Interview with Rémy Bertot
Rémy Bertot is CTO and co-founder of Passbolt, a free and open source password manager software.
We go with him for a dive into the world of Passbolt: discover the birth of the software, its community and its business model. Rémy also tells us about security management, the regular audits, as well as the challenges ahead for the product.
Walid Nouh: Hello and welcome to Free Projects!. My name is Walid Nouh, I fell into the cauldron of free software more than 20 years ago. Whether you’re a seasoned free-software enthusiast or a novice, come and discover with me the portraits of the women and men who make free software: communities, economic models, contributions, we tell you everything.
Today, for this second episode, we’re going to talk about a piece of software that I’m particularly fond of, it’s a free and open source password manager called Passbolt, a software I’ve been using since 2018. By the way, I discovered that it was much older than I thought by reading the pages on the site; it’s a software that I recommend to everyone every time I go to a company. I thought of inviting Rémy Bertot, who is the CTO [Chief Technical Officer] and one of the co-founders of Passbolt, after seeing a talk at FOSDEM this year, the big gathering for free software developers held every year in Brussels. He kindly agreed.
Today we’re going to talk with him about Passbolt, the community, the business model, and what it means to develop free software in the field of security.
Hello Rémy, welcome to Free Projects!. I hope you’re doing well.
Rémy Bertot: Yes. I’m fine. Thank you for the invitation, Walid, it makes me very happy.
Walid Nouh: To start with, the first thing I’m going to ask you: can you introduce yourself to tell us a little bit about your background and when did you become interested in free software?
Rémy Bertot: As you said, my name is Rémy Bertot. I am originally French and now I have been living in Luxembourg for a few years.
I am a software engineer by training. I started my studies in Bordeaux and finished them in Ireland. My background is a fairly classic path of developer training, software engineering with a specialization in human/machine interaction, so usability, usability testing, that kind of thing. What has always interested me is the graphical interface part, but also how to make software more accessible in general. That’s why I chose this.
Like my co-founders, I’ve been a computer geek ever since I was lucky enough to have a computer. My exposure to free software comes from there, right from the start, out of curiosity, installing Linux on the parents’ PC, that sort of thing.
Later, we started working together with Kevin and Cédric. Passbolt is not our first adventure, we had done things before, including a web development agency right after our studies, with Kevin. We had 2,000 euros in our pocket and we set up a web agency in India based on free software. We’ve developed quite a bit with free software. We hadn’t developed free software, we’d developed a lot on free software or with libraries. For example, we worked on software that did video rendering, we were exposed to FFmpeg. We made websites that were a bit dynamic; at the time, it was just the beginning of jQuery, we made little jQuery plugins, we started to make small contributions on PHP frameworks that were just emerging at the time, typically translating docs, that kind of thing.
It happened quite naturally actually. Cédric and Kevin and I were always inspired by the values of free software and what it represents, the fact that knowledge should be free and available to all.
Walid Nouh: At the beginning you were, let’s say, users of free software, you had not yet crossed over to the other side of the fence, but from the beginning you had the entrepreneurial spirit.
Rémy Bertot: Yes. Making something with our hands was really something that appealed to us, and in the end, after doing some service work, we thought, “OK, why not make a product.” We didn’t start with Passbolt, we had made other software before, an e-learning software called Click On French; it was a platform to learn French, which is in big demand in India. We had been working on other free software that was not released, that was under a free license but that was never distributed. Later, we also worked on non-free software, for example we worked with Adobe or the European Parliament on proprietary software.
One thing led to another and we said “OK, we’re going to make other software for ourselves, for the web agency, precisely to solve the problems we had in the web agency, which were password management”. At the time there wasn’t much on the market, there was KeePass, which is still used by millions of people, rightly so, it’s a project that is well done. The KeePass community is quite fragmented, there is not a single player that controls KeePass, it is really several communities, there are several versions. In fact, there wasn’t a web version, there wasn’t a version where you can share, or have an audit trail to know what people are doing with passwords.
Typically, in a web agency, you’re going to need to store SSH [Secure Shell] keys, FTP [File Transfer Protocol] passwords, that kind of thing was still done back then, logins on WordPress sites, whatever. We needed a solution that was shared, that was free. We started developing, in fact Kevin made a first version of this software in 2012.
Walid Nouh: On the website it says “2011, first prototype”, I was really surprised, I thought it was more recent actually.
Rémy Bertot: This first version of the software was used internally, was not open source, it was just available to our customers.
At the time, I left to work elsewhere. I was a bit tired of doing site service, so I went to work in Amsterdam for Greenpeace International. I worked on a project that has now become OpenSocial, I don’t know if you know, it’s a social network that was in Drupal, it’s not the most obvious technology to build a social network; it’s a software that started from Greenpeace and became OpenSocial. At the same time, Kevin was developing Passbolt. We were both working on free software.
Kevin said, “I want to release Passbolt as free software.” I made the biggest mistake, which was to tell Kevin “OK I want to, but we’re redoing it from the beginning” rather than fixing the existing software, which had big problems in terms of security. I said, “OK, we’re redoing it from the start.” That’s why, in fact, there was really a version from 2012 to 2016 that wasn’t public. We launched v1, which was already a v2, in public in 2016. This was around the same time as Bitwarden, which is another open-source password manager that is developed in the United States.
Walid Nouh: The first traces I found on GitHub were in 2016. The question I asked myself: what pushed you in the choice to do it in PHP and what pushed you in the choice to do it with an AGPL license?
Rémy Bertot: At first, PHP was because we wanted the software to be self-hosted. Our experience in web agencies, even in NGOs, was that any administrator or IT department has seen PHP come through, so typical LAMP stacks are quite resilient, people are really used to installing this type of software and maintaining it. So the idea was really to start with a simple and resilient stack, so that there wouldn’t be many things that changed, with a view to reducing the support behind it. So we chose the simplest technology possible. The metaphor I often use: if you throw Passbolt against a wall, it’s going to stick, it’s pretty much indestructible. We have instances that have been running for years, they don’t have a problem. It’s not so easy to get that kind of result if you take technologies that are a little bit more cutting edge, that are, in quotes, “a little more innovative and less polished.” That’s why we started with PHP in the first place.
For the AGPL license, the idea was that we didn’t want to do what I call “begware”. We didn’t want to be there, operating on donations, etc., we’d already seen it with our own projects. Typically, for example, we also contributed to Mailvelope, a software that allows data encryption; with Kevin and Cédric we also worked a lot on this software. It has a slightly different model, it works on a donation basis. I wasn’t interested in that economic model because it’s not predictable. Most of the donations come, in fact, from foundations, let’s not kid ourselves, most individuals don’t give to open source, it’s either large companies or large foundations; big companies are quite rare, you really have to have crazy adoption to be able to have a model like that and usually you are dependent on these big companies, one or, if you’re lucky, two big companies that, from one day to the next, can let you down. It’s the same for foundations. We saw this with Mailvelope, which was funded by the Open Technology Fund. The day Trump came to power, that’s the kind of thing he cut off right away, and for four years, Mailvelope didn’t have any more donations from that side, they had to look for new donors. For me it wasn’t really a business model that interested me, I wanted something that was sustainable from the start, where people understand that there is value, so you have to finance the thing to make it work.
The AGPL license allows you to do this, i.e. the software is under a free license. We have a service that is available, people can modify it, etc. If someone wants to compete with us, they have to compete by the same rules. If, for example, I had licensed the software under MIT, someone would be able to take the code from Passbolt, make a cloud version and not owe anyone anything. Whereas under AGPL, this person will be forced to redistribute the source code to their customers. So we’re pretty much on the same footing.
At the license level, we have a small subtlety: we do not allow the use of the Passbolt trademark. Basically, you have access to the software, you can change it, but you don’t have the right to use the Passbolt name. If you want to change it and redistribute it, you’ll have to change it and distribute it under a different name, you can’t use Passbolt’s visibility to build your ecosystem.
I think it’s fair in the sense that you can come in and compete with Passbolt, fork it under another name and create your own business model by creating a better version of Passbolt, and it won’t be exclusive, we can both benefit from that relationship. We’ve seen this in the past, typically relationships between Red Hat and the CentOS community or other Linux distributions, between Ubuntu and other versions of Ubuntu. It’s a model that works quite well, but everyone needs to have a level playing field. Typically, we didn’t want AWS or Google to take the API and do their own version. The AGPL also allows you to protect yourself a little bit on that side.
Walid Nouh: Here we are in 2016. Basically, you publish the first version, the first sources on GitHub. Just because you publish your sources on GitHub doesn’t mean you have a community, that your software is known. Before, you worked at a web agency and you published your first version, now I guess it’s still a bit of a challenge. I don’t know what your background was in security to develop a software like Passbolt which, on top of that, has certain peculiarities, quite advanced features in terms of security. How did you do it? Did you surround yourself with people who are very competent in security, were you already in the team yourself? How did it actually go?
Rémy Bertot: To give a bit of background, when I was 16 years old, I was decompiling shareware to find out how license keys worked; Kevin, it was experiments with phone hacking. We didn’t come out of nowhere, either. After all, we weren’t born security experts. We still based ourselves quite a bit on work that had already been done by a lot of people. As I mentioned before, Mailvelope is a project that existed before Passbolt, so we took a lot of concepts. Thomas Oberndörfer, one of the founders of this project, revived OpenPGP.js, which is the implementation of OpenPGP in JavaScript that is now maintained by the Proton Mail team, but which, at the time, was maintained by them. We obviously relied on his work and on the security audits he had done to make sure we didn’t make the same mistakes as him again. We also looked closely at the other audits of password managers, what the flaws were that other password managers had and how they had been pwned.
Now we are fortunate to be surrounded and to be constantly, quote-unquote, “under surveillance.” We have audits almost every quarter, all the time, and we always find things, it’s never over. It’s more of an effort to search, of pure knowledge. There’s a part of research and initial knowledge, but then there’s a part of practice and rigor actually.
Walid Nouh: I’m coming back, because it’s a topic that I find quite interesting: how do you go about making yourself known and making your first community? Is it precisely because you were already used to working on Mailvelope and other projects that, in the end, it started like this? How did you manage to make yourself known compared to other projects that could have been there before or that arrived at the same time?
Rémy Bertot: The launch strategy was pretty straightforward. What was it? We’re going to talk about Passbolt on the open source forums we know. We went to LinuxFr, we went to Hacker News, we talked about Passbolt and then, one thing leading to another, the thing took hold on its own, by word of mouth. We didn’t make any particular effort, at least initially. We were quite surprised, actually, that it caught on on its own. Somehow, there was a real need: what we were doing was for the people, for how they would have liked to do it themselves.
Walid Nouh: So you’ve managed to build a community. I was looking at the statistics on GitHub earlier, there are still a lot of people contributing. Not all of these people work at Passbolt, people came on their own. How did this relationship with this community of people who gravitate around the Passbolt project go?
Rémy Bertot: On GitHub, the project’s statistics are a bit skewed because, in fact, there was no Composer for CakePHP, in fact we forked the repo, so we took all the contributors between v1 and v2 of CakePHP, who are listed as Passbolt contributors, which I like. In any case, indirectly, they contributed to the project, but that distorts the statistics a bit.
Basically, we don’t have hundreds or thousands of contributors, we have a dozen or so people who contribute at different levels.
We have a lot of contributors in terms of translation, we have a fairly active community of translators.
After that, we have a community that comes back to us on small typos or that wants, for example, additional settings, small changes, small adjustments to settings.
We have contributors who offer slightly bigger features, but they generally don’t offer them on the core of the product, which is the API or the browser extension or even the mobile apps now; they typically offer them on SDKs [Software Development Kits] or on libraries, on projects they created to solve their problems with Passbolt. Typically, we have Samuel Lorch, who created the Passbolt CLI [Command Line Interface], which is written in Go. He really had this need to rotate passwords in Passbolt in his company, he didn’t want to do it with a graphical interface. He went off and developed this SDK and then, on top of that, this CLI.
So we have contributions in that direction. We have, for example, a former employee of Passbolt, Christophe Vassort, who has worked quite a bit on everything related to Ansible collections, for example creating packages for a Raspberry Pi, that kind of thing.
In fact, the contributions are usually around the product, to integrate the product, to connect to the product; they are not on the core of the product, which is a bit, in quotes, “difficult to access” because there are quite a few parts: you have the API, you have the StyleGuide and then you have the browser extension, so you really have to combine these three elements together to make Passbolt work. The architecture of Passbolt is a bit peculiar since the entire application is practically served by the browser extension. When you land on a website that runs a Passbolt instance, the browser extension will inject an iframe and the whole application will be in that iframe. In fact, when you develop the server, you’re developing the API that’s going to be used by that app or by the mobile apps. If you want to develop a new feature, you really need to understand the clients and the server, which is not necessarily easy for developers. It’s a bit complicated to do end-to-end encryption, there aren’t many contributors on completely transversal features.
After that, we look for specialists. Typically we work with CakeDC, which is one of the developers of the framework that we use for the API, which works, for example, on the LDAP [Lightweight Directory Access Protocol] part or that kind of thing. For example, we have clients asking if we could add Kerberos authentication for the LDAP plugin. We’re going to work with people who know LDAP, who know OpenPHP well.
These are contributors who come from the open source community, who are paid to work, which I think is ideal.
Walid Nouh: As a Passbolt user, what do I have at my disposal to make feature requests or to interact with you? How does it work? How did you structure this dialogue between the people who would like to give feedback and the development team?
Rémy Bertot: We have a forum called the Community forum, which is on community.passbolt.com, which is based on Discourse, which is also open source software.
We have a help site that is also available on GitHub. Our help site, with all the resources, is also available under Creative Commons and people can change anything they want. They can either contribute documentation on the website, or they can offer translations with the platform we use, Crowdin, which is not open source but is free for open source projects, or talk about features or their problems on the forum.
Our development process starts by answering four questions: what is the problem you’re trying to solve? Why is it important? Who is affected? And only then will we start talking about solutions. Otherwise, in my experience, talking about the solution first before talking about the problem is like having a hammer and everything looks like a nail. The goal of the game is really to deconstruct the problem, who is impacted and why it is important. Once we have that, we try to build the solution really with the community. For example, we’re going to ask: what do you think if we take this approach to solve this problem? Typically, with the in-house team, we will develop wireframes, use-case diagrams, sequence diagrams. We’re going to get back to the community and we’re going to ask the community to comment.
For example, if you’re subscribed to our newsletter, we’ll send you an email when there are big specs that go out and, if we’re hesitating between two possible approaches, we’ll ask the community: what do you think, should we do one rather than the other?, and usually people tell us “both”. Generally, we decide according to who answered what, and who is our audience and who is not so much. Then, in fact, we make a release in alpha: the first version is behind a feature flag, which means you can release it, but you really have to get your hands dirty to turn it on, set the flag to one. Here you have the opportunity to give feedback: do you like the feature? Do you find any bugs? etc.
After that, we go into what we call beta mode, it’s displayed on the screen that it’s in beta, and we do a code review, normally with our partners at Cure53, who do a security review. They take everything. They take the specs, they take the product and then the Q&A. We fund this audit whenever there is a major feature. Of course, all of this costs money, so we need to have a viable business model.
Walid Nouh: We’ll come back to this shortly, it’s one of the subjects I’ve been confronted with as well, security audits, and it’s not easy. It reminds me of things from when I was working on an open source project. We were asking people to test the alpha and beta versions and actually, basically, we didn’t have too many tests. We’d get to production and that’s when people would start testing. We were always racking our brains to figure out how to get people to test our versions to help us debug the thing. Of course, we had people who helped us, but never enough.
Rémy Bertot: It’s that no one wants to be the guinea pig. We have the advantage of already having customers. We have customers, or people who are in the process of becoming customers, who are waiting for a feature to become customers. They are the first to know and we really support them. We do the installation with them, we do a demo of the thing so that they can really test this feature. So we’re kind of provoking this testing phase. We also have a lot of in-house testing, we have a lot of unit testing, we have end-to-end Selenium testing. So when we ask people to test it, we usually know it works, but we always find things, of course. We don’t expect a certain configuration, we always have a few surprises.
Walid Nouh: If, now, we move a little bit to Passbolt as a company and as a business model: you are based in Luxembourg, and how many people are you?
Rémy Bertot: We are about 30 people, 14 of whom are in Luxembourg. We don’t have all the staff in Luxembourg. We have quite a few people, half of them, working remotely. We’re a remote company actually, so we have people in Spain, we have a person in the United States, in Germany, in India of course, because at the beginning, with Cédric and Kevin, we were in India, so we have contacts there. We also have people who come from Belgium to work. So we’re pretty cosmopolitan at heart.
Walid Nouh: You released the first release of Passbolt, in 2016, and you hadn’t yet set up the Passbolt company.
Rémy Bertot: In fact, we participated in an incubation project, we participated in a competition called Fit4Start in Luxembourg because, basically, Kevin and Cédric are from the Grand Est region, so they were familiar with Luxembourg’s acceleration programs. We were lucky enough to be selected to pitch and we had the chance to participate in the program.
One of the obligations included in this program is to build your business in Luxembourg, in exchange for which you have access to subsidies, you can settle here. We have access to the ecosystem here. We had access to the Technoport, which is a building that serves as an incubator; we had offices, to begin with, with everything we needed, security, Internet, all for free. It was really a huge advantage for us and that’s what allowed us to get over the stage of “OK, we have open source software, but we don’t have a business” to “OK, now we’re going to develop a business based on this software”, precisely to be able to maintain it.
Walid Nouh: Precisely, because that’s where it gets interesting: when you set up the company, what was your vision of the business you wanted to do? Was it very different from what it is now or not?
Rémy Bertot: No. I wouldn’t say it was any different. In fact, we tried to have the same business model as Mailvelope, i.e. to operate on the basis of donations, and it didn’t work at all. That’s why we said to ourselves, “We really need to have an economic model that holds up, have a company and try to make it grow.” This went through building a paid version, which is called Passbolt Pro, which was released in 2018. During this period, between the end of 2016 and 2018, there was development to add features and, in 2020, the launch of Passbolt Cloud, which is another part of the paid offer. Passbolt Pro includes support and also additional features. After all, these additional features are still licensed under the AGPL license.
Walid Nouh: That’s what I wanted to get at, to this question: is this pro version itself in AGPL?
Rémy Bertot: Yes. In fact, you have to take out a subscription, the software asks you for a subscription key, but you have the right to modify the software so that it does not ask you for the subscription key. In that case, if you do that, we don’t offer you support.
Typically, when you’re a business, you don’t want to do that; if you’re an individual, you can do this. If you’re a big company, it’s a bit complicated to maintain your own version, considering the insignificant cost of Passbolt compared to the effort of having a resource working to compile applications, packages, etc.
What we are proposing is precisely the compilation of all this, i.e. the finished application and not just the sources. It works pretty well. We were like, “OK, people are going to pay for support,” but no one wants to pay for support. People want the software to just work, even though we know they’re going to need support. That’s kind of the weird part of the equation: we know that if you offer an LDAP module, there’s going to be a lot of support on LDAP.
That’s why we prefer to go to the paid version because we know that people are going to need support and we want people to have a good experience, we don’t want them all to come to the forum and say “my LDAP doesn’t work”. We want people to have a good experience with the software. That’s why we’ve developed some features in this paid version, these are the features that create the most support.
Walid Nouh: That was one of the questions I was asking myself because it’s something that’s very specific from one project to another: what do you include in the Community version, what don’t you include? What are you basing it on? There are some who will say that everything you need on a daily basis is put in the Community version and all the advanced features are put in the pro version. What I understand is that in fact, for you, you put in the pro version everything that will generate support.
Rémy Bertot: It’s schematic, but it’s not just that. There’s also a part where we know, basically, that the biggest companies are going to need these features; we know that these are people who have budgets to deploy this type of software. So there’s also audience targeting.
Typically, you can use the Community Edition with 10 to 30 people without any problems. If you reach 500 people, you start to have some problems that you don’t have when you have 30 people, and that’s where we put the slider. If you have 500 users using Passbolt, you need to check out. Otherwise you take on the cost of forking the application, you take on the cost of building the packages yourself, whatever.
Walid Nouh: Another subject that is not obvious, which I thought about a lot more when I was working on free software, for which we looked at how other software was doing it: when you backport features. I think in particular that not too long ago you backported the notion of folders directly into the Community edition, there were also the mobile clients.
Rémy Bertot: Mobile clients were always available to everyone.
Walid Nouh: Right from the start? All right.
Rémy Bertot: Folders was released in January or February, and we also had 2FA, which was also put on the Community Edition. The reason why people resented us for putting all the 2FA on the paid version is that Passbolt originally used a public/private key system, so there’s no need to redo everything. From a security point of view, what we offer in terms of login is a challenge-based login with a signature, proof that you have the private key, so it’s much stronger than a password and an MFA [Multifactor Authentication]. Typically, it’s the same principle as passkeys or the things that will replace passwords. We told ourselves that MFA is really for people who are in a company where they need to check the MFA box, so not free software technicians who know what they are doing. It was badly perceived, it was perceived as petty, that’s why we brought it down. It was easier to say “MFA is available to everyone” than to say “from a security point of view it doesn’t change much because Passbolt authentication is already super strong”.
At the beginning, we are also obliged to respond to the community in relation to the image we have, not necessarily in relation to our rationale, but also to respond to people’s moods.
Walid Nouh: I know that, back in the days when I was looking at a lot of software, there were cases where, for example, a company financed a feature, that feature actually spent some time in the pro version and then it went back down to the Community version; others said “we add a feature, we estimate the time it takes us to make it profitable, once it’s profitable we bring it back down to the Community version”. In fact, there can be a lot of different models that can be explained by the structure of the project, by the people who manage it, by the business model and everything. In fact, it’s something that is never really discussed and that I find quite interesting to understand precisely because it really touches on both the economic model: what do we need to make money and, at the same time, how do we give free software that is usable enough for people to use it and that, potentially tomorrow, they need to have the pro version?
Rémy Bertot: We don’t have a fixed equation. As you say, it comes from several factors. There is also, for example, competition, which is a factor that you did not mention. Typically, if we want to make the community version more attractive than our competitors’, we need to give away more free stuff. It’s something that worked very well with Bitwarden, which gave away a lot of free stuff from the start and took off faster than us, because it was doing a lot more for free. Their focus was really, at first, on individual users; they understood that if there is adoption at the level of a person, potentially, afterwards, there is adoption in the company. It really has an American focus, it’s very cloud-oriented. When they consume software, Americans want it in SaaS [Software as a Service] mode. Its open-source, self-hosted version is really a call for people to get it inside the company and then for the company to buy the pro version.
Our model is a little different. We really want people to self-host. You can’t have the same strategy.
Walid Nouh: It’s interesting because if I take a lot of the software that has been created recently, let’s say in the era of the cloud, not the slightly legacy software, part of their model is to attract people to the cloud, which brings recurring revenues, which allows them to pay the development team and all that and then to be able to finance the Community version.
Basically, if I understand what you’re saying, the goal for you is to get people to switch to the pro, self-hosted version, rather than the cloud version, or maybe a mix of both.
Rémy Bertot: For me, the goal is that people who have small teams – a small NGO or a small project – can use the Community version and they don’t have to pay anything. That’s really what the game is all about. After that, slightly more mature companies, institutions or governments go through the paid version.
It’s not interesting for me to do support for an SME where there’s one guy who manages IT, it doesn’t scale, I’m going to need too many resources in terms of support. On the other hand, when I have a large French company that deploys Passbolt on its entire fleet, with a competent IT team that chose Passbolt because it met its security criteria and that has complete control of hosting, then it becomes interesting.
There is also a selection of the type of client you want. It’s not “we try everything and take what makes money.” We still try to be efficient because there are things that are not profitable, especially in self-hosted.
Walid Nouh: This brings me to the next question; we will end up coming back to the issue of security audits.
You’ve set up the company, you’ve proven that there is indeed a business model. When did you raise funds? What did you use these funds for? I say this because when I was working on an open source project, we had people from large companies, such as French industrial groups or others, who would come to us and say “have you done any security audits?” and we would answer “sorry, we don’t have the money to do the security audits”. In your case, in fact, the security audit is something that is budgeted directly in the business model. When did you raise money and what was it used for?
Rémy Bertot: In fact, at the end of the Fit 4 Start, there’s another grant of 150,000 euros that is released, if I remember correctly, if I am not talking nonsense; 150,000 euros covers the salary of three people for one year, plus the running costs of the company. We started with that and it was used to develop this marketable version. We didn’t raise funds right away.
Then, once we launched this paid version, that’s when we raised funds. We raised with institutional actors. At the moment, Passbolt’s largest shareholder is Digital Tech Fund, which is a Luxembourg sovereign wealth fund. You have La Poste, the University of Luxembourg and the Banque du Luxembourg, which have set up an investment fund managed by a venture capital firm called Venture Capital, which is a Luxembourg fund. It is Passbolt’s largest shareholder. So we raised with them and with business angels from Luxembourg, France and Belgium. Basically, we went around the table with all these people and, later, other funds also came in from Belgium and Luxembourg. These are old networks of business angels that have grown and made slightly bigger funds.
Now, we are in talks to raise a new round of funds, which people generally call a Series A, which would be used to build, to have slightly broader shoulders because, on the other hand, we have competitors such as 1Password or even Bitwarden who raise hundreds of millions of euros. So if we want to keep a place on the chessboard, we need to raise at least with one more zero behind, to be able to build more features and have a commercial tool that is a little bit stronger, that kind of thing.
The objective is really to keep this European character and not to take just any investment. We want to work with serious people who understand open source and cybersecurity, which is not necessarily easy. It’s not crowded, but we have good partners.
Walid Nouh: If I go back to audits, you do a lot of audits on all the new features, which is not necessarily the case for all players in the industry. Can you tell us a bit more about your philosophy that guarantees transparency and good quality of the software in the end?
Rémy Bertot: As you said, the security budget already had a place from the start, even when the company was very small. We were fortunate, in fact, to have a large car company in France, I cannot say the name – you have an idea – which financed a security audit because it wanted to adopt us internally, and which therefore financed a first security audit without us having to pay anything. That was our first security audit and then we turned to the partner we already knew from Mailvelope, Cure53. They’re based in Germany, they’ve done the audits of 1Password, the Ethereum protocol, they audit pretty much everyone, they’re pretty reputable.
We do not do an audit to say that we have done an audit. We have people who do two-hour, six-hour audits! It’s superficial. Usually, Cure53 is asked to focus for a week on one part of the software. Typically, for example, we will do an audit that is focused on mobile, they will have a week with several people on both mobile applications. For example, when we released the Account Recovery system, the key escrow system, the same thing, they spent a week on it. Same thing when we released our first White Paper, they really had a week on the White Paper to say what the residual risks were that were not well described in the White Paper.
That’s one of the big differences we have with the others. There is a mention, in Europe, for password managers, that the residual risks should be described in the white paper. You have white papers where everyone says “my solution is great”. That’s not what a white paper is about. A white paper is all about describing what you’re not doing well. You have the right to do a part about what you do well, of course, you wrote the system, but there is also a whole part where “these are the risks that we don’t manage, so you, as a user, you have to be careful”. Typically, if I’m afraid that this risk will happen or, if that risk happens, someone dies, then it’s not acceptable. You have to read this list carefully and understand it well, so making this list accessible and understandable not only by cybersecurity researchers but, ideally, by people with technical experience, is something that is really in our philosophy. From the beginning we wanted to be transparent, we didn’t want to lie. It’s also a way of protecting oneself, to say “the thing will never be perfect, in fact there is no absolute security. If you want this feature, you’re going to have to give up this part of the security.” It’s that balance that’s important to us and, in the same way, when we make mistakes, those mistakes should be public so that people can take into account “OK, there was such and such a mistake, that’s the impact for me, I have to react in such and such a way, I have to talk to such and such a person.” It has to be transparent. In fact, it’s in the philosophy of Free Software; for me it’s an extension of that philosophy of Free Software.
Walid Nouh: That’s right. It’s something I’ve always appreciated about the communication every time I’ve set up Passbolt, etc., which isn’t necessarily the case with some others, who would rather sweep it under the rug so that it doesn’t show. It’s something I’ve always enjoyed. We often talk about free software, but we don’t necessarily talk about open standards. For the time being, open standards in security are something that is very important.
A question I ask myself: are you actors, in one way or another, in normalization or that sort of thing? Are you working on the evolution of protocols? Are you a player in this area at your size or are you, grouped together with other players in the password management sector, working on these subjects?
Rémy Bertot: Completely. First of all, we are not involved in OpenPGP itself, even if we have quite strong affinities with the community: we have met a lot of people, we have worked on projects in partnership with GnuPG, for example when there was an integration project for Mailvelope, to integrate Mailvelope with GnuPG and use GnuPG as a back-end. We also met at events the people who work on Sequoia-PGP, an OpenPGP implementation in Rust.
The OpenPGP standard is quite complicated and it is, in quotes, quite “old”. There is a whole section for which there are quite heated discussions about what the evolution of the standard should be. You speak as a user, but you don’t have the firepower or experience to give advice to Werner [Koch] or other people. What we’re more interested in is how to use OpenPGP, which blocks we don’t use because we don’t consider them safe. We’re working with Thomas from Mailvelope to find out what the good parts of OpenPGP are, because there are parts that are a bit scary in OpenPGP and we need to exclude them to create a security solution.
We follow closely all the new RFCs [Requests for comments], for example Practical Cryptography, which is not officially an OpenPGP standard, but which everyone has already implemented, we follow it carefully.
I don’t know if you’ve seen, we’ve joined the FIDO Alliance, which works on standards like WebAuthn and passkeys. For us, the goal is to make our voice heard regarding the interoperability of passkeys. Passkeys are intended to replace passwords; basically it’s a set of public/private keys that will be created for each website when the thing is available to everyone, and actors like Microsoft, Google, Apple will be in charge of storing these public keys and private keys that are used to make signatures to log in to websites.
People know a little bit about this protocol if they use YubiKey-type keys or open source alternatives, Nitrokey it seems to me, in short, FIDO-compatible hardware security keys. Now Microsoft allows, for example, an integration with Microsoft Hello, so with facial recognition, to interact with the Windows keyring; Apple does the same thing. So there’s a convergence, at that level, to create basically three big silos with Apple managing Apple users’ passkeys, Microsoft the same thing. So there’s a place for password managers to play, to enable precisely this interoperability, to allow them to store passkeys, but also to bridge the gap between the Microsoft and Apple ecosystems or, I don’t know, Android and Linux, that kind of thing.
That is the part of the dialogue that we are interested in. We also have a dialogue with the password managers: we talk with the Bitwarden actors, with 1Password, with Dashlane as well, which is very active on this. Working groups have been created, at the initiative of Dashlane, which is to its credit. For example, we are going to meet in Dublin to talk about these interoperable standards.
Another project they are currently working on is interoperability between password managers. At the moment it’s a bit of a free-for-all, everyone does their own format and all password managers are forced to implement six or seven import/export formats. Generally, they do six imports and one export.
Walid Nouh: Is it KeePass?
Rémy Bertot: Initially, we thought that KeePass was already a good format because, potentially, it is supported by everyone and it is an export that is secure. It’s not a plaintext CSV file; KeePass is still better than a CSV. There’s a whole part, I don’t want to spoil the surprise too much, that they’re adding on this, which is not covered by KeePass; you’ll hear about it in a few months.
Walid Nouh: To finish on this security part, this business part, what interested me is to know a little bit what your next challenges are. A small note: I do a lot of no-code and, in the no-code applications that we can find like n8n, Zapier, there is no Passbolt, so we do HTTP calls and everything. I wanted to know what your big challenges are, the big stuff that you see for the future, that are really hyper-important to Passbolt.
Rémy Bertot: It’s funny that you mention Zapier because I spoke to the CTO of Zapier last week. He asked me how come Passbolt is not part of the catalog. Well yes, why? We have to ask ourselves, for all these integrations, ideally, about a partnership with them; I’m interested in integrating with Zapier, but at the same time it has to make sense for us.
For open source projects that are not commercial, it’s normal that we make the effort, typically we won’t ask the KeePass community to do the import/export in Passbolt.
For other proprietary projects there may be a discussion. We’re in discussions with other cloud products that want to build integrations with Passbolt. It’s a challenge, but I’d say it’s not our main focus. Our focus right now is really on creating the best product for users, so the experience inside Passbolt, and driving the adoption of the product within ever-growing organizations. That’s really our focus.
After that, we have challenges in terms of security. Typically, not all metadata is encrypted in Passbolt; it’s not like KeePass, where you have a vault, an encrypted file; necessarily there you have a relational database. So there is still data that could be encrypted and that is not. This is a subject that is close to my heart, and one that I really want to work on in the coming months. It’s a complicated subject because it affects performance but also auditability: what is visible to an administrator, how to make sure that encrypted things are visible. We are in discussion. Typically we have the SnT [Interdisciplinary Centre for Security, Reliability and Trust], in Luxembourg, which is a crypto department of the University of Luxembourg, which is quite reputable, which works on homomorphic encryption, which makes it possible to make encryption that has logical properties. If you have two encrypted numbers, you can do a multiplication, a subtraction; it’s interesting because the server doesn’t know. For example, if you want to report on password entropy, you’re going to store an integer that’s going to say “I have 160 bits of entropy” and you’re going to have a company policy that says “I don’t want passwords that are below 90 bits of entropy.” With homomorphic encryption, you’re going to be able to do that. You’re going to ask the server “calculate the distance between these two numbers” without it knowing what those two numbers are. These are super interesting properties for us, because they allow us to generate reports without leaking any information. These are things that we can’t do right now with OpenPGP. We are in discussions on that. These are algorithms that are new, that are not yet standardized; there are no recommendations, for example, at the ISO level on this type of algorithm. These are things that we look at closely.
So there’s the short term, there’s the medium term, there’s the long term. We try to build on all these challenges.
Walid Nouh: We talked a little bit about the different initiatives, the different actors in Luxembourg. I don’t know the Luxembourg scene in terms of free software. Is it very active? Is it a good enough place to make free software? I have no idea at all. As someone who is in it, can you give us a little bit of a vision of what it’s like to make free software in Luxembourg?
Rémy Bertot: Luxembourg is quite small; the advantage is that everyone knows each other, but there are not many players. Still, there are open source projects that have broken through. I don’t know if you’re familiar with MISP, which is a software that allows you to do threat sharing, intelligence sharing about adversaries such as malware, and which is used by many other solutions. Typically, Google relies on it to get information about the malware that is circulating; banks work on it to be able to detect attacks or even create firewall rules. It was developed by an organization called SECURITYMADEIN.LU, which is now called House of Cybersecurity. They have made several open source software packages.
They also made a risk management software called Kace, which is also open source. There is therefore a real willingness, at least on the part of cyber players in Luxembourg, to create open source solutions. We have a very strong alignment with them. The CIRCL [Computer Incident Response Center Luxembourg] in Luxembourg works on malware analysis and incident response. They’re doing a pretty exceptional job and they have the same values as us, which is to say there’s a very good alignment.
I don’t know of any company that is really a free software publisher in Luxembourg, but there is an ecosystem of service providers; typically Smile, which does free software, operates here.
However, as everywhere, there are many free software users and free software contributors in Luxembourg. But, as far as I know, there aren’t many players, software publishers like us. The economic terrain is conducive to this and, as I said, at least in terms of cybersecurity, the authorities and state actors are really fond of this.
Walid Nouh: We’re coming to the end of the interview. It’s time for an op-ed. The floor is yours, you can pass on a message to the listeners, I’ll let you finish with the floor.
Rémy Bertot: I just wanted to say thank you, Walid, for inviting me. I would also like to say thank you to the Passbolt community, to all those who have contributed to Passbolt, and also to all the employees of the Passbolt company who do, day by day, work that is stressful and also very rewarding. Today I’m on stage, I have the spotlight on me, but there are still a lot of actors at Passbolt who do an exceptional job, including my co-founders, Cédric and Kevin, and also the whole design team, all the developers of Passbolt. I invite you to join them on community.passbolt.com, if you have any questions, we will be happy to discuss with you.
Walid Nouh: Great, that was the last word.
For all those who liked this episode, thank you for listening. Don’t hesitate to talk about it around you, to circulate it on social networks and I’ll see you soon for a next episode, exciting I hope, like the discussion we just had which delights me as a convinced user of Passbolt. It was really a great pleasure, Rémy, to be able to talk with you about the project in a little depth.
Rémy Bertot: Thank you very much. See you again.
Walid Nouh: See you again.
This episode was recorded on April 26, 2023.
Transcription by the APRIL transcription group. Also available on librealire.org (a big thank you to the team!).
License
This podcast is published under the dual license Art Libre 1.3 or later – CC BY-SA 2.0 or later.
Learn more about Remy Bertot and Passbolt
- Passbolt’s website: https://www.passbolt.com/
- Passbolt on Github: https://github.com/passbolt
- The Passbolt Forum: https://community.passbolt.com/
- Remy’s LinkedIn profile: https://www.linkedin.com/in/remy-bertot-7913a0254/
- Remy Bertot’s conference on Passbolt at FOSDEM 2023: https://fosdem.org/2023/schedule/event/passbolt/
- Mailvelope’s website: https://mailvelope.com/en/