<!-- OSSAlt AI-readable guide source -->
<!-- Canonical: https://ossalt.com/guides/passbolt-vs-vaultwarden-vs-bitwarden-teams-2026 -->
<!-- Raw Markdown: https://ossalt.com/guides/passbolt-vs-vaultwarden-vs-bitwarden-teams-2026/raw.md -->
<!-- Source path: content/guides/passbolt-vs-vaultwarden-vs-bitwarden-teams-2026.mdx -->

---
og_image: "/images/guides/passbolt-vs-vaultwarden-vs-bitwarden-teams-2026.webp"
title: "Passbolt vs Vaultwarden vs Bitwarden 2026"
description: "Passbolt vs Vaultwarden vs Bitwarden for self-hosted team password management in 2026. Compared on RAM usage, setup time, team sharing features, and total cost."
date: "2026-03-19"
author: "OSSAlt Team"
tags: ["self-hosted", "security", "password-manager", "docker"]
---

# Passbolt vs Vaultwarden vs Bitwarden: Self-Hosted Teams 2026

## TL;DR

**Vaultwarden** wins for individuals and small teams that want zero overhead — it runs on 50MB RAM, deploys in 5 minutes, and unlocks all Bitwarden premium features for free. **Passbolt** is built for team collaboration first — end-to-end encrypted password sharing with granular access controls, regular security audits, and a free Community edition. **Bitwarden's official self-hosted server** is the enterprise choice — SSO, advanced policies, and a formally audited codebase, but it demands 2GB+ RAM and requires an enterprise license for org features. Pick by team size and compliance requirements, not by raw feature count.

## Key Takeaways

- **Vaultwarden**: 35,000+ GitHub stars, ~50MB RAM idle, Rust-based, all Bitwarden clients work out of the box
- **Passbolt**: PGP end-to-end encryption, free Community edition, $49/mo Business (self-hosted), team-first password sharing
- **Bitwarden official**: 2GB RAM minimum (4GB recommended), requires enterprise license for self-hosted org sharing, $6/user/month
- **Vaultwarden is not officially supported by Bitwarden** — it's a community reimplementation; evaluate your risk tolerance
- **Passbolt requires a browser extension** — no mobile-native vault, no TOTP storage by default
- **For small teams under 20 people**, Vaultwarden + Bitwarden clients is the fastest path to a working shared vault

---

## The Self-Hosted Password Manager Problem

Every team eventually confronts the same question: do you trust a third-party SaaS with your credentials, or do you self-host?

The SaaS argument is compelling — LastPass, 1Password, and Bitwarden Cloud offer polished apps, mobile sync, and zero infrastructure overhead. But the self-hosting case has grown stronger in 2025–2026: the LastPass [2022 breach](https://support.lastpass.com/help/incident-2-additional-details-of-the-attack) is still reverberating in enterprise risk assessments; 1Password and Dashlane raised prices significantly; and regulatory requirements (GDPR, SOC 2, HIPAA) increasingly mandate data sovereignty.

The three dominant open-source self-hosted options — Vaultwarden, Passbolt, and Bitwarden's official server — approach the problem from different angles. Understanding which angle fits your team is the entire decision.

---

## Vaultwarden: Bitwarden Clients, Fraction of the Resources

Vaultwarden (formerly bitwarden_rs) is an unofficial Bitwarden-compatible server written in Rust by the open-source community. It exposes the same API that all official Bitwarden clients expect — browser extensions, desktop apps, mobile apps — but runs in a tiny fraction of the official server's resource footprint.

### What Makes It Special

The Bitwarden official server is a .NET monolith that requires a full Docker Compose stack: MSSQL database, NGINX, multiple microservices. At idle, expect 1–2GB RAM minimum. Vaultwarden ships as a single Rust binary in a single Docker container. At idle: **~50MB RAM**. On a Raspberry Pi 5: ~150ms sync times.

This isn't a trimmed-down version — Vaultwarden implements virtually all Bitwarden server features: organizations, collections, user management, two-step login, emergency access, sends, and even TOTP/authenticator vault storage. The 35,000+ GitHub stars reflect genuine community trust.

### Docker Setup (5 Minutes)

```yaml
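services:
  vaultwarden:
    # Pin a specific release tag in production rather than tracking :latest
    image: vaultwarden/server:latest
    restart: unless-stopped
    volumes:
      - ./vw-data:/data  # vault database and attachments; back this up
    environment:
      DOMAIN: "https://passwords.yourdomain.com"
      # Guards the /admin panel; replace the placeholder with a long random value
      # (or an Argon2 hash from `vaultwarden hash`) and keep it out of version control
      ADMIN_TOKEN: "your-secure-admin-token"
    ports:
      # Loopback only: assumes the reverse proxy runs on this host and forwards to 8080
      - "127.0.0.1:8080:80"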
```

Put this behind a reverse proxy (Nginx, Caddy, Traefik) with HTTPS, and you have a fully functional Bitwarden-compatible vault.

### The Caveats

Vaultwarden has two honest limitations:

1. **No official security audit.** Bitwarden's official server is audited annually by third-party security firms. Vaultwarden is community-maintained and hasn't undergone formal penetration testing. For teams with strict compliance requirements (SOC 2, HIPAA), this is a disqualifying factor.

2. **API compatibility is unofficial.** When Bitwarden ships client updates, Vaultwarden may lag. Major client version mismatches occasionally break sync until Vaultwarden catches up.

**Vaultwarden is best for:** Solo developers, homelab enthusiasts, small teams under 10 people, and any team prioritizing minimal infrastructure over formal compliance documentation.

---

## Passbolt: End-to-End Encryption Built for Teams

Passbolt's design philosophy differs fundamentally from Bitwarden's. Where Bitwarden encrypts your vault and syncs it, Passbolt's model is built around **sharing encrypted secrets between specific people** — using OpenPGP keys where each user's private key never leaves their device.

### The PGP Model and What It Means

When a team member in Passbolt shares a password with you, the system re-encrypts that credential with your public key. This means:

- The server never holds decryptable credentials
- Even a compromised Passbolt server doesn't expose plaintext passwords
- Sharing is granular: you can share a single credential with one person, a group, or revoke access individually

This is a meaningfully stronger security model than Bitwarden's vault encryption for team credential sharing — and it's why Passbolt is popular in security-conscious organizations, infosec teams, and agencies managing client credentials.
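The sharing flow described above, as an added example that is not Passbolt's code: a simplified model in which the server keeps one ciphertext copy per user and sharing re-encrypts on the sharer's device. It assumes RSA-OAEP from Node's built-in `crypto` module as a stand-in for OpenPGP, and every function and variable name is hypothetical.

```javascript
// Added example, not Passbolt code. RSA-OAEP from Node's built-in crypto
// stands in for OpenPGP; all function and variable names are hypothetical.
const nodeCrypto = require("crypto");

// Each user generates a key pair on their own device; only the public key is uploaded.
function newUser(name) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  return { name, publicKey, privateKey };
}

// What the server stores: resourceId -> { userName: ciphertext }. No plaintext, no private keys.
const serverStore = new Map();

function encryptFor(publicKey, plaintext) {
  return nodeCrypto.publicEncrypt({ key: publicKey, oaepHash: "sha256" }, Buffer.from(plaintext, "utf8"));
}

// Runs on the user's device: fetch own ciphertext copy and decrypt it locally.
function readSecret(user, resourceId) {
  const copy = (serverStore.get(resourceId) || {})[user.name];
  if (!copy) throw new Error(`${user.name} has no copy of ${resourceId}`);
  return nodeCrypto.privateDecrypt({ key: user.privateKey, oaepHash: "sha256" }, copy).toString("utf8");
}

function createSecret(owner, resourceId, plaintext) {
  serverStore.set(resourceId, { [owner.name]: encryptFor(owner.publicKey, plaintext) });
}

// Sharing happens on the sharer's device: decrypt own copy, re-encrypt for the recipient.
function share(sharer, recipient, resourceId) {
  const plaintext = readSecret(sharer, resourceId);
  serverStore.get(resourceId)[recipient.name] = encryptFor(recipient.publicKey, plaintext);
}

// Revoking deletes the recipient's ciphertext copy. It cannot un-see a password
// the recipient already decrypted, so rotate the credential after revoking.
function revoke(recipient, resourceId) {
  delete serverStore.get(resourceId)[recipient.name];
}

// Constructed sample data
const alice = newUser("alice"), bob = newUser("bob");
createSecret(alice, "db-prod", "s3cr3t-example");
share(alice, bob, "db-prod");
console.log("bob reads:", readSecret(bob, "db-prod"));
revoke(bob, "db-prod");
console.log("holders after revoke:", Object.keys(serverStore.get("db-prod")));
```

A server-side compromise in this model yields only the ciphertext copies in `serverStore`; reading any of them still requires the matching user's private key.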

### Pricing Model (Self-Hosted)

| Plan | Monthly Cost | Users | Key Features |
|------|-------------|-------|--------------|
| **Community** | Free | Unlimited | Core password sharing, browser extension, CLI, Docker |
| **Business** | $49/month | Unlimited | LDAP/AD sync, SSO (SAML), 2FA enforcement, audit logs, MFA per group |
| **Enterprise** | Custom | Unlimited | Custom SLA, dedicated support, advanced compliance features |

The Community edition is genuinely useful — not a crippled trial. It includes the full password sharing model, browser extensions for Chrome/Firefox/Edge, a CLI, and Docker deployment. The $49/month Business edition adds enterprise authentication (SSO, LDAP) and governance (audit logs, MFA enforcement).

### Setup Requirements

Passbolt recommends 2 CPU cores, 2GB RAM, and 20GB storage for production. The official Docker Compose setup includes:

- Passbolt application container
- MariaDB database
- NGINX web server

Initial setup takes 15–30 minutes, including SSL configuration. An email server is required — Passbolt sends invitation and notification emails.

### Honest Limitations

**Browser extension required.** Passbolt's security model is built around the browser extension handling PGP key management. There's no native mobile app with direct vault access — mobile users must use a browser extension workaround. For teams where mobile access is critical, this is a real friction point.

**No TOTP storage.** The Community edition doesn't store TOTP codes alongside credentials (the Business edition adds this). Teams that keep authenticator codes in their password manager will need an alternative.

**PGP onboarding friction.** Each new user must generate and register a PGP key during setup. This is a one-time process but adds onboarding complexity for non-technical team members.

**Passbolt is best for:** Security teams, infosec agencies, regulated industries (legal, healthcare, finance), and organizations that need granular per-user credential sharing with cryptographic guarantees.

---

## Bitwarden Official Server: The Enterprise-Grade Option

The Bitwarden official self-hosted server is the same codebase that powers Bitwarden Cloud — with all of its advantages and infrastructure requirements.

### Why You'd Choose Official Over Vaultwarden

The official server has three things Vaultwarden doesn't:

1. **Formal security audits** — annual third-party penetration testing by firms like Cure53, with published reports
2. **SOC 2 Type II compliance** — required for many enterprise procurement processes
3. **Official Bitwarden support** — SLA-backed support for Enterprise customers, with a dedicated account team

For organizations where a vendor must provide compliance documentation, Vaultwarden is simply not an option — and Passbolt's audit history, while better than Vaultwarden's, doesn't match Bitwarden's formal compliance program.

### Resource Requirements

| Component | Minimum | Recommended |
|-----------|---------|-------------|
| CPU | 1.4GHz x64 | 2GHz dual-core |
| RAM (Linux) | 2GB | 4GB+ |
| RAM (Windows Server) | 6GB | 8GB+ |
| Storage | 12GB | 25GB+ |
| Docker | Engine 26.0+ | Engine 27.x |

The resource footprint is significant compared to Vaultwarden — you're running a .NET stack with MSSQL (or other supported databases). This is why most hobbyists and small teams choose Vaultwarden instead.

### Licensing for Self-Hosted Organizations

Here's the critical detail often missed: **Bitwarden's self-hosted server is free to install**, but self-hosting an **organization** (enabling password sharing between users) requires an enterprise license.

- **Free** (self-hosted): Personal vault, no sharing
- **Teams** ($4/user/month): Shared org vaults, basic policies
- **Enterprise** ($6/user/month): SSO, advanced policies, SCIM provisioning, self-hosting included

For a 10-person team, self-hosted Bitwarden Enterprise costs $600/year minimum — versus $0 for Vaultwarden or $0 for Passbolt Community.

**Bitwarden official is best for:** Enterprises with formal compliance requirements (SOC 2, ISO 27001), organizations that have procurement approval processes requiring official vendor support, and teams already on Bitwarden Cloud considering migration.

---

## Side-by-Side Comparison

| Dimension | Vaultwarden | Passbolt Community | Bitwarden Official |
|-----------|-------------|---------------------|-------------------|
| **License** | AGPL-3.0 | AGPL-3.0 | AGPL-3.0 |
| **Self-host cost** | Free | Free | Free (personal) / $6/user/mo (org) |
| **RAM at idle** | ~50MB | ~512MB | ~2GB |
| **Setup time** | ~5 minutes | ~30 minutes | ~45–60 minutes |
| **Security audit** | None (community) | Annual (3rd party) | Annual (Cure53 + others) |
| **SOC 2 compliance** | No | Partial | Yes |
| **Mobile apps** | All Bitwarden clients | Browser extension only | All Bitwarden clients |
| **TOTP storage** | Yes | Business plan only | Yes |
| **LDAP/AD sync** | Manual | Business plan | Enterprise plan |
| **SSO/SAML** | Limited | Business plan | Enterprise plan |
| **Team sharing** | Full (org model) | Granular PGP sharing | Full (org model) |
| **GitHub stars** | 35,000+ | ~4,000 (API repo) | Official (Bitwarden Inc.) |

---

## The Decision Framework

**Choose Vaultwarden if:**
- You want the full Bitwarden client experience with minimal infrastructure
- You're a solo developer, homelab user, or small team under ~15 people
- Low RAM usage matters (Raspberry Pi, shared VPS, tiny VM)
- You don't need formal compliance documentation

**Choose Passbolt if:**
- Granular, per-credential team sharing is a core requirement
- Your threat model requires that the server never sees plaintext credentials
- You work in a security-sensitive industry (infosec agency, legal, healthcare)
- Mobile access is secondary to desktop/browser access for your team

**Choose Bitwarden Official if:**
- Your organization has formal compliance requirements (SOC 2, ISO 27001)
- Procurement requires an official vendor with SLA-backed support
- You're already on Bitwarden Cloud and want to move data in-house
- Team size and budget justify $6/user/month for enterprise features

---

## Migration Paths

Moving between these platforms is feasible but imperfect:

**Bitwarden Cloud → Vaultwarden**: Export from Bitwarden Cloud, import into Vaultwarden. All clients point to your new server URL. Clean migration in under an hour.

**Bitwarden/Vaultwarden → Passbolt**: Export to JSON/CSV from Bitwarden, import into Passbolt via CLI or browser extension. Org structures need manual recreation.

**Passbolt → Vaultwarden/Bitwarden**: Export from Passbolt CLI or admin panel, import into Bitwarden-compatible format. Most credential metadata transfers cleanly. All three platforms use AES-256 encryption for credential storage, so credentials remain equivalently secured after migration regardless of which direction you move.

---

## Methodology

- Sources consulted: 8
- Data from: Passbolt.com pricing page, GitHub repositories, Vaultwarden GitHub discussions, Bitwarden official docs, Capterra 2026 comparisons
- Date: March 2026

