbolt offers flexible deployment options to suit different organizational needs. Self-hosting is supported on Linux distributions with comprehensive documentation for manual installation, Docker, and Kubernetes deployments. This allows complete control over your password data, infrastructure, and update schedule.
For organizations that prefer managed infrastructure, Passbolt Cloud provides a hosted solution within EU data centers. This offers the convenience of SaaS while maintaining European data residency. The cloud version includes automatic updates, backups, and professional support.
API and Automation
Passbolt provides a comprehensive REST API that enables integration with other tools and automation of credential management tasks. DevOps teams can programmatically retrieve credentials for CI/CD pipelines, infrastructure provisioning, and automated testing. This is crucial for modern infrastructure-as-code workflows.
The CLI tool allows command-line access to passwords, making it easy to integrate Passbolt into scripts and automation. Webhooks can notify external systems of credential changes, enabling custom integrations and the forwarding of audit events to external logging systems.
Enterprise Features
The Pro and Cloud editions include enterprise features essential for larger organizations. LDAP and Active Directory integration allows centralized user management with automatic provisioning and deprovisioning. Multi-factor authentication supports TOTP, Duo, and YubiKey for additional security layers.
Advanced audit logging tracks all credential access and changes, supporting compliance requirements. Tags provide flexible organization beyond folders. Account recovery features help manage situations where users lose access to their GPG keys. These features make Passbolt suitable for organizations with sophisticated security and compliance requirements.
Limitations to Consider
Passbolt's team-focused design means it's less suitable for individual use compared to consumer password managers. The GPG-based encryption, while robust, has a steeper learning curve for non-technical users. Mobile apps exist but are less mature than the web and browser extension interfaces.
Self-hosting requires technical expertise and ongoing maintenance. Organizations without dedicated IT resources may prefer the Cloud option or a simpler managed solution. Browser extension autofill, while improving, is not as seamless as some consumer-focused alternatives.
Who Should Use Passbolt
Passbolt is ideal for development teams, IT departments, and organizations that need to securely share credentials among multiple users. Companies concerned about data sovereignty will appreciate the self-hosting option and EU headquarters. Open source advocates will value the transparent, auditable codebase. Organizations in regulated industries can leverage the audit logging and compliance features. If you need a password manager designed for teams rather than adapted for teams, Passbolt is an excellent European choice.
Alternatives to Passbolt
Looking for other European password managers? Here are some alternatives worth considering:
Frequently Asked Questions
While you can use Passbolt individually, it's specifically designed for team collaboration. Individual users may find consumer-focused password managers like Proton Pass or Bitwarden more suitable, as they offer features better tailored to personal use like browser autofill and simpler setup.
GPG (OpenPGP) uses asymmetric encryption with public/private key pairs. Each user has their own key pair, and passwords are encrypted specifically for authorized users' public keys. This allows secure sharing without ever transmitting decrypted passwords. GPG has been used and audited for decades, providing battle-tested security.
Yes, self-hosting is one of Passbolt's key features. The Community Edition is completely free and includes full functionality. Installation is supported via manual setup on Linux, Docker containers, and Kubernetes. Complete documentation guides you through the setup process.
Community Edition is free and includes all core password management features. Pro Edition adds enterprise features like LDAP integration, MFA options, tags, and account recovery. Cloud is the hosted version with Pro features included, maintained by Passbolt in EU data centers. All editions share the same security architecture.
Yes, the Pro and Cloud editions include LDAP and Active Directory integration. This allows centralized user management with automatic provisioning when users are added to AD groups and deprovisioning when they're removed. This significantly simplifies user lifecycle management in enterprise environments.
Yes, Passbolt is GDPR compliant. As a Luxembourg company, it's directly subject to EU data protection regulations. The end-to-end encryption means Passbolt cannot access your password data even if requested. Self-hosting further enhances compliance by keeping all data within your own infrastructure.
Yes, Passbolt provides a comprehensive REST API and CLI tool for automation. DevOps teams can programmatically retrieve credentials for CI/CD pipelines, infrastructure provisioning, and automated testing. This enables secure credential management in modern infrastructure-as-code workflows.
The Pro and Cloud editions include account recovery features to handle this situation. Administrators can initiate a recovery process that allows users to regain access. The Community Edition requires generating a new key pair and having credentials re-shared, so backing up keys is important.