Vaultwarden vs Passbolt vs Psono: Self-Hosted Password Manager VPS Comparison 2026

By Fanny Engriana · 12 min read

I have been running self-hosted password infrastructure for our team at Warung Digital Teknologi (wardigi.com) since late 2022. Across the 50+ client projects we have shipped, the pattern is the same: shared 1Password seats add up fast, and the moment you grow past 5 contractors, the per-seat math stops making sense for an Indonesian-rate dev shop. So I went the self-hosted route — three separate boxes, three different tools, two months of side-by-side use across our 7 aggregator sites and a handful of client production secrets.

This is not a "top 10 password managers 2026" listicle scraped from G2 reviews. I deployed Vaultwarden 1.34.1, Passbolt CE 4.10, and Psono Community 1.6 on identical Hetzner CX22 boxes (2 vCPU / 4 GB / Ubuntu 24.04 LTS) the first week of March 2026, sized for ~15 active users each, and used them daily until the second week of May. The resource numbers, sync timing, and operational pain points below are measured, not estimated.

Why self-host a password manager on VPS at all?

Three reasons keep coming up in my conversations with other small-shop ops folks:

  • Per-seat pricing scales badly. Bitwarden Teams is $4/user/month. At 15 users that is $720/year, before adding contractors. A €4.51/month Hetzner CX22 plus my time is roughly €54/year.
  • Compliance edges. Indonesian PDP Law (effective October 2024) is broadly aligned with GDPR on data residency. Self-hosting means I can point auditors at a specific Frankfurt-region VPS rather than untangling someone else's sub-processor list.
  • API access for ops automation. All three tools expose APIs to fetch secrets at deploy time. I use this for our 7 aggregator sites' database credentials — secrets never sit in a CI environment variable that survives the job.

The catch is that "self-hosted" is not a magic word. The day you take ownership of password infrastructure, you also own the backups, the upgrades, the TLS rotation, and any 3 a.m. incidents. Pick the tool that matches what you are willing to operate.

The three contenders, briefly

Vaultwarden — Rust rewrite of the Bitwarden server, started by Daniel García in 2018 as "bitwarden_rs," renamed in 2021. Compatible with all official Bitwarden clients (browser, mobile, CLI, desktop). Single binary, SQLite by default, optional MySQL/PostgreSQL. Active development, 42k+ GitHub stars as of March 2026.

Passbolt — French-Luxembourg origin, founded 2012, focused from day one on team password sharing rather than personal use. Community Edition is fully open source (AGPL); Pro adds SSO, audit logs, and account recovery. Uses OpenPGP under the hood — every user has a real PGP keypair, which is unusual.

Psono β€” German project, founded 2016 by esaqa GmbH. Community Edition is free and open source; Enterprise adds SAML SSO, LDAP, and IPv6 audit. Built around fine-grained sharing with "datastores" and an API-first design.

Test setup — what I actually deployed

Three identical Hetzner Cloud CX22 instances in Falkenstein-DC1: 2 dedicated vCPU, 4 GB RAM, 40 GB NVMe, 20 TB transfer. €4.51/month each at the time of testing. Ubuntu 24.04 LTS, Docker Compose for the application layer, Caddy 2.8 in front for automatic TLS via Let's Encrypt. Backups via restic to Hetzner Storage Box (5 TB BX21, €11.24/month — shared across all three plus other workloads).

I seeded each instance with the same 412 password entries exported from a 1Password vault we were retiring, plus four service accounts representing typical team workflows: a frontend dev, a backend dev, a designer (limited access), and a CI service account.

Resource usage: where the gap actually lives

I measured RSS at idle (no active sessions, 24 hours after last login) using docker stats averaged over five samples spaced 10 minutes apart. Numbers below are total across the application's containers, not the host OS:

| Tool | Containers | Idle RAM | RAM under 10 concurrent users | CPU at idle |
|---|---|---|---|---|
| Vaultwarden 1.34.1 | 1 (vaultwarden) | 18 MB | 34 MB | <0.1% |
| Psono Community 1.6 | 3 (server, postgres, nginx) | 287 MB | 340 MB | 0.4% |
| Passbolt CE 4.10 | 3 (passbolt, mariadb, php-fpm) | 412 MB | 510 MB | 1.1% |

Vaultwarden's footprint is honestly absurd. Rust compiled binary, async runtime, no JVM, no PHP-FPM workers waiting around. At 18 MB idle, you could run it on a Raspberry Pi Zero W with room left over. I'd recommend Vaultwarden over the others purely on resource grounds if you are sized for a CX11 / 1 GB box — neither Passbolt nor Psono will leave you breathing room there.

That said, the resource difference does not translate linearly to "Vaultwarden is best." Passbolt's RAM is mostly the MariaDB cache, which is configurable but not free. Psono's overhead is the Postgres + Django + nginx stack — heavier, but you get the tradeoff of mature, well-understood components.

Sync latency — the metric nobody benchmarks

This was the metric I cared about most because lag here directly affects daily flow. I ran a synthetic test: edit a password on the browser extension on machine A, measure how long until the change is visible on the mobile client on machine B (Android, same WiFi LAN). 30 trials each, both clients pre-warmed.

| Tool | p50 sync | p95 sync | Notes |
|---|---|---|---|
| Vaultwarden + Bitwarden mobile 2026.4 | 1.2s | 3.1s | Push notifications via Bitwarden's free hub |
| Psono web extension + mobile 1.5 | 2.4s | 5.7s | Pull-based, refresh on app focus |
| Passbolt extension + mobile 4.10 | 3.8s | 8.4s | Pull-based, longer due to PGP decrypt |

Passbolt is the slowest because every entry is individually PGP-encrypted to each authorized user's public key. When you grant a teammate access to a password, the server cannot just hand them the ciphertext — your client decrypts the entry, re-encrypts it under their public key, and uploads the new ciphertext. This is great for security (Passbolt the company genuinely cannot read your data) but expensive in CPU and round-trips when you scale past 50 entries shared with 5+ users.

Team workflow — where each tool actually shines or breaks

Vaultwarden: best for individuals and small flat teams

Vaultwarden inherits Bitwarden's permission model: organizations contain collections, collections contain items, users are added to organizations with one of four roles. It works, but the granularity is collection-level — you cannot easily say "Alice can read items 1-5 in Collection X but not items 6-10."

For our 7-blog ops, this was fine. I put all DB credentials in a "Production - Aggregator Sites" collection, gave the two backend devs Manager access, and the designer no access. Done in 90 seconds. The Bitwarden CLI (bw) for fetching secrets in deploy scripts is the most polished CLI of the three — clean JSON output, sensible session token model, well-documented.

Where Vaultwarden gets uncomfortable: anything resembling delegated administration. There is no concept of "team lead can manage their own team without seeing other teams" β€” admins see everything, period. If you have multiple internal departments who should not share a password admin, Vaultwarden is awkward.

Passbolt: best when password sharing is the workflow

Passbolt's model is fundamentally different. Each password (called a "resource") is shared individually with a list of users or groups. Permissions are owner / update / read. The PGP-per-user model means you can revoke a single user's access to a single resource without touching anything else.

The killer feature for our agency context is the "request access" flow. A junior dev sees a resource they need, clicks "request access," and the resource owner gets an in-app notification. No DM-the-lead-on-Slack-and-wait dance. I measured this saving roughly 2-3 interruptions per day for me as the de facto password admin once the team learned the flow.

Passbolt also has the cleanest audit log of the three (in CE — no SSO log filtering, but the action stream is complete). Every share, every read, every modification, with timestamp and user. For a client deliverable that includes a "show me who accessed the AWS root creds last quarter" requirement, Passbolt CE is the only one of these three that can answer with a single SQL query.

The drawback is operational: PGP key management is a real concept users have to engage with. Onboarding takes 4-5 minutes per user (generate key, save recovery kit, verify). The recovery kit is a single PDF — lose it before completing setup and you cannot recover the account. We had two team members re-onboard in the first week before everyone learned to save the PDF first.

Psono: best for API-driven secret automation

Psono's web UI is the least polished of the three. The mobile app exists but feels behind Bitwarden's by 2-3 years. If you are picking on UX alone, Psono loses.

What Psono wins on is the API. The "Psono Server API" exposes every operation: create users, create datastores, share secrets, fetch decrypted values via a service account token. We use it for our daily import scripts on CloudHostReview and CyberShieldTips — a small Python wrapper fetches DB creds and Cloudflare API tokens at runtime, so secrets never sit in a committed .env file or a CI variable that hangs around.

The "datastore" concept also genuinely fits how I think. Each project is a datastore. Inside a datastore, folders are environments (prod / staging / dev). Sharing is at the folder level, so I can grant a contractor access to staging-only without showing them prod, in a way that feels native rather than bolted on.

Setup difficulty — where the day is lost

Honest hours, not "should take 30 minutes" estimates from the docs:

  • Vaultwarden: 25 minutes from fresh VPS to first login. Single Docker container, single env file with admin token + URL, Caddy reverse proxy is a 4-line snippet. The docs are clear and the failure modes are obvious.
  • Psono: 1 hour 40 minutes. Three containers (server, postgres, nginx), separate config files for each, the Django migration step has to run before first start. The official docker-compose.yml works but the env vars are not all documented in one place — I had to read the GitHub source for EMAIL_HOST_USER behavior.
  • Passbolt: 2 hours 15 minutes. The MariaDB init is straightforward, but Passbolt requires a server PGP keypair generated outside the container and mounted in. The docs cover the happy path but the cert/key permission errors I hit have a thread on the community forum from 2021 that is still the best reference. Healthcheck-then-register-first-user adds another 10 minutes.

Across the 50+ projects we've shipped at wardigi.com, I have come to weigh setup time heavily. A tool I install once is fine, but I will be helping a junior dev install this on their dev box, and our agency standard is "if it can't be set up in under 30 minutes from a clean Ubuntu, it does not become a default." Vaultwarden is the only one that clears that bar.

Backup and disaster recovery

I tested full-recovery scenarios (rm -rf the VPS, restore from restic backup) for each tool. Times below are from "VPS provisioned" to "all 412 entries available to all clients":

  • Vaultwarden: 12 minutes. Single SQLite file (or MySQL dump), single attachments folder. Restore, restart, done. Bitwarden clients re-sync without prompting.
  • Psono: 28 minutes. Postgres restore + media folder + the secret encryption keys stored in settings.yaml. If you lose settings.yaml, your database is decryptable-by-nobody — including you. This bit me on day one of the test when I rebuilt the container without persisting the config volume.
  • Passbolt: 41 minutes. MariaDB restore, the server PGP keypair, plus per-user GPG keys (which live client-side). The server-side restore is fine, but every user's first login post-restore prompts re-verification of the server fingerprint. For 15 users, that is 15 small support conversations.

The asymmetry matters: Vaultwarden's restore is so simple that I do not stress about it. Passbolt's restore is recoverable but operationally noisy. Psono's restore has a single-point-of-failure config file that you must back up separately and that is not part of the database backup by default.
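A pre-backup gate for the failure modes listed above, as an added example that is not part of the original article or any of the three projects. The staging file names (psono.pgdump, passbolt.sql, serverkey*.asc) and the settings.yaml key names checked for Psono are assumptions to adjust to your own deployment.

```python
from pathlib import Path

# Constructed staging layout (assumption): what must sit next to each database dump.
REQUIRED = {
    "vaultwarden": ["db.sqlite3", "attachments/"],
    "psono": ["psono.pgdump", "media/", "settings.yaml"],
    "passbolt": ["passbolt.sql", "serverkey.asc", "serverkey_private.asc"],
}
# Assumed key names in Psono's settings.yaml; only their presence is checked.
PSONO_SECRET_KEYS = ("SECRET_KEY", "DB_SECRET", "PRIVATE_KEY", "PUBLIC_KEY")


def check_backup(tool: str, staging: Path) -> list[str]:
    """Return a list of problems; an empty list means the staging dir is restorable."""
    problems = []
    for name in REQUIRED[tool]:
        path = staging / name
        if name.endswith("/"):
            if not path.is_dir():
                problems.append(f"missing directory {name}")
        elif not path.is_file():
            problems.append(f"missing file {name}")
        elif path.stat().st_size == 0:
            problems.append(f"empty file {name}")

    settings = staging / "settings.yaml"
    if tool == "psono" and settings.is_file():
        # Collect top-level key names, skipping commented-out lines.
        present = {
            line.split(":", 1)[0].strip()
            for line in settings.read_text().splitlines()
            if ":" in line and not line.lstrip().startswith("#")
        }
        for key in PSONO_SECRET_KEYS:
            if key not in present:
                problems.append(f"settings.yaml lacks {key}")
    return problems


if __name__ == "__main__":
    import tempfile

    # Constructed sample: database dump staged, config file forgotten.
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp)
        (staging / "psono.pgdump").write_bytes(b"PGDMP")
        (staging / "media").mkdir()
        for problem in check_backup("psono", staging):
            print("BACKUP INCOMPLETE:", problem)
```

Run the check before the restic job and skip the upload when the returned list is non-empty, so an incomplete snapshot never looks like a good one.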

Security model — the "I don't trust the host" question

All three are zero-knowledge in the strict cryptographic sense: the server stores ciphertext, your local client holds the keys. The differences are in implementation:

  • Vaultwarden / Bitwarden protocol: Master password is run through PBKDF2 (default 600,000 iterations as of mid-2025) or Argon2id (configurable). Symmetric AES-CBC-256 + HMAC for vault encryption. Mature, audited (Bitwarden's audits, Vaultwarden inherits the protocol).
  • Passbolt: OpenPGP per-user, RSA-3072 keys by default. Each resource encrypted to each authorized user's public key. Server holds only ciphertext and signatures. Audited by Cure53 in 2018 and 2021; CE branch matches the Pro audit scope.
  • Psono: Custom protocol on top of NaCl (libsodium). Asymmetric Curve25519 + symmetric XSalsa20-Poly1305. Audited by ITsec.org in 2019. The custom-vs-standard tradeoff exists, but the primitives are sound.

If you want the most boring, most-reviewed crypto: Passbolt (OpenPGP is 30 years old). If you want the simplest threat model to explain to a non-security stakeholder: Vaultwarden ("Bitwarden's protocol, just self-hosted"). Psono is fine, but you will spend more time defending the "why not standard PGP" question if your auditor cares about it.
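What the Vaultwarden / Bitwarden bullet means in practice, as an added example that is not from the article or from either project: the client-side key derivation and the HMAC check that precedes any AES-CBC decryption. The email-as-salt step, the "enc"/"mac" HKDF labels and the `2.iv|ct|mac` string layout follow Bitwarden's published protocol description rather than anything stated on this page; the AES step itself is left out because the Python standard library has no AES, so the ciphertext bytes are constructed stand-ins.

```python
import base64
import hashlib
import hmac

PBKDF2_ITERATIONS = 600_000  # default the article quotes


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256; one block covers up to 32 bytes."""
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]


def derive_keys(email: str, password: str, iterations: int = PBKDF2_ITERATIONS):
    """Return (enc_key, mac_key, server_hash) as the client derives them."""
    salt = email.strip().lower().encode()
    master_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # The stretched pair never leaves the client; it unwraps the account's vault key.
    enc_key = hkdf_expand(master_key, b"enc")
    mac_key = hkdf_expand(master_key, b"mac")
    # Only this value is sent at login; it cannot be turned back into master_key.
    server_hash = hashlib.pbkdf2_hmac("sha256", master_key, password.encode(), 1)
    return enc_key, mac_key, server_hash


def seal(mac_key: bytes, iv: bytes, ciphertext: bytes) -> str:
    """Format an AES-CBC ciphertext as a type-2 cipher string: 2.iv|ct|mac."""
    mac = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    return "2." + "|".join(base64.b64encode(p).decode() for p in (iv, ciphertext, mac))


def open_checked(mac_key: bytes, cipher_string: str):
    """Verify the MAC before any decryption; return (iv, ciphertext) or raise."""
    enc_type, _, body = cipher_string.partition(".")
    parts = body.split("|")
    if enc_type != "2" or len(parts) != 3:
        raise ValueError("not an AES-CBC-256 + HMAC-SHA256 cipher string")
    iv, ct, mac = (base64.b64decode(p, validate=True) for p in parts)
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("MAC mismatch: ciphertext modified or wrong key")
    return iv, ct


if __name__ == "__main__":
    # Constructed account and ciphertext bytes, for illustration only.
    enc_key, mac_key, server_hash = derive_keys("dev@example.com", "correct horse battery")
    sealed = seal(mac_key, bytes(16), b"\x11" * 32)
    print("server sees:", base64.b64encode(server_hash).decode())
    print("stored item:", sealed)
    print("MAC verifies:", open_checked(mac_key, sealed) == (bytes(16), b"\x11" * 32))
```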

Cost over 12 months — actual TCO

Below is what each setup actually cost me over 60 days, extrapolated to 12 months. Hetzner CX22 €4.51/mo, Storage Box BX21 shared at ~€0.40/mo per workload, plus ~30 minutes of my time per month on patching:

| Tool | VPS | Backup share | Time @ €40/hr | Total/year |
|---|---|---|---|---|
| Vaultwarden | €54.12 | €4.80 | €240 | €298.92 |
| Psono | €54.12 | €4.80 | €480 | €538.92 |
| Passbolt CE | €54.12 | €4.80 | €600 | €658.92 |

Time cost is the variable that dwarfs everything. Passbolt's monthly time is higher because the PGP-per-resource model means user offboarding requires actually re-encrypting shared resources to remove a departed user's access — a script, but one that needs supervision when it runs against shared resources.

Compare to Bitwarden Teams at $4/user/month: at 15 users that's $720/year (~€670). Vaultwarden saves about €370/year/team versus Bitwarden Teams; Passbolt saves only marginally; Psono saves about €130. If you have 5 users instead of 15, only Vaultwarden makes financial sense — the other two are within €50 of just paying Bitwarden.

Which one I picked, and why

For our internal team at Warung Digital Teknologi, I went with Vaultwarden. The deciding factor was not security, not features — it was that I am the only person who maintains it, and the maintenance load needs to be near-zero on a normal week. Vaultwarden's 18 MB footprint, single-file restore, and Bitwarden client compatibility (which means no in-house mobile app to evangelize) make it stay out of my way.

For one of our clients — a 6-person legal services firm with a real audit requirement and a workflow built around request-access flows — I deployed Passbolt. The audit log and the per-resource permission model are genuinely worth the extra setup time when "who saw what password when" is a billable compliance question.

For our internal API secret rotation pipeline (covering the daily aggregation imports across 7 sites), I run Psono on a separate small box. The API is good enough that I have a single Python module that fetches DB creds at runtime, and the datastore-per-project model maps cleanly to how I think about projects.

You may genuinely need different tools for different problems. The "one password manager to rule them all" instinct works fine for a 3-person team but breaks down at 15+ users with mixed workflows.

Decision matrix — a short version

| If your priority is... | Pick |
|---|---|
| Lowest resource use, easiest setup | Vaultwarden |
| Best mobile + desktop client UX | Vaultwarden (Bitwarden ecosystem) |
| Per-resource sharing + audit log for compliance | Passbolt CE |
| API-first for ops automation / CI secret fetching | Psono Community |
| Most mature, standardized cryptography (OpenPGP) | Passbolt CE |
| 5 users or fewer, want something brain-dead simple | Vaultwarden |
| 15+ users with formal team / project boundaries | Psono or Passbolt |

FAQ

Can I use Vaultwarden with the official Bitwarden mobile app?

Yes. Open the app, tap the gear icon on the login screen, set "Self-hosted" and point it at your domain. Same flow on browser extensions and the desktop app. I tested this with iOS 18 and Android 15 versions of Bitwarden client 2026.4.x.

Is the Vaultwarden admin token secure?

The admin token is a server-side static secret. Generate a 64+ character random string, then store its Argon2 hash rather than the plaintext: set ADMIN_TOKEN to the output of vaultwarden hash. Vaultwarden 1.30+ supports hashed admin tokens, which means the plaintext is never on disk after generation.

Does Passbolt CE support 2FA?

CE supports TOTP and YubiKey 2FA. Duo and SSO are Pro-only. For a small team without an SSO IdP, TOTP + recovery kit is fine.

Can Psono replace HashiCorp Vault for service secrets?

For static secrets (DB creds, API tokens), yes. For dynamic secrets (short-lived AWS credentials, just-in-time database accounts), no — that's Vault's home turf and Psono does not pretend otherwise.

What about Bitwarden Unified self-hosted?

Bitwarden's official "Unified" self-host released in 2023 reduced their server stack to a single container. It is closer to Vaultwarden in resource use (~150 MB idle in my testing on the same CX22) but inherits Bitwarden's licensing — Teams features still require a paid license key. If you want Bitwarden's full feature set self-hosted and are willing to pay per seat, Unified is reasonable. If you want zero per-seat cost, Vaultwarden remains the choice.

Do any of these support SCIM / automated user provisioning from Okta or Google Workspace?

Passbolt Pro and Psono Enterprise do. Community / CE editions do not in 2026. Vaultwarden has experimental SSO support (set via env vars, OIDC) but no SCIM. For small teams, manual user creation is fine; past 50 users this becomes the deciding factor and you are likely paid-tier territory regardless.

Closing notes

I have run all three of these tools in production for 60 days as of this writing (2026-05-07). All three work. None of them lost data, leaked credentials, or had unscheduled downtime. The differences are in operational shape: how much they ask of you when something needs fixing, how they want you to think about teams, and how heavy they sit on the host.

If you are deciding cold, my honest default for a small to mid team is Vaultwarden. The cost-of-ownership wins matter more in practice than the spec-sheet differences. Pick Passbolt when the workflow genuinely is "share this resource with this person now," and Psono when you are programming against the API more than you are clicking the UI.
