Vaultwarden vs Passbolt: Which Self-Hosted Password Manager for Your Team?

Somebody on your team just pasted the production database password into Slack again. You knew it was time for a proper password manager months ago; you just didn't want to pay per-seat pricing for the privilege of storing your own secrets. Good news: two solid open-source options let you run the whole thing on your own server, and they take very different approaches to the same problem.

I've deployed both. Here's how Vaultwarden and Passbolt actually compare when you put them in front of a real team.

The TL;DR

Vaultwarden is a lightweight Rust reimplementation of the Bitwarden server. You get the entire polished Bitwarden client ecosystem (browser extensions, mobile apps, desktop apps) talking to a tiny server you control.

Passbolt is a team-first password manager built around OpenPGP. Every credential is encrypted with the public key of each person it's shared with, which makes sharing and revocation genuinely granular.

If your team already thinks in terms of personal vaults with some shared folders, Vaultwarden feels natural. If your team exists mostly to share credentials with fine-grained control, Passbolt was designed for exactly that.

Two Very Different Architectures

Vaultwarden uses the Bitwarden model: your master password derives an encryption key on the client, and everything in your vault is encrypted before it ever reaches the server. The server is essentially a synchronization point for encrypted blobs. Organization sharing works through a shared organization key that members hold.

Passbolt goes another way entirely. Each user has a personal OpenPGP key pair. When you share a password with three colleagues, the server stores that secret encrypted three separate times, once per recipient public key. Revoking access means re-encrypting for the remaining members. It's more cryptographic bookkeeping, but it maps directly onto "who can see what," and the audit trail reflects it.

In practice: Vaultwarden's model is simpler and battle-tested by millions of Bitwarden users. Passbolt's model gives you per-resource access control that security teams tend to love.
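
The client-side derivation in the Bitwarden model, as an added example (not code from Vaultwarden or the Bitwarden clients). It follows the PBKDF2 scheme in Bitwarden's published security documentation and shows which keys stay on the client and which value is sent for login. Assumptions: the PBKDF2 option with 600,000 iterations is in use, and the account values are constructed.

```python
import base64
import hashlib
import hmac


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive(email: str, master_password: str, iterations: int = 600_000) -> dict:
    """Client-side derivation: returns what stays local and what is sent."""
    salt = email.strip().lower().encode()  # the account email is the salt
    password = master_password.encode()
    # Master key: computed on the client and never transmitted.
    master_key = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, 32)
    # Stretched into separate encryption and MAC keys that protect the vault key.
    enc_key = hkdf_expand(master_key, b"enc")
    mac_key = hkdf_expand(master_key, b"mac")
    # Login hash: one further PBKDF2 round over the master key. This is the
    # value sent to the server for authentication; it cannot be turned back
    # into the master key, so the server cannot decrypt the vault with it.
    login_hash = hashlib.pbkdf2_hmac("sha256", master_key, password, 1, 32)
    return {
        "local": {"master_key": master_key, "enc_key": enc_key, "mac_key": mac_key},
        "sent_to_server": base64.b64encode(login_hash).decode(),
    }


if __name__ == "__main__":
    # Constructed account values, for illustration only.
    result = derive("alice@example.internal", "correct horse battery staple")
    print("sent to server:", result["sent_to_server"])
    print("kept on client:", sorted(result["local"]))
```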

Client Experience

This is Vaultwarden's strongest card. Because it implements the Bitwarden API, you use the official Bitwarden apps: extensions for every major browser, iOS and Android apps with biometric unlock, desktop clients, even the CLI. Autofill works the way people expect. Onboarding a non-technical teammate takes five minutes.

Vaultwarden also unlocks features that normally sit behind a Bitwarden subscription, like the built-in TOTP authenticator and emergency access, at no license cost since the project is open source under AGPLv3.

Passbolt is browser-extension-first. The extension (Chrome, Firefox, Edge) is mandatory because it holds your private key and does the crypto. Mobile apps for iOS and Android exist and have matured nicely, but the day-to-day experience is more "open the extension, find the credential" than the seamless autofill-everywhere feel Bitwarden clients deliver. For an ops team sharing server credentials, that's fine. For your whole company including the sales team, expect more questions.

Team Features Side by Side

| Feature | Vaultwarden | Passbolt CE |
|---|---|---|
| Sharing model | Organizations and collections | Per-resource, per-user or group |
| Clients | Official Bitwarden apps (all platforms) | Browser extension required, mobile apps |
| Built-in TOTP | Yes | Yes (stored per resource) |
| LDAP / SSO | No native LDAP, SSO via reverse proxy tricks | Paid Pro edition |
| Database | SQLite, MySQL or PostgreSQL | MariaDB / MySQL |
| Typical RAM footprint | Under 256 MB | 2 GB recommended |
| SMTP required | Optional (recommended) | Mandatory |

One honest note on Passbolt: some of the features a larger org wants, like LDAP synchronization, SSO, and advanced audit reporting, live in the paid Pro edition. The Community Edition is genuinely usable for small teams, but check the feature matrix before you commit.

Running Them: Ops and Cost

Vaultwarden is famously light. It's a single Rust binary with SQLite by default, happily serving a 50-person team in under 256 MB of RAM. Backups are "copy the data folder." Upgrades are "pull the new container."

Passbolt is a PHP application with MariaDB behind it and a mandatory SMTP server for account recovery and notifications. It's not hard to run, but it has more moving parts.

Neither has per-user license fees, which is the entire point. Your cost is infrastructure: on Elestio, a 2 CPU / 4 GB RAM instance at $16/month runs either of them comfortably for a whole team, with automated backups, updates, and SSL handled for you. Compare that to per-seat SaaS pricing that scales with every hire, and the math settles itself quickly for teams of ten or more.

So Which One?

Pick Vaultwarden if you want the best client experience for the least operational effort, your team includes non-technical users, or people also want personal vaults alongside shared collections. For most teams, this is the answer.

Pick Passbolt if credential sharing with granular, key-based access control is the core requirement, you have a security or compliance reason to want per-resource encryption, and you're comfortable with the extension-centric workflow (or budget for Pro).

Troubleshooting Common Gotchas

Vaultwarden: mobile apps won't connect. The Bitwarden apps require HTTPS with a valid certificate, not self-signed. Put Vaultwarden behind a proper TLS endpoint before testing mobile. On Elestio this is handled out of the box.

Vaultwarden: new users can't register. Registration is open by default. You almost certainly want to disable it (SIGNUPS_ALLOWED=false) and rely on invitations instead. If invites fail, your SMTP settings are the first place to look.

Passbolt: stuck at account setup email. Passbolt cannot function without working SMTP. Run passbolt healthcheck and fix anything red under the email section before debugging anything else.

Passbolt: user lost their private key. There's no master reset that recovers their secrets. An admin can re-invite the user, but passwords shared only with them must be re-shared by other members. Tell your team to back up their recovery kit on day one.
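
A pre-deployment check for the two Vaultwarden gotchas above, as an added example (not part of Vaultwarden). It audits an env file for open registration, a non-HTTPS DOMAIN, and missing SMTP settings; it does not verify that the certificate itself is valid. DOMAIN, SMTP_HOST and SMTP_FROM are Vaultwarden settings not named in this article, and the hostnames are constructed.

```python
WEAK_ENV = """\
# constructed sample: Vaultwarden env file with the defaults left in place
DOMAIN=http://vault.example.internal
# SIGNUPS_ALLOWED is unset, so registration stays open
SMTP_HOST=
"""

FIXED_ENV = """\
# constructed sample: the same file after applying the fixes above
DOMAIN="https://vault.example.internal"
SIGNUPS_ALLOWED=false
SMTP_HOST=smtp.example.internal
SMTP_FROM=vault@example.internal
"""


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines, skipping comments and stripping quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip("\"'")
    return env


def audit(text: str) -> list:
    """Return one finding per gotcha still present in the env file."""
    env = parse_env(text)
    findings = []
    # Unset means the default applies, and the default is open registration.
    if env.get("SIGNUPS_ALLOWED", "true").lower() != "false":
        findings.append("SIGNUPS_ALLOWED is not false: registration is open")
    if not env.get("DOMAIN", "").lower().startswith("https://"):
        findings.append("DOMAIN is not an https:// URL: mobile apps will not connect")
    # Invitations are delivered by email, so closed signups need working SMTP.
    missing = [k for k in ("SMTP_HOST", "SMTP_FROM") if not env.get(k)]
    if missing:
        findings.append("SMTP not configured (" + ", ".join(missing) + "): invites cannot be sent")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_ENV), ("fixed", FIXED_ENV)):
        print(name, audit(text) or "no findings")
```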

Wrapping Up

Both projects are mature, actively maintained, and dramatically cheaper than per-seat SaaS once your team grows. Vaultwarden wins on polish and footprint, Passbolt wins on team-centric access control. You can deploy a fully managed Vaultwarden on Elestio in a few clicks and have your team's vault running before lunch, with backups and updates already taken care of.

Thanks for reading ❤️ See you in the next one 👋