Passbolt is a strong open-source password manager for teams. SealedKeys takes a different approach: fully managed EU cloud, dedicated secret types for SSH and API keys, and no server to maintain. An honest comparison.

| Feature | SealedKeys | Passbolt | Notes |
|---|---|---|---|
| Zero-knowledge architecture | | | Both encrypt client-side |
| Open-source encryption code | | | Both publish encryption implementations |
| Managed cloud — no server required | | | — Community edition requires self-hosting |
| EU data residency (managed cloud) | | | Passbolt Cloud is EU-hosted; SealedKeys is Hetzner EU |
| SSH key storage (dedicated type) | | | — Passwords only — no typed SSH key field |
| API key storage (dedicated type) | | | — No dedicated API key type |
| TOTP in-vault generation | | | — Not a Passbolt feature |
| SAML 2.0 SSO | | | Passbolt Business; SealedKeys Pro |
| Audit log | | | Both include audit trail |
| Security health dashboard | | | — Not a feature |
| Breach monitoring (HIBP) | | | — Not a feature |
| Contractor offboarding checklists | | | — Not a feature |
| Fully open-source application | | | — Encryption code open-source; app is not |
| Self-hosted option | | | — Cloud-only |
| Browser extension (primary client) | | | — Web app; extension is roadmap |
| Price (managed, per user/month) | £3.49 | ~£4/user | Passbolt Business Cloud; SealedKeys Pro |

Features and prices correct as of May 2026. Verify directly with each vendor before making a decision.
Passbolt Community (free) requires self-hosting — Docker, a server, regular updates, backups and security patching are on you. Passbolt Cloud removes this, but adds cost. SealedKeys is fully managed from day one with zero ops overhead.
Passbolt is a password manager — it stores passwords. SSH private keys, API tokens and recovery codes are stored as generic password entries with no purpose-built field layout. SealedKeys has dedicated typed fields for each secret category.
SealedKeys includes TOTP two-factor authentication code generation on all plans. If a team member needs the TOTP code for a shared account, it lives in the vault alongside the password. Passbolt does not support in-vault TOTP.
SealedKeys includes a security health dashboard that scores your vault, flags weak or reused passwords, and checks every credential against the Have I Been Pwned breach database. Passbolt has no equivalent.
Passbolt's primary client is a browser extension — technically capable, but unfamiliar to non-developers. SealedKeys is a web app that any team member can access without installing anything.
Passbolt's entire application stack is open source — you can audit every line of code, not just the encryption layer. SealedKeys publishes the encryption implementation but not the application server code.
Passbolt Community can be self-hosted on your own infrastructure, keeping all data within your network perimeter. SealedKeys is cloud-only.
Passbolt is designed around a browser extension with auto-fill capabilities. For teams that need password auto-fill in the browser, Passbolt has a more mature implementation.
Passbolt has been around since 2016 with an active open-source community, community forums and a larger set of third-party integrations than SealedKeys.
The free Community edition of Passbolt requires self-hosting — you run it on your own server (Docker or package install). Passbolt also offers a managed cloud product (Business and Enterprise tiers) which removes the ops burden, but at additional cost. SealedKeys is managed cloud only with no self-hosted option.
Yes. Export your Passbolt vault as a CSV file and import it into SealedKeys using the generic CSV importer. Login entries map directly. You will then want to move SSH keys and API tokens stored as generic passwords into the appropriate SealedKeys secret types.
Both use zero-knowledge client-side encryption. Passbolt uses OpenPGP (GPG keys per user); SealedKeys uses AES-256-GCM with PBKDF2-SHA256 key derivation. Both publish their encryption code. SealedKeys completed an independent penetration test in May 2026 with zero exploitable findings. Passbolt has a longer track record and a fully open-source codebase.
There are no current plans to open-source the application server. The encryption implementation — the security-critical code — is published on GitHub and independently audited.
The most common reasons: they don't want to maintain a self-hosted server (even with Passbolt Cloud, migrations and upgrades remain an ops concern), they need dedicated SSH and API key field types rather than generic password entries, or they need TOTP generation and security health monitoring that Passbolt doesn't offer.
25 items free. Import your Passbolt CSV export. Running in 2 minutes.