Passbolt: Open source password & secret management. Any business, any size

Website

Short description

Passbolt is a 100% fully open-source hybrid credential platform. It is built-first for modern IT teams, yet simple enough for everyone. A sovereign, battle-tested solution that delivers for a team of 5, or an organization of 5,000.

Why I think this tool should be added

This password manager is fully open source. Great for teams, individuals and people who like to self-host. Has browser extensions, iOS/Android apps, Windows, Linux, and a Passbolt CLI. Free and paid plans. (The free version is only available in the self-hosted pricing; there is no free version for storage on Passbolt's servers.)

Descriptions found on their website:

Flexible hosting
Hosted in Passbolt cloud in Europe, or behind your firewall. Can be used in an air-gapped environment.

Self-hostable server, for maximum privacy
If your data are truly yours, you should be able to control where they are located. This is why Passbolt server can be self-hosted inside your own infrastructure: from a Raspberry Pi inside your office to a High Availability setup hosted at your favorite supplier, you are the one in charge.

Behind your firewall
Passbolt doesn't require internet access to be functional. It can be completely isolated, protected by your own firewall rules.

No trackers
We cannot track what Passbolt servers are doing, we don’t know where they are and don’t want to know. Our servers do not send usage data or any form of analytics to us.

Fully autonomous, no 3rd party service
Passbolt server works as a standalone component. It is fully open source and doesn’t require any third party service to be functional by default.

Audited & auditable
Passbolt code, client and server, is regularly audited by third parties. Passbolt is 100% auditable by anyone who would like to see for themselves how our security model works in practice.

  • Cure53
    Passbolt's security model, front-end code and back-end code have been fully audited by Cure53 in 2021.
  • SOC 2 Type II.
    In 2021 we got successfully audited for SOC 2 Type II. Report is available to customers on demand.
  • 100% open source
    Passbolt is 100% open source, even the commercial version. If you don’t trust the third party audits, you have the freedom to audit it yourself.
  • Bug bounty
    We reward security researchers who audit our code and identify vulnerabilities.

Security first
We prioritize security even if that means delaying more visible or popular work. We are transparent and provide clear information about the limitations of our systems. We accept and work with these residual risks and do not claim to be perfect.

Third-Party Penetration Testing
We perform an independent third-party penetration test at least annually to assess the security posture of our services. You can read more about our latest test results on the dedicated incident pages.

1:1 encryption
Passbolt encrypts each password individually for granular, containerised data privacy, ensuring that the compromise of one password does not affect others.

Interoperable
Passbolt is built on top of a JSON API and uses interoperable cryptography (OpenPGP). All operations can be run from any server using our CLI or SDKs.

End-to-end encryption
Enhances security by ensuring that the private key, generated and stored on the user’s device, never passes through the server, maintaining data integrity and confidentiality.

Randomly generated private key
Private keys provide an extra layer of security, allowing only key holders with the passphrase to access and decrypt data, while also ensuring a cryptographically-backed audit trail.

Full private key control
Users can choose to use their own PGP secret key for a full control of their data encryption. Alternatively, the secret key will be generated at the account creation.

Passbolt API: https://www.passbolt.com/docs/

More audits can be found at https://www.passbolt.com/security:

https://www.passbolt.com/docs/files/PBL-13-report.pdf
https://www.passbolt.com/docs/files/PBL-12-report.pdf
https://www.passbolt.com/docs/files/PBL-11-report.pdf
https://www.passbolt.com/docs/files/PBL-09-report.pdf
https://www.passbolt.com/docs/files/PBL-08-report.pdf
https://www.passbolt.com/docs/files/PBL-07-report.pdf

Downsides:

  • No passkey support
  • No storage of credit cards
  • No storage of SSH keys
  • Email support is only available to paid users

But these features are on the roadmap to be added.

Section on Privacy Guides

Password Managers

I've looked into this before. One element gave me pause. As per their site:

Passbolt requires a browser extension to work in order to guarantee the security of your credentials. The browser extension also helps auto-fill credentials for known websites, generate strong passwords and more.

While this does not violate any criteria for PG password managers, it does contradict other PG guidance:

In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface. They have privileged access within your browser, require you to trust the developer, can make you stand out, and weaken site isolation

I ultimately felt that, when multiple secure & private FOSS password managers exist, I'd prefer one that doesn't demand a compromise on my desktop browser.

The solution we opted for since the beginning of passbolt was to split the application in two parts. One that would be served by the server (the encrypted data), and one that would be served by another channel (the logic to decrypt/encrypt and display the plaintext data). This is done using the browser extension marketplaces, e.g. the Firefox AMO and Chrome Web Store. Each of them requires the extension to be cryptographically signed by Passbolt developers with a secret key, to make sure nobody can change that code while it is being transmitted from the marketplace.

Other security benefits

There are some other additional security benefits to using a webextension. One of the biggest one is the ability to roll out updates automatically to all users. As we have seen, not all users care to update their passbolt server as soon as a release is available, even when it contains security fixes. We get it, we’re all busy, and it’s complicated to keep track. The auto-update ability of the extension can provide an additional safety net.

What we want to highlight here is that we believe that in the case of a password manager, an extension is actually a requirement to improve security. While it's pretty damn near impossible to make people change their mind with facts on the internet, it's still worth it to clarify our approach to risk management.

What do we mean by code integrity?

A regular website serves users content in the form of html, javascript, css assets. So when you are browsing on your favorite webmail, everything is coming from one place. It may be cached on a content delivery network (CDN) for speed, but it’s pretty much the same. So in the event of an attacker accessing the server, they may be able to change these assets, such as showing you modified email content, change the look and feel, or change the application logic, for example to make you send an email without your consent. For most applications this is an acceptable risk. After all, if an attacker has access to the server, they can already read your email and send emails in your name.

In the case of a password manager the security model is different. We believe it is desirable that if an attacker has access to the server, or is able to perform a man-in-the-middle attack, they should not be able to insert logic that would allow them to decrypt and exfiltrate the data. It is not possible to mitigate that risk when the application logic and the data are coming from the same server. This topic is not new. While there are some attempts to solve this problem, to our knowledge, no practical open standard has emerged yet.


I believe Privacy Guides recommends tools for private individuals and not yet for businesses, which this tool is clearly made for. And hence I don’t think PG should add this in their recommendations.

And while what PG recommends can be used by everyday folks, they can also be used by businesses should they choose to so there’s more flexibility with other options than Passbolt even though they do seem to do a lot of things right at first glance.

Individuals can use it though. It is advertised for businesses but does state:

It is built-first for modern IT teams, yet simple enough for everyone.

You're forgetting that Psono Password Manager is in the recommendations?

So built for everyone in a business that chooses to use this. It does not, at least as I read it, mean that individuals can use it on their own as well.

Yeah, I'm not liking the way it's expressed. That obviously doesn't mean the product is bad but only that it is a team/business-first product and not a consumer-first one, even though consumers can use it just for themselves. One can make of that what they will.

NGL this is a really good response on the company’s part

I don’t doubt the extension is secure - at a glance, their cybersec as a whole seems pretty up to snuff.

But browser extensions do increase digital fingerprinting. Taken at face value, it’s a trade-off they make for the security of their extension. So ultimately, a consideration for individual threat models.

I am not suggesting this should be grounds for the tool’s exclusion, just sharing my two cents


It is fully open source, and they are open to contributors. But they are focused on making a teams product first, which I see as a good thing because it trickles down to the non-business individual user.

In the case of sharing credentials, their implementation is a lot easier and extremely secure because it is made for teams, but just because it says it is made for teams doesn't mean it has to be just a team. It can be your family.

This is one thing they implement for the sharing component.

1:1 encryption
Passbolt encrypts each password individually for granular, containerised data privacy, ensuring that the compromise of one password does not affect others.

I mean, just look at their pricing page. It's clearly for businesses first. And I explained why PG should not do it in my earlier comment.

This doesn't seem like a bad product (again, on first glance), but there are still reasons for PG to not recommend it as it is not for everyone, as much as you like to read that statement to mean it. 'Everyone' means everyone in the team or in the business if you're considering being their client. 'Everyone' does not mean individuals in this context.

That’s my reading of the product. And that’s all I have. But you may continue making the case for it to others. I’m done.


I once spoke with someone on their forum a long time ago. Have since deleted the account and my post/comments along with it.

But I asked if the product is meant for teams and one of their users said it was business oriented. But they did say it could be used by individuals as well, as that's what this one individual used it for.

There are different paid plans for Pro.

Self Hosted:

  • Community plan: Free [they state free forever]

  • Business Plan: $4.90 per month billed annually,

  • Enterprise Plan: not stated

Cloud Hosted (their servers):

  • No free version,

  • Business: $5.40 per month billed annually,

  • Enterprise: not stated,

Here is the forum: [https://community.passbolt.com/]

I have been using it for 2 years now and I love it. But it is up to other users. On how they feel about the product and its usability/features it has at the moment.

I say give it a shot as it does have a free version. Just test it out, if you are a user who is alright with browser extensions and knows how to self-host.

It is missing some features like passkeys and credit card storage. But it is on the roadmap.

They state this about what they consider when adding new features or updates:

Security first
We prioritize security even if that means delaying more visible or popular work. We are transparent and provide clear information about the limitations of our systems. We accept and work with these residual risks and do not claim to be perfect.

[Passbolt Pro for Individuals? - #2 by remy - Community Feedback - Passbolt community forum]

josephmarsden

Apr 2019

Hi, I’ve currently been using 1Password so far for my password manager and am looking to move to a self hosted solution (Passbolt) to move everything away from the cloud, so to speak.

However, I was disappointed to see that Passbolt’s Free version is limited in terms of features compared to 1Password and the Pro version, which does claim to offer many of said features, is only offered as a €19/mo subscription (by comparison, I pay €4.24/mo currently for 1Password which is cloud hosted.)

I would love to see a Pro version targeted more at individuals at a reduced cost for non-commercial use. Is this something that has been considered or planned at all?

remy

Apr 2019

Hello Joseph,

We do propose individual custom subscription for one or two users depending on your needs. Feel free to shoot us an email at sales@passbolt.com.

Best,

Just like HA here, I think that it is not recommended because it is more on the “self-host it” to have a good enough experience.

There are definitely some shortcomings as you mentioned, like with the passkeys etc., but it is indeed quite good in its own category, especially when compared to Psono/PassIt etc. when it comes down to password sharing.

So yes, it's good but requires you to either self-host or be a business with somebody tech-savvy enough. In which case, you'll probably be using Bitwarden anyway. 👍

Hence, the target audience is quite limited and doesn’t really fit the “single individual who would like ease of use + FOSS + privacy respecting tool” scenario.


Understandable

Forget the browser extension and business oriented marketing. It appears to be using PGP to encrypt passwords, and by default leaves metadata unencrypted.

PGP is not at all what you want for something like this; you should be using more or less standard symmetric encryption with a key derived from a master password, or some asymmetric scheme specifically designed for this use case for when you need to allow sharing credentials among different users. In theory you could set up a secure system for secret management using PGP, but it's so completely not the right tool for the job I can only imagine it was designed by amateurs who don't really understand cryptography (what happens when my key expires? See, that concept doesn't even make sense for a password manager's use case).

Metadata being unencrypted means ONLY the password is secured. Username, URL, notes, etc are all plaintext. They allow you to optionally encrypt this data, but who would possibly want it disabled, let alone disabled by default?

Putting these two together, you can see that the way metadata encryption works for shared resources is with a single PGP keypair that all users have encrypted with their own individual keypair. This is not how you do this correctly, even remotely.

Stay far away from this service, IMO.


If all that you’re saying is true (not that I have a reason to doubt it), then this thread pretty much should end here for the debate of adding Passbolt to PG recommendations.

They literally just fixed some of this if you read their roadmap. The reason it is disabled by default is, if you read the documentation, that some things may break with legacy items.

Which metadata will be encrypted?

The "raison d'être" of passbolt is secure collaboration for organizations. So all data that is needed by the server to orchestrate authentication and collaboration features in the backend side will remain unencrypted.

Information such as end-user names and email addresses, their permissions, the group names and memberships, or operational information such as whether a resource needs to be rotated (because for example someone who had access left the organization), the creation and modification dates, will remain in cleartext.

Other existing metadata such as names, URI as well as new data fields added to the default resource types (such as icons, multiple URIs, autofill hints, etc.) will be encrypted. We hope that this will create an incentive for everyone to switch to the new and more secure model.

Finally, of course, all existing secrets will remain encrypted. Moreover, new secret types such as credit cards, passkeys, certificates, etc. will also be encrypted by default.

Requirements and Warnings

Requirements:

  • API version v5.2 or higher
  • A shared metadata key (generated automatically on installation)

CAUTION

Legacy cleartext metadata is less secure and not recommended for new resources. Consider using encrypted metadata for all new resources.

To implement encrypted metadata:

  1. Configure encryption settings on this page
  2. Configure key distribution in Metadata Key
  3. Enable content types in Allow Content Types
  4. Migrate existing resources using Migrate Metadata if needed

Warnings:

  • Enabling encrypted metadata has an impact on the auditability of resource metadata that won’t be stored in clear anymore
  • Migrating content to encrypted metadata might break your in-house integration with passbolt
  • See Metadata Key for key distribution configuration
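An added worked model of the two mechanisms argued over in this thread: the per-password ("1:1") encryption quoted from passbolt's site earlier, and the shared metadata key that is wrapped to every member's key, which the encrypted-metadata post above and the documentation quote describe. This is example code written for this page, not passbolt's implementation: it uses Go's standard-library X25519 and AES-GCM in place of OpenPGP, and the type and function names (User, Server, Envelope, IssueMetadataKey, ReadResource), the users alice, bob and carol, and the sample resource are all made up for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// Added illustration, not passbolt's code: X25519 + AES-GCM stand in for OpenPGP. Each
// password is sealed separately per reader ("1:1"); metadata once under a shared key.

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

type Envelope struct{ EphPub, Nonce, Ct []byte } // all the server ever stores

func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

func symSeal(key, pt []byte) Envelope {
	nonce := make([]byte, 12)
	must(rand.Read(nonce))
	return Envelope{Nonce: nonce, Ct: gcm(key).Seal(nil, nonce, pt, nil)}
}

func symOpen(key []byte, e Envelope) []byte { return must(gcm(key).Open(nil, e.Nonce, e.Ct, nil)) }

type User struct {
	Name string
	priv *ecdh.PrivateKey // stays on the client; the server only sees the public half
}

func NewUser(name string) *User { return &User{name, must(ecdh.X25519().GenerateKey(rand.Reader))} }

// sealTo encrypts to one recipient: ephemeral ECDH, then AES-GCM under
// SHA-256(shared secret). A production design would derive the key with HKDF.
func sealTo(to *User, pt []byte) Envelope {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	k := sha256.Sum256(must(eph.ECDH(to.priv.PublicKey())))
	e := symSeal(k[:], pt)
	e.EphPub = eph.PublicKey().Bytes()
	return e
}

func (u *User) open(e Envelope) []byte {
	k := sha256.Sum256(must(u.priv.ECDH(must(ecdh.X25519().NewPublicKey(e.EphPub)))))
	return symOpen(k[:], e)
}

type Resource struct {
	Metadata  Envelope            // once, under the shared metadata key
	SecretFor map[string]Envelope // one copy per recipient, under that recipient's key
}

type Server struct {
	MetadataKeyFor map[string]Envelope // shared metadata key, wrapped to each member
	Resources      map[string]*Resource
}

// IssueMetadataKey mints a fresh shared metadata key, re-encrypts existing metadata under it
// and wraps it to members only. Rotation is what revokes someone: they still hold the old key.
func (u *User) IssueMetadataKey(s *Server, members ...*User) {
	fresh := make([]byte, 32)
	must(rand.Read(fresh))
	for _, r := range s.Resources {
		r.Metadata = symSeal(fresh, symOpen(u.open(s.MetadataKeyFor[u.Name]), r.Metadata))
	}
	s.MetadataKeyFor = map[string]Envelope{}
	for _, m := range members {
		s.MetadataKeyFor[m.Name] = sealTo(m, fresh)
	}
}

func (u *User) CreateResource(s *Server, id, metadata, password string, recipients ...*User) {
	r := &Resource{symSeal(u.open(s.MetadataKeyFor[u.Name]), []byte(metadata)), map[string]Envelope{}}
	for _, rc := range recipients {
		r.SecretFor[rc.Name] = sealTo(rc, []byte(password))
	}
	s.Resources[id] = r
}

// ReadResource returns what this user can recover: metadata needs a wrapped copy of the
// shared key, the password needs a copy sealed to this very user. "" means not available.
func (u *User) ReadResource(s *Server, id string) (metadata, password string) {
	wrapped, ok := s.MetadataKeyFor[u.Name]
	if !ok {
		return "", ""
	}
	r := s.Resources[id]
	md := string(symOpen(u.open(wrapped), r.Metadata))
	if env, ok := r.SecretFor[u.Name]; ok {
		return md, string(u.open(env))
	}
	return md, ""
}
```

Running a small scenario against it: alice issues the metadata key to alice, bob and carol, creates a resource shared only with bob, and each user calls ReadResource. bob recovers both fields. carol, who holds a wrapped copy of the metadata key but no sealed copy of the password, recovers the metadata but not the password, so in this model the confidentiality of metadata against other members rests on the server's permission checks rather than on the cryptography, which is the trade-off behind the auditability and integration warnings quoted above. The two SecretFor envelopes are independent ciphertexts, which is what the 1:1 claim amounts to. When carol leaves, deleting her wrapped copy is not enough because her client already decrypted the old key; IssueMetadataKey rotates it and re-encrypts all metadata, and any password she could read still has to be changed, which is the "needs to be rotated" flag the documentation mentions.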

Again, PG focuses on consumer privacy tech and tools. They are not trying to be an authority in enterprise security recommendations. This reason alone should be enough for PG to not add or even consider the tool.

–

Again, I only comment so its clear to others reading too (if its already not thus far in the thread). It already has more than one too many red flags.

What I am saying is: read the documentation, because this is a baseless claim with no evidence. They clearly haven't read the whitepaper or the audits. It seems they just searched for what they wanted to find a flaw with and then commented that in the forum. Is all I am saying.

Do you have any kind of relationship with them that would be a conflict of interest for your participation in this discussion?

No, I just use the product, and why is that always someone's argument when they don't have a logical response to anything?

Everyone has a conflict of interest. I just hate baseless claims that don't hold water, when the person who hasn't actually read the documentation spews nonsense.
