Passbolt 5.3 is now available (release notes: v5.3.0, v5.3.1). This release introduces custom fields (in beta), built on the encrypted metadata framework introduced this year with the 5.x series. This update also brings performance enhancements and some bug fixes.
Custom Fields
Custom fields, which is one of the most-requested features from the community, allow users to attach additional key–value pairs to a password entry or even create standalone key–value entries.
Teams often need to store information that doesn’t fit neatly into standard username and password fields. Custom fields make it possible to attach that extra context directly to credentials, keeping related information in one place. This helps reduce duplication, improve clarity, and make operational workflows easier to maintain, especially in setups with more complex infrastructure where automation is needed.
For example, teams can centralise CI/CD pipeline variables or store environment-specific configuration values with a credential, rather than cramming those details into a general text note.
Performance Enhancements
As part of ongoing performance optimisations, Passbolt 5.3 focuses on faster folder browsing. Loading a folder and its contained credentials is now more efficient, reducing the load on both the API and the client. This improvement is especially noticeable for organisations managing thousands of credentials, where navigating large password libraries and folders now feels noticeably smoother.
Bug Fixes and Improvements
The latest update addresses several community-reported issues including fixes resolving email notification errors occurring post-upgrade, addressing database health check issues on initial setups, and refining browser extension functionalities, such as group management dialogs and folder reloads.
Why are the new resource types still in beta?
While encrypted metadata has already passed a full Cure53 security audit (see the report), the features that depend on it, such as icons, multiple URIs, and custom fields, will stay in beta. The beta label will be removed once the last rough edges are polished, tentatively scheduled for v5.4 in August.
To help you decide when the feature set is ready for your environment, here is the remaining work scheduled for v5.4:
- Streamline administrator onboarding and guidance. Improve the first‑time experience and give administrators clearer steps for turning on the new resource types.
- KeePass (KDBX) import and export. Add support for icons, multiple URIs, and custom fields when exchanging data with KeePass. Many community members rely on KeePass as a backup or complementary tool, so this integration is essential.
- Fix latest performance hurdles. Most importantly we need to fix a bug in the cache system, when the cache becomes corrupted, in order for clients not to experience performance degradation.
- Zero‑knowledge mode. Offer an option to keep metadata fully confidential and not accessible to the server, for organisations that favour confidentiality over auditability. Read more about it here.
- Metadata key rotation. Provide an administrative mechanism for rotating the key used to encrypt shared resources metadata.
Even after these items ship in v5.4, some gaps will remain that you may want to evaluate before enabling the feature:
- Cryptographic verification of metadata origin. A signature mechanism is planned to confirm who encrypted each piece of metadata. Cure53 flagged this as an outstanding risk. A mitigation is in the work, see the proposal for details.
- Limited auditability. Organisations that rely on syslog or custom SIEM integrations will lose some visibility into operations on v5 content because metadata remains encrypted.
- Passbolt CLI compatibility. The command‑line utility is still being updated for the new resource types. If you have automations that depend on it, consider waiting.
- Custom integrations. Any bespoke integrations that call the API will need to handle the additional encryption layer and therefore will break if not adapted prior to the migration of the existing content. Updated SDKs are planned but not yet scheduled for release.
How to enable the new capabilities?
Self-hosted users can enable and explore these features now, while Passbolt Cloud customers will receive them once the beta label will be removed. If you have already enabled encrypted metadata for your organisation, custom fields will be available after upgrading your API to the latest version. If you didn’t enable encrypted metadata, check out this blog article.
What’s Next?
Passbolt 5.4 (August 13th, 2025)
Encrypted metadata will exit beta, becoming stable and available for all users.
Passbolt 5.5 (September 10th, 2025)
Tentatively this release might introduce support for SSH key management and standalone secure notes. The scope of this release might be impacted by the release v5.4 and is communicated to highlight the next big priorities.
Stay up to date
To remain informed about all Passbolt updates and community activities:
- Subscribe to our newsletter.
- Follow us on LinkedIn, Mastodon, and BlueSky.
- Join discussions and get the latest announcements on the community forum.
Sign up for email notifications about new releases on the changelog page.
Thank you to the community for your continued support and contribution.
