Disclosure: I’m an engineer, not a salesperson. Some links below are affiliate links (Bitwarden Premium, Enpass), meaning I get a small cut if you sign up. However, these recommendations are based on 9 years of digging through server logs, not marketing brochures. If a tool sucks, I’ll tell you.
In my nine years working in DevOps, I’ve heard one phrase more than any other: “The cloud is just someone else’s computer.”
It’s a cliché because it’s true. When you store your passwords in a cloud-based manager, you aren’t just trusting encryption; you are trusting that vendor’s sysadmins, their AWS configuration, and their internal security protocols.
For years, the convenience of cloud syncing outweighed the risk. Then came the LastPass breaches. Then the Okta support system hacks. Now, I’m seeing a massive shift among my peers—security engineers, CTOs, and paranoid sysadmins—moving back to locally hosted password managers.
We aren’t doing it to be hipsters. We’re doing it because we want to own the keys to the castle.
This guide explains why you might want to join us, and how to do it without losing your mind.
What is a locally hosted password manager?
Most people use cloud vaults (think LastPass, 1Password, or standard Bitwarden). You type a password, it gets encrypted, sent to their server, and synced to your phone.
A locally hosted (or self-hosted) password manager changes the destination. Instead of sending that encrypted blob to a vendor’s server, it stays on hardware you control.
- Option A (The Hard Way): You run a server (like a Raspberry Pi or a Synology NAS) that acts as the cloud. Your devices sync to that box.
- Option B (The Hybrid Way): You use software that keeps the database file on your device, and you only sync the encrypted file via your own storage (like iCloud, Google Drive, or local Wi-Fi).
In both cases, the vendor can’t leak your data because they never have your data.
Why are engineers moving away from the cloud?
The catalyst for many of us was the LastPass incident. It wasn’t just a “hack”; it was a cascade of failures where a DevOps engineer’s home computer was compromised (via an outdated Plex media server), allowing attackers to steal the keys to the corporate cloud storage.
This highlighted a terrifying reality: Supply Chain Risk.
You can have the best 50-character password in the world, but if the vault guarding it sits on a target-rich cloud server, you are statistically more vulnerable.
The Argument for Data Sovereignty
“Data Sovereignty” is a fancy way of saying “I know exactly where my hard drive is.”
- Air-Gapped Security: In extreme cases, you can host a vault on a server that isn’t even connected to the internet (Intranet only). Malware can’t steal what it can’t reach.
- No “Honey Pot” Effect: Cloud providers are massive targets. Hackers spend months probing them because the payoff is millions of accounts. Your personal server? It’s a needle in a haystack.
Key Takeaway: When you self-host, you trade convenience for control. You are betting that you care more about your data’s safety than a corporation does.
Self-hosted Bitwarden vs. Cloud: What’s the actual difference?
Bitwarden is the industry standard for self-hosting. It’s open-source, audited, and brutally effective. But there is a misconception that “Self-Hosted” means “Free Enterprise Features.” It doesn’t.
If you spin up a standard Bitwarden self-hosted instance, you still need a license file to unlock premium features like YubiKey 2FA or emergency access.
How it works (The Technical Bit)
You don’t install Bitwarden like a normal app. You run it inside Docker containers.
If you are comfortable with a terminal, it’s a 10-minute setup. You pull the image, configure your domain, and you’re live.
Bitwarden Self-Hosted Pros & Cons:
| Feature | Bitwarden Cloud | Bitwarden Self-Hosted |
|---|---|---|
| Setup Time | Instant | 1-2 Hours (Requires Linux/Docker knowledge) |
| Data Location | Microsoft Azure (Bitwarden’s cloud) | Your Server (NAS, VPS, Raspberry Pi) |
| Maintenance | None | High (You must patch OS and Docker) |
| Offline Access | Cached | Full Control |
| Cost | Free / Premium ($10/yr) | Free / Premium ($10/yr) + Hardware costs |
My Recommendation: If you have a Synology NAS or a home lab, this is the best route. If you don’t know what “sudo docker compose up” means, do not do this. You will lock yourself out.
The Hybrid Approach: Enpass and Synology
If the idea of managing a Docker container makes you sweat, Enpass is your best alternative. It is technically an “offline-first” password manager.
Unlike Bitwarden, Enpass doesn’t require a server component. The app lives on your phone/laptop, and it creates an encrypted SQLCipher database file (vault.enpassdb).
“Bring Your Own Storage” (BYOS)
Enpass doesn’t host your data. You tell it where to sync.
- Local Wi-Fi Sync: Your phone talks directly to your laptop over your home Wi-Fi. The data never touches the internet.
- Cloud File Sync: You drop the encrypted vault file into your own Google Drive or Dropbox. Enpass just reads the file.
Why I like Enpass for non-engineers:
- One-time purchase: They still offer a lifetime license (rare in 2026).
- Zero-Knowledge by default: Since they have no servers, they literally cannot be subpoenaed for your data. They don’t have it.
Is on-premise password management right for your business?
I have consulted for small agencies who want to self-host to save money or “increase security.” I usually talk them out of it.
The “Bus Factor” Risk
If you host Bitwarden on a server in your office closet, and the one guy who knows the root password gets hit by a bus (or just quits), your company is dead. You have lost access to everything.
Who should self-host?
- DevOps/Tech Agencies: You already manage servers; one more won’t hurt.
- Regulated Industries: If you legally cannot store client data on third-party clouds.
- Families with a “Tech Lead”: If you are the tech support for your family and you have a reliable NAS.
Who should stick to the cloud?
- Non-Tech SMBs: Please, just use 1Password or Bitwarden Cloud. The risk of you misconfiguring a firewall is higher than the risk of Bitwarden getting hacked.
How hard is it to maintain?
Let’s be honest about the “Day 2” operations. Setting it up is easy; keeping it alive is work.
- Backups are on YOU: If your hard drive fails and you didn’t set up a RAID or an offsite backup, your passwords are gone. Forever.
- Security Patching: You need to update the server OS and the password manager software immediately when vulnerabilities are found.
- Availability: If your home internet cuts out, can you access your passwords on your phone via 4G? Not unless you configured a reverse proxy or VPN (like WireGuard).
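One way to handle the backup item above, as an added example (not code from Bitwarden, Enpass or the original post): archive the vault data directory, record a checksum, prove the archive can be read back, and rotate old copies. The paths, the `vault-` file naming and the retention count are assumptions, and the script assumes the password manager is stopped (or the volume snapshotted) while the archive is written.

```shell
#!/usr/bin/env bash
# Added example: verified, rotating backup of a self-hosted vault data directory.
# Assumptions: paths and retention count are placeholders, and the password
# manager is stopped (or the volume snapshotted) while the archive is written.

# verify_backup ARCHIVE: checksum matches and the tar stream is readable.
verify_backup() {
  local archive="$1" name
  name=$(basename "$archive")
  [ -s "$archive" ] && [ -f "$archive.sha256" ] || return 1
  ( cd "$(dirname "$archive")" && sha256sum -c "$name.sha256" ) >/dev/null 2>&1 || return 1
  tar -tzf "$archive" >/dev/null 2>&1
}

# backup_vault SRC_DIR DEST_DIR [KEEP]: archive SRC_DIR, verify it, keep the
# newest KEEP archives, and print the path of the archive just written.
backup_vault() {
  local src="$1" dest="$2" keep="${3:-7}" name archive
  [ -d "$src" ] || { echo "source directory missing: $src" >&2; return 1; }
  mkdir -p "$dest" && chmod 700 "$dest" || return 1
  name="vault-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
  archive="$dest/$name"
  # umask 077 keeps the archive and checksum readable by the owner only.
  ( umask 077
    tar -czf "$archive" -C "$src" . &&
    cd "$dest" && sha256sum "$name" > "$name.sha256" ) || { rm -f "$archive"; return 1; }
  # A backup that cannot be read back is not a backup: fail loudly here.
  verify_backup "$archive" || { echo "verification failed: $archive" >&2; return 1; }
  # Timestamped names sort chronologically; drop everything past the newest KEEP.
  ls -1 "$dest"/vault-*.tar.gz | sort -r | tail -n +"$((keep + 1))" |
    while IFS= read -r old; do rm -f "$old" "$old.sha256"; done
  printf '%s\n' "$archive"
}

# Usage (hypothetical paths): backup_vault /srv/vault-data /mnt/offsite/vault 14
```

Run it from a scheduled job and copy the archive together with its `.sha256` file to a second location, then re-run `verify_backup` on the copy.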
Summary: Which tool should you choose?
- Go with Bitwarden (Premium): If you want the robust features of a cloud manager but want to run the backend yourself. Best for tech-savvy users and teams.
- Go with Enpass: If you want local control without running a server. Best for individuals who want to sync via Wi-Fi or their own iCloud/Drive.
FAQ
Can malware steal passwords from a locally hosted manager?
Yes. If your computer is infected with a keylogger or info-stealer malware, it can capture your Master Password as you type it, regardless of whether the vault is hosted locally or in the cloud. Local hosting protects you from server-side breaches, not client-side infections.
What happens if my self-hosted server crashes?
You lose sync capability immediately. If the drive is dead and you have no backups, you lose the data. However, your devices (phones/laptops) usually keep a cached offline copy of the vault, so you can still access existing passwords—you just can’t add new ones or sync until the server is fixed.
Is “Bitwarden Lite” good for businesses?
Not really. Bitwarden Lite (using SQLite) is great for home labs, but it lacks the scalability of the standard deployment. For a business, you want the full containerized setup with a proper database like MariaDB or PostgreSQL.
Do I need a static IP to self-host Bitwarden?
Preferably, yes. If you have a dynamic home IP, you will need to use a Dynamic DNS (DDNS) service so your mobile devices can find your server when you leave the house. You will also need to forward ports 80/443 on your router, which introduces its own security considerations.


