Quick answer up front: your team’s credentials belong in a store you control yourself, not in someone else’s cloud whose location you can’t point to on a map. Vaultwarden gives you exactly that — a self-hosted password manager, compatible with the Bitwarden apps, running on a small machine in-house or at an EU provider. And two fond habits can go overboard while you’re at it.
Why self-host at all
Most teams manage passwords one of two ways: as a mess of Excel sheets and chat history, or in a SaaS vault whose provider sits somewhere. The first is a leak waiting to happen. The second just moves the problem — your most sensitive data, the keys to everything else, sits with a third party. It’s the same pattern you know from Microsoft 365 and the GDPR, just with higher stakes.
The LastPass breach showed that big providers fall too: an attacker got at the encrypted vaults of entire customer bases. There’s nothing wrong with using a password manager, quite the opposite. But there’s a difference between the vault sitting at your place and sitting with someone you don’t know.
Vaultwarden is a lightweight, open-source server implementation of Bitwarden. The clients for browser, phone and desktop stay the same, only the vault runs at your place. For a small team, a very modest machine is enough.
”We have MFA” isn’t the finish line
Multi-factor is mandatory, but not every variant is worth the same. A one-time code by SMS can be intercepted, and the constant push confirmations on the phone are annoying until someone taps “approve” out of irritation — which is exactly what attackers count on. And afterwards the employee gets the blame, even though the system set the trap.
The way out is passkeys, or FIDO2: instead of a code you type, a cryptographic key bound to the real destination. A fake login page gets nothing out of it. Vaultwarden supports passkeys, and for the accounts that would really hurt to lose, they’re the more honest choice.
Rotation is dead
The second habit that can go: the forced password change every 90 days. The BSI and NIST have advised against it for years, and for good reason. People forced to invent new passwords build patterns — Summer2025! becomes Autumn2025!. That’s no hurdle for an attacker, but a daily annoyance for users.
The opposite is better: long, unique passwords, a different one per service, changed only when there’s a reason to. That’s exactly what a password manager takes off your hands. It rolls the passwords, remembers them, and nobody has to think up Autumn2025! anymore.
Keeping control without babysitting the server
Staying honest: self-hosting means running it. The server wants updates, backups and someone who feels responsible. That leaves three honest paths — here they are side by side:
| Bitwarden Cloud | Vaultwarden self-hosted | Vaultwarden managed | |
|---|---|---|---|
| Operations | The provider’s job | Your job: updates, backups, monitoring | The service provider’s job, you watch |
| Data sovereignty | Vault sits with the provider, location is their call | Full control, vault on your own machine | Your own vault in a German datacenter |
| Effort | Minimal | Needs someone who feels permanently responsible | Low, operations are outsourced |
| Cost character | Ongoing per-user subscription | Own hardware plus working hours | Ongoing flat rate for operations |
If you want it simple and don’t have the operations hand, the paid Bitwarden service is sensible. If you want full control and have someone for it, host Vaultwarden yourself. And in between is the path most teams are actually after: have the vault run managed, in a German datacenter.
That’s what cloudsourced is for — Vaultwarden, operated in German datacenters, GDPR-compliant, with updates, backups and monitoring included. You get your own vault on German soil, without having to babysit the server. The control stays with you, the operations don’t.
Want a password vault for the team that’s yours and still runs reliably? Get in touch, or take a look at cloudsourced directly — Vaultwarden from German datacenters, so you look after the passwords and not the server.