Passbolt 5.1 is now available (release notes). This new version introduces support for what we call “encrypted resource metadata”. While that might sound a little cryptic (pun intended), it’s a meaningful step forward. Why? Version 5.1 extends end-to-end encryption to the context around credentials, like the name you give a password in passbolt or the URL where it’s used to log in.
In this blog post, you’ll find an overview of the benefits and capabilities of the new encrypted resource metadata feature introduced in passbolt 5.1, how to manage it, and why we believe it solidifies the security foundation we’ve been working toward from the beginning. You’ll also get a preview of what’s coming next with features that will build on the foundation this release puts in place.
Why Encrypted Resource Metadata Matters
This is a key milestone for the product, further extending passbolt’s security model to improve confidentiality for the contextual information surrounding credentials. For organisations that rely on passbolt to keep critical access data under lock and key, encrypted resource metadata in 5.1 brings practical business benefits:
- Stronger breach resilience: If an attacker were to gain access to your database or backups, they’ll see only unreadable ciphertext, not even the names of credentials or the URLs that could reveal which systems your organisation uses.
- Compliance peace of mind: Hiding a resource’s identifying details supports data-minimisation mandates in frameworks such as GDPR, ISO 27001 and SOC 2, and narrows what must be disclosed if an incident occurs.
What happens if you do not enable this feature just now? Your passwords and secrets remain fully encrypted, and metadata is still protected by access controls and TLS during transmission. What version 5.1 introduces is an additional layer of security. For this added protection, we recommend upgrading to 5.1 when you are ready.
It is especially important to start planning your migration, if you have some custom integrations built in. A dedicated migration guide will be published soon to help with the process.
What You Can Do with Encrypted Resource Metadata
Until now, metadata of resources, i.e. credentials, remained in plain text, such as
- Resource names: the human-readable titles given to stored passwords or secrets,
- URLs: usually associated with the login page.
- Usernames: typically the email of the user or shared account.
With the release of 5.1, end-to-end cryptographic protection now not only includes credentials, but their metadata as well. How it works in a nutshell:
- Personal or trusted team encryption: Resource metadata is encrypted based on OpenPGP using your personal key or a shared key trusted by your team. Small teams can run everything under personal keys, while larger groups can opt for the shared key to keep workflows smooth and auditable.
- Trust layer built in: Passbolt guides administrators and users through verifying or rotating a shared metadata key.
- Search capability preserved: Even with metadata locked down, users can still full-text-search their credentials.
Want to dig into the details? Check out our dedicated blog post: The road to Passbolt v5 – Encrypted metadata and other core security changes.
How to Enable and Configure the Feature in Passbolt
Encrypted resource metadata is an opt-in feature in version 5.1. Early adopters can turn it on, test real-world workflows and feed back improvements, while more cautious teams can wait until it becomes the default later in the 5.x cycle.
To activate encrypted resource metadata in your passbolt instance, go to the organization settings, enable it and set it as the default. This ensures that client applications (web and mobile) will create resources using the encrypted resource metadata format by default.
From the same settings area, administrators can also generate a shared metadata key to allow trusted access to encrypted metadata across the team.
Watch the Video: Encrypted Resource Metadata in Action
Want to see encrypted resource metadata in action? One of the passbolt developers has put together a demo screencast that walks you through the new feature set introduced in the 5.1 release.
Security Audit of the Implementation
As is customary for high-risk security features such as encrypted resource metadata, this implementation has been audited by security researchers from Cure53 with a public report publication coming soon.
What Will 5.2 and 5.3 Bring?
As part of our commitment to maintaining a monthly release schedule and a publicly visible three-month planning window, here’s what to expect from the upcoming passbolt 5.2 and 5.3 releases.
Passbolt 5.2 (June 11, 2025)
Version 5.2 is planned for release on June 11, 2025, and will introduce support for multiple URIs per credential, customizable icons and, if no impediments, custom fields. These features build on the new user interface introduced in version 5.0. You can find more details about passbolt 5.2 in the previous 5.0 announcement.
Passbolt 5.3 (July 9, 2025)
The 5.3 release, scheduled for July 9, 2025, will introduce the support for SSH keys, further expanding the range of sensitive access data types that can be securely managed within passbolt.
More information about upcoming features is available in the passbolt roadmap. You can make feature requests in the community forum.
Availability of Passbolt 5.1
Server
The passbolt 5.1 server is available now for immediate download of the Community and Pro editions. You can find comprehensive upgrade guides and detailed documentation on our website to assist you with the transition.
Clients
Encrypted resource metadata can be managed by administrators exclusively through the browser extensions. As of today, the passbolt Chrome extension and the passbolt Microsoft Edge plugin fully support this functionality. Support for the passbolt Firefox add-on will follow in the coming days pending store reviewers validation. If you already have one of these extensions installed, it will update automatically and the new feature will become available right away, with no action required. Passbolt is available on more browsers.
The updated passbolt Windows desktop app, along with the passbolt iOS and passbolt Android mobile apps will be made available in the next few days. These new versions include support for encrypted resource metadata, so users will need to update to access the feature. However, administration tasks such as enabling the feature or managing metadata keys remain available only via the browser extension for now.
Feedback
We encourage you to share your valuable feedback with our community on the passbolt forum.
For our self-hosting customers who participated in the beta program, your contributions have been invaluable in shaping this release - thank you!
Stay Up To Date
Stay up to date with passbolt releases by subscribing to our newsletter.
Or, get updates on the social media channels below:
• Mastodon
• BlueSky
Feel free to join our community forum—release updates are regularly posted there in the Announcements' section.
Lastly, you can also visit our GitHub repo, click the “Watch” button in the top right, select “Custom” and then choose the “Releases” option to get notified as soon as new releases are published.
