PassIt

privacy, security

Open source password manager with end-to-end encryption and group sharing. Passwords are encrypted client-side using libsodium before reaching the server, so the operator cannot read stored credentials. Share passwords with individuals or groups without an administration interface.

#password-manager #e2e-encryption #sharing #self-hosted #libsodium

Quick Start

git clone https://gitlab.com/passit/passit && cd passit && cp .env.example .env && docker compose up -d

Overview

PassIt is a self-hosted password manager built around one architectural principle: the server should never be able to read the passwords it stores. Every credential is encrypted client-side using libsodium — a well-established public key cryptography library — before it leaves the browser. The server receives and stores only ciphertext. Even with direct database access, the operator cannot decrypt what is stored.

The sharing model is built on the same cryptographic foundation. When you share a password with a group or individual, PassIt encrypts the credential with the recipient’s public key. Only someone with the corresponding private key — which never leaves the client — can decrypt and read the shared credential. This means sharing works without any server-side knowledge of what is being shared or to whom.

Browser extensions for Chrome and Firefox handle autofill and vault access in the browser. A progressive web app covers mobile use on Android and iOS without requiring a native app installation.

The notable absence is an administration interface. There is no admin panel for managing users, resetting accounts, auditing access, or performing bulk operations. This is a deliberate design choice — fewer server-side privileges means a smaller attack surface — but it creates a practical operational limitation. Managing users requires direct database access or API calls, which raises the technical bar for teams that need ongoing user management.

For teams that need group credential sharing with E2E encryption and are comfortable with the technical constraints, PassIt provides a clean, auditable implementation. Teams that need an administration interface, active support, and a larger community will find Vaultwarden a better fit.

Use Cases

Specific ways to use PassIt for your workflow.

01. Share a set of credentials with a team or group where only the intended recipients can decrypt them
02. Self-host a password manager where the server operator (including yourself) cannot access stored passwords
03. Replace a shared spreadsheet of credentials with an encrypted, permission-controlled password store
04. Give individuals and teams separate password vaults that can share specific entries without exposing everything

Deployment Strategy

Recommended ways to host PassIt in your own environment.

docker
self-hosted