Sick of Big Tech vaults? Passbolt lets you self-host your passwords, if you can handle it

Passbolt, the open-source password manager from Luxembourg: the self-hosting option decoded

If you’re tired of handing your company’s keys to a North American cloud vendor and hoping for the best, Passbolt is pitching a different deal: run your own password manager, on your own server, under your own roof.

Passbolt is open-source, built by a team in Luxembourg, and designed for sharing credentials inside small teams without turning Slack into a password dumpster fire. The hook is “self-hosting”, yes, even on a little home server sitting next to your router. The catch is the same as it’s always been with self-hosting: you own the control, and you own the mess when something breaks.

And in 2024, stolen credentials are still one of the most reliable crowbars criminals use to pry into networks. Verizon's DBIR 2024 flags stolen logins as a recurring intrusion path. So the question isn't whether password management matters. It's whether you want the responsibility that comes with running the vault yourself.

An open-source European alternative, don’t confuse “European” with “magically safer”

The password-manager market is dominated by closed, tightly integrated products that live in a vendor’s cloud. Passbolt’s argument is basically: “Here’s the code, audit it if you want, and host the server wherever you trust.” That can mean anything from a dedicated box in a data center to a mini-PC at home.

Open source buys you transparency, not a force field. Code can be audited independently, sure, but only if someone actually does the work. Security still comes down to threat modeling, patch speed, and operational discipline. A Luxembourg address doesn’t patch your server at 2 a.m.

Where Passbolt really aims is team use: shared secrets, access rights, group-based permissions, and the ability to revoke access when someone leaves. That matters because a team password manager isn't just holding your Netflix login; it's holding the credentials to bank accounts, admin consoles, internal tools, and API keys. Misconfigure it and you've built a single point of failure with a bow on top.

Cost-wise, cloud services shift pain into a subscription and vendor dependency. Self-hosting can cut the direct software bill, but you pay in time, hardware, backups, monitoring, and the occasional “why is this down right now” panic. If you’re doing this to save money, you may be doing it for the wrong reason. The real payoff is control.

Self-hosting at home: hardware, OS, network exposure, and the DNS headache

Running Passbolt on a home network boils down to four chunks: hardware, the operating system, the network, and how people reach the service.

Hardware doesn’t have to be fancy. A small x86 mini-PC, an Intel NUC-style box, a micro-server, or a NAS that can run containers can do the job for a household or small team. What matters is boring reliability: stable storage, decent power, enough memory to avoid weird behavior. If the vault is mission-critical, redundancy stops being a nerd hobby and starts being a business requirement.

On the OS side, most people land on a well-supported Linux distro. You can install via packages or use containers. Containers can make deployment and isolation easier, but they also demand you get serious about persistent storage, image updates, and backups. And no, the attack surface isn’t just “the Passbolt app.” It’s the host OS, web server, database, and dependencies too.

Network exposure is where people get reckless. There are two common setups:

1) LAN-only: accessible only on your home Wi‑Fi/wired network. Less exposure, fewer sleepless nights.

2) Remote access: reachable from outside the house so you can pull credentials on the road. That means port forwarding to the host, a reverse proxy in front of it, or, if you're serious, a home VPN. A VPN reduces direct internet exposure, but it's another component you must maintain. Opening the service straight to the internet can be done, but then you'd better be religious about TLS, fast patching, and logging.

Then there's DNS and your public IP. Most residential ISPs don't hand out a static IP, which pushes you toward dynamic DNS. This is the part people underestimate until they're locked out because a subdomain is misconfigured or a TLS certificate expires. A "clean" self-hosted setup starts looking a lot like running a small production service, because that's what you're doing.
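Certificate expiry is the lockout the paragraph above warns about, and it is cheap to catch early. The following is an added example, not Passbolt's own tooling: a small cron-style check that connects to your Passbolt hostname with the system trust store (so a self-signed or broken chain fails loudly instead of being accepted), refuses anything below TLS 1.2, and reports how many days the certificate has left. The hostname `passbolt.example.home`, the 14-day warning threshold and the `SAMPLE_CERT` dict are assumptions constructed for illustration.

```python
"""Check that the TLS certificate on a self-hosted Passbolt endpoint is
trusted and not about to expire. Added example, not Passbolt's own code.
The hostname, threshold and sample certificate below are assumptions."""
import socket
import ssl
import time

WARN_DAYS = 14  # assumption: alert when fewer than two weeks remain

# Constructed sample in the shape SSLSocket.getpeercert() returns; only the
# fields this check reads are filled in.
SAMPLE_CERT = {
    "subject": ((("commonName", "passbolt.example.home"),),),
    "notAfter": "Mar 15 12:00:00 2027 GMT",
}


def expiry_epoch(cert):
    """Expiry time of a getpeercert() dict as Unix seconds."""
    return ssl.cert_time_to_seconds(cert["notAfter"])


def days_until_expiry(cert, now=None):
    """Days left on the certificate, negative once it has expired."""
    now = time.time() if now is None else now
    return (expiry_epoch(cert) - now) / 86400.0


def check_certificate(cert, now=None, warn_days=WARN_DAYS):
    """Classify the certificate as 'expired', 'expiring' or 'ok'."""
    left = days_until_expiry(cert, now)
    if left <= 0:
        return "expired", left
    if left < warn_days:
        return "expiring", left
    return "ok", left


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Connect using the system trust store and a TLS 1.2 floor; returns the
    peer certificate dict and the negotiated protocol version. An untrusted
    chain or a hostname mismatch raises ssl.SSLError, which is the point."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()


if __name__ == "__main__":
    import sys

    # Placeholder hostname; pass your real Passbolt FQDN as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "passbolt.example.home"
    try:
        cert, proto = fetch_peer_cert(host)
    except (ssl.SSLError, OSError) as exc:
        print(f"{host}: TLS check failed: {exc}")
        sys.exit(2)
    state, left = check_certificate(cert)
    print(f"{host}: {proto}, certificate {state}, {left:.1f} days left")
    sys.exit(0 if state == "ok" else 1)
```

Run it from cron or a monitoring host that sits outside the LAN if the service is exposed remotely; an exit code of 1 or 2 is what your alerting should key on, and it will also fire when dynamic DNS points the name at the wrong address, because the handshake then fails hostname verification.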

Encryption, GPG keys, and the part nobody wants to manage: crypto identities

Passbolt’s core security model leans on OpenPGP-style encryption with a key pair per user. That’s good engineering, but it shifts the real-world problem from “where are the passwords stored?” to “how do we manage cryptographic identities?”

In plain English: you now have to care about creating keys, protecting private keys, rotating them, and revoking them when someone leaves or a device is compromised. Your security depends not only on strong passwords in the vault, but also on the safety of users’ machines and their private keys.

This also forces policy decisions small teams love to avoid. Who approves new users? Who can create groups? Who can revoke access? What happens when someone loses access? Passbolt can make sharing traceable and manageable, especially compared with the classic small-business method of “send the password in email and pray.” But you only get that benefit if you actually configure permissions and enforce discipline.

And don’t kid yourself: a well-maintained server won’t save you from a compromised laptop. Session theft, malicious browser extensions, and infostealer malware go after the exact environments where secrets flow. The basics still matter: keep browsers updated, limit extensions, encrypt disks, and use strong authentication where available. A password manager becomes a prime target because it’s the master key ring.

The real price of self-hosting: patches, backups, uptime, and “who’s on call?”

Self-hosting buys control by dumping responsibility in your lap. First up: updates. If your server is exposed, even partially, you need a steady patch rhythm for the OS, web server, database, and the app itself. A huge share of incidents come from the gap between "patch released" and "patch installed." Attackers don't wait; they scan for known holes at scale.

Second: backups. A password manager isn't a side project. Lose it and you can freeze your entire operation. Minimum viable competence here means automated backups, stored off the main server, and actually tested. A backup you've never restored is a comforting bedtime story, not a recovery plan. For home setups, an external drive or encrypted offsite storage can work, if the schedule matches how often the vault changes.
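What "actually tested" looks like in practice, as an added example that is not Passbolt's own backup script: bundle the components a Passbolt restore needs, record a SHA-256 manifest inside the bundle, and verify by restoring into a scratch directory and recomputing every checksum. The component paths are assumptions modelled on a package install (the database dump is assumed to be produced beforehand with mysqldump); the `demo()` function builds the bundle from constructed placeholder files so the logic runs offline. Encryption of the bundle before it leaves the box is deliberately left to your existing tooling.

```python
"""Build a Passbolt backup bundle with a checksum manifest and verify it by
restoring into a scratch directory. Added example, not Passbolt's own
script. Component paths are assumptions; adapt them to your deployment."""
import hashlib
import io
import json
import os
import tarfile
import tempfile

# Assumed locations. A restore without the server private key leaves every
# secret undecryptable, so it is a required component, not an extra.
DEFAULT_COMPONENTS = {
    "db.sql": "/var/backups/passbolt/db.sql",  # produced by mysqldump beforehand
    "serverkey_private.asc": "/etc/passbolt/gpg/serverkey_private.asc",
    "serverkey.asc": "/etc/passbolt/gpg/serverkey.asc",
    "passbolt.php": "/etc/passbolt/passbolt.php",
}
MANIFEST = "MANIFEST.json"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(archive_path, components=DEFAULT_COMPONENTS):
    """Write the components into a tar.gz together with a SHA-256 manifest.
    Any missing source file aborts the run rather than producing a bundle
    that looks complete but is not."""
    missing = [n for n, src in components.items() if not os.path.isfile(src)]
    if missing:
        raise FileNotFoundError(f"missing backup components: {missing}")
    manifest = {n: sha256_file(src) for n, src in components.items()}
    with tarfile.open(archive_path, "w:gz") as tar:
        for name, src in components.items():
            tar.add(src, arcname=name)
        data = json.dumps(manifest, indent=2).encode()
        info = tarfile.TarInfo(MANIFEST)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return manifest


def verify_backup(archive_path, required=tuple(DEFAULT_COMPONENTS)):
    """Restore into a scratch directory and recompute every checksum.
    Returns a list of problems; an empty list means the bundle restores
    cleanly and contains every required component."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuse path tricks
            except TypeError:  # older Python without the filter argument
                tar.extractall(scratch)
        manifest_path = os.path.join(scratch, MANIFEST)
        if not os.path.isfile(manifest_path):
            return ["manifest missing"]
        with open(manifest_path) as f:
            manifest = json.load(f)
        for name in required:
            if name not in manifest:
                problems.append(f"{name}: not in backup")
        for name, digest in manifest.items():
            path = os.path.join(scratch, name)
            if not os.path.isfile(path):
                problems.append(f"{name}: listed but not restored")
            elif sha256_file(path) != digest:
                problems.append(f"{name}: checksum mismatch")
    return problems


def demo():
    """Constructed demonstration: placeholder component files, one complete
    bundle and one that forgot the server private key. Returns both verdicts."""
    placeholders = {
        "db.sql": b"-- constructed dump, not a real Passbolt database\n",
        "serverkey_private.asc": b"-----BEGIN PGP PRIVATE KEY BLOCK-----\nconstructed\n",
        "serverkey.asc": b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nconstructed\n",
        "passbolt.php": b"<?php return ['App' => ['fullBaseUrl' => 'https://passbolt.example.home']];\n",
    }
    with tempfile.TemporaryDirectory() as work:
        comps = {}
        for name, body in placeholders.items():
            comps[name] = os.path.join(work, name)
            with open(comps[name], "wb") as f:
                f.write(body)
        full = os.path.join(work, "passbolt-backup.tar.gz")
        create_backup(full, comps)
        partial = os.path.join(work, "partial.tar.gz")
        create_backup(partial, {k: v for k, v in comps.items() if k != "serverkey_private.asc"})
        return verify_backup(full), verify_backup(partial)


if __name__ == "__main__":
    good, bad = demo()
    print("complete bundle:", good or "OK")
    print("bundle without private key:", bad)
```

Schedule `create_backup` after each mysqldump, copy the bundle off the host, and run `verify_backup` against the copy, not the original; a verification that only ever reads the file on the same disk tells you nothing about whether the offsite copy survived the trip.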

Third: availability. Your ISP hiccups. Your router reboots. Power blips. A drive dies. Cloud vendors sell redundancy and uptime (not perfect, but real). At home, you get whatever you built. A UPS, basic monitoring, and alerts help, but that's more gear and more work. The "set it and forget it" fantasy is how self-hosted services end up abandoned and vulnerable.

Finally, there’s the human factor: logs, internal access to those logs, and the risk of concentrating too much power in one admin. In a family, the risk is simpler and uglier: nobody can get into anything after an incident because there’s no recovery process. Control is real. So are the obligations.

Quick answers people actually need

Can Passbolt be LAN-only? Yes. Keeping it limited to your local network cuts internet exposure. If you need remote access, a VPN is the cleaner approach.

Is self-hosting cheaper than cloud? Sometimes on paper. In practice, admin time, hardware, backups, and monitoring can cost more than a subscription if the vault is critical.

What should I worry about first? Patch regularly, run tested backups, use proper TLS, and set clear rules for access management and revocation.
