storage-p

Best self-hosted password managers in 2026 (open source)

Self-hosting a password manager keeps your credentials off other companies’ servers and under your own control. These are the strongest options in 2026, what each is best at, and where storage-p fits.

What to look for

A good self-hosted manager gives you real control without new risks: end-to-end (zero-knowledge) encryption so the server never sees plaintext, an easy deployment (ideally one Docker container), open or transparent internals, and a sane backup and recovery story. The trade-off is that patching and uptime are now your job.

Vaultwarden

A lightweight Bitwarden-compatible server written in Rust, using well under 50 MB of RAM and running from a single Docker container. It works with all official Bitwarden clients, which makes it the default pick for individuals and families who want Bitwarden’s apps without the heavy official server.

Bitwarden (official self-hosted)

The official server is the enterprise standard — annual third-party audits, SSO, directory sync and organization policies — but it is heavier (2 GB+ RAM, a real database) to run and maintain. Choose it when you need compliance features and vendor support.

Passbolt

Open-source and built for teams around an OpenPGP public-private-key model, with granular per-resource sharing. Developed in the EU (Luxembourg), Community Edition is free and self-hostable. Best when secure sharing across a team is the priority.

Psono

A self-hosted manager aimed at companies, with SAML/LDAP, audit logs and compliance policies. Free for small teams; larger deployments are priced per user.

KeePassXC (no-server option)

Not a server at all: a single encrypted KDBX file you sync yourself (Syncthing, Nextcloud). Zero server attack surface and hardware-key support, at the cost of manual multi-device sync.

Where storage-p fits

storage-p is a self-hosted, zero-knowledge vault: your key is derived in the browser with Argon2id and the server only ever stores XChaCha20-Poly1305 ciphertext, with the database additionally encrypted at rest via SQLCipher. Beyond passwords it holds SSH/TLS keys, API keys and TOTP, generates Ed25519 keys client-side, and issues scoped API tokens whose reads can require your in-app or Telegram confirmation. It deploys as a container behind Caddy.

How to choose

Want Bitwarden’s apps with minimal resources — Vaultwarden. Need enterprise compliance — official Bitwarden. Team sharing first — Passbolt or Psono. No server at all — KeePassXC. Want browser-side zero-knowledge plus SSH/TLS/API/TOTP in one owned vault — storage-p.