
Best Self-Hosted Password Managers in 2026: Vaultwarden, Passbolt, KeePassXC & Alternatives

2026 comparative guide to the best self-hosted password managers: Vaultwarden, Passbolt, KeePassXC, and Psono. Compare security, team sharing, clients, deployment ease, and use cases to choose the right vault.

By Selfhostr Team · independent tests
ⓘ This article may contain affiliate links (no extra cost to you, it supports our tests). See the disclosure.

  • RAM usage: < 100 MB
  • Deployment: minutes
  • Encryption: AES-256
  • Architecture: Docker (Rust)

📊 Best Self-Hosted Password Manager 2026

  • 🏆 Vaultwarden, 95/100: best overall for most users
  • Passbolt, 85/100: best for enterprise teams
  • KeePassXC, 75/100: best for offline purists
  • Psono, 70/100: good for technical teams

👍 What we like

  • Bitwarden protocol compatibility allows use of all official clients
  • Extremely lightweight resource footprint under 100 MB RAM
  • Zero-knowledge encryption with Argon2id key derivation
  • Supports TOTP, WebAuthn, and YubiKey for 2FA
  • Easy Docker deployment suitable for homelab environments

👎 What to watch

  • Lacks native SSO SAML/SCIM for enterprise-scale access management
  • Organization features not designed for hundreds of users
  • Passbolt uses OpenPGP which may have a steeper learning curve
  • KeePassXC requires manual file sync management by the user

Handing over your passwords to a US cloud service is convenient, but it also means handing the keys to your entire digital life over to a third party. In 2026, following yet another series of data breaches at major commercial password managers, self-hosting your password vault is no longer a geeky whim: it is a rational decision for sovereignty. But which solution should you choose? The landscape is richer than you might think: Vaultwarden’s Bitwarden compatibility, Passbolt’s enterprise approach, KeePassXC’s locally encrypted file that you sync yourself, and outsiders like Psono.

We tested, deployed, and stress-tested these solutions. This guide compares them without mercy on the criteria that truly matter: encryption model, team sharing, client quality, deployment ease, and user profile. By the end, you will know which vault fits your situation, from the individual user to the IT director of an SME.

Comparison Table

| Criterion | Vaultwarden | Passbolt | KeePassXC + sync | Psono |
| :--- | :--- | :--- | :--- | :--- |
| Model | Server (Bitwarden compatible) | Server (team-oriented) | Local encrypted file | Server |
| Architecture | Docker (Rust) | Docker (PHP/Node) | Local app + file sync | Docker |
| Encryption | AES-256, zero-knowledge | OpenPGP per user | AES-256 / ChaCha20 (KDBX4) | Client-side |
| Official Clients | All (Bitwarden apps) | Browser + desktop | Desktop + third-party apps | Browser + mobile |
| Browser Autofill | Excellent | Good | Via extension/integration | Good |
| Team Sharing | Yes (organizations) | Yes (core product) | Limited (shared files) | Yes (granular) |
| Resource Footprint | Very light (< 100 MB) | Medium | Negligible (no server) | Medium |
| Deployment Ease | Very easy | Medium | No server to manage | Medium |
| 2FA / Hardware Keys | TOTP, WebAuthn, YubiKey | YubiKey, TOTP | YubiKey (challenge-response) | TOTP, YubiKey |
| License | AGPL/GPL | AGPL | GPL | Apache 2.0 |
| Ideal For | Individual, family, homelab | SMEs, structured teams | Purist, offline | Technical team |

Vaultwarden: The Default Choice, and for Good Reason

Vaultwarden is a lightweight Rust reimplementation of the Bitwarden server. Its magic: it speaks the same protocol as Bitwarden, so all official Bitwarden clients work with it — browser extensions, iOS/Android apps, desktop clients, CLI. You benefit from Bitwarden’s mature ecosystem and excellent UX, but on your own server, without a subscription or storage limits.

In terms of resources, it is unbeatable: less than 100 MB of RAM, a SQLite database by default, and a Docker deployment in minutes. The encryption is zero-knowledge (your data is encrypted client-side before transmission; the server never sees your passwords in plaintext), with Argon2id key derivation and support for two-factor authentication (TOTP, WebAuthn, YubiKey). Organization features allow for family or small team sharing.

For an individual, a family, or a homelab, Vaultwarden is simply the best ratio of simplicity/features/lightness on the market. Its limitations appear at scale: it is not designed for hundreds of users with enterprise access management (native SSO SAML/SCIM), a domain where commercial Bitwarden or Passbolt take the lead. But for 95% of self-hosters, it is the answer.

We have dedicated a full comparison to the question “should I self-host or take Bitwarden Cloud?”: Vaultwarden vs Bitwarden Cloud. And we detail its installation step-by-step in our Vaultwarden Docker + HTTPS tutorial.

Tip: Vaultwarden runs without breaking a sweat on the smallest VPS. An entry-level NVMe plan from Hetzner or OVHcloud is more than enough, making it one of the cheapest self-hosted services to run.

Passbolt: The Vault Designed for Teams

Passbolt approaches the problem from an enterprise angle. Where Vaultwarden is user-centric, Passbolt is centered on secure team sharing. Its architecture is based on OpenPGP: each user has their own key pair, and sharing a secret involves encrypting it for the public keys of authorized recipients. This is an elegant and auditable cryptographic model, particularly suited for technical teams sharing infrastructure secrets (API keys, server access, shared credentials).

Rights management is granular: groups, roles, resource-specific permissions, audit logs. Passbolt integrates into team workflows and offers governance features that Vaultwarden lacks. The Community edition is free and open-source; Pro editions add SSO, advanced logging, and support.

The trade-offs: deployment is heavier (PHP, MySQL/MariaDB database, GPG key generation, strict HTTPS configuration required), and the consumer UX is less fluid than Bitwarden/Vaultwarden. The browser extension requires decryption by the private key, adding steps. For purely personal use, Passbolt is overkill. For an SME or DevOps team sharing sensitive secrets, it is an excellent choice.

KeePassXC + Synchronization: The Serverless Purist

KeePassXC completely inverts the paradigm: no server at all. Your passwords live in a single encrypted file (KDBX4 format, AES-256 or ChaCha20, with Argon2 derivation). You synchronize this file yourself via your chosen method: Nextcloud, Syncthing, an encrypted Git repository, or any cloud (since the file is encrypted, the transport channel matters little).

The advantage is radical: no server attack surface. No open ports, no service to maintain, no server-side CVEs to patch. The encrypted file is unusable without the master password (and potentially a key file or a YubiKey in challenge-response mode). This is the preferred solution for security purists and those who want a completely offline or sovereign vault.

The downsides stem from the lack of a server: multi-device synchronization is manual and can generate conflicts if you edit the file simultaneously on two devices. Team sharing is rudimentary (a shared file, no fine-grained rights management). Browser autofill goes through an extension (KeePassXC-Browser) that communicates with the desktop app, requiring it to be open. On mobile, you rely on third-party KDBX-compatible apps. It is powerful but less fluid than server solutions.

Tip: To synchronize your KDBX file between devices without relying on a public cloud, peer-to-peer Syncthing or a self-hosted Nextcloud are ideal. See our tutorial hosting Nextcloud on a VPS.

Psono: The Outsider Oriented Toward Technical Secrets

Psono is less well-known but deserves its place. It is an open-source server-based manager oriented toward teams and infrastructure secrets, with client-side encryption, granular sharing, an API for automation (CI/CD integration, secret retrieval via script), and hardware key support. Its interface is sober and technical.

Psono positions itself between Vaultwarden (consumer, Bitwarden compatible) and Passbolt (team, OpenPGP): it targets technical teams that want to manage secrets via API as well as via the interface, with a “secrets management” approach similar to HashiCorp’s Vault, but lighter and more accessible. For a DevOps team mixing human passwords and machine secrets, it is a credible alternative. For an individual, Vaultwarden remains simpler.

Use Cases: Which One for You?

You are an individual or a family. Vaultwarden, without hesitation. The best UX, the best clients, the simplest deployment, the lightest footprint. It is the intelligent default.

You manage secrets for an SME or a structured team. Passbolt. The per-user OpenPGP model, fine-grained rights management, and auditing make it the most serious open-source team vault.

You are a security purist, you want offline and zero server. KeePassXC with home synchronization. No network attack surface, total control, open and durable format.

You are a technical team automating secret retrieval. Psono (or Vaultwarden + its CLI). The API and machine-secret orientation make the difference in CI/CD workflows.

You are hesitating between self-hosting and a managed service. First read our cost/security analysis Vaultwarden vs Bitwarden Cloud: for a single user, the calculation is not always in favor of self-hosting.

The Decisive Factor: Your Master Password and Backup

Regardless of the tool, two elements truly determine your security, far more than the choice of software:

  • The strength of your master password. This is the only secret protecting everything else. A long, unique passphrase (minimum 4-5 random words) is essential. No encryption can save a vault protected by “password123”.

  • Your backup. A lost vault means lost access to everything. Regularly back up your database (Vaultwarden’s SQLite, KDBX file, Passbolt dump) in an encrypted and off-site manner. Our guide automatic backup with Restic and Backblaze covers exactly this need.
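
A plain file copy of a live SQLite database can miss committed writes that still sit in the write-ahead log. The Python example below is added here (it is not from the original article or from any of the projects) and takes a consistent snapshot with SQLite's backup API, then verifies it before an encrypting backup tool ships it off-site. The database, the `ciphers` table and the file names are constructed stand-ins, and WAL journal mode is an assumption about the deployment.

```python
import hashlib
import shutil
import sqlite3
import tempfile
from pathlib import Path

def make_live_vault(db_path):
    """Constructed stand-in for a running server: WAL DB, 3 rows checkpointed, 2 only in -wal."""
    conn = sqlite3.connect(db_path)
    conn.execute("PRAGMA journal_mode=WAL").fetchall()
    conn.execute("CREATE TABLE ciphers (id INTEGER PRIMARY KEY, data BLOB)")
    conn.executemany("INSERT INTO ciphers (data) VALUES (?)", [(b"old",)] * 3)
    conn.commit()
    conn.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()  # flush WAL into main file
    conn.executemany("INSERT INTO ciphers (data) VALUES (?)", [(b"new",)] * 2)
    conn.commit()
    return conn  # left open on purpose, as the server process would be

def snapshot(live_path, dest_path):
    """Consistent online copy via SQLite's backup API; returns the SHA-256 of the verified copy."""
    src, dst = sqlite3.connect(live_path), sqlite3.connect(dest_path)
    try:
        src.backup(dst)
        status = dst.execute("PRAGMA integrity_check").fetchone()[0]
    finally:
        src.close()
        dst.close()
    if status != "ok":
        raise RuntimeError(f"snapshot failed integrity_check: {status}")
    return hashlib.sha256(Path(dest_path).read_bytes()).hexdigest()

def count_rows(path):
    conn = sqlite3.connect(path)
    try:
        return conn.execute("SELECT COUNT(*) FROM ciphers").fetchone()[0]
    finally:
        conn.close()

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        live, naive, snap = (Path(tmp) / n for n in ("live.db", "naive.db", "snap.db"))
        server = make_live_vault(live)
        shutil.copyfile(live, naive)      # plain copy of the main file only
        digest = snapshot(live, snap)     # backup API also reads the WAL
        result = (count_rows(naive), count_rows(snap), len(digest))
        server.close()
        return result

if __name__ == "__main__":
    print(demo())
```

The naive copy restores with fewer rows than the snapshot, which is why the snapshot file, not the live database file, is what the encrypted backup job should pick up.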

Add to this two-factor authentication (ideally a hardware YubiKey, supported by all four solutions) and an HTTPS reverse proxy in front of any exposed service, and your self-hosted vault will be safer than most commercial services.

Verdict

  • Vaultwarden is the best choice for the vast majority: individuals, families, homelabbers. Light, fluid, Bitwarden compatible, simple to deploy. Our default recommendation.

  • Passbolt is the best for teams and SMEs needing granular sharing and auditing, with its solid OpenPGP model. The open-source enterprise choice.

  • KeePassXC is the best for the offline purist who wants no server and absolute control. Security through the absence of attack surface.

  • Psono is the relevant alternative for technical teams focused on automation and machine secret management.

In one sentence: Vaultwarden for (almost) everyone, Passbolt for teams, KeePassXC for purists, Psono for automators.

FAQ

Is self-hosting passwords really safer than a commercial service?

Not automatically. A reputable commercial service has dedicated security teams that you do not have. Self-hosting is safer if, and only if, you apply best practices: HTTPS, two-factor authentication, strong master password, regular updates, encrypted backups. Done well, you eliminate the risk of a third-party breach exposing your data. Done poorly, you create the risk yourself.

Is Vaultwarden as secure as official Bitwarden?

The encryption is identical (same protocol, zero-knowledge client-side). The difference lies in maintenance: Vaultwarden is community-driven, whereas Bitwarden has a dedicated company. In practice, Vaultwarden is very well maintained and patches are quick. Security will depend mostly on your server configuration, not the software itself.

Which solution to choose for sharing passwords in a team?

Passbolt for a structured team needing auditing and granular rights. Vaultwarden (organizations) for simpler sharing in a small team or family. Psono if the team automates secret retrieval via API. KeePassXC is the least suited for multi-user sharing.

Can I migrate from LastPass, 1Password, or Bitwarden Cloud?

Yes. Most of these managers export to CSV or JSON format, importable into Vaultwarden (via Bitwarden clients), KeePassXC, or Passbolt. Remember to permanently delete the unencrypted export file after migration: it is a plaintext copy of all your secrets.

Do I need a hardware key like a YubiKey?

It is not mandatory but highly recommended for the vault protecting all your access. A hardware key (WebAuthn/FIDO2 or challenge-response) resists phishing and TOTP code theft. All four compared solutions support it. It is the best security/price ratio you can add.

KeePassXC without a server, how does it sync between my PC and phone?

You synchronize the encrypted KDBX file via your chosen tool: Syncthing (peer-to-peer, no cloud), a self-hosted Nextcloud, or even a public cloud (since the file is encrypted, the provider sees nothing). Beware of conflicts if you modify the database on two devices at the same time: edit in one place, let sync propagate.

Taking back control of your passwords is one of the first and most important steps in digital sovereignty. Choose the tool suited to your profile, and take care of your master password and backups. To follow data breaches, manager vulnerabilities, and new best practices, subscribe to our Telegram watch bot.
