Vaultwarden

The XDA piece on moving passwords, 2FA, and passkeys to Vaultwarden lands on a self-hosting trend that keeps gaining ground: a tiny Rust server, compatible with every Bitwarden client, running on a Raspberry Pi or an old NUC in a closet. Vaultwarden is the right answer for a lot of households. It isn’t the right answer for everyone. The official Bitwarden server is heavier but ships with the features that team admins actually need. Passbolt and Psono target companies that want auditing and group permissions. KeePassXC sidesteps the server question entirely.

We tested 7 Vaultwarden alternatives on desktop and ranked them against the same yardsticks: setup time on a fresh Debian install, restore-from-backup procedure, client compatibility, group sharing, and the daily-use friction that decides whether the household actually adopts it.

Quick comparison

AppBest forFree planStarting priceStandout feature
Bitwarden Self-HostedOfficial, full-featured stackYes, fully on-premFree, paid org from $3/user/moSame code as the cloud product
KeePassXCLocal-first, file-based vaultYes, fullyFreeNo server to run at all
PassboltTeam password sharingCommunity Edition, fully freePro from EUR 49/mo per 10 usersGPG-based end-to-end encryption
PsonoEnterprise self-hostingCommunity Edition, fully freeEnterprise from EUR 3/user/moLDAP, SAML, granular roles
PadlocLightweight modern UIYes, on-prem onlyFreeBuilt-in security report and breach checks
PassUnix-style minimalismYes, fullyFreeA GPG-encrypted directory of password files
TeampassBrowser-based team vaultYes, fullyFreePer-folder permissions and role tree

Why people leave Vaultwarden

Three reasons keep coming up across r/selfhosted and the Vaultwarden GitHub issues:

None of these are dealbreakers for a household. All of them matter for a 50-person company.

The 7 Vaultwarden alternatives

1. Bitwarden Self-Hosted, best for the official stack

Bitwarden ships the same software it runs on its cloud as a self-host package. The full deployment runs eleven containers (API, identity, web vault, attachments, admin, MSSQL, and friends) and uses a bit more memory than Vaultwarden, but every feature lands here first: passkey sync, SSO with key connector, directory sync, SCIM, the policy engine, and the new admin dashboard. Storage runs against Microsoft SQL Server by default, with a PostgreSQL-compatible build emerging in 2025. Bitwarden vs Vaultwarden in 2026: same clients, very different backend footprint.

Where it falls short: Memory and disk pressure on small VMs. A two-vCPU, 2 GB instance that runs Vaultwarden comfortably will struggle with the full Bitwarden stack and a database.

Pricing:

Migrating from Vaultwarden: Export each vault to encrypted JSON from the web UI, import into Bitwarden. Folder structure and attachments transfer cleanly. Org migration requires re-inviting members and re-sharing collections by hand. Allow an evening for a household, a weekend for a 20-person team.

Download: Bitwarden Self-Hosting

Bottom line: Pick this when the household has grown into a team and you need features Vaultwarden hasn’t merged yet.

2. KeePassXC, best for the no-server option

KeePassXC is the cross-platform fork of KeePass that runs on every desktop with no server at all. The vault is a single .kdbx file that you sync with whatever you already use, Syncthing, Nextcloud, iCloud, OneDrive, or a USB stick. It supports passkeys (added in 2.7.x), browser integration through KeePassXC-Browser, TOTP, attachments, and SSH agent integration. KeePassXC vs Vaultwarden in 2026: opposite philosophies. Vaultwarden runs a server so multiple devices stay in sync automatically. KeePassXC delegates sync to whatever you already trust.

Where it falls short: Conflict resolution is your problem. If two devices write to the same vault file while offline, KeePassXC will not magically merge them. Mobile is also weaker: KeePass2Android and Strongbox are good, but they aren’t first-party.

Pricing:

Migrating from Vaultwarden: Export Vaultwarden to encrypted JSON, then convert with KeePassXC’s import wizard. Folders become groups, custom fields transfer, attachments come along. Passkeys do not migrate cleanly and have to be re-registered with each site.

Download: keepassxc.org

Bottom line: Pick this when you want to stop running a server and trust your sync provider with the encrypted file.

3. Passbolt, best for team sharing

Passbolt was built for teams from day one. The threat model is GPG-based end-to-end encryption: each user has a key, shared passwords are re-encrypted per recipient, and the server never sees a plaintext credential. The Community Edition is fully free, runs on Debian or Docker, and ships with a browser extension and a usable web UI. Passbolt vs Vaultwarden in 2026: Passbolt’s permission model is finer-grained, but the UI is the price you pay.

Where it falls short: The web UI is more friction than Bitwarden clones. Onboarding a non-technical teammate involves explaining GPG keys, exporting recovery kits, and importing into a browser extension. Mobile apps exist (iOS and Android) but lag the desktop experience.

Pricing:

Migrating from Vaultwarden: Export Vaultwarden to CSV, then import through Passbolt’s CSV importer. Folders become tags. Shared organisation entries do not automatically map to Passbolt’s permission model; expect to redo the sharing matrix.

Download: passbolt.com/community-downloads

Bottom line: Pick this when a small company needs proper sharing and is willing to learn one GPG concept.

4. Psono, best for enterprise self-hosting

Psono is the German-built enterprise option for self-hosters who want LDAP, SAML, granular roles, and a written security review without paying Bitwarden’s enterprise tier. The Community Edition is open-source and free for unlimited users; the Enterprise build adds SSO, audit logging, and prioritised support. Psono vs Vaultwarden in 2026: aimed at the same self-hosting crowd but with the IT department in mind.

Where it falls short: The Community Edition omits features that mid-sized teams expect (audit log retention, SAML, hardware security module support). Browser extensions are competent but not as polished as Bitwarden’s.

Pricing:

Migrating from Vaultwarden: Export Vaultwarden, convert through Psono’s CSV importer. Sharing reorganises itself around Psono’s group model, which is closer to Active Directory than to Bitwarden Collections. Plan for a weekend if the team is over 25 people.

Download: psono.com

Bottom line: Pick this when a company needs LDAP/SAML and the Bitwarden Enterprise sticker shock is too much.

5. Padloc, best for a modern lightweight UI

Padloc is the answer for self-hosters who liked Vaultwarden’s minimal footprint but wanted a more polished interface. It runs on a single Node.js process, talks WebSockets for live sync, and ships a web vault, browser extension, and mobile apps. The free tier covers everything an individual or small family needs. Padloc vs Vaultwarden in 2026: similar resource budget, more modern UI, smaller ecosystem.

Where it falls short: The community around Padloc is smaller than Vaultwarden’s, so third-party tools (CLI, sync helpers, status pages) are thinner. Enterprise features are minimal.

Pricing:

Migrating from Vaultwarden: Padloc imports Bitwarden’s CSV export directly. Folders and basic items come over. Custom field types and attachments need a manual pass.

Download: padloc.app

Bottom line: Pick this when the UI matters more than the feature checklist and you don’t need org-level controls.

6. Pass (the standard unix password manager), best for terminal-first users

Pass stores each password in a GPG-encrypted file inside a Git repository. That is the whole product. There is no GUI, no web vault, no server: a developer’s shell, a GPG key, and a remote Git repo are the entire stack. Plug-ins extend it with TOTP, browser auto-fill (browserpass), and Android/iOS clients. Pass vs Vaultwarden in 2026: maximally minimalist, maximally portable, no GUI handholding.

Where it falls short: Not a fit for anyone who isn’t comfortable in a terminal. Sharing requires teaching each recipient how to import a GPG key. Family members are not going to use it.

Pricing:

Migrating from Vaultwarden: A community script reads Bitwarden’s encrypted JSON export and writes one .gpg file per entry. Folder structure becomes directory hierarchy. Attachments do not transfer.

Download: passwordstore.org

Bottom line: Pick this when you live in the terminal and your password manager doesn’t need a UI.

7. Teampass, best for browser-based team folders

Teampass is the long-running PHP/MySQL self-hosted password manager for organisations that want a browser-only interface with per-folder permissions. It predates Bitwarden’s clones by several years and remains a sensible pick for teams that have a LAMP stack and don’t want to add another runtime. Teampass vs Vaultwarden in 2026: a different aesthetic, but the permission tree is harder to outgrow.

Where it falls short: The UI is dated and lacks the niceties (passkey support, mobile apps as polished as Bitwarden’s) that newer alternatives offer. The codebase is PHP, which some teams view as a security trade-off.

Pricing:

Migrating from Vaultwarden: Export Vaultwarden to CSV, then run Teampass’s import. The folder hierarchy maps almost directly. Per-collection sharing has to be re-modelled as Teampass roles.

Download: teampass.net

Bottom line: Pick this when a small organisation already runs LAMP and wants a browser-only password manager.

How to choose

FAQ

Is Bitwarden’s official server better than Vaultwarden?

Bitwarden’s official server is more complete and more conservative. It ships every feature first, supports every enterprise integration, and runs the same code Bitwarden hosts in production. Vaultwarden is lighter, runs on a quarter of the hardware, and is fine for a household. The right choice depends on whether you need the enterprise feature surface or just a personal vault.

Can I run a self-hosted password manager on a Raspberry Pi?

Yes for Vaultwarden, KeePassXC (file only, no server), Padloc, and Pass. Bitwarden Self-Hosted will run on a Raspberry Pi 4 with 4 GB of RAM but you’ll feel the database under load. Psono and Passbolt sit somewhere in between.

What is the most secure self-hosted password manager?

All seven projects use audited encryption at rest. The threat model that varies is the server: KeePassXC and Pass never have a plaintext server-side, while Vaultwarden, Bitwarden, Padloc, Psono, and Passbolt rely on master-password-derived keys never leaving the client. Passbolt’s per-recipient GPG re-encryption is the most paranoid model when shared credentials are the threat.

Will my Bitwarden clients work with these alternatives?

Bitwarden’s official clients work with Bitwarden Self-Hosted, Vaultwarden, and (via API mode) Padloc. They do not work with KeePassXC, Pass, Passbolt, Psono, or Teampass, each of those ships its own clients.

How do I migrate from Vaultwarden without losing 2FA codes?

Export Vaultwarden to encrypted JSON, then import into the target. TOTP secrets travel as part of the entry, so existing 2FA codes keep working in the new vault. Passkeys are tied to the origin and have to be re-registered with each site, regardless of which vault you move to.

What is the cheapest Vaultwarden alternative?

Every alternative on this list has a free, fully-featured tier for self-hosting. KeePassXC and Pass have the lowest running cost because they don’t need a server at all.