Self-Hosted Password Manager Alternatives 2026
TL;DR
The best self-hosted password manager alternatives in 2026 are Vaultwarden (a lightweight Bitwarden-compatible server, 41K+ stars), Passbolt (AGPL-3.0, built for teams with PGP encryption), and KeePassXC (GPL-2.0, fully offline, no server needed). 1Password costs $3–8/user/month; LastPass was compromised in 2022. Self-hosted password managers give you zero-knowledge encryption on infrastructure you control, at the cost of your own server and backup discipline.
Key Takeaways
- Vaultwarden (AGPL-3.0, 41K+ stars) — unofficial Bitwarden-compatible server written in Rust, uses ~8 MB RAM vs official Bitwarden's 2+ GB. All official Bitwarden clients work with it
- Passbolt (AGPL-3.0, 4K+ stars) — team-first password manager with OpenPGP-based sharing, LDAP/SSO integration, and granular permissions. Purpose-built for shared secret management
- KeePassXC (GPL-2.0, 22K+ stars) — fully local, zero network dependency, excellent browser extensions. Sync via any file sync tool (Nextcloud, Syncthing, etc.)
- Bitwarden official server (AGPL-3.0, 16K+ stars) — the enterprise-grade self-hosted option, requires .NET 8 and MSSQL or PostgreSQL, 2+ GB RAM
- LastPass breaches in 2022 exposed encrypted vaults — if your team is considering a move away from cloud-only password managers, now is the time
Why Self-Host Your Password Manager?
Password managers are the highest-value target for credential theft. When a cloud password manager is breached, attackers get encrypted vaults; if master passwords are compromised along with the provider's infrastructure, decryption is feasible.
The case for self-hosting:
- Data sovereignty: encrypted vaults on your infrastructure, not a third-party cloud
- Zero third-party trust: you verify the encryption implementation yourself
- No SaaS breach risk: a compromise of Bitwarden's cloud doesn't affect your self-hosted server
- Audit trail: full control over access logs, session management, and admin notifications
- Cost: 1Password Business costs $8/user/month ($960/year for 10 users); Vaultwarden self-hosted is ~$6/month for the VPS
The responsibilities:
- Backups are entirely your responsibility — lose the database, lose your passwords
- Server availability affects access — plan for this with your team
- Security patching is on you — apply updates when released
Vaultwarden vs Passbolt vs KeePassXC vs Bitwarden
| Feature | Vaultwarden | Passbolt | KeePassXC | Bitwarden |
|---|---|---|---|---|
| License | AGPL-3.0 | AGPL-3.0 | GPL-2.0 | AGPL-3.0 |
| GitHub Stars | 41K+ | 4K+ | 22K+ | 16K+ |
| Server Required | Yes | Yes | No | Yes |
| RAM Usage | ~8 MB | ~256 MB | N/A (local) | 2+ GB |
| Browser Extensions | ✅ (Bitwarden's) | ✅ | ✅ | ✅ |
| Mobile Apps | ✅ (Bitwarden's) | ✅ | ✅ | ✅ |
| Desktop App | ✅ (Bitwarden's) | ✅ | ✅ | ✅ |
| Encryption | AES-256 (PBKDF2/Argon2) | OpenPGP | AES-256 (ChaCha20) | AES-256 |
| E2E Encrypted Sharing | ✅ | ✅ (PGP keys) | Via file sync | ✅ |
| LDAP/SSO | Enterprise only | ✅ Built-in | N/A | Enterprise only |
| Granular Sharing | ✅ | ✅ Fine-grained | Limited | ✅ |
| Emergency Access | ✅ | ❌ | ❌ | ✅ |
| 2FA Support | ✅ | ✅ | ✅ | ✅ |
| TOTP Built-in | ✅ | ❌ | ✅ | ✅ |
Option 1: Vaultwarden — Best for Most Teams
Vaultwarden is a complete reimplementation of the Bitwarden server API in Rust. It exposes the same API as the official Bitwarden server, so all official Bitwarden clients (browser extensions, desktop apps, mobile apps) connect to it without modification.
Why Vaultwarden Wins for Teams
The official Bitwarden self-hosted server requires .NET 8, MSSQL, and ~2 GB RAM. Vaultwarden is a single Rust binary that uses SQLite (or PostgreSQL/MySQL) and runs in ~8 MB of RAM. For teams under 100 users, Vaultwarden delivers the same client experience at a tiny fraction of the resource cost.
Docker Compose Setup
```yaml
# docker-compose.yml
version: "3.8"
services:
  vaultwarden:
    image: vaultwarden/server:latest
    restart: unless-stopped
    ports:
      # Bind to loopback only: the container speaks plain HTTP,
      # and the Nginx proxy below terminates TLS in front of it.
      - "127.0.0.1:80:80"
    environment:
      DOMAIN: https://vault.yourdomain.com
      ADMIN_TOKEN: "${ADMIN_TOKEN}"
      SIGNUPS_ALLOWED: "false"
      INVITATIONS_ALLOWED: "true"
      SMTP_HOST: "${SMTP_HOST}"
      SMTP_FROM: "vault@yourdomain.com"
      SMTP_PORT: 587
      SMTP_USERNAME: "${SMTP_USERNAME}"
      SMTP_PASSWORD: "${SMTP_PASSWORD}"
      SMTP_SECURITY: starttls
    volumes:
      - vaultwarden_data:/data

volumes:
  vaultwarden_data:
```
```bash
# .env - Generate admin token with:
#   openssl rand -base64 48
ADMIN_TOKEN=changeme-random-48-char-token
SMTP_HOST=smtp.yourdomain.com
SMTP_USERNAME=vault@yourdomain.com
SMTP_PASSWORD=your-smtp-password
```

```bash
docker compose up -d
```
Critical settings after first boot:
- Visit `https://vault.yourdomain.com/admin` with your `ADMIN_TOKEN`
- Disable new signups: `SIGNUPS_ALLOWED=false` (users must be invited by admin)
- Enable invitations so admins can add users
- Configure email notifications for security events
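A pre-deploy check for the settings above, as an added example that is not part of the original page or the Vaultwarden project. The `preflight` function name and its messages are illustrative, and it assumes the `.env` and `docker-compose.yml` layout shown on this page.

```bash
#!/bin/bash
# Added example: lint the .env and docker-compose.yml from this page before `docker compose up`.
# preflight is an illustrative name; it returns 0 only when every check passes.

preflight() (
    env_file="$1"; compose_file="$2"; rc=0
    warn() { echo "WARN: $*"; rc=1; }

    # /admin is protected only by this token: reject the placeholder and short values.
    token=$(sed -n 's/^ADMIN_TOKEN=//p' "$env_file" | tail -n 1)
    case "$token" in
        ""|changeme*) warn "ADMIN_TOKEN is unset or still the placeholder" ;;
        *) [ "${#token}" -ge 48 ] || warn "ADMIN_TOKEN is shorter than 48 characters" ;;
    esac

    # The .env file also holds the SMTP password; it should not be world-readable.
    [ -z "$(find "$env_file" -perm -004)" ] || warn "$env_file is world-readable"

    # Open registration lets anyone who can reach the server create an account.
    grep -Eq '^[[:space:]]*SIGNUPS_ALLOWED:[[:space:]]*"?false"?[[:space:]]*$' "$compose_file" \
        || warn "SIGNUPS_ALLOWED is not false"

    # Clients should only ever be given an https:// origin.
    grep -Eq '^[[:space:]]*DOMAIN:[[:space:]]*"?https://' "$compose_file" \
        || warn "DOMAIN is not an https:// URL"

    # A mapping such as "80:80" with no address publishes plain HTTP on every interface.
    if grep -Eq '^[[:space:]]*-[[:space:]]*"?[0-9]+:[0-9]+"?[[:space:]]*$' "$compose_file"; then
        warn "container port is published on all interfaces, bypassing the TLS proxy"
    fi

    exit "$rc"
)
```

Run it as `preflight .env docker-compose.yml` from the project directory and deploy only when it prints nothing.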
Nginx with SSL
```nginx
server {
    listen 443 ssl;
    server_name vault.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/vault.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vault.yourdomain.com/privkey.pem;

    client_max_body_size 525M;

    location / {
        proxy_pass http://127.0.0.1:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /notifications/hub {
        # Current Vaultwarden releases serve WebSocket notifications on the main
        # HTTP port; the compose file above publishes no separate port 3012.
        proxy_pass http://127.0.0.1:80;
        proxy_http_version 1.1;  # the WebSocket upgrade needs HTTP/1.1 to the upstream
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /notifications/hub/negotiate {
        proxy_pass http://127.0.0.1:80;
    }
}
```
The /notifications/hub location handles WebSocket real-time sync between clients.
Backups
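```bash
#!/bin/bash
# Daily backup script
# Run from the directory that holds docker-compose.yml so `docker compose` finds the project.
set -euo pipefail
umask 077  # archives contain the vault database; keep them readable by the owner only

DATE=$(date +%Y%m%d)
BACKUP_DIR="/backups/vaultwarden"
mkdir -p "$BACKUP_DIR"

# Stop container briefly for consistent backup (optional: use SQLite backup API instead)
docker compose stop vaultwarden
trap 'docker compose start vaultwarden' EXIT  # restart the container even if tar fails
tar -czf "$BACKUP_DIR/vaultwarden-$DATE.tar.gz" /path/to/vaultwarden_data/

# Keep 30 days of backups
find "$BACKUP_DIR" -name "*.tar.gz" -mtime +30 -delete
```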
Run this with a daily cron job. Test restores quarterly.
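One way to run the restore test recommended above, as an added example that is not part of the original page or the Vaultwarden project. `verify_backup` is an illustrative name, and it assumes the default SQLite backend, whose database file in the data directory is `db.sqlite3`.

```bash
#!/bin/bash
# Added example: restore-test a backup archive in a scratch directory.
# Assumes the SQLite backend and its default database file name, db.sqlite3.

verify_backup() (
    archive="$1"
    [ -s "$archive" ] || { echo "FAIL: archive missing or empty"; exit 1; }

    # 1. The gzip stream and tar index must be readable end to end.
    tar -tzf "$archive" >/dev/null 2>&1 || { echo "FAIL: archive is corrupt"; exit 1; }

    # 2. Restore into a private scratch directory, never over the live volume.
    scratch=$(mktemp -d) || exit 1
    trap 'rm -rf "$scratch"' EXIT
    tar -xzf "$archive" -C "$scratch" 2>/dev/null \
        || { echo "FAIL: extraction failed"; exit 1; }

    # 3. The vault database must exist and carry the SQLite file magic.
    db=$(find "$scratch" -type f -name db.sqlite3 | head -n 1)
    [ -n "$db" ] || { echo "FAIL: db.sqlite3 not in archive"; exit 1; }
    magic=$(head -c 15 "$db" 2>/dev/null)
    [ "$magic" = "SQLite format 3" ] \
        || { echo "FAIL: db.sqlite3 is not an SQLite file"; exit 1; }

    # 4. With the sqlite3 CLI installed, also run SQLite's own structural check.
    if command -v sqlite3 >/dev/null 2>&1; then
        result=$(sqlite3 "$db" "PRAGMA integrity_check;" 2>&1)
        [ "$result" = "ok" ] || { echo "FAIL: integrity_check: $result"; exit 1; }
    fi

    echo "OK: $archive restores to a readable vault database"
)
```

Calling it on the newest archive at the end of the backup job turns a silent bad backup into a failed cron run.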
Option 2: Passbolt — Best for Team Credential Sharing
Passbolt (AGPL-3.0) is built specifically for team environments where multiple people need access to shared credentials — API keys, server passwords, service accounts. It uses OpenPGP key pairs: each user has a PGP key, and passwords are encrypted per-recipient, meaning even Passbolt's server admin can't read the passwords.
Passbolt's LDAP/SSO integration is built into the Community Edition (free, self-hosted) — unlike Vaultwarden where SSO requires the premium Bitwarden server. If your team authenticates via Active Directory, Google Workspace, or Okta, Passbolt integrates without a per-seat license.
For the full Vaultwarden self-hosting guide with hardware recommendations, see how to self-host Vaultwarden as a password manager.
For a comparison of all major password managers including 1Password and LastPass, see Best Open Source Password Managers in 2026.
When to Use Which
Choose Vaultwarden if:
- You want the Bitwarden UX (browser extensions, mobile apps, desktop apps) on your own server
- Your team is under 100 users and doesn't need enterprise LDAP out of the box
- You want the lightest possible resource footprint (8 MB RAM)
Choose Passbolt if:
- Team credential sharing with fine-grained permissions is your primary use case
- You need LDAP/SSO integration for free (Community Edition)
- OpenPGP-based encryption is a requirement for your security policy
Choose KeePassXC if:
- You're an individual or small team that doesn't want to run a server
- You want fully offline password management with sync via Nextcloud/Syncthing
- You need a desktop-native app with excellent browser extension integration
Cost Comparison
| Scenario | 1Password Business | Vaultwarden (Self-Hosted) |
|---|---|---|
| 10 users | $960/year | ~$72/year (VPS) |
| 25 users | $2,400/year | ~$72/year (same VPS) |
| SSO integration | $8/user/month | Free (Passbolt Community) |
| Data ownership | ❌ | ✅ |
| Offline access | ✅ (cached) | ✅ (Bitwarden clients cache) |