Self-hosted password manager for teams (2026)
Teams that keep credentials on their own infrastructure avoid a third party holding every company secret. These self-hosted managers handle shared vaults, access control and Docker deployment; here is how they differ.
What teams need
Beyond a personal vault, teams need secure sharing with per-resource access, an audit trail, SSO/directory integration where possible, and a deployment (usually Docker) their ops team can run and back up. Recovery and offboarding matter as much as encryption.
Passbolt
Purpose-built for teams: OpenPGP key-based sharing, granular per-resource permissions, self-hostable Community Edition, EU-developed. The strongest pick when sharing is central.
Vaultwarden
Lightweight Bitwarden-compatible server with organizations and collections for sharing logins and files — ideal for small teams wanting Bitwarden’s apps cheaply.
Bitwarden (self-hosted)
The official server adds SSO, directory sync and organization policies for larger orgs with compliance needs, at a higher resource cost.
Psono
Company-focused with SAML/LDAP, audit logs and policy controls; free for small teams, priced per user at scale.
Where storage-p fits
storage-p adds a distinct model for teams handling infrastructure secrets: end-to-end sealed-box sharing between users, per-project organization, and scoped API tokens whose every read can require in-app or Telegram confirmation — so an integration or CI system gets exactly the access you approve, not an all-or-nothing export. It stores SSH/TLS keys and certificates alongside passwords, all zero-knowledge and self-hosted.
How to choose
Sharing-first team — Passbolt. Cheap and light — Vaultwarden. Enterprise compliance — official Bitwarden. Company with SSO/audit needs — Psono. Infrastructure secrets with confirmable, scoped machine access — storage-p.