The other day, news spread across countless media outlets and social networks about “Bitwarden being hacked”. In reality, there were a lot of headlines but not that much actual risk — attackers modified Bitwarden’s CLI (for about an hour and a half), which compromised users who downloaded Bitwarden CLI during that window (version 2026.4.0). Even so, the news spread like wildfire and, although I don’t personally use Bitwarden (I prefer storing passwords locally with KeePassXC), I did look into alternatives for when you need to share passwords among a team (a department, external staff, etc.). I thought it would be useful to put together a list of the best systems for this, ranging from the simplest and most straightforward to the most complete and complex.
It’s worth noting that all the tools on this list are free software, and they protect passwords with multiple layers of encryption so that the password — or even its hash — is never exposed unless you already know other prerequisite passwords. This is what’s known as a vault (a password vault), where multiple keys are required to access the actual password storage, and even then, not all users can access all passwords — only those they have permission for.
For work reasons (ISO27001 and related compliance), I’ve had to test several of these tools. While many companies use commercial systems where hosting is heavily secured on servers managed by the vendor (ensuring security, updates, and tamper-resistance are guaranteed by the provider you’re paying), many other companies prefer to store passwords locally (without Internet access, or with restricted access to the corporate network via VPN or similar). This comes with a risk: if a bug is discovered and exploited by an attacker — and you’re not on top of your systems to update quickly — the very system storing all your company’s passwords could be compromised. That makes it potentially very dangerous if you don’t act fast.
Below is a list of the most useful password vaults, ordered from simplest to most flexible and complex:
1. KeePassXC
It integrates with browsers (Firefox, Chrome/Edge/Brave, KeePassXC-Browser) for quick password access by page, and with other apps like KeePassDX (Android), Strongbox/KeePassium (iOS), SSH agent, and universal Auto-Type.
2. Vaultwarden
It integrates with official Bitwarden clients (web, desktop Windows/Mac/Linux, iOS, Android, CLI), browser extensions for Chrome/Firefox/Edge/Safari/Opera, the bw CLI for CI/CD pipelines, and SSO via proxy.
https://github.com/dani-garcia/vaultwarden
3. Padloc
It integrates with web, Windows, macOS, Linux, iOS, and Android apps, a browser extension, its own API, WebAuthn/Passkeys, and built-in TOTP.
4. Bitwarden (official self-hosted)
It integrates with SSO SAML/OIDC, SCIM, LDAP/AD, all official extensions and apps, the bw CLI, REST API, Directory Connector, and Splunk/Datadog integration for log auditing.
5. Passbolt Community Edition
It integrates with browser extensions for Firefox, Chrome, Edge, and Brave; iOS and Android mobile apps; desktop Windows, Mac, and Linux; LDAP/AD; SSO with SAML/OIDC (Pro edition); REST API, JSON-RPC, go-passbolt CLI, Ansible, and Terraform provider.
6. Psono Community Edition
It integrates with browser extensions for Chrome, Firefox, Edge, Brave, Opera, and Vivaldi; Windows, macOS, Linux, iOS, and Android apps; CLI for CI/CD and automation; REST API; LDAP; SAML; OIDC; Duo; YubiKey; and webhooks.
7. Teampass
It integrates with Active Directory via LDAP and OAuth2, an official Chrome and Edge extension, a REST API, 2FA with DUO Security and Google Authenticator, and imports from KeePass and CSV.
8. Infisical
It integrates with the Kubernetes operator, Terraform, Ansible, GitHub Actions, GitLab CI, CircleCI, Jenkins, AWS/Azure/GCP, Vercel, Netlify, Docker, SDKs for Node, Python, Go, Java, .NET, Rust and Ruby, CLI, and OIDC/SAML SSO.
9. OpenBao
Compatible with most Vault plugins and SDKs: Kubernetes, Terraform, Ansible, AWS/Azure/GCP, Consul, dynamic secrets for MySQL and PostgreSQL, PKI, SSH CA, Transit; bao CLI compatible with vault commands.
10. CyberArk Conjur OSS
It integrates with Kubernetes (native authenticator), OpenShift, AWS IAM, Azure AD, GCP, Ansible, Jenkins, Terraform, Puppet, Chef, SDKs for Java, Ruby, Go, Python and .NET, Summon, and Secretless Broker.
Other interesting password vaults
In addition to these 10 — which are the best-known and most functional (it should be noted that certain features and integrations correspond to a paid version — even though the software is free/libre, they are not necessarily free of charge) — there are many other password vaults that are equally interesting and not included in the main list simply because they are less widely known:
Phase
- Description: Modern secrets manager, a young alternative to Infisical and Vault with a very polished UI and a DevOps focus. End-to-end encryption per environment (dev/staging/prod), native integration with K8s, GitHub Actions, Vercel, and Docker. The most “developer-friendly” in the secrets manager segment. Enterprise SAML/OIDC requires a license.
- Website: https://phase.dev
Padloc
- Description: Password manager with the cleanest UI in the batch, designed for small teams and families who reject Bitwarden for aesthetic reasons. Self-hosting with Docker Compose, E2E encryption. Perfect if UX is the priority over enterprise features.
- Website: https://padloc.app
AliasVault
- Description: A different concept: a privacy-first password manager with an integrated email server, end-to-end encryption, and fully self-hostable, which generates alternative identities (name, email, password) for each website. AGPL-3.0, .NET + Blazor WebAssembly, Docker installation in minutes. No LDAP/SSO yet, but actively in development and brings something unique compared to the rest.
- Website: https://www.aliasvault.net
PasswordStore
- Description: The Unix standard. Each password is a .gpg file encrypted with your GPG key, organized in a directory tree and versioned with Git. Sharing = adding someone else’s public GPG key to a folder’s .gpg-id file — those are effectively your “groups”. 2FA with pass-otp. Zero server, zero database, maximum auditability. Steep learning curve but fits technical profiles perfectly. Clients available for everything (browserpass, qtpass, Android, iOS).
- Website: https://www.passwordstore.org
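Because the per-folder .gpg-id files act as the access groups, an access review consists of resolving, for each entry, the nearest .gpg-id at or above its folder. The following is an added example, not code from the original article or from the pass project; the key identities and the store layout are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Constructed identities; a real .gpg-id holds GPG key IDs or e-mail addresses.
ALICE = "alice@example.org"
BOB = "bob@example.org"

def recipients_for(store, entry):
    """Return the recipients in the nearest .gpg-id at or above the entry's folder."""
    current = entry.parent
    while True:
        gpg_id = current / ".gpg-id"
        if gpg_id.is_file():
            lines = gpg_id.read_text().splitlines()
            return [line.strip() for line in lines if line.strip()]
        if current == store:
            # No .gpg-id up to the store root: the entry has no defined group.
            raise LookupError(f"no .gpg-id covers {entry}")
        current = current.parent

def access_report(store):
    """Map every encrypted entry to the identities its folder is shared with."""
    return {
        entry.relative_to(store).as_posix(): recipients_for(store, entry)
        for entry in sorted(store.rglob("*.gpg"))
    }

def build_sample_store(root):
    """Create a constructed store layout (empty .gpg files, nothing is decrypted)."""
    files = {
        ".gpg-id": f"{ALICE}\n",                  # root group: alice only
        "personal/mail.gpg": "",
        "team/wiki.gpg": "",                      # inherits the root .gpg-id
        "team/ops/.gpg-id": f"{ALICE}\n{BOB}\n",  # folder shared with bob
        "team/ops/db.gpg": "",
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root

if __name__ == "__main__":
    store = build_sample_store(Path(tempfile.mkdtemp()))
    for name, who in access_report(store).items():
        print(f"{name}: {', '.join(who)}")
```

The report shows the intended recipients only: files already in the store stay encrypted to their previous recipients until they are re-encrypted (`pass init` does this for the folder it is run on), and anyone holding an older Git clone can still decrypt the versions they had access to.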
LessPass
- Description: Stateless paradigm: it doesn’t sync an encrypted vault — you remember a master password and LessPass regenerates each password locally using a hash of domain + login + master, without needing sync. There’s no database to compromise because there is no database. Self-hostable as an optional server to sync non-sensitive metadata. Useful as a complement to a “normal” manager, not as a replacement, but philosophically interesting for algorithmically generated credentials.
- Website: https://www.lesspass.com
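The stateless idea described for LessPass can be illustrated with a short derivation: the same master password, site and login always yield the same output, so nothing needs to be stored. This is an added example and a simplified sketch, not LessPass's actual algorithm or code; the salt layout, character sets, iteration count and the `counter` parameter are assumptions made for the illustration.

```python
import hashlib

# Character classes the derived password must contain (assumed for this sketch).
CHARSETS = {
    "lower": "abcdefghijklmnopqrstuvwxyz",
    "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "digits": "0123456789",
    "symbols": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}

def derive_password(master, site, login, counter=1, length=16, iterations=100_000):
    """Derive a site password from master + site + login; no vault is stored."""
    if length < len(CHARSETS):
        raise ValueError("length too short to include every character class")
    # The salt binds the output to one site/login; bumping the counter rotates
    # the password without changing the master password.
    salt = f"{site}|{login}|{counter:x}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)
    entropy = int.from_bytes(raw, "big")

    # Fill most positions from the pooled alphabet, consuming entropy as we go.
    alphabet = "".join(CHARSETS.values())
    chars = []
    for _ in range(length - len(CHARSETS)):
        entropy, idx = divmod(entropy, len(alphabet))
        chars.append(alphabet[idx])

    # Guarantee one character per class, inserted at derived positions.
    for charset in CHARSETS.values():
        entropy, idx = divmod(entropy, len(charset))
        entropy, pos = divmod(entropy, len(chars) + 1)
        chars.insert(pos, charset[idx])
    return "".join(chars)

if __name__ == "__main__":
    # Constructed inputs for demonstration only.
    print(derive_password("correct horse battery", "example.org", "alice"))
    print(derive_password("correct horse battery", "example.org", "alice", counter=2))
```

The trade-off is visible in the function signature: every derived password depends on the master password alone, so a compromised master exposes all sites at once, and rotating a single password means remembering its counter.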