Lightweight, Bitwarden compatible, ideal for small setups.
Official, robust, but heavy on RAM and complexity.
Top for teams, but steeper learning curve.
👍 What we like
- ✓Ultra-low memory consumption.
- ✓Full compatibility with Bitwarden clients.
- ✓Simplified and fast Docker installation.
👎 What to watch
- ✕Not official, community support only.
- ✕Advanced features (KDF) sometimes limited.
- ✕Security updates require manual tracking.
📑 Contents ▾
Credential management is one of the fundamental pillars of cybersecurity, for both individuals and businesses. In the self-hosting ecosystem, choosing a password manager is not just about browser compatibility or the presence of a mobile app. It involves complex trade-offs between trust in a cloud provider, total control over data, and the consumption of available hardware resources. In 2026, three solutions dominate the landscape: Bitwarden in its official self-hosted version, Vaultwarden, a lightweight reimplementation, and Passbolt, specialized for teams. Each addresses different philosophies, ranging from raw simplicity to rigorous enterprise compliance. It is entirely possible to self-host these tools on a cheap VPS or a homelab mini-PC, but the implications regarding maintenance and security vary significantly depending on the tool chosen.
Context and Specific Needs
Before diving into technical details, it is crucial to define the scope. Self-hosting a password manager means you are responsible for availability, backups, and, most importantly, the security of the database. A breach here is catastrophic. For an individual or small developer, the priority is often ease of use and low memory footprint. For a team or SMB, access management, auditing, and role separation become paramount. Bitwarden offers a complete but heavy solution, Vaultwarden provides an agile alternative at the cost of community maintenance, while Passbolt positions itself as a robust collaborative tool, albeit less suited for simple personal needs.
Bitwarden Self-Hosted: The Official Reference
Bitwarden is arguably the most well-known name in this field. Their self-hosted version, based on their .NET and PostgreSQL infrastructure, is designed to be a direct alternative to their cloud service. The architecture is solid, using Docker containers to simplify deployment, but it remains relatively resource-intensive.
Bitwarden’s strength lies in its compliance and transparency. The code is open source, regularly audited, and the implementation strictly follows the end-to-end encryption standards defined by the company. This means that by self-hosting, you benefit from the same security as on the cloud, without adding cryptographic complexity. However, this robustness comes at a cost. The technical stack requires several services (API, Identity, WebVault, etc.) running in parallel. On a server with 2 GB of RAM, the system can become fragile under load, and the initial installation, although facilitated by official scripts, requires an understanding of TLS certificates and network configurations. The community is huge, which facilitates troubleshooting, but updates must be applied rigorously to avoid vulnerabilities.
Vaultwarden: The Lightweight Community Alternative
Vaultwarden is not an official version of Bitwarden. It is a Rust reimplementation of the Bitwarden server API. The primary goal is to drastically reduce resource usage while remaining compatible with official Bitwarden clients (browser, mobile, desktop).
This compatibility is its major asset: you can use the same applications as if you were on the Bitwarden cloud, but with a server that consumes only a few dozen megabytes of RAM. This is ideal for homelabbers with limited hardware, such as a Raspberry Pi or an old mini-PC. Vaultwarden uses SQLite by default, which further simplifies management, although PostgreSQL is supported for larger deployments.
However, this approach carries inherent risks. Vaultwarden is not maintained by Bitwarden Inc. There may be delays in implementing new features or security patches. Additionally, some advanced features, such as file sharing or complex security reports, may be limited or absent. Security relies entirely on the administrator’s rigor: if Vaultwarden is lightweight, it does not compensate for a poor firewall or reverse proxy configuration. It is also worth noting that using Vaultwarden may potentially lead to support issues if you contact Bitwarden regarding a problem related to an official client.
Passbolt: Collaborative Security for Teams
Passbolt adopts a radically different approach. Instead of relying on the Bitwarden standard, it uses OpenPGP for end-to-end encryption. This means that encryption keys are generated locally on users’ devices and are never stored on the server in plaintext. The server only sees encrypted data.
This architecture offers high security, particularly for teams that need to share passwords without the server administrator being able to read them. Passbolt is designed for collaboration: group management, precise roles, access history, and integration with LDAP/Active Directory. It is a tool thought out for sysadmins and DevOps teams who need traceability.
The main barrier to its adoption for personal use is the complexity of managing PGP keys. For an average user, generating, backing up, and restoring GPG keys can be a technical nightmare. Furthermore, the interface is less fluid than Bitwarden or Vaultwarden, and the mobile experience is less polished. The community version is free and open source, but it lacks some enterprise management features present in the paid version. Installation is heavier, often requiring a full web server (Apache/Nginx) and a MySQL/MariaDB database, which increases the hardware footprint compared to Vaultwarden.
Comparison Table
| Criterion | Bitwarden Self-Hosted | Vaultwarden | Passbolt |
|---|---|---|---|
| Language / Stack | .NET Core, PostgreSQL | Rust, SQLite/PostgreSQL | PHP, MySQL/MariaDB |
| RAM Usage | High (2-4 GB recommended) | Very Low (< 500 MB) | Medium (1-2 GB) |
| Client Compatibility | Official Bitwarden Clients | Official Bitwarden Clients | Passbolt App Only |
| Encryption Model | Bitwarden Standard (scrypt) | Bitwarden Standard (scrypt) | OpenPGP (GPG) |
| Team Management | Good (groups, folders) | Limited (basic sharing) | Excellent (roles, audit) |
| Installation Difficulty | Medium (multi-container) | Easy (lightweight monolith) | Complex (PGP key management) |
| Maintenance | Official, regular | Community, reactive | Community, stable |
| License | AGPLv3 | AGPLv3 | AGPLv3 |
Use Cases: Who Should Choose What?
The choice depends entirely on your profile. If you are an individual or a small developer with a modest homelab, Vaultwarden is likely the best compromise. It allows you to use the Bitwarden ecosystem, which is very mature and practical, without needing a powerful dedicated server. You can install it on a small VPS or mini-PC without worrying about performance. The only trade-off is trusting the Vaultwarden community for security and updates.
If you work in a team, manage sensitive access in a company or association, Passbolt is the most relevant option. Fine-grained permission management and the use of OpenPGP offer a level of security and traceability that other solutions do not achieve natively. However, accept the learning curve associated with PGP. Bitwarden Self-Hosted sits in between: it is ideal if you want the guarantee of official support and total compatibility, and you have the hardware resources to support it. It is often chosen by small businesses that want to avoid cloud licensing fees while keeping a standardized solution.
Verdict
There is no perfect solution, only tools adapted to specific constraints. Vaultwarden wins on efficiency and accessibility for individuals, offering an experience almost identical to Bitwarden for a fraction of the resources. Bitwarden Self-Hosted remains the reference for those who prioritize long-term stability and official support, at the cost of higher consumption. Passbolt, on the other hand, is a powerful niche tool for teams, where secure collaboration takes precedence over consumer-grade ease of use.
For homelabbers, the current trend shows growing interest in Vaultwarden due to its lightweight nature, allowing the consolidation of multiple services on the same hardware. However, for professionals, the robustness of Bitwarden or the cryptographic security of Passbolt often justifies the resource investment. Whatever your choice, remember that the security of a self-hosted password manager depends 80% on the rigor of your network configuration, backups, and regular software updates. Consult our guides on [materiel-recommended/] to choose the right hardware, and feel free to explore other [comparisons/] if you are looking to further secure your infrastructure.