1Password Secrets Sharing

Best Self-Hosted Alternatives to 1Password Secrets Sharing

A curated collection of the 6 best self-hosted alternatives to 1Password Secrets Sharing.

A feature of 1Password that lets individuals and teams securely share passwords, API keys and other secrets with end-to-end encryption, role-based access controls and auditing to manage and control credential access.

Alternatives List

#1 Vaultwarden

Lightweight, self-hosted Bitwarden-compatible password manager server with web vault, client support, organizations, sharing, attachments, and an optional admin interface.

Vaultwarden is an alternative server implementation of the Bitwarden API, designed to be lightweight and easy to run while remaining compatible with official Bitwarden clients and browser extensions. It provides a self-hostable password vault with support for individuals and organizations, secure sharing workflows, and common Bitwarden features.

Key Features

  • Bitwarden API compatibility for official desktop/mobile apps and browser extensions
  • Web Vault UI (served by the server) for managing vault items in a browser
  • Organizations and collections for team/password sharing
  • Bitwarden Send compatibility (text/file sharing), depending on client features
  • Support for attachments and icons, with configurable storage locations
  • Multiple database backends (SQLite by default; optional MySQL/MariaDB or PostgreSQL)
  • SMTP integration for account verification, invitations, and notifications
  • Optional admin panel (can be enabled/disabled) for server/user management
  • 2FA support via Bitwarden clients (e.g., TOTP, WebAuthn/FIDO2 depending on client)

Use Cases

  • Replace a hosted password manager with a private, Bitwarden-client-compatible server
  • Run an internal password vault for a small team with organization-based sharing
  • Provide a low-resource password manager for home labs, VPSes, and edge devices

Limitations and Considerations

  • Not an official Bitwarden server; some enterprise/hosted-only features may be unavailable or differ
  • Admin interface is powerful and should be carefully restricted and hardened when enabled

Vaultwarden focuses on being resource-efficient while keeping strong compatibility with the Bitwarden ecosystem. It is commonly deployed via Docker and fits well when you want Bitwarden client support without running the full official server stack.

53.1k stars, 2.5k forks

#2 Bitwarden

Self-hostable password manager with end-to-end encryption, vault sharing, TOTP, passkeys, and cross-platform apps plus browser extensions.

Bitwarden is a password manager that stores and syncs credentials and other sensitive data across devices using end-to-end encryption. It supports personal and organizational vaults, secure sharing, and access from web, desktop, mobile, CLI, and browser extensions.

Key Features

  • End-to-end encrypted vault for logins, secure notes, cards, and identities
  • Organization vaults with collections, group/user access controls, and sharing
  • Password generator and security reports (e.g., weak/reused passwords)
  • Two-factor authentication options and support for TOTP authenticator storage
  • Passkeys support (platform-dependent by client) and modern authentication flows
  • Cross-platform clients: web vault, desktop apps, mobile apps, browser extensions, and CLI
  • Import/export tools to migrate from other password managers
  • APIs and integrations for enterprise features (e.g., directory/SSO options on paid tiers)

Use Cases

  • Replace hosted password managers while keeping full control of vault data
  • Team credential sharing with role-based access to shared collections
  • Centralize secrets like server credentials and recovery codes with strong encryption

Limitations and Considerations

  • Some advanced enterprise capabilities (e.g., SSO/directory integrations) depend on specific Bitwarden plans and deployment configuration.

Bitwarden is widely adopted and well-documented, offering a mature ecosystem of official clients and an audited security model. The official server project is suitable for organizations needing a full-featured, self-managed password vault with secure sharing and broad client support.

17.8k stars, 1.5k forks

#3 Passbolt

Self-hosted, GPG-based password manager for teams with shared vaults, RBAC, auditing, and browser extensions for secure credential sharing.

Passbolt is a team-focused password manager designed to securely store and share credentials across an organization. It provides shared vaults with fine-grained permissions, a web interface plus browser extensions, and strong cryptography built around OpenPGP.

Key Features

  • End-to-end encryption using OpenPGP (GPG) keys, with encryption/decryption performed client-side via the browser extension
  • Shared password folders/vaults for teams with granular access controls (e.g., read, write, owner)
  • User and group management for organizing access at scale
  • Audit logs and activity tracking for governance and incident investigation
  • Password and passphrase generation and secure sharing workflows
  • Integrations and automation via a REST API
  • Supports common enterprise deployment patterns (reverse proxy, TLS, backups) and multiple install options (packages/containers)

Use Cases

  • Share infrastructure and service credentials (SSH, databases, cloud consoles) across DevOps/SRE teams
  • Manage access for agencies/consultancies working with multiple clients and rotating staff
  • Centralize operational credentials with auditable access for security and compliance needs

Limitations and Considerations

  • Best experience requires the Passbolt browser extension (core cryptographic operations rely on it)
  • Mobile app capabilities may be more limited than desktop/browser workflows depending on the edition and platform

Passbolt is well-suited for organizations that need controlled credential sharing rather than a purely personal vault. Its OpenPGP-based model, combined with group permissions and auditing, makes it a strong fit for operational teams and security-conscious environments.

5.6k stars, 361 forks

#4 Password Pusher

Self-hosted app to share passwords or files via expiring links with view limits, auditing, and optional encryption—designed to avoid sending secrets over email or chat.

Password Pusher is a web application for securely sharing sensitive information (passwords, API keys, notes, and files) via short-lived links. Secrets automatically expire after a configurable number of views and/or a set duration, reducing the risk of accidental long-term exposure.

Key Features

  • Create “pushes” (text or file) that expire by time and/or number of views
  • Optional passphrase protection and client-side encryption modes (where supported) to reduce server-side exposure of plaintext
  • One-time / limited-view secret retrieval with clear expiration metadata
  • Support for file pushes (not only text), enabling sharing of certificates, configs, and other sensitive artifacts
  • Administrative configuration for default/maximum expiration policies and limits
  • Audit/history style metadata for pushes (e.g., created/expired) to support operational accountability
  • Web UI designed for quick sharing; API/automation support via HTTP endpoints (for scripted secret creation)

Use Cases

  • Share a password or 2FA recovery code with a colleague without sending it in email/chat history
  • Send an API token or SSH private key to a contractor with strict time/view limits
  • Provide short-lived access details during incident response or on-call handoffs

Limitations and Considerations

  • Not a full password manager/vault (no long-term credential storage, rotation, or team vault workflows)
  • Security properties depend on deployment/configuration (e.g., TLS, secret retention policy, and whether encryption/passphrase modes are enforced)

Password Pusher fits teams that need a simple, auditable way to transmit secrets with built-in expiration controls. It complements (rather than replaces) a password manager by focusing on secure, ephemeral delivery.

2.8k stars, 424 forks

#5 AliasVault

Self-hosted manager for email aliases and credentials, designed to compartmentalize logins and reduce tracking and account takeover impact.

AliasVault is a self-hosted service that helps you create and manage email aliases and store the corresponding website credentials, so each account can be isolated behind a unique identity. It’s aimed at reducing spam, tracking, and blast radius from credential leaks by pairing alias management with a vault-style workflow.

Key Features

  • Create and manage per-service identities (email aliases) from a central dashboard
  • Store credentials associated with each alias (username/password and related notes)
  • Search and organize entries for quick retrieval
  • Designed for privacy-focused account compartmentalization
  • Web-based UI for managing aliases and vault items

Use Cases

  • Use unique aliases for every signup to identify and stop sources of spam
  • Keep credentials organized per alias to reduce reuse and cross-site correlation
  • Separate personal, family, and project identities with distinct alias groups

Limitations and Considerations

  • Alias creation/forwarding typically depends on your email domain/DNS and mail setup; correct mail routing is required for full functionality.

AliasVault is best suited for users who want a single, self-hosted place to manage masked identities alongside the logins that belong to them. If you already use email aliasing, it can act as the missing “binder” between aliases and stored credentials while keeping data under your control.

1.8k stars, 48 forks

#6 Hemmelig

Self-hosted secret sharing and paste service with E2EE, expiring links, view limits, and optional passwords—built for safely sharing sensitive text and files.

Hemmelig is a self-hosted secret sharing service for securely sending sensitive information (tokens, passwords, notes, and files) using end-to-end encryption in the browser. It creates shareable links that can be configured to expire, be viewed only a limited number of times, and optionally require a password.

Key Features

  • End-to-end encryption (encryption/decryption happens client-side)
  • One-time or limited-view secrets with configurable view count
  • Expiration controls (time-based) to automatically invalidate secrets
  • Optional password protection in addition to E2EE
  • File and text secret support (depending on deployment configuration)
  • Simple web UI for creating and retrieving secrets
  • API support for programmatic secret creation (documented in project materials)

Use Cases

  • Share deployment credentials, API keys, and recovery codes with teammates
  • Send temporary access details to contractors with automatic expiry
  • Provide one-time links for sensitive onboarding information

Limitations and Considerations

  • E2EE means a lost client-side password/key cannot be recovered by the server
  • Operational security depends on correct HTTPS/TLS setup and secure hosting

Hemmelig is suited for organizations and individuals who need a straightforward, auditable way to share secrets with strong client-side encryption and automatic lifetimes. It focuses on minimizing exposure by limiting how long and how often a secret can be accessed.

1.1k stars, 89 forks

Why choose an open source alternative?

  • Data ownership: Keep your data on your own servers
  • No vendor lock-in: Freedom to switch or modify at any time
  • Cost savings: Reduce or eliminate subscription fees
  • Transparency: Audit the code and know exactly what's running