6 Self-Hosted Alternatives to LastPass After the Breach
Alternatives March 16, 2026 • 9 min read

Hostly Team

Self-Hosting Enthusiast

LastPass's 2022 breach exposed millions of password vaults. It's time to take control of your credentials. Here are six self-hosted password managers that keep your secrets truly private.

In December 2022, LastPass announced what would become one of the most damaging breaches in password manager history. Attackers didn't just steal user data — they walked away with encrypted password vaults for millions of users. Even now in 2026, security researchers continue to link cryptocurrency thefts and account compromises to those stolen vaults being cracked offline.

The breach was a wake-up call: when you trust a cloud service with your passwords, you're trusting their security, their employees, and their infrastructure. For those who want absolute control over their most sensitive data, self-hosting is the answer.

In this guide, we'll explore six self-hosted password managers that let you keep your credentials on your own hardware, under your own control, protected by your own security measures.

Why Self-Host Your Password Manager?

Before diving into the alternatives, let's be clear about what self-hosting gives you:

  • No third-party trust required — Your vault never leaves your network
  • Breach-proof (mostly) — Attackers would need to target you specifically
  • No subscription fees — Most solutions are free and open-source
  • Full control — You decide backups, encryption, access policies
  • No vendor lock-in — Your data, your format, your export

The trade-off? You're responsible for keeping your server secure and backed up. But for anyone who already self-hosts other services, adding a password manager is straightforward.

Quick Comparison

Solution | Best For | Client Apps | Team Features | Complexity
Vaultwarden | Everyone | Bitwarden (all) | ✅ Full | Easy
Passbolt | Teams & Devs | Web, Extensions | ✅ Excellent | Medium
KeePassXC + Syncthing | Single users | Desktop, Mobile | ⚠️ Limited | Low
Psono | Enterprises | Web, Extensions | ✅ Full | Medium
Teampass | Team sharing | Web only | ✅ Full | Medium
AliasVault | Privacy-first | Web, Extensions | ⚠️ Basic | Easy

1. Vaultwarden — The Gold Standard

Vaultwarden (formerly Bitwarden_RS) is what most self-hosters choose — and for good reason. It's a lightweight, Rust-based implementation of the Bitwarden server API that works with all official Bitwarden clients.

Why It's #1

  • Uses official Bitwarden apps — Mobile, desktop, browser extensions, CLI
  • All premium features free — TOTP, attachments, emergency access, Send
  • Incredibly lightweight — Runs on 50MB RAM (vs 2GB+ for official server)
  • Active development — Regular updates, excellent community
  • Easy migration — Import from LastPass, 1Password, KeePass, and more

Docker Deployment

# docker-compose.yml for Vaultwarden
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      - DOMAIN=https://vault.yourdomain.com
      - SIGNUPS_ALLOWED=false  # Disable after creating your account
      - ADMIN_TOKEN=your-secure-admin-token
      - SMTP_HOST=smtp.gmail.com
      - SMTP_FROM=vault@yourdomain.com  # placeholder sender address
      - SMTP_PORT=587
      - SMTP_SECURITY=starttls
      - SMTP_USERNAME=you@yourdomain.com  # placeholder SMTP login
      - SMTP_PASSWORD=your-app-password
    volumes:
      - ./vw-data:/data
    ports:
      - "8080:80"

Security Features

Feature | Vaultwarden | LastPass
End-to-end encryption | ✅ AES-256 | ✅ AES-256
Zero-knowledge | ✅ Yes | ✅ Yes
TOTP 2FA | ✅ Free | ⚠️ Premium
Hardware keys (FIDO2) | ✅ Free | ⚠️ Premium
Vault in your control | ✅ Yes | ❌ No
Open source | ✅ Yes | ❌ No

💡 Pro Tip

Set SIGNUPS_ALLOWED=false after creating your account. Enable the admin panel (ADMIN_TOKEN) for maintenance but disable it when not needed. Put Vaultwarden behind a reverse proxy with HTTPS.

Best for: Everyone. If you're unsure which to pick, start here. Compatible with all Bitwarden apps means zero learning curve if you're coming from LastPass.

2. Passbolt — Built for Teams

Passbolt is designed from the ground up for teams and organizations. It uses OpenPGP for encryption and provides granular sharing, groups, and audit logs that enterprises need.

Key Features

  • OpenPGP encryption — Industry-standard cryptography
  • Granular sharing — Share individual passwords with specific users or groups
  • Browser extension — Autofill and save passwords
  • Mobile apps — iOS and Android (Pro version)
  • Audit logs — Track who accessed what, when
  • LDAP/AD integration — Enterprise directory sync

Docker Deployment

# docker-compose.yml for Passbolt CE
services:
  passbolt:
    image: passbolt/passbolt:latest-ce
    container_name: passbolt
    restart: unless-stopped
    depends_on:
      - db
    environment:
      - APP_FULL_BASE_URL=https://pass.yourdomain.com
      - DATASOURCES_DEFAULT_HOST=db
      - DATASOURCES_DEFAULT_USERNAME=passbolt
      - DATASOURCES_DEFAULT_PASSWORD=secure-db-password
      - DATASOURCES_DEFAULT_DATABASE=passbolt
      - EMAIL_DEFAULT_FROM=passbolt@yourdomain.com  # placeholder sender address
      - EMAIL_TRANSPORT_DEFAULT_HOST=smtp.gmail.com
      - EMAIL_TRANSPORT_DEFAULT_PORT=587
      - EMAIL_TRANSPORT_DEFAULT_USERNAME=your-email
      - EMAIL_TRANSPORT_DEFAULT_PASSWORD=your-app-password
      - EMAIL_TRANSPORT_DEFAULT_TLS=true
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
    ports:
      - "443:443"
      - "80:80"

  db:
    image: mariadb:10.11
    restart: unless-stopped
    environment:
      - MYSQL_ROOT_PASSWORD=root-password
      - MYSQL_DATABASE=passbolt
      - MYSQL_USER=passbolt
      - MYSQL_PASSWORD=secure-db-password
    volumes:
      - database_volume:/var/lib/mysql

volumes:
  gpg_volume:
  jwt_volume:
  database_volume:

Community vs Pro

Feature | Community (Free) | Pro ($)
Core password management | ✅ | ✅
Groups & sharing | ✅ | ✅
Browser extensions | ✅ | ✅
Mobile apps | ❌ | ✅
LDAP/AD sync | ❌ | ✅
SSO (SAML, OIDC) | ❌ | ✅
Audit logs | ⚠️ Basic | ✅ Full

Best for: Teams, developers, and organizations that need fine-grained access control and audit trails. The web-first approach works well for shared IT credentials.

3. KeePassXC + Syncthing — The Offline Approach

If you don't want to run a server at all, KeePassXC with Syncthing offers a different model: your vault is a local encrypted file, synced between devices using peer-to-peer encryption.

How It Works

  1. KeePassXC stores passwords in an encrypted .kdbx file
  2. Syncthing syncs that file across your devices (P2P, no server)
  3. KeePassXC on desktop, KeePassDX/Strongbox on mobile open the file

Setup

# Install KeePassXC (macOS)
brew install keepassxc

# Install Syncthing
brew install syncthing
syncthing  # Opens web UI at localhost:8384

# Create your vault in KeePassXC
# Store it in a Syncthing-shared folder
# Add devices to Syncthing and share the folder

Pros & Cons

✅ Advantages:

  • No server to maintain or secure
  • Works completely offline
  • Extremely portable (just a file)
  • KeePassXC is rock-solid and audited
  • Browser extension (KeePassXC-Browser) for autofill

โŒ Disadvantages:

  • Sync conflicts if editing on multiple devices simultaneously
  • No web access (file-based only)
  • Team sharing is clunky
  • Emergency access harder to implement

Best for: Single users or small families who want maximum simplicity and don't need web access or team features.

4. Psono — Enterprise-Grade Security

Psono is a full-featured password manager designed for enterprise deployments. It offers secret management beyond passwords, including files, environment variables, and API keys.

Key Features

  • Secret types — Passwords, files, GPG keys, environment variables, SSH keys
  • Link sharing — Share secrets via encrypted links
  • Duo/TOTP/YubiKey — Multiple 2FA options
  • History & audit — Track changes and access
  • Emergency access — Recovery mechanisms
  • API — Automate secret management

Docker Deployment

# docker-compose.yml for Psono
services:
  psono-server:
    image: psono/psono-server:latest
    restart: unless-stopped
    environment:
      - SECRET_KEY=your-long-random-secret-key
      - ACTIVATION_LINK_SECRET=another-secret
      - DB_SECRET=database-encryption-secret
      - DATABASE_URL=postgres://psono:password@db:5432/psono
    depends_on:
      - db
    ports:
      - "10100:10100"

  psono-client:
    image: psono/psono-client:latest
    restart: unless-stopped
    ports:
      - "10101:10101"

  db:
    image: postgres:15
    restart: unless-stopped
    environment:
      - POSTGRES_DB=psono
      - POSTGRES_USER=psono
      - POSTGRES_PASSWORD=password
    volumes:
      - db_data:/var/lib/postgresql/data

volumes:
  db_data:

Best for: Enterprises and DevOps teams that need to manage more than just passwords. The secret management features make it excellent for storing API keys, certificates, and other sensitive data.

5. Teampass — Collaborative Password Management

Teampass is a PHP-based password manager focused on team collaboration. It's been around for years and offers a mature, if somewhat traditional, approach to shared password management.

Key Features

  • Folder-based organization — Nested folders for logical grouping
  • Role-based access — Define who sees what
  • Personal passwords — Each user has a private space
  • API access — Integrate with other tools
  • Off-line mode — Export subset of passwords for offline access
  • One-time view — Share passwords that expire after viewing

Docker Deployment

# docker-compose.yml for Teampass
services:
  teampass:
    image: teampass/teampass:latest
    restart: unless-stopped
    environment:
      - MYSQL_HOST=db
      - MYSQL_USER=teampass
      - MYSQL_PASSWORD=teampass-password
      - MYSQL_DATABASE=teampass
    depends_on:
      - db
    volumes:
      - teampass_data:/var/www/html/includes/config
      - teampass_sk:/var/www/html/includes/teampass-seckey
    ports:
      - "80:80"

  db:
    image: mariadb:10.11
    restart: unless-stopped
    environment:
      - MYSQL_ROOT_PASSWORD=root-password
      - MYSQL_DATABASE=teampass
      - MYSQL_USER=teampass
      - MYSQL_PASSWORD=teampass-password
    volumes:
      - db_data:/var/lib/mysql

volumes:
  teampass_data:
  teampass_sk:
  db_data:

Best for: Teams that want straightforward shared password management with folder-based organization. Works well for IT departments managing shared credentials.

6. AliasVault — Privacy-First with Built-in Email Aliases

AliasVault takes a unique approach: it combines password management with email alias generation. Every account you create can have its own unique email address, preventing tracking and making breaches less damaging.

Key Features

  • Email alias integration — Generate unique emails for each site
  • End-to-end encryption — Zero-knowledge architecture
  • Self-hosted — Keep everything on your infrastructure
  • Browser extensions — Autofill and capture
  • Identity generation — Random usernames, emails per service

Why Email Aliases Matter

When a site gets breached, attackers get your email and password hash. With AliasVault:

  • Each site has a unique email — no cross-site tracking
  • Breached email can't be used elsewhere
  • Spam? Disable that specific alias
  • Know who sold your data by which alias gets spam

Best for: Privacy-focused individuals who want to minimize their digital footprint and isolate their online identities.

Migration from LastPass

All these solutions support importing from LastPass. Here's the general process:

Step 1: Export from LastPass

  1. Log into LastPass web vault
  2. Go to Advanced Options → Export
  3. Download the CSV file
  4. Important: This file is unencrypted. Delete it after import.

Step 2: Import to Your New Manager

Vaultwarden/Bitwarden:

  1. Open Bitwarden client or web vault
  2. Tools → Import Data
  3. Select "LastPass (csv)" format
  4. Upload your file

KeePassXC:

  1. Database → Import → LastPass CSV
  2. Select your file
  3. Review and save

Passbolt:

  1. Use the import feature in the web interface
  2. Select LastPass format
  3. Passwords are encrypted with your key

Step 3: Clean Up

  1. Securely delete the CSV — Use shred on Linux or Secure Empty Trash on macOS
  2. Test your new vault — Verify passwords imported correctly
  3. Update critical passwords — If they were in LastPass during the breach, assume they're compromised
  4. Delete LastPass account — Remove the liability

Security Hardening Checklist

Whichever solution you choose, follow these security practices:

🔒 Essential Security Steps

  • ✅ HTTPS only — Use a reverse proxy with valid certificates
  • ✅ Strong master password — 20+ characters, unique to this vault
  • ✅ Enable 2FA — TOTP at minimum, hardware keys if possible
  • ✅ Disable signups — After creating accounts, lock it down
  • ✅ Regular backups — Encrypted, stored off-site
  • ✅ Firewall — Only expose necessary ports
  • ✅ Updates — Keep the software current
  • ✅ Audit logs — Review access patterns
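
Several items on this checklist can be checked mechanically before a compose file is deployed. The script below is an added example, not part of the original article or of any of the projects it covers: it scans a list-style docker-compose file like the ones above for a non-HTTPS base URL, open Vaultwarden signups, placeholder secrets, and ports published on every interface. The function name, the placeholder heuristic and the sample input are assumptions made for illustration, and it relies on Vaultwarden allowing signups unless SIGNUPS_ALLOWED is set to false.

```python
import re

# Constructed sample: the page's Vaultwarden service before hardening.
SAMPLE = """\
services:
  vaultwarden:
    image: vaultwarden/server:latest
    environment:
      - DOMAIN=http://vault.yourdomain.com
      - SIGNUPS_ALLOWED=true  # not yet disabled
      - ADMIN_TOKEN=your-secure-admin-token
    ports:
      - "8080:80"
"""

SECRET_NAME = re.compile(r"TOKEN|PASSWORD|SECRET")
# Heuristic (assumption): values that look like tutorial placeholders.
PLACEHOLDER = re.compile(r"^your-|password|secret|^$", re.I)
URL_NAMES = ("DOMAIN", "APP_FULL_BASE_URL")

def audit_compose(text):
    """Return sorted (line_no, finding) pairs; line 0 means a missing setting."""
    findings, is_vaultwarden, signups = [], False, (0, "unset")
    for no, raw in enumerate(text.splitlines(), 1):
        # Drop trailing comments, list dashes and quotes: '- "8080:80"' -> '8080:80'
        item = raw.split(" #", 1)[0].strip().lstrip("- ").strip("\"'")
        if item.startswith("image:") and "vaultwarden/server" in item:
            is_vaultwarden = True
        env = re.fullmatch(r"([A-Z0-9_]+)=(.*)", item)
        if env:
            name, value = env.group(1), env.group(2).strip()
            if name in URL_NAMES and not value.startswith("https://"):
                findings.append((no, "base URL is not HTTPS"))
            if name == "SIGNUPS_ALLOWED":
                signups = (no, value.lower())
            if SECRET_NAME.search(name) and PLACEHOLDER.search(value):
                findings.append((no, name + " still holds a placeholder"))
        elif re.fullmatch(r"\d+:\d+(/(tcp|udp))?", item):
            # HOST:CONTAINER without an address binds on every interface
            findings.append((no, "port published on all interfaces"))
    if is_vaultwarden and signups[1] != "false":
        findings.append((signups[0], "signups are open (SIGNUPS_ALLOWED=" + signups[1] + ")"))
    return sorted(findings)

if __name__ == "__main__":
    for line_no, finding in audit_compose(SAMPLE):
        print(f"line {line_no}: {finding}")
```

Binding the published port to 127.0.0.1 (for example "127.0.0.1:8080:80") keeps the container reachable only through the reverse proxy on the same host.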

Our Recommendation

For most users migrating from LastPass, Vaultwarden is the clear winner:

  • Uses familiar Bitwarden apps — minimal learning curve
  • All premium features free — TOTP, attachments, Send, emergency access
  • Lightweight and easy to deploy — runs on a Raspberry Pi
  • Excellent mobile and desktop apps
  • Active community with quick security patches

For teams, Passbolt or Psono offer better collaborative features. For maximum simplicity without a server, KeePassXC + Syncthing is hard to beat.

Frequently Asked Questions

Is self-hosting a password manager safe?

Yes, when done correctly. Your vault is encrypted client-side before reaching the server. Even if someone gains server access, they'd need your master password to decrypt anything. The main risks are losing access (solved by backups) and server misconfiguration (solved by following security best practices).

What if my server goes down?

Bitwarden/Vaultwarden clients cache your vault locally. You can access passwords offline. For other solutions, regular backups ensure you can restore quickly.

Can my family use self-hosted password managers?

Absolutely. Vaultwarden supports organizations with unlimited users. Share passwords with family members while keeping personal vaults private.

Is Vaultwarden as secure as official Bitwarden?

The encryption is identical — your vault is encrypted with your master password before it ever leaves your device. Vaultwarden is a reimplementation of the server, not the crypto.
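
To make "encrypted before it ever leaves your device" concrete, here is a sketch of the client-side key derivation, following the PBKDF2-SHA256 flow described in Bitwarden's published security whitepaper. It is an added example, not code from the article, Bitwarden or Vaultwarden; the function names, the iteration count and the account values are assumptions for illustration.

```python
import hashlib
import hmac

def hkdf_expand(prk, info, length=32):
    """HKDF-Expand from RFC 5869 using HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def derive_keys(email, master_password, iterations=600_000):
    """Client-side derivation; only login_hash is ever sent to the server."""
    salt = email.strip().lower().encode()  # the account email is the salt
    password = master_password.encode()
    # Slow step: every offline guess against a stolen vault pays this cost.
    master_key = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, 32)
    # One more round, salted with the password; it does not reveal master_key.
    login_hash = hashlib.pbkdf2_hmac("sha256", master_key, password, 1, 32)
    # Stretched key halves: used on the device to unwrap the vault's symmetric key.
    enc_key = hkdf_expand(master_key, b"enc")
    mac_key = hkdf_expand(master_key, b"mac")
    return {"login_hash": login_hash, "enc_key": enc_key, "mac_key": mac_key}

if __name__ == "__main__":
    # Constructed account values, not real credentials.
    keys = derive_keys("Alice@Example.com", "correct horse battery staple")
    print("sent to server :", keys["login_hash"].hex())
    print("stays on device:", len(keys["enc_key"]) + len(keys["mac_key"]), "key bytes")
```

The server stores only what it receives, so anyone holding a copy of the database still has to guess the master password and pay the full iteration count for each attempt.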

Should I expose my password manager to the internet?

For full mobile access, yes, behind HTTPS with proper security. Alternatively, use a VPN (WireGuard/Tailscale) to access only from your own devices.

Conclusion

The LastPass breach proved that trusting a third party with your passwords carries real risk. Self-hosting puts you back in control. Your vault, your server, your security posture.

Vaultwarden makes it almost effortless — deploy in minutes, use the same polished Bitwarden apps you'd use anywhere, and sleep better knowing your passwords aren't sitting in someone else's database waiting for the next breach.

Take control of your credentials. Your future self will thank you.
