Luxembourg-based startup Passbolt has announced the launch of its cloud offer. The company develops a password manager that lets teams securely centralize, organize and share passwords. After receiving more than a thousand requests from users for a hosted version, the company has finally launched one. We asked Kevin Muller, CEO, for more details about this new development.
by: Charles-Louis Machuron
photo: Anna Katina
featured: Kevin Muller
Tell us about Passbolt in a few words.
Passbolt is a password manager designed for teamwork. It allows you to securely centralize, organize and share passwords for a company or group while maintaining secure practices. Passbolt is open-source, interoperable, and has unique end-to-end encryption systems based on OpenPGP (the same standard used by Edward Snowden to make his NSA revelations).
What have been your key developments in recent months?
These last few months have been mainly devoted to developing our Cloud offer. Until now, Passbolt was available exclusively as an “on-premise” version, which meant the user needed technical knowledge and their own infrastructure. This on-premise version was somewhat successful, but we also anticipated that a sizable segment of our audience did not have the resources to host it themselves. Within a year, we received over 1,000 requests from companies asking us to set up a Cloud offer. It was therefore becoming urgent for us to respond.
The development of “Passbolt Cloud” has been a challenge for our team, because hosting sensitive data such as passwords comes with high security and high availability requirements. We had to strengthen our architecture and put everything in place to guarantee optimal security. For example, in addition to code audits with external partners, we have implemented a Bug Bounty program on the YesWeHack platform, which has allowed us to strengthen the security of certain aspects of the application.
Can you tell us more about your new Cloud offer?
The beauty of this cloud offer probably lies in the fact that it is the same code base as the open-source one that our users can download. We have of course added the components necessary to make the application multi-tenant, but none of the core building blocks have been modified. Our cloud users therefore get a transparent, audited application without the constraints of self-hosting.
On a more technical level, we have focused our efforts on building a completely flexible infrastructure. It is now fully automated, based on Docker containers and Kubernetes orchestration. Of course, the whole setup is hosted in Europe, because digital sovereignty is at the center of our concerns.
Who is this new offer for?
This cloud offer is aimed at companies and teams who want to solve their password management problems but either do not have the technical resources to self-host or have simply opted for a “cloud” policy for their software portfolio. With Passbolt Cloud, you can centralize and organize your passwords across an organization within minutes.
Is the cloud a more secure place to store this data, from a cybersecurity perspective?
It is not easy to say that one is safer than the other; there are many variables to consider. For example, a Passbolt on-premise installation within a company, on a private network, would have a smaller theoretical attack surface than, say, a public server (the cloud). Now, if that same on-premise installation is freely accessible on the Internet, is not regularly updated, and the company does not have the human and technical resources in-house to constantly monitor activity, the risk would be greater. Additionally, Passbolt Cloud has protection against Denial of Service (DDoS) attacks and potentially malicious requests, as well as an intrusion detection system and a disaster protection system.
In Passbolt’s Cloud version, the software has asymmetric end-to-end encryption where the user is in control of their decryption key (their private key). This means that even if an attacker manages to get into the servers and steal the database, it would be impossible for them to read the contents of the stored passwords. In the event of a successful attack, even if the integrity of the data has been compromised, breaking the confidentiality of the data is difficult.
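To make the property described in that answer concrete, here is an added example in Go. It is not Passbolt’s code: Passbolt’s clients use OpenPGP, whereas this demo stands in X25519 key agreement plus AES-256-GCM for the OpenPGP message format and a single SHA-256 for the key derivation (an assumption made for brevity; OpenPGP defines its own KDF). The names EncryptedSecret, GenerateUserKey, EncryptForUser and DecryptWithKey, the sample secret and the in-memory “server database” are all constructed for the demo. What it shows is the shape of the design: the server stores only public keys and ciphertexts, so a copy of the database, even together with the recipient’s public key, does not let an attacker read a stored password; the only key that opens a record is the recipient’s private key, which never leaves their client.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// EncryptedSecret is the server-side record for one shared password. All of it
// may sit in a database an attacker dumps; none of it decrypts without the key.
type EncryptedSecret struct {
	EphemeralPub []byte // sender's one-time X25519 public key, stored in clear
	Nonce        []byte // AES-GCM nonce
	Ciphertext   []byte // AES-256-GCM output, authentication tag included
}

// GenerateUserKey makes a user's long-term key pair (stand-in for their OpenPGP
// key). The private half is generated on, and never leaves, the user's client.
func GenerateUserKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// deriveKey turns the ECDH shared secret into a 256-bit AES key. One SHA-256 over
// a label, the secret and both public keys is a simplified KDF for this demo.
func deriveKey(shared, ephPub, recipientPub []byte) []byte {
	h := sha256.New()
	for _, part := range [][]byte{[]byte("demo-e2e-v1"), shared, ephPub, recipientPub} {
		h.Write(part)
	}
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForUser runs on the sharing user's client and needs only the
// recipient's public key, which the server hands out to anyone.
func EncryptForUser(recipientPub *ecdh.PublicKey, plaintext []byte) (EncryptedSecret, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return EncryptedSecret{}, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return EncryptedSecret{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := newGCM(deriveKey(shared, ephPub, recipientPub.Bytes()))
	if err != nil {
		return EncryptedSecret{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedSecret{}, err
	}
	// The ephemeral public key is bound as associated data, so it cannot be swapped.
	return EncryptedSecret{ephPub, nonce, gcm.Seal(nil, nonce, plaintext, ephPub)}, nil
}

// DecryptWithKey runs on the recipient's client with their private key. Anyone
// else, the hosting operator or a database thief included, gets a GCM tag error.
func DecryptWithKey(priv *ecdh.PrivateKey, rec EncryptedSecret) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(rec.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKey(shared, rec.EphemeralPub, priv.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, rec.EphemeralPub)
}

func main() {
	alice, _ := GenerateUserKey()                                             // private half stays on Alice's machine
	rec, _ := EncryptForUser(alice.PublicKey(), []byte("db-prod: s3cr3t")) // constructed sample secret
	serverDB := map[string]EncryptedSecret{"alice/db-prod": rec}           // constructed hosted database

	pt, err := DecryptWithKey(alice, serverDB["alice/db-prod"])
	fmt.Printf("alice decrypts: %q err=%v\n", pt, err)

	// A thief with the whole database and Alice's public key still lacks her
	// private key; decrypting with any other key fails the tag check.
	mallory, _ := GenerateUserKey()
	_, err = DecryptWithKey(mallory, serverDB["alice/db-prod"])
	fmt.Println("attacker with stolen database:", err)
}
```

Run it with `go run`. The caveat a practitioner should keep in mind is the one the answer itself hints at: this protects the confidentiality of a stolen database, but the server still sees metadata (who shares with whom, when records change), and a compromised client or browser extension sees plaintext, because that is where decryption happens. Tampering with a record is detected by the authentication tag rather than turned into a readable secret.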
What are the next steps in Passbolt’s development?
In the coming months we will implement key improvements around security and usability. The aim is to make the project as complete as possible in order to facilitate its wider adoption.
To achieve these objectives, we have consolidated the team with three new recruits. Unlike many startups, our main challenge is not to acquire new users, but to meet the many needs of existing ones.
In our roadmap, our next milestones are developing a system for managing inherited permissions through directories, improving password organization and providing more granular access rights. We also want to offer a quicker and more intuitive start-up experience. We aim to set up an escrow (“sequestration”) system for administrators, which can be activated through a double-door security concept for the management of users’ keys. We will then tackle the mobile and desktop versions of Passbolt, along with the integration of additional connectors to third-party applications.