
Passbolt vs 1Password is a decision that affects security posture, compliance scope and operational workload. This comparison focuses exclusively on differences that matter when choosing between a self-hosted, open‑source Passbolt deployment and the cloud, commercial model of 1Password. It covers cryptography, deployment, migration, TCO, compliance and hands‑on operational tasks to help security teams in England choose the right fit.
Side‑by‑side feature snapshot
Quick summary table
| Feature |
Passbolt (Self‑host) |
1Password (Cloud/Hosted) |
| Primary model |
Open‑source, self‑host or hosted SaaS |
Commercial cloud service with optional business plans |
| Encryption model |
Client‑side end‑to‑end encryption (GPG‑derived keys) |
Client‑side encryption (SRP + AES) managed by 1Password clients |
| Self‑host option |
Yes — Docker, Kubernetes, Terraform guides and GitHub repo |
No official self‑host offering for core product |
| SSO / Enterprise SSO |
LDAP/SAML/OAuth via Passbolt Enterprise |
SAML, OIDC, SCIM, strong SSO integrations |
| Browser/mobile autofill |
Extensions available; mobile support improving |
Mature autofill on desktop and mobile with wide browser support |
| Audits & compliance |
Third‑party pentests (e.g., Cure53 references), GDPR friendly when self‑hosted |
SOC2, and regular third‑party security assessments (see vendor pages) |
| Pricing model |
Free core; paid tiers for enterprise hosting/support |
Per‑user SaaS subscription; family and business tiers |
| Best for |
Teams needing self‑host control, on‑prem compliance |
Teams preferring managed service, polished UX |
Security model and cryptography
Core cryptography differences
Passbolt is built around open standards and a model that places private keys under customer control when self‑hosted. The system uses GPG‑derived key pairs for users and stores only encrypted secrets on the server. 1Password uses client‑side encryption with a secret key and master password; encryption/decryption happens in the client and vaults are stored encrypted on 1Password servers. Both use strong symmetric encryption for stored items, but control of key custody differs: Passbolt enables organisations to retain keys on‑premises, while 1Password manages encrypted vaults in the cloud.
For verification, reference vendor security pages: Passbolt security and 1Password security.
Practical implications for England and GDPR
- When hosting Passbolt on local infrastructure, data controllers retain custody of encryption keys and server logs, simplifying data subject requests under UK GDPR enforced by the ICO: ICO.
- 1Password’s cloud model is compliant for many customers, but data controllers must rely on the vendor's subprocessors and contracts. 1Password publishes compliance materials and SOC2 reports on request.
Deployment, self‑hosting and maintenance
Self‑host options and recommended stacks
Passbolt provides official and community resources to deploy via Docker and Kubernetes. Typical stack recommended by practitioners:
- Base OS: Ubuntu LTS or Debian
- Reverse proxy: NGINX with TLS (Let's Encrypt or company CA)
- Container runtime: Docker Compose or Kubernetes
- Database: MariaDB or MySQL with encrypted backups
- Storage: Volume snapshots with lifecycle
Useful resources: Passbolt Docker repo, Docker, Terraform.
Step‑by‑step high level: self‑hosting with Docker
- Provision a VM with Ubuntu LTS and a static IP.
- Install Docker and Docker Compose.
- Clone the official Passbolt Docker repo and configure environment variables for database, SMTP and domain.
- Generate GPG keys for each user or integrate with company key management.
- Configure TLS and a secure reverse proxy.
- Configure automated backups, snapshots and test restores.
A full Terraform + Kubernetes reference architecture should include IaC for networks, monitoring (Prometheus/Grafana), and runbooks for failover.
Backup and disaster recovery checklist
- Encrypted backups of database and uploads (daily full, hourly binlog where applicable).
- Offsite encrypted copies and retention policy aligned with compliance.
- Test restoration quarterly; maintain clear RTO/RPO targets.
- Key escrow policy and secure key rotation procedures.
Migration, import/export and interoperability
How to migrate from 1Password to Passbolt (practical steps)
- Export 1Password vaults using 1Password export tools: 1Password export.
- Convert export CSV/JSON into Passbolt import format. If needed, sanitize fields and remove unsupported metadata.
- Create user accounts in Passbolt and provision GPG keys or use an enterprise SSO flow and auto‑provisioning.
- Use Passbolt import scripts (community tools exist on GitHub) or the admin UI to import credentials.
- Validate items, test autofill and rotate credentials post‑migration.
Note: Exports include plaintext sensitive data during the process. Use ephemeral, encrypted transfer and delete temporary files immediately.
Browser and mobile UX comparison
- 1Password: polished browser extensions across Chrome, Edge, Safari and mature mobile apps with strong autofill and OS integration.
- Passbolt: browser extensions are functional and improving; mobile support relies on web vault or third‑party helpers. Autofill parity is the main UX gap for users migrating from 1Password.
Pricing, TCO and enterprise considerations
Pricing models and hidden costs
- 1Password charges per user per month (business tiers include SCIM and advanced controls). Direct vendor pricing page: 1Password pricing.
- Passbolt offers free community edition; enterprise support and hosted options carry subscription costs. Self‑hosting introduces infrastructure, backup, support and personnel costs.
TCO calculation must include:
- Licenses/subscriptions
- Infrastructure (VMs, storage, network)
- Backup and monitoring costs
- Operational staff hours for maintenance and incident response
- Migration and training effort
A simple TCO model: annual TCO = (SaaS cost per user * users) OR (infrastructure + ops salary allocation + support contracts + amortized migration). For small teams (<50 users) SaaS often costs less; for large regulated organisations self‑host can be more cost‑effective when control and compliance reduce external vendor risk.
Compliance and audits
- Passbolt self‑hosted deployments place audit scope on the organisation; third‑party pentests can be commissioned (for example, firms such as Cure53 provide reports). See security references: Cure53.
- 1Password publishes security documentation and offers compliance attestations for enterprise customers.
Benchmarks and recommended sizing
- Small teams (<=100 users): a single VM with 2 vCPU and 4–8GB RAM plus a managed database is sufficient for Passbolt.
- Medium/large deployments: scale database I/O, add read replicas for reporting, and separate file storage. Load testing should simulate browser extension API patterns (frequent small reads/writes).
Real‑world benchmarks should measure login latency, bulk import time and concurrent key operations. Monitoring should capture database latency, container restarts and TLS handshake times.
Security audits and third‑party validation
Practical checklist for decision makers
- Control vs convenience: choose Passbolt for custody and control; choose 1Password for managed convenience.
- Compliance needs: self‑host to reduce subprocessors; use vendor attestations for cloud models.
- Migration effort: estimate CSV/JSON conversion and post‑migration credential rotation costs.
- UX expectations: test browser and mobile autofill with real workflows before rolling out.
Detailed downloadable comparison
A downloadable CSV/JSON comparison should include feature flags used in the decision: SSO, SCIM, MFA, device trust, vault sharing, API, audit logs, retention policies, backup options and SLAs.
FAQs
Is Passbolt more secure than 1Password?
Security depends on custody and configuration. Passbolt self‑hosted provides control over keys and infrastructure; 1Password offers strong client‑side encryption with a managed backend. The more control required, the greater the case for Passbolt.
Can 1Password be self‑hosted?
1Password does not provide an official self‑hosted version for core vault storage; the product is designed as a cloud service. Enterprise integrations are available for SSO and SCIM.
How difficult is migration from 1Password to Passbolt?
Migration requires exporting vault data, transforming formats and provisioning keys. For teams with limited DevOps, professional migration support shortens time and reduces risk.
Will autofill and mobile UX be identical after switching?
Not identical. 1Password typically offers a more refined mobile and OS autofill experience. Passbolt’s browser extensions are robust for desktop workflows; mobile UX may require additional configuration.
What are the main hidden costs of Passbolt self‑hosting?
Operational staff time, secure backups, monitoring, incident response, and periodic security testing add to TCO. Infrastructure and licensing for enterprise features also apply.
Does Passbolt comply with UK GDPR when self‑hosted?
When self‑hosted in the UK/EU and configured correctly, Passbolt can meet GDPR obligations since the organisation controls data and processing. Legal counsel should validate controls.
Are there third‑party audits for either product?
Both vendors reference third‑party audits and security reviews. Organisations should request up‑to‑date reports and verify scopes directly with vendors.
What is the recommended backup cadence for a Passbolt deployment?
Daily encrypted full backups and more frequent transaction logs (hourly or continuous replication) are recommended, with regular restore tests.
Conclusion
Choosing between Passbolt vs 1Password is a trade‑off between control and operational responsibility versus managed convenience and polished UX. For organisations requiring on‑prem key custody, tighter compliance controls and complete infrastructure ownership, Passbolt self‑hosted is the practical option. For organisations prioritising minimal ops overhead, broad platform autofill and a turnkey security posture, 1Password remains a leading cloud choice. Decision makers should run a short pilot on production‑like data, validate autofill workflows, and produce a TCO calculation that includes migration and ongoing ops before committing.