Migrate from Passbolt to LitePassword (export & import guide)
You ran Passbolt for the control and the zero-knowledge model. Keep the encryption guarantee, drop the server you have to patch, back up, and keep online. Move in about 20 minutes.
Step-by-step migration from Passbolt
- 01
Export your Passbolt resources
Sign in to your Passbolt web extension → open your workspace → select the resources (or a folder) you want to move → use Export. Choose CSV (or KDBX if you want the encrypted container). Save the file locally — never email it or drop it in Slack. It contains decrypted secrets.
- 02
Create your LitePassword account
Go to app.litepassword.com/sign-up. Use your work email and pick a strong master password (16+ characters). When the one-time recovery key appears, store it somewhere durable (a sealed envelope, a safe, a separate password manager) — it is the only way to reset your master password, and we never see it.
- 03
Recreate your structure as vaults
Passbolt organizes resources into folders and shares by OpenPGP keypair. In LitePassword, map each folder (or share group) to a shared vault — "Production credentials", "Client — Acme", "Tooling". Create the empty shared vaults first. Your private vault is auto-created.
- 04
Import secrets by type
Open the export in a spreadsheet. Group rows by what they are — logins, passwords, secure notes, custom. For each group create a new secret in the matching LitePassword type and paste the values. Manual per-type entry produces a cleaner vault than a bulk dump, and a 10-person Passbolt setup usually moves in well under half an hour.
- 05
Invite your team and assign roles
Users page → Invite user. Pick a role: Admin for owners, Manager for full members who create and edit vaults, View only for contractors. Each person signs up, sets their own master password, and generates their own recovery key. No GPG key management, no server accounts to provision.
- 06
Grant per-vault access
For each member, open Manage Vault Access and toggle on only the vaults they need. Access is cryptographically enforced — the vault key is wrapped per recipient, so members literally cannot decrypt vaults they were not granted.
- 07
Securely delete the export
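The export from step 1 is now redundant and dangerous. Securely delete it (Mac: rm -P, Linux: shred -u, Windows: SDelete) and empty the trash. Overwrite tools like these cannot guarantee erasure on SSDs or on journaling and copy-on-write filesystems, so full-disk encryption on the workstation is what actually bounds the exposure. Also remove any copies left in the browser's download folder, cloud-sync directories, and the spreadsheet's autosave or recent-file caches.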
- 08
Decommission the Passbolt server
Once everyone unlocks from LitePassword, take a final encrypted backup of the Passbolt database (in case you need to reference anything), then shut down the instance: stop the service, revoke its API keys, and remove the DNS record. No more OS patching, TLS renewals, or 2 a.m. uptime pages.
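For steps 3, 4 and the post-migration check, an inventory of the export by folder and secret type tells you which vaults to create and how many items each should hold, without displaying any secret. This is an added example, not LitePassword or Passbolt code; the column names and the classification rules are assumptions to adjust to your export's header row.

```javascript
// Constructed sample export, every value is fake. Column names are assumptions.
const SAMPLE_EXPORT = [
  'Title,Username,URL,Password,Notes,Group',
  'AWS root,ops@example.test,https://aws.example.test,"p,w""1",,Production',
  'Wifi guest,,,hunter2-sample,,Tooling',
  'DR runbook,,,,"line one\nline two",Production',
  'Acme portal,jo,https://acme.example.test,s3cret-sample,renew yearly,Clients/Acme',
].join('\n');

// Minimal RFC 4180 parser: quoted fields may hold commas, "" escapes and newlines.
function parseCsv(text) {
  const rows = [[]];
  let field = '', quoted = false;
  const endField = () => { rows[rows.length - 1].push(field); field = ''; };
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (quoted) {
      if (c === '"' && text[i + 1] === '"') { field += '"'; i++; }
      else if (c === '"') quoted = false;
      else field += c;
    } else if (c === '"') quoted = true;
    else if (c === ',') endField();
    else if (c === '\n') { endField(); rows.push([]); }
    else if (c !== '\r') field += c;
  }
  endField();
  return rows.filter((r) => r.some((v) => v !== ''));
}

// Assumed mapping to the secret types named in step 4.
function classify(rec) {
  if (rec.Password) return rec.Username || rec.URL ? 'login' : 'password';
  return rec.Notes ? 'secure note' : 'custom';
}

// Returns { folder: { type: count } }; secret values never leave this function.
function inventory(csvText) {
  const [header, ...rows] = parseCsv(csvText);
  const counts = {};
  for (const row of rows) {
    const rec = Object.fromEntries(header.map((h, i) => [h, row[i] || '']));
    const byType = (counts[rec.Group || '(no folder)'] ||= {});
    const type = classify(rec);
    byType[type] = (byType[type] || 0) + 1;
  }
  return counts;
}

console.log(inventory(SAMPLE_EXPORT));
```

Run it on the machine that holds the export and keep only the counts; they are safe to share with the team, the CSV is not.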
Why teams leave self-hosted Passbolt
Passbolt is one of the cleanest open-source, zero-knowledge password managers for teams — the OpenPGP-per-user model is genuinely elegant. The cost is operational: you run the server. That means OS patches, database backups, TLS certificate renewals, version upgrades, monitoring, and the bus-factor risk of being the one person who knows how the instance is wired.
For a 1–12 person team, that maintenance is rarely worth it. You adopted Passbolt for the encryption guarantee, not for the privilege of being a part-time sysadmin. LitePassword keeps the guarantee — master password derives the key on-device, server holds ciphertext only — and takes the server off your plate.
What changes (and what doesn’t)
Doesn’t change: zero-knowledge architecture, AES-256 encryption, per-vault access control, the principle that the vendor cannot read your data.
Changes for the better: no server to run, flat pricing instead of self-hosting overhead, a recovery-key model instead of GPG key management, and onboarding that takes a teammate under three minutes instead of provisioning a keypair.
After you migrate
- Confirm each member has unlocked at least one shared vault — that proves the key-wrapping flow worked for them.
- Double-check logins kept their username + password fields, and that secure notes carried over intact.
- Take a final encrypted backup of the Passbolt DB before you destroy the instance, then decommission it cleanly.
Considering whether managed is right for you at all? Read a managed alternative to self-hosted password managers and the side-by-side Passbolt vs LitePassword comparison.
Done migrating from Passbolt? Cancel their seat.
LitePassword bills only for active users. No long-term commitment, no cancellation fee.
Common questions about leaving Passbolt
Can I import a Passbolt CSV or KDBX export?
Yes. Export from the Passbolt extension as CSV (or KDBX) and paste each secret into the matching LitePassword type. We recommend per-type manual entry over a single bulk dump because Passbolt and LitePassword model secrets differently — manual entry lands each item in the right type with the right fields.
How long does a Passbolt migration take?
About 20 minutes for a 10-person team with ~80 shared secrets, including invites and per-vault access setup. Larger or more deeply nested Passbolt folder structures take a little longer to map to vaults.
Passbolt uses OpenPGP keypairs. Does LitePassword?
No — and that is the point of switching. Passbolt gives each user an OpenPGP public/private keypair, which is elegant but means key management and a server you run. LitePassword uses a symmetric model: each vault has one AES-256 key, derived from your master password via PBKDF2 and wrapped with each member's master-derived key. Same zero-knowledge guarantee, no key servers to operate.
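To make the per-recipient wrapping in this answer (and in step 6) concrete, here is a generic sketch of the pattern: a PBKDF2-derived member key encrypts a copy of the vault key, and the server stores only the wrapped record. It is an added example, not LitePassword's code; the iteration count, the use of AES-256-GCM for the wrap, the random vault key and all names are assumptions, and how the granting side obtains a member's wrapping key is not described on the page and is outside the sketch.

```javascript
const crypto = require('node:crypto');

// Assumed parameters: the page names only PBKDF2 and AES-256.
const ITERATIONS = 600000;

// Member key: derived on the member's device from the master password.
function deriveMemberKey(masterPassword, salt) {
  return crypto.pbkdf2Sync(masterPassword, salt, ITERATIONS, 32, 'sha256');
}

// Wrap the vault key for one member. The returned record is ciphertext only.
function wrapVaultKey(vaultKey, memberKey, vaultId) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', memberKey, iv);
  cipher.setAAD(Buffer.from(vaultId)); // bind the record to one vault
  const wrapped = Buffer.concat([cipher.update(vaultKey), cipher.final()]);
  return { iv, wrapped, tag: cipher.getAuthTag() };
}

// Returns the vault key, or null if the record was wrapped for another key or vault.
function unwrapVaultKey(record, memberKey, vaultId) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', memberKey, record.iv);
  decipher.setAAD(Buffer.from(vaultId));
  decipher.setAuthTag(record.tag);
  try {
    return Buffer.concat([decipher.update(record.wrapped), decipher.final()]);
  } catch {
    return null; // GCM authentication failed
  }
}

// Constructed sample: Alice is granted the vault, Carol is not.
const vaultKey = crypto.randomBytes(32);
const aliceKey = deriveMemberKey('alice sample passphrase', crypto.randomBytes(16));
const carolKey = deriveMemberKey('carol sample passphrase', crypto.randomBytes(16));
const aliceGrant = wrapVaultKey(vaultKey, aliceKey, 'production-credentials');

console.log('alice:', unwrapVaultKey(aliceGrant, aliceKey, 'production-credentials').equals(vaultKey));
console.log('carol:', unwrapVaultKey(aliceGrant, carolKey, 'production-credentials'));
console.log('wrong vault:', unwrapVaultKey(aliceGrant, aliceKey, 'tooling'));
```

Revoking a member under this pattern means deleting their wrapped record and rotating the vault key, since they may have kept a copy of the old one.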
Is LitePassword zero-knowledge like Passbolt?
Yes. Your master password derives the encryption key on your device; the server stores ciphertext only and can never read your secrets. The difference is operational, not cryptographic — we run the infrastructure so you do not have to.
What happens to my self-hosted Passbolt server?
After everyone is unlocking from LitePassword, take a final encrypted backup, then decommission it: stop the service, revoke API keys, remove DNS. You stop being responsible for patching, backups, and uptime.
When does staying on Passbolt make more sense?
If you have strict data-residency requirements, an in-house ops team that already runs the server comfortably, or a team well past 12 people, self-hosting may still be the right call. LitePassword is built for 1–12 person teams that would rather not run infrastructure.
Stop sharing passwords in Slack messages.
Create your account in under a minute. Pick a master password. We'll generate your recovery key for you.