Manage secrets at scale without losing control. Passbolt gives DevOps teams a single, secure system to handle both human and machine credentials across infrastructure, pipelines, and environments. Built for teams operating across cloud, CI/CD, and production systems, without trade-offs between usability and control.
DevOps teams manage operational credentials across an ever-growing stack: K8s secrets, AWS accounts, GCP projects, API tokens, SSH keys, CI/CD pipelines, shared root access, and production systems. These stored credentials must remain securely accessible and shareable across teams without becoming scattered across local files, personal vaults, spreadsheets, or internal documentation.
Most existing DevOps tools are built either for machine secrets and automation workflows or for basic password sharing with limited infrastructure controls, leading DevOps teams to split workflows across multiple systems while still managing operational access manually.
Passbolt fills the gap between infrastructure-level credential control and operational usability, providing a self-hosted platform that remains practical for daily team use while still supporting API, CLI, and CI/CD integration workflows when needed.
"Our security posture has improved significantly. With Passbolt, we've eliminated browser-stored passwords, enforced strong credential practices, and made secure password management part of everyone's daily workflow. We gained far more than time- It's a real relief."
Discover how Boxtal eliminated browser-stored passwords and made secure credential management part of every engineer's daily workflow.
Discover how CTIE streamlined password sharing and boosted security using Passbolt's open-source, no-trust architecture solution for government IT services.
Learn how the Municipality of Macerata centralised and secured access to its operational credentials with a self-hosted, open-source solution.
Cloud-native secret managers such as AWS Secrets Manager or HashiCorp Vault are primarily designed for machine secrets, infrastructure automation, and application-level integrations. Many DevOps teams still need a separate system to manage shared operational access used by engineers across production systems, cloud accounts, SSH access, and administrative workflows.
Passbolt focuses on this human operational credential layer. It provides a self-hosted, open-source system for securely sharing and managing operational credentials across teams with granular permissions, group-based access control, and day-to-day usability, while still supporting API, CLI, and CI/CD workflows when needed.
Rather than replacing existing secret managers, Passbolt often fits alongside them in hybrid DevOps environments.
Provisioning and revoking access across multiple systems is often manual and inconsistent. Passbolt allows access to be granted and revoked instantly through group-based permissions, ensuring credentials do not remain active unnecessarily.
Yes. Passbolt allows DevOps teams to store and manage operational credentials such as SSH keys, API tokens, cloud account credentials, shared service accounts, and human access credentials in a single system with consistent access controls.
Many teams primarily use Passbolt for shared operational access and human credential workflows, while integrating it alongside dedicated secret managers for deeper machine-to-machine or application-level secret automation when needed.
Passbolt integrates with CLI and API so pipelines can retrieve secrets securely at runtime. This eliminates the need to store credentials in environment variables, config files, or repositories, reducing the risk of secret exposure in code or container images.
Passbolt provides a CLI and REST API that integrate with standard DevOps workflows including CI/CD pipelines, infrastructure-as-code tools, and scripting environments. Being open-source and OpenPGP-based means it also supports custom integrations without vendor constraints.
Yes. Passbolt is fully self-hosted, meaning your credentials never leave your environment. You maintain complete control over your data, storage, and access, with no dependency on external SaaS platforms that may conflict with internal security policies.
Because Passbolt is open-source and self-hosted, you own your data entirely. There is no vendor lock-in: your credentials are stored on your own infrastructure and remain fully accessible and exportable at any time.
Yes. Passbolt is headquartered in Luxembourg, EU, and is designed to support compliance with GDPR and NIS2 requirements. Passbolt can be fully self-hosted which means data never leaves your jurisdiction, giving your legal and compliance teams full assurance over data residency.
Learn more about Passbolt's compliance and independent audit reports here.
Passbolt uses OpenPGP-based encryption, where each credential is encrypted individually using public-private key pairs. This ensures that even in a breach scenario, credentials cannot be bulk-decrypted. It also supports external decryption workflows with a full audit trail.
Learn more about Passbolt's security in the whitepaper here.
Made in Europe. Privacy by default.Get in touch with us to discuss your credential management requirements.