Open-source password managers
Password managers with publicly auditable source code, compared on hosting region, ownership, self-hosting options and the security signals procurement teams actually check.
Open-source password managers publish their source code under a recognised licence, enabling independent security audits. The key decision criterion is not the licence alone but whether the code has actually been audited, whether a self-hostable server is available, and where the operating company is based. Bitwarden (US-owned but fully open-source and self-hostable) and Vaultwarden (community Bitwarden server) sit alongside EU-hosted options in this hub.
An open-source password manager, as listed here, is a vault and credential-management tool whose source code is published under a recognised open-source licence: typically the client applications, and in the stronger cases the server component as well. That makes it possible for independent researchers to inspect how your vault is encrypted, how it syncs between devices and how it is stored at rest.
This page lists the password managers in our directory that meet that open-source test, benchmarked on the criteria buyers actually evaluate: hosting region, ownership signal, CLOUD Act exposure, whether a self-hostable server is offered, and audit history where it is publicly documented. The content here frames the category and how to choose; the matrix below carries the per-product data, and each listing's figures are sourced to public documentation and re-verified quarterly.
It is worth being precise about what "open-source" does and does not mean. It describes the availability of the code, a property that enables scrutiny. It is not, on its own, a statement about a product's security, its maintenance, the company's jurisdiction, or where your data is hosted. Those are separate questions, and this hub keeps them as separate signals rather than collapsing them into one label.
For password managers specifically, the source-code question carries more weight than it does for most software. A password manager sits at the centre of an organisation's security posture: if its encryption model or sync logic has a flaw, the blast radius is every credential it holds. Being able to verify how vault data is protected, rather than take it on trust, is a meaningful advantage, and that verification is only possible when the code is open.
The honest caveat is that open code is a precondition for review, not the review itself. The benefit is realised when someone competent has actually examined the code, when the project ships fixes promptly, and when releases are reproducible or at least independently checked. An open-source project that is poorly maintained can be a weaker choice than a well-audited closed-source one. So the practical value of open-source is auditability and the reduced lock-in that comes with portable, inspectable formats, not an automatic security guarantee.
There is also a procurement angle. Open-source licensing can make it easier to satisfy a security questionnaire, to commission your own review, or (where a server component is published) to self-host and keep the data path under your own control. But self-hosting shifts backup, patching and availability onto your team, so it is a trade, not a free win. The right framing is that open-source widens your options; it does not make the decision for you.
KeePassXC
GPLv3 fully-offline desktop password manager (KeePassXC Team, Weimar DE, est. 2016) — no cloud, no servers, no telemetry; structurally zero CLOUD Act exposure.
Signals: Public DPA · Sub-processors · Open source · EU-SOVEREIGN · 0 sub-processors
Padloc
German AGPLv3 open-source password manager (MaKleSoft, Bavaria), audited 3×, self-hostable — but hosted cloud uses Stripe + defunct Privacy Shield ref.
Signals: Public DPA · Sub-processors · Open source · EU-HOSTED · 0 sub-processors
Passbolt
Luxembourg-incorporated AGPLv3 open-source team password manager (Passbolt SA), SOC 2 Type II, self-hostable, used by LU/FR government.
Signals: Public DPA · Sub-processors · Open source · EU-SOVEREIGN (LU) · 0 sub-processors
Psono
German Apache-2.0 open-source team password manager (esaqa GmbH), self-hostable on EU infrastructure, Cure53-audited 2026, free up to 10 users.
Signals: Public DPA · Sub-processors · Open source · EU-SOVEREIGN (DE) · 0 sub-processors
Vaultwarden
AGPLv3 Rust Bitwarden-compatible server by Daniel García (Spain), self-host-only, no company, no telemetry — EU-maintained, no CLOUD Act exposure when run on EU infrastructure.
Signals: Public DPA · Sub-processors · Open source · EU-SOVEREIGN · 0 sub-processors
| Product | Hosting | Sovereignty | Cert. | Pricing | Signals |
|---|---|---|---|---|---|
| KeePassXC | Germany | EU-SOVEREIGN | — | Free | Public DPA · Sub-processors · Open source |
| Padloc | Germany | EU-HOSTED | — | Freemium, €3/mo | Public DPA · Sub-processors · Open source |
| Passbolt | Belvaux, Luxembourg | EU-SOVEREIGN | SOC 2 | Freemium, €5/mo | Public DPA · Sub-processors · Open source |
| Psono | Germany | EU-SOVEREIGN | — | Freemium, €0/mo | Public DPA · Sub-processors · Open source |
| Vaultwarden | Spain | EU-SOVEREIGN | — | Free | Public DPA · Sub-processors · Open source |

Sovereignty is a single roll-up of ownership and CLOUD Act exposure. Product names match the listings above; the table carries only the per-product data fields, since each product's full description appears in its listing.
Start from your binding constraint. If independent verifiability is the priority, look beyond the licence to whether the code has a documented audit history and an active maintenance cadence; an open repository that no one reviews delivers little of the benefit. If you want to remove reliance on a third-party operator, filter to products that publish a self-hostable server, and be honest with yourself about whether your team can own backups, updates and uptime; if not, a well-run hosted open-source service is the more realistic choice.
If jurisdiction or hosting region is in your requirements, treat that as a separate filter from open-source: combine the open-source filter with the hosting-region and ownership signals rather than assuming one implies the other. If CLOUD Act exposure is part of your assessment, remember the licence does not change it; the operating company's ownership and the hosting arrangement do, so check those fields on each listing and confirm them against your own transfer impact assessment.
If you are a solo user or a small team, the practical criteria are usually browser and mobile support, a clean import path from whatever you use today, and recovery options that will not lock you out. Open-source is a reassurance here rather than the deciding factor. Sort the matrix above by compliance score, hosting region, ownership or self-hosting availability to build a shortlist, then open each profile to confirm the details against your own needs. Every listing carries its own independently checked data, so use this page to narrow the field and the profiles to make the final call.
Frequently asked questions
What makes a password manager open-source?
Is an open-source password manager more secure than a closed-source one?
Can I self-host an open-source password manager?
Does open-source mean the password manager is European?
Is an open-source password manager outside the scope of the US CLOUD Act?
How is this hub different from the password managers category page?
How we verified every listing here.
For each product we read the public DPA, sub-processors document, hosting region declaration, certifications, and corporate ownership records. Each is timestamped. Signals are editorial, re-verified quarterly. We never accept self-attestation.