OSSAlt Team
Tags: self-hosted, security, password-manager, docker

Passbolt vs Vaultwarden vs Bitwarden: Self-Hosted Teams 2026

TL;DR

Vaultwarden wins for individuals and small teams that want zero overhead — it runs on 50MB RAM, deploys in 5 minutes, and unlocks all Bitwarden premium features for free. Passbolt is built for team collaboration first — end-to-end encrypted password sharing with granular access controls, regular security audits, and a free Community edition. Bitwarden's official self-hosted server is the enterprise choice — SSO, advanced policies, and a formally audited codebase, but it demands 2GB+ RAM and requires an enterprise license for org features. Pick by team size and compliance requirements, not by raw feature count.

Key Takeaways

  • Vaultwarden: 35,000+ GitHub stars, ~50MB RAM idle, Rust-based, all Bitwarden clients work out of the box
  • Passbolt: PGP end-to-end encryption, free Community edition, $49/mo Business (self-hosted), team-first password sharing
  • Bitwarden official: 2GB RAM minimum (4GB recommended), requires enterprise license for self-hosted org sharing, $6/user/month
  • Vaultwarden is not officially supported by Bitwarden — it's a community reimplementation; evaluate your risk tolerance
  • Passbolt requires a browser extension — no mobile-native vault, no TOTP storage by default
  • For small teams under 20 people, Vaultwarden + Bitwarden clients is the fastest path to a working shared vault

The Self-Hosted Password Manager Problem

Every team eventually confronts the same question: do you trust a third-party SaaS with your credentials, or do you self-host?

The SaaS argument is compelling: LastPass, 1Password, and Bitwarden Cloud offer polished apps, mobile sync, and zero infrastructure overhead. But the self-hosting case has grown stronger in 2025–2026: LastPass's 2022 breach still reverberates in enterprise risk assessments; 1Password and Dashlane raised prices significantly; and regulatory requirements (GDPR, SOC 2, HIPAA) increasingly mandate data sovereignty.

The three dominant open-source self-hosted options — Vaultwarden, Passbolt, and Bitwarden's official server — approach the problem from different angles. Understanding which angle fits your team is the entire decision.


Vaultwarden: Bitwarden Clients, Fraction of the Resources

Vaultwarden (formerly bitwarden_rs) is an unofficial Bitwarden-compatible server written in Rust by the open-source community. It exposes the same API that all official Bitwarden clients expect — browser extensions, desktop apps, mobile apps — but runs in a tiny fraction of the official server's resource footprint.

What Makes It Special

The Bitwarden official server is a .NET monolith that requires a full Docker Compose stack: MSSQL database, NGINX, multiple microservices. At idle, expect 1–2GB RAM minimum. Vaultwarden ships as a single Rust binary in a single Docker container. At idle: ~50MB RAM. On a Raspberry Pi 5: ~150ms sync times.

This isn't a trimmed-down version. Vaultwarden implements virtually all Bitwarden server features: organizations, collections, user management, two-step login, emergency access, Bitwarden Send, and even TOTP/authenticator vault storage. The 35,000+ GitHub stars reflect genuine community trust.

Docker Setup (5 Minutes)

services:
  vaultwarden:
    # Pin a release tag in production rather than :latest, so a server/client
    # compatibility change (see The Caveats below) happens only when you upgrade.
    image: vaultwarden/server:latest
    restart: unless-stopped
    volumes:
      # SQLite database, attachments and the JWT signing keys live here: back it up.
      - ./vw-data:/data
    environment:
      # Must be the public HTTPS URL; clients and WebAuthn depend on it.
      DOMAIN: "https://passwords.yourdomain.com"
      # Placeholder. Vaultwarden also accepts an Argon2 PHC hash here (generate
      # it with `vaultwarden hash` inside the container) so the admin secret is
      # not kept in plaintext in this file.
      ADMIN_TOKEN: "your-secure-admin-token"
    ports:
      # The container speaks plain HTTP. With the reverse proxy on the same host,
      # bind to "127.0.0.1:80:80" so the vault is unreachable without TLS.
      - "80:80"

Put this behind a reverse proxy (Nginx, Caddy, Traefik) with HTTPS, and you have a fully functional Bitwarden-compatible vault.

The Caveats

Vaultwarden has two honest limitations:

  1. No official security audit. Bitwarden's official server is audited annually by third-party security firms. Vaultwarden is community-maintained and hasn't undergone formal penetration testing. For teams with strict compliance requirements (SOC 2, HIPAA), this is a disqualifying factor.

  2. API compatibility is unofficial. When Bitwarden ships client updates, Vaultwarden may lag. Major client version mismatches occasionally break sync until Vaultwarden catches up.

Vaultwarden is best for: Solo developers, homelab enthusiasts, small teams under 10 people, and any team prioritizing minimal infrastructure over formal compliance documentation.


Passbolt: End-to-End Encryption Built for Teams

Passbolt's design philosophy differs fundamentally from Bitwarden's. Where Bitwarden encrypts your vault and syncs it, Passbolt's model is built around sharing encrypted secrets between specific people, using OpenPGP keys, with each user's private key never leaving their device.

The PGP Model and What It Means

When a team member in Passbolt shares a password with you, the system re-encrypts that credential with your public key. This means:

  • The server never holds decryptable credentials
  • Even a compromised Passbolt server doesn't expose plaintext passwords
  • Sharing is granular: you can share a single credential with one person, a group, or revoke access individually

This is a meaningfully stronger security model than Bitwarden's vault encryption for team credential sharing — and it's why Passbolt is popular in security-conscious organizations, infosec teams, and agencies managing client credentials.

Pricing Model (Self-Hosted)

Plan       | Monthly Cost | Users     | Key Features
Community  | Free         | Unlimited | Core password sharing, browser extension, CLI, Docker
Business   | $49/month    | Unlimited | LDAP/AD sync, SSO (SAML), 2FA enforcement, audit logs, MFA per group
Enterprise | Custom       | Unlimited | Custom SLA, dedicated support, advanced compliance features

The Community edition is genuinely useful — not a crippled trial. It includes the full password sharing model, browser extensions for Chrome/Firefox/Edge, a CLI, and Docker deployment. The $49/month Business edition adds enterprise authentication (SSO, LDAP) and governance (audit logs, MFA enforcement).

Setup Requirements

Passbolt recommends 2 CPU cores, 2GB RAM, and 20GB storage for production. The official Docker Compose setup includes:

  • Passbolt application container
  • MariaDB database
  • NGINX web server

Initial setup takes 15–30 minutes, including SSL configuration. An email server is required — Passbolt sends invitation and notification emails.

Honest Limitations

Browser extension required. Passbolt's security model is built around the browser extension handling PGP key management. There's no native mobile app with direct vault access — mobile users must use a browser extension workaround. For teams where mobile access is critical, this is a real friction point.

No TOTP storage. The Community edition doesn't store TOTP codes alongside credentials (the Business edition adds this). Teams that keep authenticator codes in their password manager will need an alternative.

PGP onboarding friction. Each new user must generate and register a PGP key during setup. This is a one-time process but adds onboarding complexity for non-technical team members.

Passbolt is best for: Security teams, infosec agencies, regulated industries (legal, healthcare, finance), and organizations that need granular per-user credential sharing with cryptographic guarantees.


Bitwarden Official Server: The Enterprise-Grade Option

The Bitwarden official self-hosted server is the same codebase that powers Bitwarden Cloud — with all of its advantages and infrastructure requirements.

Why You'd Choose Official Over Vaultwarden

The official server has three things Vaultwarden doesn't:

  1. Formal security audits — annual third-party penetration testing by firms like Cure53, with published reports
  2. SOC 2 Type II compliance — required for many enterprise procurement processes
  3. Official Bitwarden support — SLA-backed support for Enterprise customers, with a dedicated account team

For organizations where a vendor must provide compliance documentation, Vaultwarden is simply not an option — and Passbolt's audit history, while better than Vaultwarden's, doesn't match Bitwarden's formal compliance program.

Resource Requirements

Component            | Minimum      | Recommended
CPU                  | 1.4GHz x64   | 2GHz dual-core
RAM (Linux)          | 2GB          | 4GB+
RAM (Windows Server) | 6GB          | 8GB+
Storage              | 12GB         | 25GB+
Docker               | Engine 26.0+ | Engine 27.x

The resource footprint is significant compared to Vaultwarden — you're running a .NET stack with MSSQL (or other supported databases). This is why most hobbyists and small teams choose Vaultwarden instead.

Licensing for Self-Hosted Organizations

Here's the critical detail often missed: Bitwarden's self-hosted server is free to install, but self-hosting an organization (enabling password sharing between users) requires an enterprise license.

  • Free (self-hosted): Personal vault, no sharing
  • Teams ($4/user/month): Shared org vaults, basic policies
  • Enterprise ($6/user/month): SSO, advanced policies, SCIM provisioning, self-hosting included

For a 10-person team, self-hosted Bitwarden Enterprise costs $600/year minimum — versus $0 for Vaultwarden or $0 for Passbolt Community.

Bitwarden official is best for: Enterprises with formal compliance requirements (SOC 2, ISO 27001), organizations that have procurement approval processes requiring official vendor support, and teams already on Bitwarden Cloud considering migration.


Side-by-Side Comparison

Dimension         | Vaultwarden            | Passbolt Community      | Bitwarden Official
License           | AGPL-3.0               | AGPL-3.0                | AGPL-3.0
Self-host cost    | Free                   | Free                    | Free (personal) / $6/user/mo (org)
RAM at idle       | ~50MB                  | ~512MB                  | ~2GB
Setup time        | ~5 minutes             | ~30 minutes             | ~45–60 minutes
Security audit    | None (community)       | Annual (3rd party)      | Annual (Cure53 + others)
SOC 2 compliance  | No                     | Partial                 | Yes
Mobile apps       | All Bitwarden clients  | Browser extension only  | All Bitwarden clients
TOTP storage      | Yes                    | Business plan only      | Yes
LDAP/AD sync      | Manual                 | Business plan           | Enterprise plan
SSO/SAML          | Limited                | Business plan           | Enterprise plan
Team sharing      | Full (org model)       | Granular PGP sharing    | Full (org model)
GitHub stars      | 35,000+                | ~4,000 (API repo)       | Official (Bitwarden Inc.)

The Decision Framework

Choose Vaultwarden if:

  • You want the full Bitwarden client experience with minimal infrastructure
  • You're a solo developer, homelab user, or small team under ~15 people
  • Low RAM usage matters (Raspberry Pi, shared VPS, tiny VM)
  • You don't need formal compliance documentation

Choose Passbolt if:

  • Granular, per-credential team sharing is a core requirement
  • Your threat model requires that the server never sees plaintext credentials
  • You work in a security-sensitive industry (infosec agency, legal, healthcare)
  • Mobile access is secondary to desktop/browser access for your team

Choose Bitwarden Official if:

  • Your organization has formal compliance requirements (SOC 2, ISO 27001)
  • Procurement requires an official vendor with SLA-backed support
  • You're already on Bitwarden Cloud and want to move data in-house
  • Team size and budget justify $6/user/month for enterprise features

Migration Paths

Moving between these platforms is feasible but imperfect:

Bitwarden Cloud → Vaultwarden: Export from Bitwarden Cloud, import into Vaultwarden. All clients point to your new server URL. Clean migration in under an hour.

Bitwarden/Vaultwarden → Passbolt: Export to JSON/CSV from Bitwarden, import into Passbolt via CLI or browser extension. Org structures need manual recreation.

Passbolt → Vaultwarden/Bitwarden: Export from Passbolt CLI or admin panel, import into Bitwarden-compatible format. Most credential metadata transfers cleanly.


Methodology

  • Sources consulted: 8
  • Data from: Passbolt.com pricing page, GitHub repositories, Vaultwarden GitHub discussions, Bitwarden official docs, Capterra 2026 comparisons
  • Date: March 2026

Already decided on Vaultwarden? See our self-hosting guide for Vaultwarden and advanced security hardening tips.

Related: Authentik vs Keycloak vs Authelia SSO 2026 · Best Open Source Alternatives to SaaS Security Tools
