Psono

Psono is an open-source, self-hosted password manager designed for teams and enterprises. It encrypts data on the client before transmission and provides web, desktop and mobile clients plus an admin portal. The project is maintained by esaqa GmbH and is distributed as Docker images for on-premise deployment. (psono.com)

Key Features

• Client-side end-to-end encryption using NaCl (Curve25519/Salsa20) and scrypt for key derivation, keeping secrets encrypted before they reach the server. (psono.com)
• Fileserver module that chunks, encrypts and stores files across multiple backends (local, S3, GCS, Azure, SFTP, FTP, etc.), with shard/cluster semantics for HA and site-affinity. (doc.psono.com)
• Docker-based deployment with official images and documented installation steps; requires a PostgreSQL database (Postgres 14 recommended). (doc.psono.com)
• MFA support including TOTP (Google Authenticator/Authy), WebAuthn/FIDO2 and YubiKey; enterprise edition adds LDAP/SAML/OIDC and audit/policy controls. (doc.psono.com)

Use Cases

• Team password and secret management with role-based access, sharing and secret history for audits.
• Encrypted file sharing across offices using the fileserver with cloud or local storage backends.
• Integration of secrets into automation via API keys and callbacks for CI/CD or infrastructure automation. (doc.psono.com)

Limitations and Considerations

• Production installs require a domain and trusted TLS certificate; setups with plain IP/http or untrusted certs are not supported. Postgres is required and recommended to be modern (Postgres 14+). Enterprise features (LDAP/SAML/OIDC, audit logging, enforced policies) are gated to the EE edition. (doc.psono.com)

Psono is a full-featured open-source solution for organizations that need server-side control of secrets and client-side encryption. It is optimized for self-hosting with Docker, supports multiple storage backends for encrypted files, and provides enterprise integrations in its paid edition. (psono.com)