7 Best Self-Hosted Password Managers in 2026 (Open Source)
Vaultwarden, Bitwarden self-hosted, Passbolt, Psono, KeePassXC, Padloc, and Password Pusher compared. Mobile, sharing, MFA, audit logs, and the right pick by use case.
Published: 2026-05-05
A self-hosted password manager keeps your secrets on hardware you control rather than a vendor cloud. Done well, it gives you the same daily-driver experience as 1Password or LastPass with stronger guarantees about who can see your data. Done poorly, it leaves you with a single-point-of-failure server that locks you out at the worst possible moment.
The 2026 self-hosted PM scene is healthier than ever. Vaultwarden has 35,000+ GitHub stars and is the default pick for individuals. The official Bitwarden server is the enterprise standard with audited code and full FIDO2 passkey support. Passbolt has overtaken Vaultwarden for team-focused setups. KeePassXC paired with a sync tool (Syncthing, Nextcloud) is the no-server option that has not gone away. Quick comparison first, then the writeups.
Quick comparison
| App | License | Stack | Min RAM | Mobile | Sharing | MFA | Audit log |
|---|---|---|---|---|---|---|---|
| Vaultwarden | AGPL | Rust (single container) | 50 MB | Bitwarden apps | Org/Collections | TOTP, FIDO2 (limited) | Premium-tier |
| Bitwarden self-hosted | BSL / GPL | .NET + SQL Server | 2 GB | Bitwarden apps | Full Org features | TOTP, FIDO2, passkeys | Yes |
| Passbolt | AGPL | PHP + MySQL | 1 GB | iOS, Android | Granular per-resource | TOTP, YubiKey | Yes |
| Psono | Apache 2.0 | Python + PostgreSQL | 1 GB | iOS, Android | Group + share | TOTP, YubiKey, Duo | Enterprise edition |
| KeePassXC + sync | GPL | Single .kdbx file | n/a (file-based) | iOS (Strongbox), Android (Keepass2Android) | None native | Hardware key, key file | n/a |
| Padloc | AGPL | TypeScript | 500 MB | iOS, Android | Org sharing | TOTP, WebAuthn | Limited |
| Password Pusher | OSL-3 | Ruby on Rails | 512 MB | Mobile web | One-time URL only | n/a (no vault) | Yes |
1. Vaultwarden
The runaway favourite for self-hosted password managers. Vaultwarden is a Rust reimplementation of the Bitwarden server API, fully compatible with every official Bitwarden client (browser extension, mobile app, desktop, CLI). It runs in under 50 MB RAM and starts in seconds.
Strengths: trivial install (one Docker container), full client compatibility, unlocks several Bitwarden premium features at no cost (TOTP storage, attachments, custom fields), active maintenance.
Weaknesses: no formal third-party security audits (the official Bitwarden server is audited; Vaultwarden is not). FIDO2 passkey support lags slightly behind official Bitwarden as new spec changes ship.
Best for: individuals, families, and small teams who want a Bitwarden experience without paying per seat.
The Vaultwarden page has the install steps. For the head-to-head against the official server, see the Vaultwarden vs Bitwarden comparison.
2. Bitwarden (official self-hosted)
Bitwarden's own server, available for self-hosting under a Bitwarden Source License with permissive use terms. The same codebase that powers the bitwarden.com cloud product. Audited annually by third parties (Cure53, others), supports SSO, advanced organization policies, directory sync, and full FIDO2 passkey storage.
Strengths: audited code, enterprise-grade SSO and policies, latest features land here first, official commercial support available.
Weaknesses: heavier (2 GB+ RAM, requires SQL Server or Postgres), org features need an enterprise license at scale, more moving parts than Vaultwarden.
Best for: organizations with compliance requirements (SOC 2, HIPAA, ISO 27001) where audit-trail and audited-code claims matter.
See Bitwarden self-hosted on Talos Tools.
3. Passbolt
The team-first self-hosted password manager. Built around shared resources rather than personal vaults: every credential has explicit owners and viewers, with granular per-resource access. Inline comments, version history, and audit logs are first-class.
Strengths: the best built-in collaboration model on the list (per-resource ACLs, comments), regular third-party audits, healthy enterprise features in the paid edition, mature mobile apps.
Weaknesses: personal-vault use feels heavier than Vaultwarden, no native browser-extension passkey support yet, PHP stack means classic LAMP-style ops.
Best for: teams (5 to 200 people) where shared credentials are the primary use case rather than individual password management.
Passbolt in the Talos catalog.
4. Psono
Open-source password manager with strong customization options. Self-hostable, scriptable via API, supports SAML SSO, Duo, YubiKey, and Active Directory in the enterprise edition. Heavily extensible if you have a developer on hand.
Strengths: deepest customization on the list, mature SSO, strong enterprise auth options, files-and-secrets management beyond just passwords.
Weaknesses: smaller community than Vaultwarden or Bitwarden, mobile apps less polished, requires Python and PostgreSQL ops knowledge.
Best for: security-conscious teams who want to script and customize the deployment, and need richer secret types than just passwords.
5. KeePassXC + Syncthing or Nextcloud
The no-server option. KeePassXC is a desktop app that opens an encrypted .kdbx file. You sync that file across devices using Syncthing, Nextcloud, or Dropbox. No backend to compromise. Works offline. Forever-free.
Strengths: zero server attack surface, the file format is bulletproof and 20+ years old, hardware-key support (YubiKey, Nitrokey), works without internet.
Weaknesses: conflict resolution is manual if two devices edit the file at once, mobile experience depends on third-party clients (Strongbox on iOS, Keepass2Android on Android), no team-sharing model worth using.
Best for: privacy-maximalists, single-user setups, or anyone uncomfortable running a server. Pair with Nextcloud for sync.
6. Padloc
A modern, minimal password manager built in TypeScript with end-to-end encryption. Clean web app, native-feel mobile apps, and a focused feature set rather than the kitchen-sink approach of Bitwarden.
Strengths: very clean UI, end-to-end encryption with sensible defaults, organization tier for small teams, modern WebAuthn support.
Weaknesses: smaller community, fewer integrations, slower feature shipping than Vaultwarden or Bitwarden.
Best for: individuals or small teams who value UI polish and a small attack surface over raw feature count.
7. Password Pusher
Not a vault. A one-time secret sharing tool. Drop a password or string in, get a one-time URL with optional expiry and view limits. The link self-destructs after use or after the timer.
Strengths: trivial to deploy, perfect for handing credentials to contractors or new hires once, integrates with Slack, audit log of pushes.
Weaknesses: not a password manager (no vault, no sync, no autofill). Use it alongside one of the others, not instead of one.
Best for: any team that currently shares credentials over Slack, email, or DMs. Replacing those channels with Password Pusher is a one-day security upgrade.
Password Pusher on Talos Tools.
How to pick by use case
Just me, family, or a small team (under 10): Vaultwarden. Free, lightweight, full Bitwarden client compatibility.
Mid-size org (10 to 200) with compliance needs: Bitwarden official self-hosted. Audited code, full SSO, audit logs.
Team-first workflows where sharing is the main use: Passbolt. Per-resource ACLs and comments are unmatched.
Customization-first deployment: Psono.
Privacy-maximalist single user: KeePassXC + Syncthing/Nextcloud. No server.
Polish-focused individual user: Padloc.
Replacing Slack DMs for one-off credential handoffs: Password Pusher (alongside any of the others).
Backup strategy: the part everyone skips
A self-hosted password manager that has no backup is a single point of failure for your entire digital life. Set this up before you migrate your first credential.
Encrypted backup of the database, daily. Vaultwarden uses SQLite by default; back up the entire data directory. For Bitwarden, Passbolt, and Psono, take a full RDBMS dump. Encrypt the backup with age or GPG before it leaves the box.
Off-site copy, weekly. Push to S3, Backblaze B2, or your own remote box. The on-box backup does not survive a full server loss.
Restore drill, quarterly. Restore to a fresh server. Confirm a test account can log in. Do this on the calendar, not when you actually need it.
Emergency-access printout. A sealed envelope with the master password and 2FA recovery codes, in a safe deposit box or fireproof drawer. The cost of doing this is zero. The cost of not doing it is your entire life's credentials.
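The daily backup and the restore check for the Vaultwarden/SQLite case, as an added example that is not part of the original article or Vaultwarden's own tooling. It takes the database snapshot through SQLite's online backup API so the copy is consistent even while the server is writing, then archives the rest of the data directory around it. Assumptions: the database file is named db.sqlite3, the schema has a users table, the age CLI is on PATH for encrypt(), and the sample data directory is constructed.

```python
import shutil, sqlite3, subprocess, tarfile, tempfile
from pathlib import Path

DB_NAME = "db.sqlite3"  # assumption: Vaultwarden's default SQLite file name

def snapshot(data_dir: Path, out_dir: Path) -> Path:
    """Tar the data directory, swapping the live DB for a consistent copy."""
    out_dir.mkdir(parents=True, exist_ok=True)
    archive = out_dir / "vault-backup.tar.gz"
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp) / DB_NAME
        src, dst = sqlite3.connect(data_dir / DB_NAME), sqlite3.connect(copy)
        src.backup(dst)  # online backup API: consistent even while the server writes
        src.close(); dst.close()
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(copy, arcname=DB_NAME)
            for p in sorted(data_dir.rglob("*")):
                # keys, attachments, config; skip the live DB and its -wal/-shm files
                if p.is_file() and not p.name.startswith(DB_NAME):
                    tar.add(p, arcname=p.relative_to(data_dir).as_posix())
    return archive

def encrypt(archive: Path, recipient: str) -> Path:
    """Encrypt to an age public key; the plaintext archive is removed afterwards."""
    out = archive.with_name(archive.name + ".age")
    subprocess.run(["age", "-r", recipient, "-o", str(out), str(archive)], check=True)
    archive.unlink()
    return out

def restore_drill(archive: Path, table: str = "users") -> int:
    """Pull the DB out of a decrypted archive, verify it, count rows in `table`."""
    with tempfile.TemporaryDirectory() as tmp:
        restored = Path(tmp) / DB_NAME
        with tarfile.open(archive) as tar, open(restored, "wb") as fh:
            shutil.copyfileobj(tar.extractfile(DB_NAME), fh)
        db = sqlite3.connect(restored)
        try:
            if db.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
                raise RuntimeError("restored database failed integrity_check")
            return db.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
        finally:
            db.close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed sample data directory
        data = Path(root) / "data"; data.mkdir()
        db = sqlite3.connect(data / DB_NAME)
        db.execute("CREATE TABLE users (email TEXT)")
        db.execute("INSERT INTO users VALUES ('test@example.invalid')")
        db.commit(); db.close()
        print(restore_drill(snapshot(data, Path(root) / "out")), "user row(s) restored")
```

The row count is only an offline sanity check; the quarterly drill still means restoring to a fresh server and logging in with a test account.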
For passwords inside the vault, generate them with our password generator rather than reusing variants of the same root.
FAQ
Vaultwarden or official Bitwarden?
Vaultwarden for individuals and small teams. Official Bitwarden when audit trail, formal third-party security audits, or enterprise SSO matter for compliance reasons. Both use the same client apps, so you can switch between them.
Self-hosted MFA: which methods work?
All seven support TOTP. Vaultwarden, Bitwarden, Passbolt, and Psono support YubiKey or FIDO2 hardware keys. Bitwarden has the best passkey support today. KeePassXC supports key files plus hardware keys for the database itself.
Is sharing with family safe?
Yes, on Vaultwarden, Bitwarden, Passbolt, and Padloc. Each supports organizations or families with shared collections and per-user access. KeePassXC is single-vault, so family sharing works only if everyone trusts the same .kdbx file.
Mobile app on Vaultwarden?
Yes. Vaultwarden uses the official Bitwarden mobile apps (iOS and Android). Point them at your server URL during onboarding. Same goes for browser extensions and the desktop app.
Backup strategy?
Daily encrypted database backups, off-site copies weekly, quarterly restore drills, and a sealed printout of master credentials in physical storage. Skip any of those and you have a fragile system, not a secure one.
What about KeePass alternatives like KeeWeb?
KeeWeb is a web-based KeePass viewer. It works, but development has slowed. KeePassXC is the better-maintained desktop choice. For browser-based KeePass, the official KeePassXC browser extension is more actively maintained than KeeWeb.
Where to go from here
For more self-hosted picks, the self-hosted apps directory covers cloud storage, calendars, analytics, and adjacent privacy tools. Adjacent listicles on the Talos Tools blog include the best self-hosted cloud storage roundup and the self-hosted email server guide.
If you are coming at this from a learning path, the cybersecurity roadmap covers credential management, MFA, and threat modeling, and the DevOps roadmap covers backup, secrets management, and infrastructure hardening.
Last updated: April 2026.
Last updated: 2026-05-10