Passbolt is one of the few password managers built for teams that hands you the encryption keys and the server.

For MSP owners and technicians weighing it against the usual commercial vaults, the question isn't whether Passbolt is secure (it is), but whether an open source, self-hostable tool can carry client credentials across a real service desk without creating more work than it saves. This Passbolt review answers that for MSPs specifically.

TL;DR: Passbolt for MSPs

| Question | Short answer |
| --- | --- |
| Is Passbolt good for MSPs? | Strong fit for security-first, self-hosting teams; weak fit if you need turnkey multi-tenant client separation. |
| Encryption model | OpenPGP end-to-end, private key never leaves the user's device, zero-knowledge by design. |
| Where the price starts | Free Community edition (AGPLv3, unlimited users); paid tiers from roughly $5.40/user per month, 10-seat minimum. |
| Self-hosting | Runs on Docker, Linux, a VM, or a Raspberry Pi; about 75% of users self-host. |
| The MSP gotcha | No native multi-tenant. Each client org needs its own separation, and that adds overhead. |

What Passbolt Is

Passbolt is an open source password manager built for teams, designed so a group can share credentials without ever exposing the plaintext to the server. It started in 2017 out of Luxembourg, and in January 2025 the company raised $8 million to expand the product, per TechCrunch. The core engine is licensed under AGPLv3, so the Community edition is genuinely free to self-host with unlimited users.

The adoption numbers tell you who's using it. Passbolt reports around 38,000 teams on the free edition and roughly 2,000 paying customers, and about 75% of all users run it on their own infrastructure rather than the hosted cloud. That ratio matters. Passbolt isn't a SaaS tool with a self-host option bolted on as an afterthought. Self-hosting is the main event, and the product is shaped around technical teams who want to own where their secrets live.

For an MSP, that framing is the whole pitch. You're not handing a third party the master vault for every client you support. You're running a self-hosted password manager you control, on a box you patch, with an audit trail you own. Whether that control is worth the operational weight is the real subject of this review.

How Passbolt Handles Security

Passbolt's security model is the reason it shows up in serious comparisons. It's built on OpenPGP, the same public-key cryptography standard behind GPG email encryption. Every user gets a keypair. The public key lives on the server, the private key stays on the user's device, and a passphrase unlocks that private key locally. The server never sees a private key and never sees a plaintext password. That's what zero-knowledge means in practice, and Passbolt's architecture enforces it rather than promising it in a marketing line.

When a technician shares a credential, Passbolt encrypts that secret to the recipient's public key. The decryption happens in the browser through the Passbolt extension or the desktop app, never on the server. So even if someone breaches your Passbolt host, they get ciphertext, not credentials. For an MSP holding the keys to dozens of client environments, that property is close to non-negotiable.

The trade-off is that OpenPGP key management is heavier than a typical master-password vault. Each user's private key is the linchpin. Lose it without a recovery kit, and the data encrypted to it is gone. Passbolt layers MFA, account recovery policies, and key backups on top, but the model demands more discipline from end users than a consumer tool does. Reviewers consistently call the security excellent and the onboarding learning curve real. Both are true.

Passbolt Pricing and Editions

Passbolt pricing splits into a free Community edition and paid Pro and Cloud tiers, with Enterprise quoted on request. The Community edition is the open source, self-hosted password manager most people start with: AGPLv3, unlimited users, core sharing and folder features, and zero license cost. You pay in infrastructure and admin time, not seats.

Paid tiers add the features an MSP or larger IT team needs to run this at scale: LDAP and Active Directory provisioning, single sign-on, immutable audit logs, custom roles, and tighter MFA controls. Those audit logs start at the Business tier, and they're the piece that turns Passbolt from a vault into something you can put in front of a SOC 2 or GDPR auditor.

| Edition | Price (approx) | Hosting | Key features |
| --- | --- | --- | --- |
| Community | Free (AGPLv3) | Self-hosted | Unlimited users, sharing, folders, MFA, API access |
| Pro (self-hosted) | From ~€4.50/user per month, billed annually, 10-seat min | Your infrastructure | Adds LDAP/AD, SSO, audit logs, custom roles, support |
| Cloud Business | From ~$5.40/user per month, 10-seat min | EU cloud (GCP, Belgium and Germany) | Managed hosting, same business features, no server to run |
| Enterprise / Sovereign | Custom quote | Luxembourg sovereign data center | Dedicated hosting, advanced compliance, priority support |

Two things stand out for MSP buyers. First, the 10-seat minimum on paid tiers means a tiny shop testing the waters either self-hosts the free edition or pays for ten seats whether it needs them or not. Second, the cloud option is EU-hosted by default, which is a selling point for European data-residency requirements and a consideration if your clients are US-based and contractually picky about where data sits. Always confirm current Passbolt pricing on their site before you quote a client, since per-seat numbers and minimums shift.

Deployment and Self-Hosting

Self-hosting is where Passbolt either wins you over or wears you down. The supported paths are broad: a Passbolt Docker deployment with Docker Compose, a native install on Debian, Ubuntu, CentOS, or RHEL, a VM image, and yes, even a Raspberry Pi for a lab or a very small team. The Docker route is the most common because it bundles the dependencies and makes upgrades less painful.

What running it takes is honest work. You're standing up a LAMP-style stack (the app, a MariaDB or MySQL database, a web server, and valid TLS), generating the server GPG key, and then keeping all of it patched. Passbolt ships frequent updates, and because this is your credential vault, you can't let it drift. For an MSP that already runs internal infrastructure, this is a Tuesday. For a shop that outsources everything, it's a new system to babysit.

The cloud edition exists precisely for teams that want the security model without the ops burden. You give up some control over where the box lives, but you stop owning patches, backups, and uptime. For many MSPs the calculus lands on self-hosting the vault that holds client secrets and paying for cloud only where a client demands a managed arrangement. Passbolt is one of the few tools that lets you make that choice per deployment instead of forcing one model. If you're mapping how a password vault for teams slots into the rest of your tooling, our MSP security stack guide shows where credential management sits next to EDR, MFA, and backup.

Where Passbolt Fits an MSP

Passbolt earns its place when your priorities are control, auditability, and cost. Here's where it lands cleanly for service providers:

  • Team sharing with real permissions. Role-based access control, nested folders, and inherited permissions mean a junior tech sees only the client folders they're assigned, while a lead sees the tree. No shared spreadsheet, no "the password is in the ticket" chaos.
  • Audit logs that survive scrutiny. The Business tier's immutable log records who accessed which secret, when, from which device and IP. That's the evidence a SOC 2 or GDPR review wants, and it's the difference between asserting access control and proving it.
  • Automation through the API. Passbolt ships a documented REST API and CLI, so it's a password manager with API access you can wire into provisioning scripts, onboarding workflows, and your own tooling instead of clicking through a UI for every new hire.
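
An access review over the fields that audit log is described as recording (who, which secret, when, source IP), as an added example that is not Passbolt's code: it flags a user's first read from a previously unseen IP and a burst of distinct secrets inside a short window. The log entries, field layout and thresholds are constructed assumptions, not Passbolt's log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed entries (time, user, secret, source IP). The field layout is an
# assumption for this example, not Passbolt's audit log schema.
LOG = [
    ("2025-03-04T09:00:05", "dana", "acme/fw-admin", "203.0.113.10"),
    ("2025-03-04T09:12:40", "lee", "globex/m365-ga", "203.0.113.11"),
    ("2025-03-04T10:30:00", "lee", "acme/fw-admin", "203.0.113.11"),
    ("2025-03-04T22:14:01", "dana", "acme/fw-admin", "198.51.100.77"),
    ("2025-03-04T22:14:20", "dana", "acme/m365-ga", "198.51.100.77"),
    ("2025-03-04T22:14:41", "dana", "acme/backup-root", "198.51.100.77"),
    ("2025-03-04T22:15:02", "dana", "acme/vpn-psk", "198.51.100.77"),
    ("2025-03-04T22:15:30", "dana", "acme/dc-admin", "198.51.100.77"),
]


def review(log, window=timedelta(minutes=5), max_secrets=3):
    """Return findings: first use of a new IP, and bursts of distinct secrets."""
    findings = []
    known_ips = defaultdict(set)   # user -> IPs already seen
    recent = defaultdict(deque)    # user -> (time, secret) inside the window
    in_burst = set()               # users already reported for the current burst
    for ts, user, secret, ip in sorted(log):
        now = datetime.fromisoformat(ts)
        # The first IP seen for a user sets the baseline; later new ones are flagged.
        if known_ips[user] and ip not in known_ips[user]:
            findings.append((ts, user, "new_ip", ip))
        known_ips[user].add(ip)

        q = recent[user]
        q.append((now, secret))
        while now - q[0][0] > window:  # drop reads older than the window
            q.popleft()
        distinct = len({s for _, s in q})
        if distinct <= max_secrets:
            in_burst.discard(user)
        elif user not in in_burst:     # report once per burst
            findings.append((ts, user, "burst", distinct))
            in_burst.add(user)
    return findings


if __name__ == "__main__":
    for finding in review(LOG):
        print(finding)
```
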

Data sovereignty is the quiet advantage. When you self-host, client credentials never touch a vendor's multi-tenant cloud. For MSPs serving healthcare, legal, or government clients, "the secrets live on hardware we control in a location we name" is a contract-winning sentence. Passbolt also fits the consolidation mindset that's reshaping MSP tooling. It won't run your whole stack, but it's a clean, ownable piece of it, the kind of component that slots into a broader, consolidated IT operations approach. That's the direction Flamingo, an AI-native all-in-one MSP/IT platform, is pushing too: cut the vendor sprawl and lock-in everywhere else without forcing you into one rigid suite.

Where Passbolt Falls Short for MSPs

The honest gaps are real, and they cluster around the exact thing MSPs need most: managing many clients at once.

  • No native multi-tenant. This is the big one. Passbolt is built for one organization. There's no built-in concept of isolated client tenants under a single management pane. MSPs work around it with strict folder structures and groups, or by running separate instances per client, but both add overhead the commercial MSP-focused vaults handle natively.
  • Self-hosting is an ongoing commitment. Patching, backups, key recovery, and uptime are now your job. Skip a security update on the box holding every client's credentials and you've created the exact risk the tool was supposed to remove.
  • Mobile and support trail the commercial pack. Passbolt has native mobile apps now, but reviewers note the experience and the support depth still lag the polished consumer-grade managers. The free edition leans on community forums, and fast vendor support is a paid tier.
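
One way to check that the folder-and-group workaround actually keeps clients apart, as an added example rather than Passbolt's own code: it resolves group membership and ancestor-folder grants into effective access and reports any technician who can reach a client outside their assignment. The folder tree, groups, grants and assignment map are constructed, and the inheritance rule is a simplified model, not Passbolt's API or permission engine.

```python
# Added example: simplified model, constructed data, hypothetical names.
# This is not Passbolt's API, export format, or permission engine.
FOLDER_PARENT = {  # folder -> parent (None marks a top-level client folder)
    "acme": None, "acme/network": "acme", "acme/m365": "acme",
    "globex": None, "globex/firewalls": "globex",
    "internal": None,
}
GROUP_MEMBERS = {"acme-techs": {"dana", "lee"},
                 "globex-techs": {"lee", "sam"}, "leads": {"ravi"}}
GRANTS = [  # (folder, grantee); a grantee is a group name or a user name
    ("acme", "acme-techs"), ("globex", "globex-techs"),
    ("acme", "leads"), ("globex", "leads"), ("internal", "leads"),
    ("globex/firewalls", "dana"),  # one-off direct share that breaks separation
]
ASSIGNED = {"dana": {"acme"}, "lee": {"acme", "globex"},  # intended client reach
            "sam": {"globex"}, "ravi": {"acme", "globex", "internal"}}


def ancestors(folder):
    """Return the folder followed by each ancestor up to its top-level folder."""
    chain = []
    while folder is not None:
        chain.append(folder)
        folder = FOLDER_PARENT[folder]
    return chain


def effective_access():
    """Map user -> folders reachable by a grant on the folder or an ancestor."""
    access = {}
    for folder in FOLDER_PARENT:
        chain = ancestors(folder)
        for granted_folder, grantee in GRANTS:
            if granted_folder in chain:
                # Expand a group to its members; otherwise treat as one user.
                for user in GROUP_MEMBERS.get(grantee, {grantee}):
                    access.setdefault(user, set()).add(folder)
    return access


def separation_violations():
    """Sorted (user, client, folder) where access exceeds the assignment."""
    found = []
    for user, folders in effective_access().items():
        for folder in folders:
            client = ancestors(folder)[-1]  # top-level folder = client
            if client not in ASSIGNED.get(user, set()):
                found.append((user, client, folder))
    return sorted(found)


if __name__ == "__main__":
    print(separation_violations())
```

A user who holds grants but is missing from the assignment map is reported for every folder they can reach, which also surfaces accounts left behind after offboarding.
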

The 10-seat minimum on paid plans is a smaller friction, but it's there. And the OpenPGP model that makes Passbolt so secure is also the thing that confuses non-technical client users the first time they hit a Passbolt login and have to manage a private key and passphrase. Budget for onboarding time, especially if you're rolling it out to client staff rather than just your own techs. Reviewers at dbtechreviews flagged the setup friction as a genuine barrier, and that critique still has teeth for less technical teams.

Passbolt vs Bitwarden for MSPs

The Passbolt vs Bitwarden question comes up in every self-hosted password manager thread, because Bitwarden (and its lightweight community port, Vaultwarden) is the obvious Passbolt alternative. Both are open source, both self-host, both serve teams. They differ in philosophy.

| Factor | Passbolt | Bitwarden |
| --- | --- | --- |
| Encryption model | OpenPGP keypair, per-user keys | AES-256 with master password derived key |
| Self-hosting | First-class, ~75% of users self-host | Supported; Vaultwarden is the popular lightweight self-host |
| Team features | RBAC, folders, inherited permissions, audit logs (paid) | Organizations, collections, groups, event logs |
| Multi-tenant for MSPs | None native; folder or per-instance workarounds | None native; Bitwarden has a dedicated MSP/provider program |
| Pricing posture | Free CE; paid from ~€4.50-$5.40/user, 10-seat min | Free tier; paid teams/enterprise per user, lower entry |

Neither is a clean multi-tenant MSP product out of the box. Bitwarden has leaned harder into a provider program and a smoother cross-platform experience, which makes it easier to hand to non-technical client users. Passbolt counters with the OpenPGP model, granular sharing, and a self-hosting story that technical teams trust more. If your team values cryptographic rigor and owns its infrastructure, Passbolt wins the comparison. If you need the smoothest path to deploying a password vault for teams across many clients with minimal hand-holding, Bitwarden's provider tooling is further along. Both routinely land on lists of the best open source password manager options for good reason.

What the Ratings Say

Across review platforms, Passbolt scores well, with the caveat that volumes are modest. It holds a 4.7 out of 5 on Capterra from 35 reviews and a 4.3 out of 5 on G2 from 14 reviews. The expert team at PasswordManager.com rated it 4.2 out of 5. Passbolt has no Trustpilot listing as of June 2026, so there's no consumer-volume score to weigh there.

The pattern in the written reviews is consistent: strong praise for the encryption model, the granular sharing, and the responsive community, balanced against repeated notes about self-hosting complexity and a learning curve for non-technical users. That's the same picture this review keeps arriving at from the MSP angle.

Who Should Use Passbolt, and Who Should Skip It

Here's the call, split by who you are.

Passbolt fits you if you run a security-first MSP, you already self-host internal infrastructure, and you want client credentials to live on hardware you control with an audit trail you own. It fits if data sovereignty is a selling point with your clients, if you have the technical depth to manage OpenPGP keys and patch a server, and if you'd rather invest admin time than pay per-seat to a SaaS vendor. For teams that want a self-hosted password manager or an on-premise password vault with a real zero-knowledge model and a multi-user setup that respects roles, it's one of the strongest options available.

Skip it, or at least look harder at alternatives, if you need turnkey multi-tenant client separation on day one, if your team has no appetite for running and patching infrastructure, or if you're rolling vaults out to large numbers of non-technical client users who'll struggle with key management. In those cases, a commercial tool with a built-in provider program will cost more but demand less of your techs.

Passbolt isn't trying to be the easiest password manager. It's trying to be the one you don't have to trust blindly, because you hold the keys and the server. For MSPs who treat that as the whole point, it's worth the setup tax. For everyone else, run the math on what your team's time is worth before you commit. The same discipline applies to every tool you evaluate, which is why we put vendors through the same wringer in reviews like our HaloPSA breakdown. Own the vault, or pay someone to own it for you, but never lose track of who holds the keys to your clients' front doors.

Kristina Shkriabina

Marketing Manager

Kristina runs content, SEO, and community at Flamingo and OpenMSP. She spent years as a correspondent for Ukraine's Public Broadcasting Company before making the jump to tech. Now she covers MSP stack decisions and strategy. You can connect with her in the OpenMSP community or on LinkedIn.

Frequently Asked Questions

Password Manager

Yes. Passbolt's Community edition is free under the AGPLv3 license with unlimited users, but you self-host it yourself. Paid Pro and Cloud tiers, starting around $5.40 per user monthly with a 10-seat minimum, add LDAP, SSO, and audit logs.
Neither wins outright. Passbolt uses OpenPGP per-user keys and a self-hosting-first design that technical teams trust. Bitwarden offers a smoother cross-platform experience and a dedicated provider program. Choose Passbolt for cryptographic control, Bitwarden for easier rollout to non-technical client users.
Yes, and most users do. About 75% of Passbolt deployments run on the user's own infrastructure through Docker, a Linux package, a virtual machine, or even a Raspberry Pi. You handle TLS, the database, GPG key generation, backups, and ongoing security patching yourself.
Passbolt uses OpenPGP end-to-end encryption. Each user holds a private key that never leaves their device, and the server only stores ciphertext, so a breach exposes no plaintext passwords. Multi-factor authentication and account recovery policies add further protection on top of the zero-knowledge model.
Not natively. Passbolt is built for a single organization, with no built-in tenant isolation for separate clients. MSPs work around this using strict folders and groups or by running a separate instance per client, both of which add administrative overhead compared with purpose-built MSP vaults.
Passbolt's Community edition costs nothing beyond your own hosting. Paid self-hosted Pro starts around €4.50 per user monthly billed annually, and Cloud Business starts near $5.40 per user monthly, both with a 10-seat minimum. Enterprise and Sovereign tiers are custom quoted.
