Video tutorial coming soon.
Deploy Passbolt CE on Ubuntu with Docker — end-to-end encrypted password sharing for teams, with browser extension, mobile app, and REST API support.
Grab the automated bash script from GitHub to follow along with the video.
```bash
wget https://raw.githubusercontent.com/mhmdali94/Docker/main/security/passbolt/passbolt-ubuntu.sh
chmod +x passbolt-ubuntu.sh
sudo bash passbolt-ubuntu.sh
```
The script installs Docker, MariaDB, and Passbolt CE. GPG server keys are generated automatically. You will be prompted for your domain name and admin email.
After install, create your admin account by visiting the setup URL printed in the terminal. Install the browser extension and generate your personal GPG key during setup.
Log in with the browser extension installed. The extension manages your GPG private key locally — Passbolt never sees your master password.
http://<your-server-ip>
| Port | Purpose |
|---|---|
| 80 | HTTP |
| 443 | HTTPS |
Passbolt is an open-source, end-to-end encrypted password manager built for teams. Unlike personal password managers, Passbolt is designed for sharing — you can share individual passwords or folders with specific colleagues, control who can view vs. edit, and audit who accessed what and when. All encryption happens in the browser using GPG: your passwords are encrypted with your public key before leaving your device, and only you (and those you explicitly share with) can decrypt them. The server never sees plaintext passwords.
Teams sharing passwords via Slack, email, or sticky notes is a serious security risk. Passbolt replaces this with a structured, auditable, end-to-end encrypted workflow. IT administrators can manage access — when someone leaves the team, you revoke their access instead of rotating dozens of shared passwords. Every password access is logged, giving you an audit trail for compliance. And unlike cloud password managers, your data lives on your server under your control.
Passbolt listens on port 80 (HTTP, redirects to HTTPS) and port 443 (HTTPS). These are the only ports that need to be publicly accessible — the MariaDB port (3306) should never be exposed. Passbolt enforces HTTPS in production and will not function over plain HTTP. Ensure your DNS A record points to your server before running the installer if you want automatic Let's Encrypt certificate provisioning.
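To check that policy on a running host, here is an added shell audit (not part of this page or the Passbolt project): it parses the ports column of `docker ps`, flags a published 3306 or any unexpected public port, and ships with constructed sample output; the container names `passbolt` and `mariadb` are assumptions.

```shell
# Added example (not from the page or the Passbolt project): audit the ports
# the Passbolt containers publish. Policy from the page: only 80 and 443 may
# be reachable publicly, and MariaDB's 3306 must not be exposed.
#
# Real use:  docker ps --format '{{.Names}}\t{{.Ports}}' | check_published_ports
# Exit status 0 when the policy holds, 1 when any finding is printed.

check_published_ports() {
  status=0
  tab=$(printf '\t')
  while IFS="$tab" read -r name ports; do
    [ -z "$name" ] && continue
    # Ports column looks like: 0.0.0.0:80->80/tcp, :::443->443/tcp, 3306/tcp
    # Entries without "->" are reachable only inside the Docker network.
    for mapping in $(printf '%s' "$ports" | tr ',' ' '); do
      case "$mapping" in
        *'->'*)
          host=${mapping%%->*}     # e.g. 0.0.0.0:80, :::443, 127.0.0.1:3306
          port=${host##*:}         # host-side port
          addr=${host%:*}          # bind address
          if [ "$port" = "3306" ] && [ "$addr" != "127.0.0.1" ]; then
            echo "VIOLATION: $name publishes MariaDB port 3306 on $addr"
            status=1
          elif [ "$addr" != "127.0.0.1" ] && [ "$port" != "80" ] && [ "$port" != "443" ]; then
            echo "WARNING: $name publishes unexpected public port $port on $addr"
            status=1
          fi
          ;;
      esac
    done
  done
  return $status
}

# Constructed sample output of `docker ps --format '{{.Names}}\t{{.Ports}}'`
sample_ok=$(printf 'passbolt\t0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp\nmariadb\t3306/tcp\n')
sample_bad=$(printf 'passbolt\t0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp\nmariadb\t0.0.0.0:3306->3306/tcp\n')

printf '%s\n' "$sample_ok"  | check_published_ports && echo "OK: only 80/443 are public"
printf '%s\n' "$sample_bad" | check_published_ports || echo "FAIL: fix the compose port mapping"
```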
Vaultwarden (Bitwarden-compatible) is the best personal and family password manager — simpler to set up, better mobile apps, but sharing is less granular than Passbolt. 1Password and LastPass Teams have more polished UIs and better mobile support but cost money and store data in the cloud. HashiCorp Vault is better for machine-to-machine secret management (CI/CD, service tokens) rather than human-managed passwords. For pure personal use, Vaultwarden is the better choice; Passbolt shines specifically for team credential sharing.
Skip Passbolt if you are a solo user or a small family — Vaultwarden is simpler, has better mobile apps, and is easier to self-host without the GPG key management complexity. Passbolt's setup is heavier: it requires a domain name, HTTPS certificate, SMTP server, and browser extension on every user's device. For machine-to-machine secrets (CI/CD tokens, API keys in scripts), HashiCorp Vault or Infisical is a better fit. Passbolt is specifically optimized for human-to-human team credential sharing with an audit trail.
PrismaTechWork provides end-to-end infrastructure services — from initial deployment and security hardening to ongoing monitoring, automated backups, and dedicated support. Whether you need a single-server setup or a multi-site network, our team ensures your infrastructure is built right, secured properly, and maintained reliably.
Both are self-hosted, open-source password managers, but with different design goals. Vaultwarden (Bitwarden-compatible) is optimized for personal and family use — excellent mobile apps, easier setup, and familiar UI. Passbolt is optimized for team sharing — granular per-password access control, mandatory GPG encryption that the server cannot bypass, full audit logs, and a REST API for automation. Passbolt also has better LDAP integration and is GPLv3 licensed. Vaultwarden is typically easier to get started with; Passbolt is better when you need structured team access management.
If you lose your personal GPG private key, you permanently lose access to all passwords shared with you — there is no recovery without the key. An admin can create a new account for you and re-share passwords, but any passwords only you had access to are gone forever. This is by design — true end-to-end encryption means no server-side recovery. Always backup your GPG key to an offline encrypted location (USB drive, printed paper key) immediately after creating your account.
Yes — Passbolt has official iOS and Android apps available in the App Store and Google Play. The mobile apps connect to your self-hosted instance and support fingerprint/Face ID unlock. Unlike the browser extension (which stores your GPG key in browser storage), the mobile app stores the key in the device's secure enclave. Mobile apps require Passbolt CE 3.x or later and a valid HTTPS certificate on your server.
Yes — Passbolt has a full REST API documented at passbolt.com/api. Authentication uses GPG-signed requests, not simple tokens. The `passbolt-cli` Go tool wraps the API for easy shell script use: `passbolt get resource --id UUID`. In CI/CD pipelines, you can retrieve secrets during build by authenticating with a dedicated service account GPG key. This avoids hardcoding credentials in pipeline configurations.
As an admin, go to Users → Create User — enter their name and email. Passbolt sends them an invitation email with a setup link. They visit the link, install the browser extension, and generate their personal GPG key during setup. Once their account is active, you can share passwords and folders with them individually or by adding them to a group. All this requires working SMTP email configuration on your server.
Disable or delete their Passbolt account in Users → Edit User → Disable/Delete. Immediately after, rotate any passwords they had access to — Passbolt's audit log shows exactly which passwords they viewed so you know what to rotate. Because each person has their own GPG key, disabling their account prevents future logins. You do not need to change every shared password proactively — only the ones they actually accessed, as shown in the activity log.
Yes — Passbolt supports TOTP (Time-based One-Time Password) as a second factor. Users can enable it in their profile settings by scanning a QR code with any authenticator app (Google Authenticator, Aegis, Authy). Admins can make 2FA mandatory for all users in Administration → Security Policies → MFA Policy. Passbolt CE does not support hardware keys (YubiKey) — that feature is in Passbolt Pro.
Passbolt CE (Community Edition) is free and open-source under GPLv3. It includes all core features: end-to-end encryption, team sharing, LDAP sync, REST API, mobile apps, and TOTP 2FA. Passbolt Pro adds enterprise features: hardware key support (YubiKey, FIDO2), advanced SSO integrations (Azure AD, Okta, Google Workspace), dedicated support, audit log export, and an account recovery option for lost GPG keys. Pro is billed per user per month. Most self-hosting teams are well-served by CE.