
Releases: passbolt/passbolt_api

Big Jet Plane

08 Oct 06:15
v5.6.0


Release song: https://www.youtube.com/watch?v=bu50DtPF1Ac

Passbolt 5.6.0 introduces standalone notes to store sensitive secrets beyond passwords and shared metadata key rotation to give organisations stronger control over their encrypted data. This release also delivers several long-awaited usability improvements on the main workspaces that make the day-to-day experience smoother.

Standalone notes

It is now possible to create notes as standalone resources, no longer tied to a password or TOTP entry. This offers a dedicated resource type for text-based secrets that don’t fit into existing supported types such as passwords, TOTPs, or custom fields.

Standalone notes benefit from the same permissions, encryption, and audit trail as passwords, ensuring they remain just as secure and shareable. Each note supports up to 50 KB of text, leaving ample room for certificates, SSH keys, or other long-form secrets that Passbolt plans to support natively in the future. Import and export flows have been updated accordingly and any imported resources that contain only a description will now be recognised and created as standalone notes.

Resizable sidebars: more space where it matters

Both the main workspace and the Users & Groups workspace now feature sidebars that can be resized, giving users more control over how they view their data. This improvement makes it easier to read long folder names and navigate deeply nested folder structures.

The ability to resize sidebars adds to the overall customisation of the interface, complementing existing options such as adjusting the width of the main workspace grid columns or choosing which information to display. Once adjusted, the sidebar adapts smoothly to the preferred width, and a quick double-click on the handle resets it to the default size.

Shared metadata key rotation

Administrators can now rotate the shared metadata key directly from the organisation settings without disrupting the availability of the instance. This capability gives organisations greater control over their encrypted metadata and is another milestone in completing the encrypted metadata roadmap.

Rotating the shared key enhances security in several important ways. It supports compliance with internal security policies or industry standards that require periodic key rotation. It also strengthens forward secrecy: when a collaborator leaves the organisation, administrators can generate and distribute a new shared metadata key to ensure that former members cannot access metadata encrypted after their departure.

Miscellaneous Improvements

This release is also packed with minor bug fixes and performance improvements, notably in group management where large updates are now split into smaller requests. This change reduces the load on the API and resolves timeout issues that could occur when many changes were applied to the same group at once. For the full list of changes, check out the changelog.

Many thanks to everyone who shared feedback, reported issues, and helped refine these features.

[5.6.0] - 2025-10-08

Added

  • PB-45058 Add datacheck to check for existing metadata key with no metadata private keys
  • PB-44187 As an admin I cannot delete a metadata key associated with a deleted resource
  • PB-44183 As a user that is sole owner of v4 resources when v4 resource types are disabled, v4 resources should be ignored on an ownership transfer request
  • PB-44770 As a user I want to configure the trusted_proxies list as an environment variable
  • PB-45471 Add new database migration to add standalone notes resource type
  • PB-45472 Update resource types endpoints tests to assert enable/disable is working for new standalone notes resource type
  • PB-45473 Update resources endpoints tests to accommodate new standalone notes resource type

Fixed

  • PB-45222 Fix EmailDigest not working for v5 resources
  • PB-45447 Fix PUT /metadata/keys/.json endpoint returning 500 error with trailing data
  • PB-45436 As an administrator I can define the default cache engine with an environment variable
  • PB-45454 Fix 500 error due to MySQL deadlock on create resource endpoint
  • PB-45456 Allow editing of v4 resources even when v4 resource type creation is disabled
  • PB-45258 Fix grammatical errors in the resource update email content
  • PB-45057 Reduce memory consumption on the action logs endpoints
  • PB-45057 Reduce memory consumption on resources and folders index endpoints

Maintenance

  • PB-44813 Bring back DDEV ldap related services for development environment
  • PB-44593 Bump i18next version
  • PB-45161 Fix regularly failing UsersIndexControllerPaginationTest.php test
  • PB-45270 Add custom exception message with client IP in /healthcheck/error.json
  • PB-45062 Fix user_setup_complete.php template in LU folder instead of AD

Big Jet Plane

06 Oct 13:56
v5.6.0-rc.1


Pre-release

Release song: https://www.youtube.com/watch?v=bu50DtPF1Ac

Passbolt 5.6.0-rc.1 is a feature release candidate introducing standalone notes, shared metadata key rotation and resizable sidebars. As usual, this release also reinforces security by updating third-party libraries and includes other bug fixes.

It also includes bug fixes and maintenance updates:

  • export of account kit is compatible with bigger private keys
  • group membership update process is updated to reduce request size and avoid some size limitations
  • folder name sorting now includes natural number counting

Make sure to follow the steps here. As always, your feedback is invaluable: give it a try and report any issues you come across.
Enjoy the testing journey! ❤️

[5.6.0-rc.1] - 2025-10-06

Added

  • PB-45058 Add datacheck to check for existing metadata key with no metadata private keys
  • PB-44187 As an admin I cannot delete a metadata key associated with a deleted resource
  • PB-44183 As a user that is sole owner of v4 resources when v4 resource types are disabled, v4 resources should be ignored on an ownership transfer request
  • PB-44770 As a user I want to configure the trusted_proxies list as an environment variable
  • PB-45471 Add new database migration to add standalone notes resource type
  • PB-45472 Update resource types endpoints tests to assert enable/disable is working for new standalone notes resource type
  • PB-45473 Update resources endpoints tests to accommodate new standalone notes resource type

Fixed

  • PB-45222 Fix EmailDigest not working for v5 resources
  • PB-45447 Fix PUT /metadata/keys/.json endpoint returning 500 error with trailing data
  • PB-45436 As an administrator I can define the default cache engine with an environment variable
  • PB-45454 Fix 500 error due to MySQL deadlock on create resource endpoint
  • PB-45456 Allow editing of v4 resources even when v4 resource type creation is disabled
  • PB-45258 Fix grammatical errors in the resource update email content
  • PB-45057 Reduce memory consumption on the action logs endpoints
  • PB-45057 Reduce memory consumption on resources and folders index endpoints

Maintenance

  • PB-44813 Bring back DDEV ldap related services for development environment
  • PB-44593 Bump i18next version
  • PB-45161 Fix regularly failing UsersIndexControllerPaginationTest.php test
  • PB-45270 Add custom exception message with client IP in /healthcheck/error.json
  • PB-45062 Fix user_setup_complete.php template in LU folder instead of AD

Hey Boy Hey Girl

29 Sep 12:27
v5.5.2


Release song: https://youtu.be/RyP8hGuyknA

Passbolt 5.5.2 resolves an issue introduced in the previous version that affected the editing of encrypted metadata settings. Due to zero-knowledge mode being required in some conditions, administrators were unable to edit the metadata key settings. This has now been fixed, restoring the ability to customize these settings.

We thank the community for reporting this issue!

[5.5.2] - 2025-09-29

Fixed

  • PB-45439 As an administrator I can edit the metadata key settings when not editing zero-knowledge mode

v5.5.0

15 Sep 14:31
v5.5.0


Release song: https://youtu.be/L3Wo8jcNrkQ

Passbolt 5.5.0 is a feature release introducing encrypted metadata in zero-knowledge mode and SCIM provisioning (beta) for automated user management.

Encrypted Metadata Zero-Knowledge Mode

This mode is designed for organizations that prioritize privacy over server-side auditability. In this setup, the server never has access to the shared metadata private key.

  • Key distribution: When a new user joins, the server does not distribute the metadata key.
    Administrators are notified by email and can review which users are missing the key in the Users & Groups workspace. Keys must then be shared manually.
  • User experience: Until the key is received, the user’s actions are limited. Operations that depend on metadata, such as sharing a resource, moving a private item into a shared folder or creating resources intended to be shared are blocked.
  • Guidance in UI: If a restricted action is attempted, the interface provides an explanation and steps to resolve the issue.

More details are available in the dedicated blog post on encrypted metadata and zero-knowledge.

Several bugs reported by the community have also been fixed. As always, thank you to everyone who took the time to file issues and suggest improvements. Check out the changelog for more information.

[5.5.0] - 2025-09-15

Added

  • PB-44639 As an administrator, when updating metadata settings from friendly mode to zero knowledge, I should see the server key dropped in DB
  • PB-44756 Updates metadata keys settings endpoint to accept server metadata private key
  • PB-44752 Adds a new data check for existing resources v5 encrypted with hard or soft deleted shared metadata key

Fixed

  • PB-45060 Fixes custom fields json schema properties type
  • PB-45062 Fixes user_setup_complete.php template in LU folder instead of AD
  • PB-44760 Fixes health check "record not found in table organization_settings" issue (GITHUB #563)

Maintenance

  • PB-44915 Changes DDEV containers names and URLs from passbolt-ce-api to passbolt-api
  • PB-44813 Updates ddev config
  • PB-44772 Speeds up continuous integration by splitting pipelines in two distinct test suites

v5.5.0-rc.1

12 Sep 13:07
v5.5.0-rc.1


Pre-release

Release song: https://youtu.be/L3Wo8jcNrkQ

Passbolt 5.5.0-rc.1 is a feature release candidate introducing encrypted metadata in zero-knowledge mode and SCIM provisioning (beta) for automated user management.

Encrypted Metadata Zero-Knowledge Mode

This mode is designed for organizations that prioritize privacy over server-side auditability. In this setup, the server never has access to the shared metadata private key.

  • Key distribution: When a new user joins, the server does not distribute the metadata key.
    Administrators are notified by email and can review which users are missing the key in the Users & Groups workspace. Keys must then be shared manually.
  • User experience: Until the key is received, the user’s actions are limited. Operations that depend on metadata, such as sharing a resource, moving a private item into a shared folder or creating resources intended to be shared are blocked.
  • Guidance in UI: If a restricted action is attempted, the interface provides an explanation and steps to resolve the issue.

More details are available in the dedicated blog post on encrypted metadata and zero-knowledge.

Several bugs reported by the community have also been fixed. As always, thank you to everyone who took the time to file issues and suggest improvements. Check out the changelog for more information.

[5.5.0-rc.1] - 2025-09-12

Added

  • PB-44639 As an administrator, when updating metadata settings from friendly mode to zero knowledge, I should see the server key dropped in DB
  • PB-44756 Updates metadata keys settings endpoint to accept server metadata private key
  • PB-44752 Adds a new data check for existing resources v5 encrypted with hard or soft deleted shared metadata key

Fixed

  • PB-45060 Fixes custom fields json schema properties type
  • PB-45062 Fixes user_setup_complete.php template in LU folder instead of AD
  • PB-44760 Fixes health check "record not found in table organization_settings" issue (GITHUB #563)

Maintenance

  • PB-44915 Changes DDEV containers names and URLs from passbolt-ce-api to passbolt-api
  • PB-44813 Updates ddev config
  • PB-44772 Speeds up continuous integration by splitting pipelines in two distinct test suites

Ain't No Sunshine

13 Aug 20:18
v5.4.1


Release song: https://www.youtube.com/watch?v=6tpGC4lgpMg

This hot-fix addresses several issues introduced in recent v5.x releases.

Since v5.3, organizations running Passbolt on servers with a locale different from en-UK could encounter issues when updating or, later, when using the application; these have now been resolved.

It also fixes a problem where organizations that had manually disabled encrypted metadata using the kill switch available to system administrators were unable to initiate credential imports from the web application. This was a side effect of recent work preparing for the upcoming zero-knowledge capability, which will further strengthen the encrypted metadata feature introduced earlier.

Finally, since v5.0, resources whose secrets had been modified, irrespective of whether the secret was a password, a TOTP, or a secure note, have had their expiration dates automatically rotated, which was not the expected behaviour. The expected behaviour is now restored: the expiration date is rotated only when the password is edited.

We thank the community for promptly reporting these issues.

[5.4.1] - 2025-08-13

Fixed

  • PB-44220 Enforces the format to datetime string when persisting the last_logged_in field on users login

It's my life

12 Aug 09:05
v5.4.0


Release song: https://www.youtube.com/watch?v=kymdKYtkJbQ

Passbolt 5.4.0 ships with encrypted metadata and the accompanying new resource types promoted to stable. These capabilities have been battle-tested for months, and most remaining edge cases have been smoothed out so they can now be enabled for everyone.

Removing the beta label means that every new instance starts with encrypted metadata activated by default. As a result, features introduced in previous releases, such as icons, multiple URIs and custom fields, are available from day one without any action from end-users.

For existing instances, the activation process has been simplified: administrators can decide with a single click whether their organisation is ready or would prefer to postpone the launch. Once enabled, the instance immediately supports the new resource types and their extended capabilities.

Because the change may disrupt external integrations, existing content is not migrated automatically; migration remains the responsibility of content owners or administrators. It can be performed item-by-item by users in the main workspace or organisation-wide with the resource-metadata administration migration tool.

Revisiting resource capabilities was also an opportunity to increase the maximum size of secret notes to 50 000 characters, leaving ample room for full certificate chains, keys of any flavour or any long text you need to keep encrypted.

This release further improves cryptographic performance by introducing elliptic-curve keys (Curve25519/Ed25519) for new users. These keys provide security comparable to RSA-3072 while significantly reducing processing time and payload size.

Performance has been tuned for large organisations that manage substantial numbers of users or resources. Among other improvements: Users' workspace now opens more quickly, and deleting multiple resources generates fewer I/O operations.

Czech joins the list of supported languages, allowing native speakers to use Passbolt entirely in their own words, vítejte!

Many thanks to everyone who reported issues and tested encrypted metadata over the past months. Your feedback made this release possible and brings these new features to all users today.

[5.4.0] - 2025-08-12

Added

  • PB-43713 Translate the application in Czech
  • PB-44285 Add endpoint to help clients enable E2EE by default for new instances
  • PB-44184 As an administrator I should not be allowed to retrieve resources to migrate from v4 to v5 resource types from v4 resource types that are deleted
  • PB-44071 Add a cleanup task to soft-delete inactive users with same usernames
  • PB-44376 Set ECC key type as a default for new users
  • PB-44405 Add new healthcheck to notify administrators when there is no active metadata key if E2EE is enabled
  • PB-44406 Add new healthcheck to notify administrators when zero-knowledge disabled and the server does not have access to the shared metadata key
  • PB-44407 Add new healthcheck to notify administrators when server cannot validate its own shared metadata private key
  • PB-44416 Add metadata settings getting started endpoint
  • PB-38155 Add JSON schema definition to resource types migrations
  • PB-44474 Switch encrypted metadata plugin to stable
  • PB-43631 As an admin running a command as root, I should see the name of the command in the suggestion proposed by the CLI

Fixed

  • PB-43187 Retrieve user last logged data from users table instead of the log to improve application performance
  • PB-43922 Fix notification emails about a resource update
  • PB-43709 Fix enabling E2EE without a key should trigger an error
  • PB-44093 Fix a warning message in ActionLogsUsernameQueryStrategy
  • PB-44177 Fix as a user I should not be allowed to create v4 resource if the resource type is deleted
  • PB-44179 Fix as user I should not view/index v4 resource types if the resource type is deleted
  • PB-43936 Fix IsValidEncryptedMetadataPrivateKey should log, then return false and not throw an exception if isMessageForRecipient fails
  • PB-44182 Fix as user I should not be allowed to delete a v4 resource if v4 resource type is deleted
  • PB-44181 Fix as user I should not be allowed to share a v4 resource if v4 resource type is deleted
  • PB-44252 Fix as an admin I should not be able to set the role of a user to guest
  • PB-44178 Fix as a user I should not be allowed to update v4 resource if the resource type is deleted
  • PB-44180 Fix as user I should not view/index v5 resource types if the resource type is deleted
  • PB-44186 Fix as an administrator I should not be able to rotate the metadata key for resources that have a deleted resource type
  • PB-44189 Fix command line metadata commands should be loaded in debug mode only
  • PB-43936 Fix isMessageForRecipient should work if encryption is done with main key
  • PB-41818 Fix as a user setting a date as boolean the API should not return a 500 code response

Maintenance

  • PB-43524 Create a TestData plugin in plugins/PassboltCe
  • PB-44087 Remove V331 backward compatibility migration
  • PB-44267 Bump SeleniumApi plugin version
  • PB-43752 Add assertJson assertions to folders endpoints
  • PB-41818 Bump cakephp version to 5.2.6

It's my life

11 Aug 12:18
v5.4.0-rc.1


Pre-release

Release song: https://www.youtube.com/watch?v=kymdKYtkJbQ

Passbolt is thrilled to announce that the v5.4.0 API Release Candidate is officially available for testing.

This version ships with encrypted metadata and the accompanying new resource types promoted to stable. These capabilities have been battle-tested for months, and most remaining edge cases have been smoothed out so they can now be enabled for everyone. In addition, it improves performance for large organisations that manage substantial numbers of users or resources and adds support for the Czech language.

Head to GitHub and dive in! Make sure to follow the steps here. As always, your feedback is invaluable: give it a try and report any issues you come across.

Enjoy the testing journey! ❤️

[5.4.0-rc.1] - 2025-08-11

Added

  • PB-43713 Translate the application in Czech
  • PB-44285 Add endpoint to help clients enable E2EE by default for new instances
  • PB-44184 As an administrator I should not be allowed to retrieve resources to migrate from v4 to v5 resource types from v4 resource types that are deleted
  • PB-44071 Add a cleanup task to soft-delete inactive users with same usernames
  • PB-44376 Set ECC key type as a default for new users
  • PB-44405 Add new healthcheck to notify administrators when there is no active metadata key if E2EE is enabled
  • PB-44406 Add new healthcheck to notify administrators when zero-knowledge disabled and the server does not have access to the shared metadata key
  • PB-44407 Add new healthcheck to notify administrators when server cannot validate its own shared metadata private key
  • PB-44416 Add metadata settings getting started endpoint
  • PB-38155 Add JSON schema definition to resource types migrations
  • PB-44474 Switch encrypted metadata plugin to stable
  • PB-43631 As an admin running a command as root, I should see the name of the command in the suggestion proposed by the CLI

Fixed

  • PB-43187 Retrieve user last logged data from users table instead of the log to improve application performance
  • PB-43922 Fix notification emails about a resource update
  • PB-43709 Fix enabling E2EE without a key should trigger an error
  • PB-44093 Fix a warning message in ActionLogsUsernameQueryStrategy
  • PB-44177 Fix as a user I should not be allowed to create v4 resource if the resource type is deleted
  • PB-44179 Fix as user I should not view/index v4 resource types if the resource type is deleted
  • PB-43936 Fix IsValidEncryptedMetadataPrivateKey should log, then return false and not throw an exception if isMessageForRecipient fails
  • PB-44182 Fix as user I should not be allowed to delete a v4 resource if v4 resource type is deleted
  • PB-44181 Fix as user I should not be allowed to share a v4 resource if v4 resource type is deleted
  • PB-44252 Fix as an admin I should not be able to set the role of a user to guest
  • PB-44178 Fix as a user I should not be allowed to update v4 resource if the resource type is deleted
  • PB-44180 Fix as user I should not view/index v5 resource types if the resource type is deleted
  • PB-44186 Fix as an administrator I should not be able to rotate the metadata key for resources that have a deleted resource type
  • PB-44189 Fix command line metadata commands should be loaded in debug mode only
  • PB-43936 Fix isMessageForRecipient should work if encryption is done with main key
  • PB-41818 Fix as a user setting a date as boolean the API should not return a 500 code response

Maintenance

  • PB-43524 Create a TestData plugin in plugins/PassboltCe
  • PB-44087 Remove V331 backward compatibility migration
  • PB-44267 Bump SeleniumApi plugin version
  • PB-43752 Add assertJson assertions to folders endpoints
  • PB-41818 Bump cakephp version to 5.2.6

Somebody to love

17 Jul 08:50
v5.3.2


Release song: https://www.youtube.com/watch?v=-GxmblM_jss

Passbolt v5.3.2 is a security release designed to strengthen the security posture of your organization. It introduces a clipboard flushing feature and addresses issues related to encrypted metadata.

The new clipboard flush timer lets you copy secrets just long enough to use them; clipboard data is automatically cleared when the countdown (30s) expires, significantly reducing the risk of accidental exposure or leaks from forgotten clipboard content.

This update also resolves several encrypted metadata issues, moving the feature closer to general availability. Organizations can now enable encrypted metadata even if users have imported their own more complex keys (e.g. keys that were set to expire at some point), streamlining adoption for advanced users. Admin changes are smoother too: if the original metadata-enabling administrator leaves, newly invited users will still receive the metadata key automatically, removing the need for manual distribution. Lastly, users who owned shared resources using the new encrypted metadata format can now be deleted without issue, as ownership transfer is now handled correctly during the deletion process.

A big thank you to all testers who helped refine these features. If you’re new to any of them, we welcome your feedback on the community forum or through your usual support channels!

[5.3.2] - 2025-07-16

Fixed

  • PB-43910 As an administrator installing passbolt on postgres, the default postgres schema should be public
  • PB-43956 Fix OpenPGP_PHP behavior discrepancy for keys with multiple self-signed key signatures with different expiry times
  • PB-43746 A metadata key should be shareable with new users even if the administrator who created the key is soft-deleted
  • PB-37106 As an administrator running healthCheck, I should see the right path to the logs if the directory permissions are not correct

Maintenance

  • PB-43966 Selenium specific endpoints should be enabled for local testing with ddev
  • PB-43480 Writes stack traces in logs on metadata key validation 500 errors

Beautiful People

09 Jul 13:44
v5.3.1


Release song: https://www.youtube.com/watch?v=h7V36waLN0M

This hot-fix resolves a regression introduced in v5.3.0 that blocked the creation of standalone Custom Fields content types. A validation error in the API prevented these resources from being saved. With v5.3.1, the validation logic has been corrected, so users can now create and test Custom Fields content types as intended.

Thank you to everyone in the community who spotted the issue so quickly and helped us verify the fix!

[5.3.1] - 2025-07-09

Fixed

  • PB-43748 Users are unable to save a new standalone custom field resource