Overview
Discover what makes Passbolt powerful
Passbolt is a security‑first, open‑source password manager engineered for collaborative environments. From a technical standpoint it operates as a **full‑stack web application** that exposes a RESTful API for programmatic access while delivering a rich user interface through modern JavaScript frameworks. The core business logic is written in **PHP 8+** using the CakePHP framework, which provides a convention‑over‑configuration architecture and built‑in support for role‑based access control, caching, and task scheduling. The front‑end is a single‑page application built with **React** (or Preact for lightweight builds) that consumes the API via JSON over HTTPS, enabling seamless integration with browser extensions and native clients.
Architecture
- Back‑end: PHP 8.x + CakePHP 4.x, with a strict type‑hinting policy enforced by PHPStan (level 6) and Psalm (level 4). The application follows a layered architecture: Controllers → Services → Repositories, allowing developers to extend or replace business logic without touching the HTTP layer. Authentication is delegated to OpenID Connect and OAuth2, while end‑to‑end encryption relies on the WebCrypto API and GnuPG for key management.
- Database: PostgreSQL is the default relational store, chosen for its strong support of JSONB columns (used for storing encrypted payloads) and robust transactional guarantees. MySQL/MariaDB are also supported via the Doctrine ORM layer.
- Cache & Queue: Redis is used for session storage, distributed caching, and as a message broker for background jobs (e.g., audit logging, email notifications).
- Containerization: A full Docker Compose stack is shipped with the source, featuring separate containers for PHP-FPM, Nginx, PostgreSQL, Redis, and a reverse‑proxy (Traefik). Kubernetes manifests are also available in the deploy/k8s directory, enabling horizontal scaling of the API tier and automated rolling updates.
Core Capabilities
- End‑to‑end encryption: Each user owns a GPG key pair; secrets are encrypted client‑side before transmission, ensuring that the server never sees plaintext credentials.
- Fine‑grained sharing: Permissions are defined at the group, resource, and even field level, with audit trails exposed via a dedicated API endpoint.
- Plugin architecture: Developers can hook into lifecycle events (e.g., beforeCreate, afterDelete) to implement custom workflows. The plugin system uses Composer autoloading and a simple service locator pattern, making it trivial to ship reusable extensions.
- Webhooks & API: A comprehensive RESTful API (v1) exposes CRUD operations for users, groups, resources, and shares. Webhook endpoints allow external services to react to events such as resource creation or permission changes.
Deployment & Infrastructure
Passbolt can be deployed on any LAMP‑style stack or within a container orchestration platform. The minimal hardware requirements are modest (1 CPU, 2 GB RAM for small teams), but the architecture supports horizontal scaling of the API tier behind a load balancer. Air‑gap installations are fully supported; all cryptographic operations occur client‑side, so the server can run offline. For high availability, PostgreSQL replication and Redis Sentinel are recommended.
Integration & Extensibility
The open‑source nature of Passbolt means that developers can fork the repository, modify the UI or backend logic, and merge pull requests back into the community edition. The API follows HATEOAS principles, making it straightforward to build custom clients (CLI, mobile, desktop). The plugin system exposes hooks for authentication providers, enabling SSO via LDAP or Microsoft Azure AD. Additionally, the application emits OpenTelemetry metrics and logs in JSON format, allowing integration with Prometheus or ELK stacks.
Developer Experience
The codebase is heavily typed and linted, with a continuous integration pipeline that runs PHPStan, Psalm, PHPUnit, and Cypress tests. Documentation is split into a docs/ directory (API reference, deployment guides) and an online help center. The community edition is released under the MIT license, ensuring that commercial or internal use incurs no cost. A dedicated Slack channel and GitHub Discussions forum provide active community support, while the contribution guidelines encourage clear pull requests with unit tests.
Use Cases
- Enterprise credential management: Centralized storage for SSH keys, API tokens, and database passwords with audit trails.
- DevOps automation: CI/CD pipelines can retrieve secrets from Passbolt via its API, keeping credentials out of code repositories.
- Regulated environments: Air‑gap deployments for defense or finance sectors where data residency and zero‑knowledge guarantees are mandatory.
- Open source projects: Teams that need a low‑cost, self‑hosted solution without vendor lock‑in.
Advantages
Passbolt offers a unique blend of performance, flexibility, and security. Its use of client‑side encryption removes the need for complex key management on the server, while the modular plugin system allows developers to tailor functionality. The open‑source license eliminates vendor lock‑in, and the mature PHP ecosystem ensures that new developers can onboard quickly. Compared to SaaS alternatives, Passbolt delivers full control over data residency and compliance, making it the preferred choice for teams that demand both developer freedom and rigorous security.
