Stars
Forks
Watchers
Developer links
Passbolt
Security-conscious IT departments pick Passbolt for its cryptography: every user holds an OpenPGP key pair, and shared credentials are encrypted individually to each recipient's public key - real end-to-end encryption, not a vault password handed around. All crypto runs client-side in the mandatory browser extension (distributed and signed through the Chrome and Firefox stores, deliberately separating the crypto code from the server that stores ciphertext); private keys and passphrases never touch your instance, and the server admin cannot read a single secret. Authentication uses the challenge-based GpgAuth protocol, secrets are digitally signed to verify sender integrity, and metadata encryption extends protection to resource names and URLs. Day to day it behaves like a polished commercial manager: auto-fill and auto-save in forms, strong password generation, anti-phishing protection, TOTP storage, folder hierarchies shared per-user or per-group with fine-grained permissions and instant cryptographic revocation. Native iOS, Android, and desktop apps ship alongside a JSON API, CLI, and SDKs for CI/CD secret retrieval and rotation. The PHP server runs on MariaDB and is AGPL-licensed open source - including the paid tiers' codebase - with published security audits.
Benefits
- The Server Can't Read Your Secrets
- All encryption happens client-side - your instance stores only ciphertext, unreadable even to admins.
- Sharing That's Actually Encrypted
- Each recipient gets a copy encrypted to their own public key, revocable at the cryptographic level.
- Built for Teams, Not Retrofitted
- Groups, folders, and fine-grained permissions were the design center, not an afterthought.
- Automation-Ready Secrets
- JSON API, CLI, and SDKs retrieve and rotate machine credentials in CI/CD pipelines.
Features
- OpenPGP Key Architecture
- Per-user key pairs with signed secrets and challenge-based GpgAuth authentication.
- Browser Extension
- Signed, store-distributed extension handles crypto, auto-fill, auto-save, and password generation.
- Granular Sharing
- Share single items or whole folder trees with users or groups under fine-grained permissions.
- TOTP and Secure Notes
- Store one-time-password credentials and encrypted notes alongside passwords.
- Metadata Encryption
- Resource names, URLs, and descriptions encrypted with dedicated shared keys.
- Native Apps and API
- iOS, Android, and desktop clients plus a JSON API, CLI, and SDKs.