Managed hosting from

£25/month +VAT

Small resource profile: 1 vCPU, 2 GB RAM, 10 GB SSD storage. Typically suits teams of up to 100 users sharing credentials. Deployment, upgrades, daily backups, monitoring, SSL and UK hosting included, with no per-user fees. How our pricing works

the icon of the card in the content

The password manager built for teams

Personal password managers bolt sharing on afterwards. Passbolt starts from it: credentials shared with exactly the right people at exactly the right level, encrypted end to end, with an activity trail behind every change. Node deploys, manages and supports Passbolt as a production service hosted in the UK, and we trust it enough to run our own credentials on it.

What Passbolt is

Passbolt is an open source password manager designed for collaboration. Every secret is encrypted end to end with OpenPGP before it leaves the browser, and sharing is granular: individual users or groups, with read, update or owner rights per credential. Folders keep large credential sets organised, TOTP entries handle two-factor secrets, and browser extensions for Chrome, Firefox and Edge put autofill where your team works.

It is AGPL licensed, developed in Luxembourg, SOC 2 Type II audited and GDPR aligned, with the full source open for inspection. A JSON API and command line client make it scriptable, so credentials can be injected into deployment pipelines rather than pasted into chat.

Why self-hosted Passbolt instead of 1Password or LastPass

No per-seat subscription: commercial password managers charge per user, every month, and the bill climbs with every hire. A managed Passbolt deployment is a flat fee for the whole team.

Your vault off the target list: the 2022 LastPass breach showed the risk of concentrating millions of customers' vaults with one vendor. A self-hosted vault on your own tenant is simply not part of that attack surface.

UK data residency: the server, the encrypted database and the backups stay on UK infrastructure under UK jurisdiction, with an Article 28 data processing agreement as standard.

Open and audited: Passbolt pairs a public codebase with a SOC 2 Type II audit, so trust rests on inspection rather than marketing.

Least privilege by design: rights are granted per credential, per user or group. Leavers are removed once and lose everything they should lose, with the activity log to prove it.

Built for how teams actually share

Shared inboxes, wifi codes, registrar logins, client portal credentials: every business has secrets that belong to roles rather than people. Passbolt models that properly with groups and folders, so the marketing team sees the social accounts, engineers see the infrastructure, and nobody emails a password again. The JSON API and CLI take it further, letting n8n workflows and deployment scripts fetch credentials programmatically instead of hardcoding them.

We run our own credentials on it

This is not a catalogue entry we picked from a list. Node's engineers keep the platform's own operational credentials in Passbolt, with encrypted backups and a tested disaster recovery drill behind it. The hardening, backup and recovery patterns we sell are the ones we rely on ourselves.

Keycloak and single sign-on

Passbolt Community Edition authenticates users with a personal private key and passphrase, which is part of its security model. For organisations that want single sign-on, Passbolt Pro adds SSO via OAuth and SAML providers; we deploy Pro with your licence and integrate it with your tenant's own Keycloak realm, alongside every other app on the Node platform.

How Node runs Passbolt for you

Deployment: a hardened production configuration with TLS, a properly protected server key and email delivery for account recovery flows.

Upgrades and maintenance: we track Passbolt releases, test and apply upgrades and security patches, and keep the underlying stack current.

Backups and recovery: encrypted backups of the database and server keys, with restores we actually test. Losing a password vault is not a recoverable business event, so we treat it accordingly.

Monitoring and support: availability and health monitoring around the clock, with UK-based support when your admins need it.


The economics of team passwords: a 50-person company on a commercial password manager pays per seat, per month, forever, for software that holds its most sensitive data on someone else's cloud. A managed Passbolt deployment from Node is a flat monthly fee, with the vault encrypted end to end on UK infrastructure you control. Protect everyone, pay the same, own the keys.

Adoption and community

6,000+ GitHub stars Passbolt states that more than 50,000 organisations worldwide use it, including governments and the defence sector, and the platform is SOC 2 Type II audited, GDPR aligned and made in Europe.

“We use passbolt too, I'm not sure I ever had to mess with pgp once. It seems to work well / just works.”

Hacker News

“We went with self-hosted Passbolt. Free, open source, and based on PGP. Only downside is having to explain PGP to the less technical users...”

Hacker News

“I've been using Passbolt for some time in a small company, it seems to be secure (pgp) and it has good browser plugins”

Hacker News

Quotes are from public community discussions, linked to their original sources.

Frequently asked questions

Where are our passwords stored and who can access them?

Your Passbolt server runs on UK infrastructure inside your own private tenant, under UK jurisdiction with an Article 28 data processing agreement. Secrets are encrypted end to end with OpenPGP, so each entry is only readable by the users it has been shared with. Node engineers operate the server; they cannot read your vault.

Can you migrate us from 1Password, LastPass or KeePass?

Yes. Passbolt imports from CSV exports and KeePass KDBX files, so we bring your existing credentials across, help you organise them into folders and groups, and run both systems in parallel until the team has switched over.

Should we choose Passbolt or Vaultwarden?

Both are excellent and we host both. Passbolt is built team-first: granular sharing with read, update and owner permissions, groups, folders and an activity trail, managed through browser extensions and a JSON API. Vaultwarden suits teams who want the familiar Bitwarden apps for personal and shared vaults. We will recommend honestly based on how your team works.

Does Passbolt support single sign-on?

Passbolt Community Edition authenticates each user with a private key and passphrase rather than a password. Single sign-on with Keycloak, Entra ID or Google is a Passbolt Pro feature; if you licence Pro we deploy and integrate it with your tenant's identity realm.

What does the managed service include?

Deployment in a hardened production configuration, server key management, upgrades and security patching, TLS, encrypted backups of the database and server keys, monitoring, and UK-based support. Your admins manage users, groups and sharing; we run the platform.

Can it run on our own infrastructure instead?

Yes. We host Passbolt on Node's UK infrastructure by default, or deploy it into your own environment, on premises or in your cloud accounts, with the same managed service either way.

Talk to us about Passbolt.

Tell us how your team shares credentials today and we will size a deployment, plan the import and get everyone onto a proper audit trail.

Our heritage

These projects were delivered by Tokyo Digital, acquired by Node in May 2023 and now a wholly owned subsidiary of Node DT Group. The same team builds and runs the Node platform today.