A managed alternative to self-hosted password managers
Want zero-knowledge encryption without running a server? Compare self-hosted Passbolt, Vaultwarden, and Bitwarden to a managed, flat-priced alternative for small teams.
Plenty of small teams reach for a self-hosted password manager — Passbolt, Vaultwarden, or self-hosted Bitwarden — for good reasons: control, no per-seat fees, and a zero-knowledge guarantee they can audit themselves. Then they discover the catch: someone now owns a server that has to be patched, backed up, kept online, and upgraded. For a team of a few people, that’s a real job nobody signed up for.
If that’s you, here’s the honest case for a managed zero-knowledge alternative — and when you should stick with self-hosting instead.
Quick answer
You don’t need a server to get zero-knowledge encryption — zero-knowledge is about where your key is derived (your device), not who hosts the box. A managed zero-knowledge manager gives you the same “vendor can’t read your data” guarantee with none of the ops. For teams of 12 or fewer, LitePassword is the flat-priced managed option. If you specifically need self-hosting, Passbolt, Vaultwarden, and Bitwarden remain the best open-source choices.
Why teams try self-hosting (and what it actually costs)
The appeal is real:
- Control — your data lives on your infrastructure.
- No per-seat fees — add users without a bigger bill.
- Auditability — open-source code you can read.
The hidden costs show up later:
- Patching — every CVE in the app, the OS, the database, and the reverse proxy is now your responsibility.
- Backups — and tested restores, not just backups you hope work.
- Uptime — if the server is down, nobody can unlock their vault.
- TLS and upgrades — certificate renewals, major-version migrations, breaking changes.
- Bus factor — the one person who set it up becomes a single point of failure.
For a 5-person team, that’s often several hours a month plus a server bill — frequently more than a managed plan costs outright, before you value your time at all.
What you keep with a managed zero-knowledge manager
The encryption guarantee is identical:
- Your master password derives the key on your device (PBKDF2/Argon2).
- The server stores ciphertext only and never sees your master password.
- A recovery key you hold is the only way back in.
What you drop is the server. That’s the entire trade.
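The three properties above, as an added sketch that is not code from LitePassword or from any project named on this page. It assumes PBKDF2-HMAC-SHA256 for key derivation, AES-256-GCM for encryption, and a random vault key wrapped separately under the password-derived key and the recovery key; the function names, iteration count and sample values are constructed for illustration.

```javascript
// Added illustration of a generic zero-knowledge flow; design details are assumptions.
const nodeCrypto = require('crypto');
const PBKDF2_ITERATIONS = 600000; // assumed work factor for this sketch

// AES-256-GCM helpers: seal() output is opaque and safe to hand to a server.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}
function open(key, { iv, ct, tag }) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]); // throws on a wrong key
}

// Runs on the device: the master password is never part of any upload.
function deriveKey(masterPassword, salt) {
  return nodeCrypto.pbkdf2Sync(masterPassword, salt, PBKDF2_ITERATIONS, 32, 'sha256');
}

// Client-side enrolment: `upload` goes to the server, `recoveryKey` stays with the user.
function enroll(masterPassword, secret) {
  const salt = nodeCrypto.randomBytes(16);
  const vaultKey = nodeCrypto.randomBytes(32);    // encrypts the vault contents
  const recoveryKey = nodeCrypto.randomBytes(32); // shown to the user, never uploaded
  const upload = {
    salt,
    wrappedByPassword: seal(deriveKey(masterPassword, salt), vaultKey),
    wrappedByRecovery: seal(recoveryKey, vaultKey),
    item: seal(vaultKey, Buffer.from(secret, 'utf8')),
  };
  return { upload, recoveryKey };
}

function unlockWithPassword(record, masterPassword) {
  const vaultKey = open(deriveKey(masterPassword, record.salt), record.wrappedByPassword);
  return open(vaultKey, record.item).toString('utf8');
}
function unlockWithRecoveryKey(record, recoveryKey) {
  const vaultKey = open(recoveryKey, record.wrappedByRecovery);
  return open(vaultKey, record.item).toString('utf8');
}

{ // Demo with constructed values: both paths recover the same secret.
  const { upload, recoveryKey } = enroll('correct horse battery staple', 'db-root: example');
  console.log(unlockWithPassword(upload, 'correct horse battery staple'), '|', unlockWithRecoveryKey(upload, recoveryKey));
}
```

Everything in `upload` is salt, IV, ciphertext or authentication tag, which is why the hosting party is interchangeable: losing both the master password and the recovery key leaves nothing on the server that can reopen the vault.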
Self-hosted vs managed
| | Passbolt (self-hosted) | Vaultwarden / Bitwarden (self-hosted) | LitePassword (managed) |
|---|---|---|---|
| Setup | Server + OpenPGP keys | Docker + reverse proxy | Sign up (~1 min) |
| Ongoing maintenance | You (patch, backup, uptime) | You (patch, backup, uptime) | None — we run it |
| Encryption | Zero-knowledge (OpenPGP) | Zero-knowledge (AES-256) | Zero-knowledge (PBKDF2 + AES-256) |
| Cost | “Free” + server + your time | “Free” + server + your time | $5–$10/mo flat |
| Best team size | Any (you scale the box) | Any (you scale the box) | ≤12 users |
When self-hosting is still the right call
Be honest with yourself — self-hosting genuinely wins when:
- You have strict data-residency or compliance requirements that mandate your own infrastructure.
- You have an in-house ops team that already runs the server without friction.
- Your team is well past 12 people and needs the granular control.
If none of those apply, the maintenance is a tax you’re paying for a guarantee you can get without it.
Making the switch
If you’re coming from Passbolt specifically, the Passbolt migration guide walks the export, import, and server decommission in about 20 minutes. Coming from a self-hosted Bitwarden server, the Vaultwarden migration guide does the same for the Docker container. For the broader picture, compare the best zero-knowledge password managers — every option there meets the encryption bar; the question is just who runs the server.