Imagine a common scenario: a new team member joins and needs access to the staging server. Someone often sends username and password via Slack, WhatsApp, or even writes them in an Excel row shared by email as the quickest solution. Those credentials are now scattered in at least three different places, and no one knows who has accessed them.
The Verizon Data Breach Investigations Report consistently ranks the use of leaked or weak credentials as the largest attack vector in corporate cyber security incidents. This problem is not just about a lack of awareness, but about the absence of a proper system to manage credentials securely and collaboratively.
Cloud-based password manager solutions are available, but handing over control of sensitive data to a third party brings its own risks: changing privacy policies, security incidents on the vendor side, and non‑compliance with local data regulations. Self‑hosting gives you full sovereignty over company data because the data never leaves the infrastructure you control.
What is Passbolt?
Passbolt is an open‑source password manager designed specifically for team collaboration. Built from the ground up to facilitate credential sharing among users within an organisation through very granular access controls, it differs from personal password managers such as KeePass or 1Password. As of 2026, more than 50,000 organisations worldwide have adopted Passbolt, including French government ministries, Bosch, various European research universities, and government IT agencies in Luxembourg.
Passbolt is available in two main editions:
- Community Edition (CE): Completely free and open‑source for users who need basic password management features.
- Pro Edition: Adds enterprise features such as LDAP/Active Directory synchronisation and advanced audit reports for organisational compliance needs.
Why Choose Passbolt for Your Company?
OpenPGP‑Based Security: Encryption the Server Cannot Read
Passbolt’s security architecture is built on the OpenPGP standard, an open cryptographic protocol proven over decades. Each user has a cryptographic key pair: a private key stored on the user’s device and a public key used to encrypt data before it is stored. The private key is never sent to the server.
This ensures that even if the Passbolt server is compromised, an attacker will only obtain encrypted data that is useless without the user’s private key. This is a fundamental difference from other password manager solutions that still rely on server‑side encryption.
- End‑to‑end encryption: The private key never leaves the user’s device in cleartext.
- 1:1 encryption: Each password is encrypted individually, so a leak of one entry does not affect others.
- Signed operations: Every operation is cryptographically signed to verify the user’s identity.
- Challenge‑based authentication: The login process based on GpgAuth requires both server and client to prove key ownership, not just match a password hash.
Secure and Structured Team Collaboration
Passbolt allows sharing credentials among users and groups with permissions that can be fine‑tuned per entry. The marketing team can access social media credentials without seeing the database server credentials reserved for the infrastructure team. Every sharing operation is granular and fully traceable.
Data Sovereignty and Regulatory Compliance
Passbolt helps organisations meet compliance requirements such as GDPR, ISO 27001, SOC 2, and other sector‑specific regulations because the data runs on your own server. Sensitive data remains secure without being sent to a third‑party service. Passbolt has obtained SOC 2 Type II certification and has been independently audited by the security firm Cure53, with the report published openly.
100% Open Source and Auditable
All of Passbolt’s source code, including the Pro version, is available on GitHub. This transparency allows internal security teams and the global community to audit and verify the cryptographic implementation. There are no hidden backdoors in the code.
Additional Features Relevant for Teams
- Multi‑factor authentication (MFA): Supports TOTP, Yubikey, and Duo.
- Browser extension: Available for Chrome, Firefox, Edge, and Brave – a mandatory component for decryption.
- Mobile and desktop apps: Make it easy to access credentials from anywhere.
- API and CLI: Integrate with CI/CD pipelines for secret management.
- Anti‑phishing token: A unique three‑character coloured token that appears on every sensitive operation to help detect fake pages.
Installation Prerequisites
Hardware Requirements
Passbolt does not require a high‑powered server for small to medium‑sized teams. The minimum specifications recommended by the Passbolt team are:
| Component | Minimum | Recommended |
|---|---|---|
| CPU | 1 core | 2 cores |
| RAM | 1 GB | 2 GB |
| Storage | 10 GB | 20 GB+ (depends on audit log volume) |
Software Requirements
- OS: Ubuntu 24.04 LTS or Debian 13 (recommended for package installation); other distributions such as RHEL, AlmaLinux, and RockyLinux 9 are also supported.
- Docker and Docker Compose: if using the container method.
- MariaDB or PostgreSQL: as the database backend (MariaDB is installed automatically with the package method).
- Nginx: as the web server (configured automatically by the installer).
- PHP 8.x: application runtime (installed automatically).
Domain and SSL Certificate
Passbolt must be accessed over HTTPS. This technical requirement must be met because the browser extension relies on a secure origin URL to perform cryptographic operations. You need to prepare a subdomain pointing to the server’s IP before starting the installation, e.g., passbolt.example.com.
The Passbolt installer can integrate Let’s Encrypt automatically, making management easier without needing to renew certificates manually.
SMTP Server
Passbolt requires access to an SMTP server to send notification emails, new user invitations, and account verification links. You can use transactional services such as Brevo and Mailgun, or your company’s internal SMTP relay.
NTP Service
Accurate time synchronisation is crucial for the operation of this system. GpgAuth‑based authentication is very sensitive to time differences between server and client. Make sure an NTP service such as systemd‑timesyncd or chrony is active and working properly on your server.
Note: Use a clean server without other services already installed. The Passbolt installer script may change existing system configurations, including Nginx and MariaDB.
Installing Passbolt
Method 1: Installation via Docker Compose
Docker Compose is the recommended method if you want better isolation, high portability, or are already familiar with the container ecosystem. This method packages Passbolt, a MariaDB database, and all its dependencies into separate containers.
Step 1: Install Docker
Install Docker if not already available:
```bash
curl -fsSL https://get.docker.com | sudo sh
```
Step 2: Download the docker‑compose file
Download the official configuration file and verify its integrity using the SHA512 checksum provided by the Passbolt team:
```bash
# Download the docker-compose file
curl -LO https://download.passbolt.com/ce/docker/docker-compose-ce.yaml
# Download the checksum file
curl -LO https://github.com/passbolt/passbolt_docker/releases/latest/download/docker-compose-ce-SHA512SUM.txt
# Verify file integrity
sha512sum -c docker-compose-ce-SHA512SUM.txt
```
A valid output of the verification command is:
```
docker-compose-ce.yaml: OK
```
Step 3: Configure Environment Variables
Open the docker-compose-ce.yaml file and adjust the following environment variables. Change the version tag from “latest” to a specific version available on Docker Hub for production environments.
The most important variables to configure are:
```bash
# Full URL of your Passbolt server (must be HTTPS)
APP_FULL_BASE_URL=https://passbolt.example.com
# Email configuration (SMTP); the example.com addresses are placeholders
EMAIL_DEFAULT_FROM_NAME=Passbolt
EMAIL_DEFAULT_FROM=passbolt@example.com
EMAIL_TRANSPORT_DEFAULT_HOST=smtp.example.com
EMAIL_TRANSPORT_DEFAULT_PORT=587
EMAIL_TRANSPORT_DEFAULT_USERNAME=passbolt@example.com
EMAIL_TRANSPORT_DEFAULT_PASSWORD=smtp_secret_password
EMAIL_TRANSPORT_DEFAULT_TLS=true
```
Step 4: Start the Containers
```bash
sudo docker compose -f docker-compose-ce.yaml up -d
```
Wait until all containers are in the running state. Check their status with:
```bash
sudo docker compose -f docker-compose-ce.yaml ps
```
Step 5: Configure HTTPS with Let’s Encrypt (Docker)
The recommended approach for HTTPS on a Docker installation is to use Traefik as a reverse proxy. Traefik will handle automatic issuance and renewal of Let’s Encrypt certificates and forward all requests to the Passbolt container.
5a. Add a Traefik Service to docker‑compose
Open the docker-compose-ce.yaml file and add the traefik service below the existing db and passbolt services:
```yaml
version: '3.7'
services:
  db:
    # ... existing database configuration ...
  passbolt:
    # ... existing passbolt configuration ...
  traefik:
    image: traefik:3.7.0
    restart: always
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yaml:/traefik.yaml:ro
      - ./conf/:/etc/traefik/conf
      - ./shared/:/shared
```
Traefik acts as a proxy in front of the Passbolt service, handling ports 80 and 443, and automatically renewing Let’s Encrypt certificates.
5b. Create the Traefik Configuration File
Create a traefik.yaml file in the same directory as docker-compose-ce.yaml. Replace admin@example.com with your email address for Let’s Encrypt notifications:
```yaml
global:
  sendAnonymousUsage: false
log:
  level: DEBUG
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    watch: true
    exposedByDefault: false
  file:
    directory: /etc/traefik/conf/
    watch: true
api:
  dashboard: false
  insecure: false
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@example.com
      storage: /shared/acme.json
      keyType: EC256
      httpChallenge:
        entryPoint: web
```
The DEBUG log level is useful while the first certificate is being issued; lower it to INFO or WARN afterwards so production logs stay manageable.
5c. Create the conf Folder and Additional Configuration Files
Create the folder and two security configuration files for Traefik with the following commands:
```bash
mkdir conf
```
Create conf/headers.yaml for HTTP security headers:
```yaml
http:
  middlewares:
    SslHeader:
      headers:
        FrameDeny: true
        AccessControlAllowMethods: 'GET,OPTIONS,PUT'
        AccessControlAllowOriginList:
          - origin-list-or-null
        AccessControlMaxAge: 100
        AddVaryHeader: true
        BrowserXssFilter: true
        ContentTypeNosniff: true
        ForceSTSHeader: true
        STSIncludeSubdomains: true
        STSPreload: true
        ContentSecurityPolicy: "default-src 'self' 'unsafe-inline'"
        CustomFrameOptionsValue: SAMEORIGIN
        ReferrerPolicy: same-origin
        PermissionsPolicy: "vibrate 'self'"
        STSSeconds: 315360000
```
Create conf/tls.yaml for minimal TLS configuration:
```yaml
tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
      curvePreferences:
        - CurveP521
        - CurveP384
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
```
Only ECDSA cipher suites are listed because the ACME resolver in traefik.yaml requests an EC256 certificate; if you change keyType to an RSA variant, add the matching TLS_ECDHE_RSA_* suites or TLS 1.2 handshakes will fail.
5d. Configure the Passbolt Service for Traefik
Edit the passbolt service section in docker-compose-ce.yaml with two important changes:
- Remove the ports definition from the passbolt service because Traefik will handle ports 80 and 443, not the Passbolt container directly.
- Add Docker labels so that Traefik knows how to route requests to Passbolt. Replace passbolt.domain.tld with your actual domain:
```yaml
version: '3.7'
services:
  db:
    # ... no changes ...
  passbolt:
    # ... other configuration (without 'ports') ...
    labels:
      traefik.enable: "true"
      traefik.http.routers.passbolt-http.entrypoints: "web"
      traefik.http.routers.passbolt-http.rule: "Host(`passbolt.domain.tld`)"
      traefik.http.routers.passbolt-http.middlewares: "SslHeader@file"
      traefik.http.routers.passbolt-https.middlewares: "SslHeader@file"
      traefik.http.routers.passbolt-https.entrypoints: "websecure"
      traefik.http.routers.passbolt-https.rule: "Host(`passbolt.domain.tld`)"
      traefik.http.routers.passbolt-https.tls: "true"
      traefik.http.routers.passbolt-https.tls.certresolver: "letsencrypt"
  traefik:
    # ... traefik configuration from step 5a ...
```
For non‑root images
Add the following label under the existing ones if you are using a non‑root Passbolt image, so that Traefik knows which port the container uses:
```yaml
traefik.http.services.passbolt-https.loadbalancer.server.port: "8080"
```
5e. Restart the Stack
Restart the entire stack after completing all the above configurations. Traefik will automatically handle the issuance of Let’s Encrypt certificates and their future renewal:
```bash
sudo docker compose -f docker-compose-ce.yaml up -d
```
Wait a few moments for Traefik to obtain the certificate from Let’s Encrypt. Passbolt should now be accessible via HTTPS on the configured domain.
Step 6: Create the First Admin Account
Create the first administrator account using the following command after the container is running and HTTPS is configured. Replace YOUR_EMAIL, YOUR_NAME, and YOUR_LASTNAME with your actual data:
```bash
sudo docker compose -f docker-compose-ce.yaml \
  exec passbolt su -m -c "/usr/share/php/passbolt/bin/cake \
  passbolt register_user \
  -u YOUR_EMAIL \
  -f YOUR_NAME \
  -l YOUR_LASTNAME \
  -r admin" -s /bin/sh www-data
```
Method 2: Installation via Ubuntu 24.04 Package
This method uses the official Passbolt installer script that automates the entire process: from setting up the repository, installing packages, configuring MariaDB, Nginx, to setting up HTTPS with Let’s Encrypt. This is the easiest option for a new deployment.
Step 1: Add the Passbolt Repository
```bash
# Download the repository setup script
curl -LO https://download.passbolt.com/ce/installer/passbolt-repo-setup.ce.sh
# Download the checksum file
curl -LO https://github.com/passbolt/passbolt-dep-scripts/releases/latest/download/passbolt-ce-SHA512SUM.txt
# Verify and run the repository setup script
sha512sum -c passbolt-ce-SHA512SUM.txt && sudo bash ./passbolt-repo-setup.ce.sh \
  || echo "Bad checksum. Aborting" && rm -f passbolt-repo-setup.ce.sh
```
Step 2: Install the Passbolt CE Package
```bash
sudo apt install passbolt-ce-server
```
An interactive terminal‑based wizard will run during the installation. It guides you through the following configurations in order:
- MariaDB database configuration: creation of a database user and database name for Passbolt.
- Nginx configuration: choose the option to set up HTTPS automatically.
- Let’s Encrypt configuration: enter the domain name and an email address for certificate renewal notifications.
Step 3: Automatic HTTPS Configuration (Let’s Encrypt)
Select the Let’s Encrypt option when the wizard asks about Nginx configuration, then enter the domain name that points to your server. Reload Nginx after the process finishes:
```bash
sudo systemctl reload nginx
```
After that, verify that the fullBaseUrl value in the configuration file already uses the https:// protocol:
```bash
sudo grep "fullBaseUrl" /etc/passbolt/passbolt.php
```
If the installation is already done but you need to reconfigure HTTPS, run:
```bash
sudo dpkg-reconfigure passbolt-ce-server
```
Initial Configuration and Administrator Setup
Web Installer: Browser Configuration Wizard
Open a browser and navigate to your Passbolt domain for the Ubuntu package installation. A web‑based configuration wizard will run automatically through the following steps:
1. Health Check
The first wizard page shows the results of the server environment readiness checks. These include GPG status, database connectivity, SSL configuration, and application settings. Fix any issues marked in red before proceeding.
2. Database Configuration
Enter the database connection details: hostname, port, database name, username, and password. Use the data that was created during the earlier installation steps.
3. Server GPG Key
The wizard offers the option to generate or import a GPG key pair. This key will be used by the server for authentication. Choose “Generate” for a new installation. If you need a specific RSA 3072‑bit key without a passphrase, run the following commands before opening the wizard:
```bash
# Name-Email is a placeholder; use the address your server will identify itself with
gpg --batch --no-tty --gen-key <<EOF
Key-Type: RSA
Key-Length: 3072
Key-Usage: sign,cert
Subkey-Type: RSA
Subkey-Usage: encrypt
Subkey-Length: 3072
Name-Real: Passbolt Server
Name-Email: passbolt@example.com
Expire-Date: 0
%no-protection
%commit
EOF
```
Export the key to import it into the wizard:
```bash
gpg --armor --export-secret-keys passbolt@example.com
```
Important: GPG key type. The default key type since GnuPG 2.2.0+ is ECC (Curve25519/Ed25519). This key type is not yet fully compatible in all Passbolt environments. Explicitly use RSA as shown in the example above to ensure compatibility.
4. SMTP Setup
Enter the SMTP configuration details: email server hostname, port, username, password, and sender address. Use the “Send Test Email” button in the wizard to verify that the email configuration is correct before continuing.
5. Create the First Administrator Account
Enter the name and email address of the first administrator. After the wizard finishes, the system will send an invitation email containing a setup link to the registered address.
Administrator Account Setup via Browser Extension
Click the link in the invitation email. The browser will ask you to install the Passbolt browser extension. This extension is mandatory because all cryptographic operations (encryption and decryption of passwords) happen on the client side, not on the server. The extension is available for:
- Chrome / Chromium / Brave
- Firefox
- Microsoft Edge
Continue the setup process after the extension is installed:
- Create a user GPG key: Passbolt will generate a unique cryptographic key pair for your account, protected by a passphrase of your choice. This passphrase is the master key to access all your stored passwords.
- Download the Recovery Kit: this step is crucial. The Recovery Kit is a backup of your private key. Store this file in a safe, offline, or encrypted location. If the device is lost and there is no Recovery Kit, none of the encrypted data can be recovered.
- Set a Security Token: choose a unique combination of three characters and a colour. This token will always appear in the Passbolt interface whenever a sensitive operation is performed, helping you detect phishing pages.
The administrator account is now ready. You will be directed to the Passbolt dashboard and can start inviting team members.
Tips for Managing Team Passwords in Passbolt
Creating and Managing Groups
Groups in Passbolt represent the team structure within your organisation. Each group can have one or more group managers responsible for managing membership. Common example structures include:
| Group Name | Example Password Content |
|---|---|
| Infrastructure Team | Server credentials, VPN, cloud provider, database |
| Developer Team | API keys, staging environment, private repositories |
| Marketing Team | Social media accounts, analytics dashboards, email marketing |
| Finance Team | Bank accounts, payment platforms, internal SaaS |
| All Employees | Office WiFi credentials, attendance system, HR portal |
Open Users & Groups > Create Group to create a new group, then add members and decide who will be the group manager.
Access Control Management
Each password or folder shared with users or groups can be configured with three access levels:
| Access Level | Capability |
|---|---|
| Can View | Can only view and copy the password. Cannot change or delete it. |
| Can Update | Can view, copy, and update the password value and its metadata. |
| Is Owner | Full control: view, change, delete, and manage other people’s access rights. |
The principle of least privilege (the minimum necessary access) must be applied consistently. A marketing team member does not need Can Update access to a server password. Give them Can View access or no access at all.
Using Folders for Better Organisation
Passbolt supports folders and subfolders to group passwords hierarchically. Folders can be personal (visible only to you) or shared (shared with the team). Add tags and descriptions to each entry to make searching easier.
Audit Logs: Track Who Accessed What
Every action in Passbolt is recorded in an audit log. These records include who accessed a particular password, when the access happened, and from which device the action originated. This feature is invaluable for security incident investigations and internal audit compliance. Access the audit log via Administration > Action Logs (administrator only).
Use the following command to clean old logs and maintain database performance (example: keep the last 90 days of logs):
```bash
# Preview the logs to be deleted (without actually deleting)
sudo su -s /bin/bash -c \
  "/usr/share/php/passbolt/bin/cake passbolt action_logs_purge --dry-run -r 90" \
  www-data
# Perform the log cleanup after the preview looks safe
sudo su -s /bin/bash -c \
  "/usr/share/php/passbolt/bin/cake passbolt action_logs_purge -r 90" \
  www-data
```
Inviting New Users
Administrators can invite new users via Users > Create User. The system will send an invitation email to the registered address. New users must install the browser extension and complete their GPG key setup before they can use Passbolt.
Emphasise to every new user the importance of storing their Recovery Kit in a safe place. Administrators cannot recover a user’s private key if it is lost. This guarantee ensures that no other party – not even an admin – can access the passwords.
Backup and Maintenance Strategies
What Should Be Backed Up?
Three critical components must always be backed up regularly:
- Database: all password data is stored here in encrypted form.
- Server GPG keys: the public and private keys used by the server for authentication.
- Application configuration files: passbolt.php or environment variables.
Backup for Package Installation (Ubuntu)
Backup the Database
```bash
sudo su -s /bin/bash -c \
  "/usr/share/php/passbolt/bin/cake passbolt sql_export" \
  www-data
```
Backup Server GPG Keys
```bash
# Create the local backup folder first
mkdir -p ~/backup
# Server private key
sudo cp /etc/passbolt/gpg/serverkey_private.asc ~/backup/serverkey_private.asc
# Server public key
sudo cp /etc/passbolt/gpg/serverkey.asc ~/backup/serverkey.asc
# Application configuration file
sudo cp /etc/passbolt/passbolt.php ~/backup/passbolt.php
```
Archive and Move Off‑site
```bash
# Create a compressed archive
tar -cvzf /home/passbolt_backup_$(date +%Y%m%d).tar.gz ~/backup/
# Transfer to another backup server or storage
scp /home/passbolt_backup_$(date +%Y%m%d).tar.gz backup_user@backup_server:/path/to/backups/
```
Backup for Docker Installation
Backup the Database from the Container
```bash
sudo docker compose -f docker-compose-ce.yaml exec db bash -c \
  'mariadb-dump -u${MYSQL_USER} -p${MYSQL_PASSWORD} ${MYSQL_DATABASE}' \
  > ~/backup/passbolt_db_$(date +%Y%m%d).sql
```
Backup GPG Keys from the Container
```bash
# Private key
sudo docker compose -f docker-compose-ce.yaml cp \
  passbolt:/etc/passbolt/gpg/serverkey_private.asc \
  ~/backup/serverkey_private.asc
# Public key
sudo docker compose -f docker-compose-ce.yaml cp \
  passbolt:/etc/passbolt/gpg/serverkey.asc \
  ~/backup/serverkey.asc
```
Also back up the environment variables from the env/ folder containing passbolt.env and mysql.env.
Automating Backups with Cron
Create a backup script and schedule it via cron to run automatically every night:
```bash
# Edit crontab for root or a user with appropriate access
sudo crontab -e
# Run the backup every day at 02:00
0 2 * * * /usr/local/bin/passbolt_backup.sh >> /var/log/passbolt_backup.log 2>&1
```
Backup Best Practices: Store backups in a location separate from the main server (off‑site). Encrypt backup files before storing them. Regularly perform restore simulations to ensure backups can be recovered correctly. Untested backup files are unreliable assets.
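The crontab entry refers to a /usr/local/bin/passbolt_backup.sh that this guide does not show. The script below is an added example for the Docker Compose installation and is not a script shipped by the Passbolt project. It runs the collection commands from the Docker backup section above, packs the result into a dated archive with a SHA-256 checksum, verifies the archive by unpacking it into a scratch directory and checking each component (a small restore drill, as the best practices above recommend), and optionally encrypts the archive to a GPG key before it is copied off-site. COMPOSE_DIR, ARCHIVE_DIR and BACKUP_GPG_RECIPIENT are assumed settings with hypothetical defaults, and the script only acts when invoked with the run argument, so the crontab line would call /usr/local/bin/passbolt_backup.sh run.

```shell
#!/bin/sh
# passbolt_backup.sh: nightly backup for a Docker Compose installation of Passbolt.
# Added example for this guide; not a script shipped by the Passbolt project.
# Assumed settings (hypothetical defaults): COMPOSE_DIR, ARCHIVE_DIR, BACKUP_GPG_RECIPIENT.
set -eu
umask 077   # archives contain the server's private key: create everything owner-only

COMPOSE_DIR="${COMPOSE_DIR:-/opt/passbolt}"            # directory holding docker-compose-ce.yaml and env/
COMPOSE_FILE="${COMPOSE_FILE:-docker-compose-ce.yaml}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/backups/passbolt}"    # local archive directory
BACKUP_GPG_RECIPIENT="${BACKUP_GPG_RECIPIENT:-}"       # GPG key to encrypt archives to; empty = no encryption

# Collect the database dump, the server GPG keys and the env files into directory $1.
# Must run from COMPOSE_DIR. -T disables the pseudo-TTY so the dump is written byte-for-byte.
collect_docker() {
    dest="$1"
    mkdir -p "$dest/env"
    sudo docker compose -f "$COMPOSE_FILE" exec -T db bash -c \
        'mariadb-dump -u${MYSQL_USER} -p${MYSQL_PASSWORD} ${MYSQL_DATABASE}' \
        > "$dest/passbolt_db_$(date +%Y%m%d).sql"
    sudo docker compose -f "$COMPOSE_FILE" cp \
        passbolt:/etc/passbolt/gpg/serverkey_private.asc "$dest/serverkey_private.asc"
    sudo docker compose -f "$COMPOSE_FILE" cp \
        passbolt:/etc/passbolt/gpg/serverkey.asc "$dest/serverkey.asc"
    cp env/passbolt.env env/mysql.env "$dest/env/"
}

# Pack directory $1 into a dated .tar.gz under $2, write its SHA-256 next to it, print the archive path.
archive_backup() {
    src="$1"; out_dir="$2"
    mkdir -p "$out_dir"
    name="passbolt_backup_$(date +%Y%m%d_%H%M%S).tar.gz"
    tar -czf "$out_dir/$name" -C "$src" .        # members are relative to the staging directory
    (cd "$out_dir" && sha256sum "$name" > "$name.sha256")
    printf '%s\n' "$out_dir/$name"
}

# Succeed only if $1/$2 is a non-empty file containing the marker text $3.
require_file_with() {
    if [ ! -s "$1/$2" ]; then
        echo "backup check: missing or empty $2" >&2; return 1
    fi
    if ! grep -q -- "$3" "$1/$2"; then
        echo "backup check: $2 does not contain '$3'" >&2; return 1
    fi
}

# Restore drill: verify the checksum, unpack into a scratch directory, check every component.
verify_backup() {
    archive="$1"
    dir=$(dirname "$archive"); name=$(basename "$archive")
    if ! (cd "$dir" && sha256sum -c --status "$name.sha256"); then
        echo "backup check: checksum mismatch for $name" >&2; return 1
    fi
    scratch=$(mktemp -d); status=0
    tar -xzf "$archive" -C "$scratch" || status=1
    sql=$(find "$scratch" -maxdepth 1 -name '*.sql' | head -n 1)
    if [ -z "$sql" ]; then
        echo "backup check: no SQL dump in archive" >&2; status=1
    else
        require_file_with "$scratch" "${sql##*/}" 'CREATE TABLE' || status=1
    fi
    require_file_with "$scratch" serverkey_private.asc 'BEGIN PGP PRIVATE KEY BLOCK' || status=1
    require_file_with "$scratch" serverkey.asc 'BEGIN PGP PUBLIC KEY BLOCK' || status=1
    [ -f "$scratch/env/passbolt.env" ] || { echo "backup check: env/passbolt.env missing" >&2; status=1; }
    rm -rf "$scratch"
    return $status
}

# Encrypt archive $1 to GPG recipient $2 and delete the plaintext. The .sha256 file still
# describes the plaintext archive, so run verify_backup again after decrypting during a restore.
encrypt_archive() {
    gpg --batch --yes --trust-model always --recipient "$2" --output "$1.gpg" --encrypt "$1"
    rm -f "$1"
}

run_backup() {
    cd "$COMPOSE_DIR"
    stage=$(mktemp -d)
    collect_docker "$stage"
    archive=$(archive_backup "$stage" "$ARCHIVE_DIR")
    rm -rf "$stage"                                # the staging directory held the private key unencrypted
    if ! verify_backup "$archive"; then
        echo "backup verification FAILED: $archive" >&2; exit 1
    fi
    if [ -n "$BACKUP_GPG_RECIPIENT" ]; then
        encrypt_archive "$archive" "$BACKUP_GPG_RECIPIENT"
    fi
    echo "backup ready: $archive"
}

# Act only when called as "passbolt_backup.sh run"; otherwise just define the functions.
case "${1:-}" in
    run) run_backup ;;
esac
```

The verification step is deliberately separate from the collection step: it is what turns "a backup ran" into "a backup can be restored", and it is the part worth running by hand against an archive copied back from off-site storage. Because the script exits non-zero when verification fails, the cron log and a monitoring job watching that log will notice a broken backup the same night it happens.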
Updating Passbolt to the Latest Version
Regular updates are essential to get the latest security patches and features.
Update for Package Installation (Ubuntu/Debian)
```bash
sudo apt update
sudo apt upgrade passbolt-ce-server
```
Update for Docker Installation
```bash
# Pull the latest image version
sudo docker compose -f docker-compose-ce.yaml pull
# Restart containers with the new image
sudo docker compose -f docker-compose-ce.yaml up -d
# Run database migrations if needed
sudo docker compose -f docker-compose-ce.yaml exec passbolt su -s /bin/bash -c \
  "source /etc/environment && ./bin/cake passbolt migrate" \
  www-data
```
Routine Health Checks
Run a health check periodically to ensure all Passbolt components are working properly. Use the --hide-pass option to show only items that have issues:
```bash
# Package installation
sudo su -s /bin/bash -c \
  "/usr/share/php/passbolt/bin/cake passbolt healthcheck --hide-pass" \
  www-data
# Docker installation
sudo docker compose -f docker-compose-ce.yaml exec passbolt su -s /bin/bash -c \
  "source /etc/environment && ./bin/cake passbolt healthcheck --hide-pass" \
  www-data
```
Conclusion
Conventional password sharing practices are very risky because they lack audit trails and clear access management. Self‑hosted Passbolt emerges as a comprehensive solution offering proven asymmetric cryptography‑based security, structured team collaboration, and full data sovereignty without third‑party dependence. The reliability of this system has been demonstrated by tens of thousands of organisations and reinforced by independent security audits that are publicly published. The best step is to start a small‑scale installation to evaluate its workflow before a security incident occurs in your organisation.