unsubbed.co

Teampass

Self-hosted security and authentication tool: a password manager dedicated to managing passwords collaboratively. One symmetric key is used.

Self-hosted collaborative password management, honestly reviewed. For teams that need granular access controls and don’t want their credentials on someone else’s server.

TL;DR

  • What it is: Open-source (GPL-3.0) collaborative password manager designed for teams — think Bitwarden Teams, but the whole stack runs in your own PHP/MySQL environment [2][3].
  • Who it’s for: Small to mid-size IT teams, DevOps leads, and system admins who need per-folder, per-role access controls and want credentials stored on-premise. Not designed for solo users [2][3].
  • Cost savings: Bitwarden Teams runs $4/user/month ($48/year per seat). 1Password Business is $7.99/user/month. Teampass is $0 in licensing — self-host on a $10/mo VPS with unlimited users [2].
  • Key strength: Granular role-based access. You can assign different read/write permissions per folder, per role, per user — a level of control the simpler password managers don’t offer [2][3].
  • Key weakness: Single-developer project with a PHP/MySQL stack that shows its age in the UI. Not a tool you hand to a non-technical employee and expect them to figure out in 20 minutes. Deployment requires PHP 8.1+, MySQL, and several PHP extensions — more moving parts than Docker-first tools like Bitwarden [README].

What is Teampass

Teampass is a web-based, self-hosted password manager built specifically for team sharing with fine-grained access controls. It’s been maintained by a single developer — Nils Laumaillé — since 2009, which makes it one of the longest-running projects in the self-hosted security space [README]. The current version (TeamPass 3) runs on PHP 8.1+ and MySQL/MariaDB, uses the Defuse PHP Encryption library for AES-256 password encryption, and supports LDAP/Active Directory authentication, REST API, and optional Redis for session storage [README][3].

The core model is: passwords live in Items, Items live in Folders, Folders are organized in a tree, and each Folder has access-level assignments (Read/Write/None) mapped to Roles. Users get assigned Roles. This makes Teampass genuinely different from single-vault tools like KeePass — it’s built around the assumption that different people on your team need different levels of access to different credential sets [3][website].

At 1,779 GitHub stars it’s not a dominant project — for comparison, Bitwarden has over 40,000 stars and Vaultwarden (a Bitwarden-compatible backend rewrite) has over 40,000 too. But Teampass fills a different niche: it’s the tool you reach for when you need to say “the DevOps team gets read/write on the production server credentials folder, the support team gets read-only on the customer credentials folder, and nobody outside finance gets anywhere near the billing folder” [2][3].

Real users back this up. A testimonial on the project’s own site from Jeff Smith (basis.com): “When I first came to my company, it was like WestWorld with regards to password management — anything goes. Since we’ve rolled out TeamPass throughout the org, it not only makes it easy to share passwords, but staff members always know where to go to get the latest password.” [website] David Young from prophecy.net.nz describes using it daily to share customer credentials among staff, with per-customer folders and delegated R/W management for accountable engineers [website].


Why people choose it

The reviews and roundups that cover Teampass consistently position it the same way: it wins on access control granularity and on-premise data sovereignty, and loses on setup complexity and UI polish.

TechRepublic’s 2026 roundup of open-source password managers for Windows picks it as “Best privileges management” in a field that includes Bitwarden, KeePass, Padloc, Passbolt, and Proton Pass [2]. That framing is accurate. Most password managers treat teams as a flat list of users with a shared vault. Teampass treats teams as an org chart — folders map to teams or customers, roles define what those teams can do, and every access event is logged in an audit trail [website].

TorGuard’s 2024 roundup [3] describes Teampass as “designed with team collaboration in mind, providing a secure and organized way to manage passwords and data.” MakeUseOf [4] notes that for team use, the simplest KeePass approach is storing a shared database file — which works until you need one person to have read access and another to have write access to the same item, at which point you need something like Teampass.

Versus Bitwarden. Bitwarden is the cleaner, more modern tool with a better mobile app, browser extension, and hosted option. It’s the right choice for teams who want easy onboarding, a polished UI, and don’t need Teampass-level folder permission granularity. Bitwarden Teams at $4/user/month costs real money as headcount grows. If you have 20 users, that’s $960/year. Teampass on a $10 VPS is $120/year [2].

Versus KeePass. KeePass is powerful for individuals and technical users who manage their own local database file. It doesn’t natively handle multi-user team sharing with role-based access — you’d be managing file permissions at the OS level, not within the application. Teampass is the step up from “shared KeePass database in Dropbox” [3][4].

Versus Passbolt. Passbolt uses OpenPGP end-to-end encryption and is arguably more security-forward than Teampass. It has a cleaner modern interface and a cloud-hosted option. Teampass wins on the depth of its folder/role permission model and its longer track record in production IT environments [2][3].

On data sovereignty. The website quote from Steve Jackman (Coachwise.ltd.uk) puts it plainly: “Being able to use a product that is fully secure and internal ticked all the boxes for us.” [website] For teams in regulated industries, small companies uncomfortable with SaaS credential storage, or IT teams with internal compliance requirements, self-hosted is the only answer — and Teampass has been a stable option for 15+ years [README][website].


Features

Based on the README and website:

Core credential management:

  • Items with custom fields and file attachments [website]
  • Folder tree with configurable access levels per folder (Read/Write/None) [website]
  • Roles with pre-assigned access rights for fast user creation [website]
  • Per-item and per-folder audit trail [website]
  • Personal folders per user, secured with individual salt keys [website]
  • Offline export to encrypted file for use without connection [website]
  • AES-256 encryption via Defuse PHP Encryption library [3][website]

Access control and authentication:

  • LDAP/Active Directory integration [README][features]
  • 2FA support: DUOSecurity, Google Authentication, AGSES [website]
  • Fine-grained user privileges at both folder and item level [website]
  • Role-based access control with inheritance [website]

Infrastructure and integration:

  • REST API [README][features]
  • Docker support (official images on Docker Hub and GHCR) [README]
  • Redis support for session storage in HA deployments [README]
  • WebSocket daemon for real-time sync (requires pcntl + posix PHP extensions) [README]
  • APCu in-memory cache to reduce database load [README]
  • MySQL 5.7+ and MariaDB 10.7+ support [README]
  • Browser extension available [website]
  • 20 languages supported [README]

What’s not there:

  • No cloud-hosted option — on-premise only [README]
  • No mobile app (it’s a web interface; you’d access it via mobile browser)
  • No biometric unlock
  • No secure password send / sharing link feature out of the box
  • The REST API exists but is documented as “basic” — not a feature-rich programmatic interface [README docs]

Pricing: SaaS vs self-hosted math

Teampass:

  • Software license: $0 (GPL-3.0) [README]
  • No per-user fees, no tier limits
  • Commercial support via sponsorship starting at $100+ for priority ticket handling [website]
  • VPS to run it: $8–15/month depending on provider and team size

Bitwarden Teams (closest SaaS equivalent):

  • $4/user/month
  • 10 users: $480/year
  • 25 users: $1,200/year
  • 50 users: $2,400/year

1Password Business:

  • $7.99/user/month
  • 10 users: $959/year
  • 25 users: $2,397/year

Passbolt Business:

  • $49/month flat (up to unlimited users on the business plan)
  • ~$588/year [2]

Concrete math for a 20-person IT team:

Bitwarden Teams at 20 users: $960/year. Teampass self-hosted on a Hetzner CX21 (€5.92/month): ~$85/year. That’s $875/year saved for 20 users, no ceiling — add 10 more users and Bitwarden goes up, Teampass stays flat. Over three years, that’s $2,600+ in savings [2].

The honest caveat: these savings come with a real cost in setup time, maintenance, and the fact that you own the backup responsibility. If a senior developer deploys and maintains it, the economics are obvious. If you’re paying an outside contractor hourly to maintain it, do the math carefully.


Deployment reality check

Teampass is a traditional PHP web application. That means it does not deploy as a single Docker container pulling a single image and being done. The traditional installation — which the README explicitly calls “recommended for production” — requires:

  • A Linux server with a configured web server (Apache or Nginx)
  • PHP 8.1+ with: openssl, mysqli, mbstring, bcmath, iconv, xml, gd, curl, gmp extensions [README]
  • Optional but recommended: apcu, redis, pcntl+posix for full feature set [README]
  • MySQL 5.7+ or MariaDB 10.7+ [README]
  • Optional: Redis for session storage [README]
  • A domain and HTTPS (not optional for a credential manager)

Docker support exists and official images are on Docker Hub (teampass/teampass) and GHCR. There’s a Docker installation guide and a migration guide in the repo. But the README is transparent: Docker is “convenient for testing and isolated environments but may not deliver the same raw performance as a native installation” [README].

What can go sideways:

  • PHP extension mismatches are the most common install failure. The ldap extension is required if you want LDAP auth. The pcntl+posix pair is required for real-time sync via the WebSocket daemon — non-obvious if you don’t read the README carefully [README].
  • Upgrades between major versions require running a migration script. The Docker migration guide exists but version upgrades have historically been a friction point in community feedback [README].
  • This is a one-person project. Nils Laumaillé has maintained it since 2009, which is genuinely impressive, but “bus factor 1” is a real consideration for production security tooling. There’s no corporate backer.
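
A preflight check for the PHP requirements listed above, as an added example (not code from the Teampass project). The extension lists and the 8.1 minimum come from this page; the function names and the sample `php -m` output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Preflight for the PHP requirements listed in this review (added example).
# Extension lists come from the page; function names are hypothetical.
REQUIRED="openssl mysqli mbstring bcmath iconv xml gd curl gmp"
OPTIONAL="apcu redis pcntl posix"   # cache, sessions, WebSocket daemon
LDAP_EXT="ldap"                     # needed only for LDAP/AD authentication

# missing_exts "<wanted>" "<php -m output>": print wanted extensions not loaded.
missing_exts() {
  local loaded missing="" ext
  loaded=$(printf '%s\n' "$2" | tr -d '\r' | tr '[:upper:]' '[:lower:]')
  for ext in $1; do
    # -x matches the whole line, so "xml" is not satisfied by "xmlreader"
    printf '%s\n' "$loaded" | grep -qxF "$ext" || missing="$missing $ext"
  done
  printf '%s' "${missing# }"
}

# version_ok "<PHP version>": succeed for 8.1 and later.
version_ok() {
  local major="${1%%.*}" minor="${1#*.}"
  minor="${minor%%.*}"
  [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 1 ]; }
}

# preflight "<php -m output>" "<PHP version>": non-zero if a hard requirement fails.
preflight() {
  local m rc=0
  version_ok "$2" || { echo "FAIL: PHP $2 is older than 8.1"; rc=1; }
  m=$(missing_exts "$REQUIRED" "$1")
  [ -z "$m" ] || { echo "FAIL: missing required extensions: $m"; rc=1; }
  m=$(missing_exts "$OPTIONAL" "$1")
  [ -z "$m" ] || echo "WARN: missing optional extensions: $m"
  m=$(missing_exts "$LDAP_EXT" "$1")
  [ -z "$m" ] || echo "WARN: ldap not loaded, LDAP/AD login unavailable"
  return "$rc"
}

# Constructed sample of `php -m` output: gmp, pcntl, posix and ldap are absent.
SAMPLE_MODULES="[PHP Modules]
apcu
bcmath
Core
curl
gd
iconv
mbstring
mysqli
openssl
redis
xml

[Zend Modules]
Zend OPcache"

# Demo on the sample. On a real host:
#   preflight "$(php -m)" "$(php -r 'echo PHP_VERSION;')"
preflight "$SAMPLE_MODULES" "8.3.6" || echo "preflight: not ready for install"
```

Run it with the PHP binary and configuration the web server uses; the CLI and the FPM or Apache module can load different extension sets.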

Realistic time estimates:

  • Technical user with Linux/Apache experience: 45–90 minutes for a production deployment with HTTPS.
  • Docker-savvy user: 30–60 minutes following the Docker guide.
  • Non-technical user following a community tutorial: half a day to full day, possibly requiring outside help.

Steve Jackman from Coachwise noted: “After experiencing some minor issues with best practices, config and a lack of knowledge of the program, I contacted the support team for advice and expected no response as we are using it for free.” The team responded helpfully — worth noting that single-developer support can be responsive [website].


Pros and cons

Pros

  • Genuinely free, GPL-3.0. No per-user fees, no commercial tier for core features. Every team member, no additional cost [2][README].
  • Best-in-class folder/role access control among free self-hosted options. Per-folder, per-role, per-user permissions at the granularity that real IT teams need [2][3][website].
  • Long-lived, actively maintained project. Running since 2009. TeamPass 3 with PHP 8.3 support shows the project isn’t in maintenance mode [README].
  • LDAP/AD integration in the free tier. Many commercial tools charge extra for SSO/LDAP. Teampass includes it as a standard feature [README][features].
  • 2FA support (DUOSecurity, Google Auth, AGSES) — meaningful for a credential manager [website].
  • Audit trail per item. Every access to a credential is logged — important for compliance and security incident response [website].
  • REST API included — basic but present [README].
  • 20 languages. Useful for international teams [README].
  • Docker images available for teams that prefer containerized deployments [README].

Cons

  • Single-developer project. Nils Laumaillé has been reliable since 2009, but there’s no company or team behind it. No SLA, no guaranteed response time on critical vulnerabilities [README].
  • PHP/MySQL stack requires real server administration. Not a one-click install. PHP extension management, web server config, database setup — this is a commitment [README][2].
  • UI is functional but dated. None of the reviews call the interface elegant. It works; it doesn’t feel like a 2025 product. Bitwarden’s UI is in a different category [3][4].
  • No hosted option. If you want someone else to manage the infrastructure, Teampass is not your tool. It’s on-premise or nothing [README].
  • No mobile app. Web interface accessible from mobile, but no native app means no biometric unlock, no system-level autofill on mobile [website].
  • Basic REST API. Documented as “API Basic” — not a first-class programmatic interface compared to Bitwarden’s full API surface [README docs].
  • WebSocket real-time sync requires additional PHP extensions (pcntl, posix) that aren’t in every default PHP install [README].
  • Community size is modest. 1,779 GitHub stars is solid for a niche tool but means a smaller pool of community tutorials, troubleshooting threads, and third-party integrations compared to Bitwarden.

Who should use this / who shouldn’t

Use Teampass if:

  • You’re an IT admin or DevOps lead managing credentials for a team of 5–100 people and need per-folder, per-role access controls.
  • Your organization stores all services on-premise and “credentials on a vendor’s server” is a non-starter, full stop.
  • You have a technical person (internal or contractor) who can do the initial setup and handle updates.
  • You’re currently paying Bitwarden Teams or 1Password Business fees and want to eliminate that recurring cost.
  • LDAP/Active Directory integration is required and you don’t want to pay a premium tier for it.

Skip it (use Bitwarden instead) if:

  • You want a clean, modern UI that non-technical team members can use without training.
  • You need a solid mobile app with native autofill.
  • You want the option of managed cloud hosting alongside self-hosted.
  • Your team is small (under 10 people) — Bitwarden’s Teams plan is $40/month for 10 users, which is cheap enough that the self-hosting overhead isn’t worth it.

Skip it (use Vaultwarden + Bitwarden clients) if:

  • You want Bitwarden’s polished client apps (browser extension, mobile, desktop) but self-hosted backend. Vaultwarden is a Bitwarden-compatible server written in Rust — one Docker container, minimal resources, and you use official Bitwarden clients.

Skip it (use Passbolt) if:

  • You need OpenPGP end-to-end encryption and want the encryption model to be auditable in detail.
  • You want a more actively growing community and a company-backed product.
  • You prefer a modern interface.

Skip it (use KeePass) if:

  • You’re a solo user or tiny team with no complex access control needs and you’re comfortable managing a local database file.

Alternatives worth considering

  • Bitwarden — the benchmark for open-source password management. Better UI, mobile apps, browser extensions, hosted option. $4/user/month for Teams. If you can afford it, it’s easier to deploy and maintain [2][4].
  • Vaultwarden — unofficial Bitwarden-compatible server in Rust. Single Docker container, trivial to deploy, uses all official Bitwarden clients. Best option if you want Bitwarden’s UX at near-zero infrastructure cost.
  • Passbolt — GPL-3.0 like Teampass, uses OpenPGP encryption, better UI, company-backed. Business plan at $49/month (flat, unlimited users). Worth comparing seriously if you’re choosing between the two [2][3].
  • KeePass — the oldest open-source option. Desktop app, no native team sharing. Right for individual users, not for team credential management [3][4].
  • 1Password — closed-source SaaS. Best client polish in the category. No self-host option. $7.99/user/month [2].
  • Hashicorp Vault — if you’re managing secrets programmatically (CI/CD pipelines, infrastructure secrets) rather than human-facing credentials. Different use case but frequently compared.

Bottom line

Teampass is the right tool for a specific problem: a technical team that needs on-premise credential management with serious role-based access control and isn’t willing to pay per-seat SaaS fees. It’s been doing this job reliably since 2009, it’s genuinely free under GPL-3.0, and its folder/role/permission model is more granular than most alternatives. The trade-offs are real — dated UI, PHP/MySQL setup complexity, single-developer project risk, no mobile app. If you can run a LAMP stack and your team needs more than a flat shared vault, Teampass earns its deployment. If you want something easier to set up and maintain, Vaultwarden gives you Bitwarden’s clients on your own infrastructure for the cost of a single Docker container.

If the setup is the blocker, that’s what upready.dev deploys for clients. One-time fee, you own the infrastructure, no recurring SaaS bill.


Sources

  1. TechRepublic, “6 Best Open Source Password Managers for Windows in 2026”. https://www.techrepublic.com/article/best-password-manager-open-source-windows/
  2. TorGuard Blog, “Top 5 Open Source Password Managers in 2024” (August 13, 2024). https://blog.torguard.net/top-5-open-source-password-managers-in-2024/
  3. MakeUseOf, “The 5 Best Open-Source Password Managers” (Bertel King, March 5, 2020). https://www.makeuseof.com/tag/best-open-source-password-manager/
  4. SaaSHub, “Thycotic Secret Server Alternatives & Competitors”. https://www.saashub.com/thycotic-secret-server-alternatives

Primary sources:

Features

Authentication & Access

  • LDAP / Active Directory

Integrations & APIs

  • REST API