Security and privacy by design

Passbolt is used by governments, the defence sector, regulated industries and privacy-conscious organizations. Passbolt's security model is built on strong foundations:

  • End-to-end encryption

  • 100% open source

  • Interoperable crypto

  • Granular access rights

  • Audited & auditable

  • No tracking

Encryption you can trust

Signed operations

All secrets are signed, so for each secret the identity of the user who created it can be verified cryptographically, and any tampering with a stored secret is detectable.

Full private key control

Users can bring their own OpenPGP private key for full control over the encryption of their data. Otherwise, a key pair is generated client-side when the account is created.

Interoperability

Secrets can be decrypted and used on other systems thanks to the large OpenPGP software ecosystem. For instance, passbolt can be configured to send you email notifications containing the PGP-encrypted secrets you have access to, which you can decrypt directly from your inbox with any OpenPGP client.

End-to-end encryption

The private key is never sent to the server, not even in encrypted form. Only you hold it. Consequently, an attacker who compromises the server obtains only ciphertext: they cannot decrypt the secrets or capture users' private keys.

Open standards

Passbolt is based on OpenPGP, an open and extensible encryption standard which provides confidentiality and integrity, and relies on well known algorithms.

Granular access rights

Permissions are set per password, and each secret is encrypted separately for every user who has access to it. Revoking a user's access deletes that user's encrypted copy from the database, so they can no longer decrypt future versions of the secret. Because they may already know the current value, rotate the password after revoking access.

Self-hostable server, for maximum privacy

If your data is truly yours, you should be able to control where it is located. This is why the Passbolt server can be self-hosted inside your own infrastructure: from a Raspberry Pi in your office to a high-availability setup hosted with your preferred provider, you are the one in charge.

  • Fully autonomous, no 3rd party service

    Passbolt server works as a standalone component. It is fully open source and does not require any third-party service to be functional by default.

  • Behind your firewall

    Passbolt does not require internet access to function. It can be completely isolated, protected by your own firewall rules.

  • No trackers

    We cannot track what Passbolt servers are doing: we do not know where they are and do not want to know. Passbolt servers send no usage data or any form of analytics to us.

Security in the browser

Signed code

All critical operations, including every cryptographic operation, run inside the browser extension, whose signed code is distributed through the browser vendors' extension stores rather than served by the passbolt server. A compromised server therefore cannot tamper with the cryptographic code.

Automatic updates

Passbolt extension updates are rolled out automatically by default, preventing your users from running outdated or insecure software.

Anti-phishing

Passbolt requires each user to set a personal security token that the extension displays whenever it asks for the passphrase. A forged passphrase prompt injected by a web page cannot reproduce it, which helps users spot phishing attempts.

Strong authentication

Challenge based authentication

Passbolt relies on GpgAuth, an authentication protocol in which both the server and the client must solve a challenge, i.e. prove ownership of their private key.

Bruteforce attack prevention

Each login attempt requires solving a fresh challenge with the private key. Unlike password managers that authenticate against a master-password hash, this leaves an attacker no stored hash to brute-force offline.

Multi factor authentication

Passbolt requires something the user knows (the passphrase) and something the user owns (the private key) to log in. Additional factors can be added with YubiKey, Duo or TOTP.

Protection against data breaches

Have I been pwned?

Passbolt checks chosen passphrases against the Have I Been Pwned corpus of breached passwords and protects users from reusing a passphrase that has already appeared in a known data breach.
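As an added illustration, not passbolt's own code, the script below shows how such a check can be done without the passphrase ever leaving the client: the k-anonymity range query of the Have I Been Pwned Pwned Passwords API. The client hashes the candidate with SHA-1, sends only the first five hex characters of the digest to https://api.pwnedpasswords.com/range/<prefix>, and receives every known suffix for that prefix as `SUFFIX:COUNT` lines; matching the remaining 35 characters happens locally. The response body used here is constructed so the example runs offline (only the SHA-1 of the string "password" is a real value); `offline_fetch_range` stands in for the HTTP GET.

```python
"""Offline illustration of the k-anonymity breach check behind a
"Have I been pwned?" passphrase screen. Added example, not passbolt code."""
import hashlib

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(passphrase: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent over the wire and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(passphrase.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF, blank lines ignored). When the
    API is called with the Add-Padding header it mixes in fake suffixes with a
    count of 0; they are kept here and a count of 0 means 'not breached'."""
    hits: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        hits[suffix.upper()] = int(count)
    return hits


def breach_count(passphrase: str, fetch_range) -> int:
    """Return how many times the passphrase appeared in known breaches.
    `fetch_range(prefix)` must return the response body of RANGE_API + prefix
    (an HTTP GET in production; the constructed stand-in below here)."""
    prefix, suffix = sha1_prefix_suffix(passphrase)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def is_acceptable(passphrase: str, fetch_range) -> bool:
    """Policy assumed for this example: reject any passphrase seen at least once."""
    return breach_count(passphrase, fetch_range) == 0


# Constructed stand-in for the network call. The only real value is the SHA-1
# of "password" (5BAA61E4...68FD8); the other suffixes and all counts are
# invented to give the parser realistic input, including one padding entry.
_CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E2D5A3C0B0FD5B1A9C1D7E0B4F6A8C9D0E:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9659365\r\n"
        "1F0E3DAD99908345F7439F8FFABDFFC4A01:0\r\n"
    ),
}


def offline_fetch_range(prefix: str) -> str:
    """Constructed replacement for `GET RANGE_API + prefix`."""
    return _CONSTRUCTED_RANGES.get(prefix.upper(), "")


if __name__ == "__main__":
    for candidate in ("password", "constructed passphrase not in the sample"):
        n = breach_count(candidate, offline_fetch_range)
        print(f"{candidate!r}: seen {n} times -> {'reject' if n else 'accept'}")
```

In production, `fetch_range` would perform the GET (ideally with the `Add-Padding: true` header so response sizes do not leak which prefix was queried) and should fail closed or warn if the service is unreachable rather than silently accepting the passphrase.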

Password generator

Passbolt reduces password reuse, and its password generator proposes secure defaults with high entropy. Go ahead, forget your passwords!
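To make "high entropy" concrete, here is an added example (not passbolt's code) of how a generator accounts for entropy in bits and why it must draw from a cryptographically secure source. The character classes, the 18-character default, the constructed eight-word list and the 112-bit threshold are assumptions chosen for illustration, not passbolt's settings.

```python
"""Entropy accounting for a password generator. Added example, not passbolt
code; lengths, character sets, wordlist and thresholds are assumptions.

Entropy is a property of the generator, not of one output string: with a
CSPRNG and independent uniform picks it is picks * log2(alphabet size)."""
import math
import secrets
import string

# Character classes a generator typically lets the user toggle (assumed set).
CHARSETS = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": string.punctuation,
}

# Constructed stand-in for a diceware-style wordlist (real lists have 7776 words).
CONSTRUCTED_WORDLIST = ["acorn", "basalt", "cobalt", "dune",
                        "ember", "fjord", "granite", "harbor"]


def entropy_bits(alphabet_size: int, picks: int) -> float:
    """Bits of entropy for `picks` independent uniform choices from `alphabet_size` symbols."""
    if alphabet_size < 2 or picks < 1:
        return 0.0
    return picks * math.log2(alphabet_size)


def build_alphabet(*classes: str) -> str:
    """Union of the selected character classes, de-duplicated, in stable order."""
    return "".join(dict.fromkeys("".join(CHARSETS[c] for c in classes)))


def generate_password(length: int = 18,
                      classes=("upper", "lower", "digit", "special")) -> tuple[str, float]:
    """Uniform random password via `secrets` (never `random`, which is not a CSPRNG).
    Returns the password together with the entropy of the configuration."""
    alphabet = build_alphabet(*classes)
    password = "".join(secrets.choice(alphabet) for _ in range(length))
    return password, entropy_bits(len(alphabet), length)


def generate_passphrase(words: int = 5, wordlist=CONSTRUCTED_WORDLIST,
                        separator: str = " ") -> tuple[str, float]:
    """Diceware-style passphrase: entropy depends on the number of words and the
    list size, not on how long the words are."""
    phrase = separator.join(secrets.choice(wordlist) for _ in range(words))
    return phrase, entropy_bits(len(wordlist), words)


def meets_policy(bits: float, minimum_bits: float = 112.0) -> bool:
    """Assumed policy threshold for this example."""
    return bits >= minimum_bits


if __name__ == "__main__":
    pw, pw_bits = generate_password()
    print(f"{pw}  ({pw_bits:.1f} bits, ok={meets_policy(pw_bits)})")
    pp, pp_bits = generate_passphrase(words=6)
    print(f"{pp}  ({pp_bits:.1f} bits, ok={meets_policy(pp_bits)})")
```

Eighteen characters over all four classes (94 symbols) give about 118 bits, while six words from the tiny constructed list give only 18 bits, which is why a passphrase generator needs a large wordlist to reach the same strength.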

User input required

Credentials are filled into a login form only on an explicit user action, and the extension suggests only the entries relevant to the page being visited. This prevents credentials from being filled into an unintended page by mistake.

Audited & auditable

Passbolt's code, both client and server, is regularly audited by third parties. Passbolt is 100% auditable by anyone who would like to see for themselves how our security model works in practice.


Cure53

Passbolt's security model, front-end code and back-end code were fully audited by Cure53 in 2021.

SOC 2 Type II.

In 2021 we were successfully audited for SOC 2 Type II. The report is available to customers on demand.

100% open source

Passbolt is 100% open source, even the commercial version. If you don’t trust the third party audits, you have the freedom to audit it yourself.

Bug bounty

We reward security researchers who audit our code and identify vulnerabilities.

Mobile applications and go-passbolt-cli - December 2021

This report describes the results of a security assessment of the passbolt complex, spanning the passbolt mobile application, related backend API and CLI tool.

Browser integration and WebExtension API usage - August 2021

This report details the scope, results and conclusory summaries of a penetration test and security assessment against the passbolt browser extension with a particular focus on the browser integration and WebExtension API usage.

Passbolt cloud infrastructure - July 2021

For security reasons this report is not public. No major issue was found, only hardening suggestions, which were implemented during the course of the summer.

Backend and plugins - June 2021

This report describes the results of a security assessment of the passbolt complex, spanning the passbolt backend, API and a selection of passbolt plugins.

Browser extensions - June 2021

This report describes the results of a comprehensive security assessment targeting the passbolt browser extensions for Chrome and Firefox.

Security White Paper - February 2021

This report describes the results of a review of a cryptography & security white-paper, detailing on the security properties and architecture for passbolt.
Made in Europe. Privacy by default.