← All Articles

Best Self-Hosted Password Managers in 2026 (Vaultwarden vs KeePassXC vs Passbolt vs Bitwarden)

Comparing the top self-hosted password managers: Vaultwarden, KeePassXC, Passbolt, and official Bitwarden. Tested on real homelab hardware.

dockersecurityself-hosting

I’ve run three of these four options in production and evaluated the fourth. Here is the honest version of the comparison: what each one actually is, who it’s for, and what I’d pick if I were starting over today.

The short answer: Vaultwarden for solo homelab users. Passbolt if you’re running a small team. KeePassXC if you want zero server complexity. Official Bitwarden self-hosted only if you have a compliance reason for it.

If you’ve already made your choice and want to skip straight to setup, the Vaultwarden self-hosting guide walks through Docker Compose setup, reverse proxy config, and backup strategy from scratch.

Why compare these four?

Most “best self-hosted password manager” lists include tools that nobody with a homelab actually runs. I’m focusing on the four that show up repeatedly in r/selfhosted and r/homelab conversations because they’re actually deployable on homelab hardware:

I am not including tools like Padloc or Psono. They exist. I don’t know anyone running them, and the homelab community discussion around them is thin.

The comparison table

VaultwardenKeePassXCPassboltBitwarden (official)
Hosting modelDocker (single container)File sync (no server)Docker (multi-container)Docker (multi-service or Unified single container)
RAM at idle~50MBN/A~400MB+~1.5GB+
Mobile appOfficial Bitwarden appsKeePass-compatible appsOfficial appOfficial app
Browser extensionOfficial BitwardenKeePassXC nativeDedicated extensionOfficial Bitwarden
Team sharingSingle-user focusedNo built-in sharingBuilt for teamsOrganization features
TOTP supportYes (built in)Yes (built in)YesYes (premium)
Sync modelServer-syncedFile-syncedServer-syncedServer-synced
LicenseGPLv3GPLv3AGPLv3Proprietary (self-hosted OSS)
Official projectNo (reimplementation)YesYesYes

Vaultwarden

Vaultwarden is what I run, and it’s what I’d recommend to any solo homelab user asking this question. One Docker container, ~50MB idle RAM, full Bitwarden client compatibility across every platform. The browser extension, iOS app, Android app, and desktop client all connect to it with one server URL change in settings.

The appeal is that you get the entire Bitwarden UX (and it’s genuinely good) on your own hardware. Premium features that cost $10/year on Bitwarden cloud (TOTP generation, encrypted file attachments, emergency access) are included for free because you’re running the server.

What it’s for: Solo users or households. It handles organizations and shared vaults, but its sweet spot is one person managing their own passwords with clients on multiple devices.

What it’s not: An officially supported project. Vaultwarden is a reimplementation of the Bitwarden API, not an official Bitwarden product. If Bitwarden changes their API, Vaultwarden has to catch up. In practice, this has been a non-issue for years. But it’s worth knowing.

Resource requirements: 256MB RAM is more than enough for a single-user setup. I run mine on a shared VM alongside a dozen other containers without noticing it.

The one thing you have to take seriously: Backups. Your entire vault is a single SQLite database file. If you lose it, you lose your passwords. Automated daily backups to a second location are not optional. The Vaultwarden setup guide covers a practical backup approach.

KeePassXC

KeePassXC is the odd one out on this list because there’s no server. Your passwords live in a .kdbx database file on disk. You sync it across devices using whatever file sync you already run: Syncthing, Nextcloud, a shared network drive, a private Git repo.

This makes the security model very different. There’s no network service to expose. No container to keep updated. No database to back up separately. Your .kdbx file is the backup. The downside is that sync is file-based, so conflict resolution is on you if you edit the vault from two devices before a sync completes.

What it’s for: Users who want no server complexity, or who are already running a file sync service and want to reuse it. Also a strong choice if you want your vault to be accessible without internet. The file is local.

What it’s not for: Teams. KeePassXC has no built-in credential sharing model. You can share a file, but access control is filesystem permissions, not user accounts. If you need to share passwords between people in a structured way, this isn’t the tool.

Mobile apps: The native KeePassXC app is desktop-only (Linux, macOS, Windows). For mobile you use a compatible app: KeePassium on iOS, Keepass2Android on Android. Both read .kdbx files and sync via whatever backend you configure. This is one more moving part than the Vaultwarden approach, where the official Bitwarden app handles everything.

My take: I used KeePassXC for three years before moving to Vaultwarden. The sync works, but the mobile experience is slightly more fragile. If Syncthing has a conflict on your vault file, you’ll know. Moving to a server-synced model removed that class of problem entirely.

Passbolt

Passbolt is built for teams. It has user accounts, role-based permissions, group-based sharing, and an audit log. If you need to share a set of credentials between five people where different people have different access to different secrets, Passbolt is the tool designed for that problem.

The tradeoff is setup complexity and resource requirements. Passbolt needs a MySQL or MariaDB container alongside the main application, wants at least 2GB RAM, and the initial setup involves generating GPG keys as part of the admin configuration. It’s not complicated in an unreasonable way, but it’s notably more involved than spinning up Vaultwarden.

What it’s for: Small teams. A homelab club, a family with multiple adults who need to share some passwords and not others, a small business running its own infrastructure. Passbolt’s strength is the sharing model: you can give someone access to the “AWS credentials” group without giving them the “home network admin” group.

What it’s not for: Solo users. The setup overhead is hard to justify when you’re the only one logging in.

Browser extension: Passbolt has its own browser extension, separate from Bitwarden. The extension is required. Passbolt’s architecture uses end-to-end encryption where the extension holds your private key. The web interface without the extension is limited.

Resource requirements: Plan for at least 1 vCPU and 2GB RAM for the Passbolt container plus database. More if you’re running on shared hardware with other workloads.

Bitwarden (official self-hosted)

The official Bitwarden self-hosted option is the compliance-grade choice. It’s what you run when someone asks “can you give me a compliance report on your credential management” and you need to point to an official product with a real support contract.

The resource requirements are high for homelab standards. The official install script spins up multiple services including a dedicated MSSQL database, and you’ll want at least 2 vCPUs and 2GB RAM with room to grow. The self-hosted version is licensed separately from the cloud product and the licensing structure has changed a few times.

A newer single-container option, Bitwarden Unified, exists and runs on SQLite without MSSQL. The resource requirements are lighter than the legacy installer, but the licensing model and the need for official clients still make Vaultwarden the better homelab pick for anyone without a compliance requirement.

What it’s for: Organizations with compliance requirements, or teams that specifically need the official Bitwarden brand for audit purposes.

What it’s not for: Solo homelab users or small teams without compliance requirements. Vaultwarden gives you the same client experience at a fraction of the resource cost.

Honest note: Almost no one in the homelab community runs official Bitwarden self-hosted. The ones who do are usually running it for a small company where IT policy requires it. If you’re asking “which should I run for my homelab,” the answer is almost certainly Vaultwarden.

Decision framework

Run Vaultwarden if:

Run KeePassXC if:

Run Passbolt if:

Run official Bitwarden if:

The backup reality check

Whatever you choose, the biggest risk is not a security breach. It’s losing your passwords because you didn’t back up your database, or because your server died and the only copy was on that server.

Vaultwarden and Passbolt both store your entire vault in a single database file. Back it up daily. Test restoring from that backup at least once. Copy backups to a second location. Bitwarden official has more moving parts to back up, which is another argument against it for homelab use.

KeePassXC’s file-sync model handles this differently. Your .kdbx file is the thing, and wherever your sync service puts it is your backup strategy. Make sure your sync service keeps version history.

The Vaultwarden guide covers a practical daily backup approach using cron and a second storage location: Self-Hosting Your Password Manager: A Vaultwarden Deep-Dive.