Security and privacy by design
Passbolt is used by governments, the defence sector, regulated industries and privacy-conscious organizations. Passbolt security model is built on strong foundations:
- End-to-end encryption
- 100% open source
- Interoperable crypto
- Granular access rights
- Audited & auditable
- No tracking
Encryption you can trust
All secrets are signed, it is possible to verify cryptographically for each secret the identity of the user that has created it. The integrity cannot be compromised.
Full private key control
Users can choose to use their own PGP secret key for a full control of their data encryption. Alternatively, the secret key will be generated at the account creation.
Secrets can be decrypted and used easily on other systems thanks to the large OpenPGP software ecosystem. For instance, you can configure passbolt to automatically send you email notifications containing PGP encrypted secrets of the passwords you can access and decrypt them directly from your inbox.
The secret key is never sent to the server, not even encrypted. Only you own it. Consequently, it is not possible for an attacker to decrypt the data or capture the user secret key, even if the server is compromised.
Passbolt is based on OpenPGP, an open and extensible encryption standard which provides confidentiality and integrity, and relies on well known algorithms.
Granular access rights
User permissions are set at a password level and secrets are encrypted once for each user that can access it. Revoking a user access means removing the secret from the database and the ability to decrypt future versions.
Self-hostable server, for maximum privacy
If your data are truly yours, you should be able to control where they are located. This is why Passbolt server can be self-hosted inside your own infrastructure: from a raspberry pi inside your office to a High Availability setup hosted at your favorite supplier, you are the one in charge.
Once downloaded and installed, Passbolt server is yours:
- Fully autonomous, no 3rd party service: Passbolt server works as a standalone component. It is fully open source and doesn’t require any third party service to be functional by default.
- Behind your firewall: Passbolt doesn’t require an internet connection access to be functional. It can be completely isolated, protected by your own firewall rules.
- No trackers: We cannot track what Passbolt servers are doing, we don’t know where they are and don’t want to know. Our servers do not send usage data or any form of analytics to us.
Security in the browser
All critical operations are done by the extension. It is not possible to compromise the security of the cryptographic code if the server is compromised.
Passbolt extension updates are rolled out automatically by default, preventing your users from running outdated or unsecure software.
Passbolt requires your users to set a security token that will be displayed when entering their passphrase. That helps prevent phishing attacks.
Challenge based authentication
Passbolt relies on GpgAuth, an authentication protocol that requires both the server and client to solve a challenge, e.g. produce the proof of the private key ownership.
Bruteforce attack prevention
Each login attempt requires a separate challenge. Unlike other password managers that rely on a master password hash.
Multi factor authentication
Passbolt requires something the users know (passphrase) and that they own (private key) to login. It is possible to add additional factors using Yubikey, Duo, or TOTP.
Protection against data breaches
Have I been pwned?
Passbolt protects you from reusing a passphrase that has been used on hacked websites.
Passbolt reduces password reuses for your users and its password generator proposes secure default options with high entropy. Go ahead, forget your passwords!
User input required
The user input is required in order to fill in credentials on a login form and only make relevant suggestions. This prevents unintentional data breaches.
Passbolt code, client and server is regularly audited by third parties.
Passbolt security model, front-end code as well as back-end code has been fully audited by Cure53 in 2021.
In 2021 we got successfully audited for SOC 2 Type II. Report is available to customers on demand.
Passbolt is 100% auditable by anyone who would like to see for himself how our security model works in practice.
100% open source
Passbolt is 100% open source, even the commercial version. If you don’t trust the third party audits, you have the freedom to audit it yourself.
We reward security researchers who audit our code and identify vulnerabilities.
Passbolt SSO - April 2023
This report describes the results of a security assessment of the passbolt complex, spanning the passbolt SSO feature, related backend API and browser extensions.
User directory integration & DirectoryTree LdapRecord library - August 2023
This report describes the results of a security assessment of the passbolt complex, spanning the external DirectoryTree LdapRecord library and related backend API.
Passbolt Crypto and Account recovery - August 2022
This report describes the results of a security assessment of the passbolt complex, spanning several of the newer passbolt features, including the account recovery feature and the ECC key support.
Security White Paper - March 2021
This report describes the results of a review of a cryptography & security white-paper, detailing on the security properties and architecture for passbolt.
Browser extensions - July 2021
This report describes the results of a comprehensive security assessment targeting the passbolt browser extensions for Chrome and Firefox.
Backend and plugins - July 2021
This report describes the results of a security assessment of the passbolt complex, spanning the passbolt backend, API and a selection of passbolt plugins.
Passbolt cloud infrastructure - August 2021
For security reasons this report is not public. No major issue was found, only hardening suggestions who have been implemented during the course of the summer.
Browser integration and WebExtension API usage - September 2021
This report details the scope, results and conclusory summaries of a penetration test and security assessment against the passbolt browser extension with a particular focus on the browser integration and WebExtension API usage.
Mobile applications and go-passbolt-cli - January 2021
This report describes the results of a security assessment of the passbolt complex, spanning the passbolt mobile application, related backend API and CLI tool.