Padloc
Released under AGPL-3.0, Padloc is a password manager you can run on your own self-hosted infrastructure.
Open-source password management, honestly reviewed. No marketing fluff, just what you get when you self-host it.
TL;DR
- What it is: Open-source (AGPL-3.0) password manager with end-to-end encryption — think 1Password, but the source code is on GitHub and you can run it on your own server [1][2].
- Who it’s for: Individuals and small teams who want verifiable E2E encryption, have been burned by LastPass-style breaches, and want to stop paying per-user SaaS fees for something they can host themselves [2].
- Cost savings: 1Password personal runs ~$35.88/yr; Padloc Premium is $34.90/yr with a free self-hosted option. Bitwarden Premium is $10/yr — Padloc’s SaaS pricing isn’t cheaper than the category leader [2].
- Key strength: Multiple native clients out of the box — PWA, Electron desktop, Tauri, Cordova (iOS/Android), and a browser extension — plus three independent security audits including one by Radically Open Security [1][2].
- Key weakness: 2,922 GitHub stars vs. Bitwarden’s 37K+. Smaller community, less ecosystem maturity, and self-hosting documentation was described as “coming soon” in the README at time of review [1].
What is Padloc
Padloc is an end-to-end encrypted password manager built for individuals and teams. The pitch is simple: store passwords, credit cards, notes, documents, license keys, and TOTP codes in a single encrypted vault — with the guarantee that neither Padloc nor anyone operating the server can read your data [2].
What makes it worth looking at beyond the dozens of similar pitches is the combination of things it actually ships. The project is split into distinct packages: a core library, a web UI, a backend server, a Progressive Web App, desktop clients via both Electron and Tauri, mobile apps via Cordova, and a browser extension [1]. That’s a full-platform client matrix that most self-hosted password managers don’t ship natively — you don’t need to rely on the PWA as a mobile fallback.
The security story has substance. The codebase has been independently audited by three separate groups of security experts, with the most recent audit conducted by Radically Open Security [2]. There’s also a published security whitepaper for anyone who wants to understand the cryptographic design rather than just take the “E2E encrypted” label on faith [1].
The license is AGPL-3.0 [1]. That matters: if you run a modified version of Padloc as a network service, you must share your source changes under the same license. It’s more restrictive than a pure MIT license, but it’s a real open-source license — there are no proprietary server components or feature locks behind a commercial license tier.
As of this review, the project sits at 2,922 GitHub stars [1]. That’s meaningful but not dominant in the password manager category.
Why People Choose It
No independent third-party reviews of Padloc were available for this analysis, so this section synthesizes from the primary sources — the GitHub repository and official website.
The case for Padloc over commercial alternatives comes down to three things.
Verified encryption, not promised encryption. The LastPass breach of 2022, where attackers exfiltrated encrypted vaults, destroyed trust in “we encrypt your data” marketing. With Padloc, the encryption implementation is public, audited by external security researchers, and documented in a whitepaper [2]. You’re not trusting a marketing claim — you can read the code.
Self-hosting to eliminate vendor risk. If you run your own Padloc instance, you control the data entirely. There’s no vendor who can be breached, acquired, or shut down and take your vault offline [1][2]. For founders storing client credentials, API keys, and financial access, the threat model for a company password manager is different from personal use.
Beyond passwords. Padloc positions itself as a broader secure data store: passwords, credit cards, notes, banking data, documents, TOTP codes, and encrypted file storage [2]. For a founder who’s currently juggling multiple tools for different types of sensitive data, consolidation into one E2E encrypted vault has practical appeal.
Features
Based on the GitHub README and website:
Core vault:
- Unlimited vault items on all tiers (including free) [2]
- Passwords, credit cards, notes with markdown support, documents, banking data [2]
- Built-in TOTP authenticator (no need for a separate 2FA app) [2]
- Encrypted file storage (1GB on Premium, 5GB on Team, 20GB on Business, unlimited on Enterprise) [2]
- Security report — scans vault for weak, reused, or compromised passwords [2]
- Rich text notes with markdown [2]
Sharing:
- Shared vaults available on all tiers [2]
- Family plan supports up to 5 users with up to 5 shared vaults [2]
- Team plan: up to 20 shared vaults, up to 10 groups for permission management [2]
- Business plan: up to 50 shared vaults, up to 20 groups [2]
- Directory sync / automatic provisioning on Team and above [2]
Clients (all included):
- Progressive Web App — runs in any browser [1]
- Electron desktop app for Windows, macOS, Linux [1][2]
- Tauri cross-platform native app [1]
- Cordova-based iOS and Android apps [1]
- Browser extension [1]
Multi-factor authentication:
- Standard MFA on all tiers [2]
- “Advanced multi-factor authentication” on Premium and above (specifics not detailed on the website) [2]
Self-hosting:
- Server package available for self-deployment [1]
- DigitalOcean one-click deploy button in the README [1]
- Docker-based local setup documented in the README [1]
What’s missing from the public documentation:
- No SSO/LDAP mention outside Enterprise tier
- No API documentation referenced
- No CLI client
- No browser extension auto-fill details publicly documented beyond “browser extension exists”
Pricing: SaaS vs Self-Hosted Math
Padloc Cloud:
- Free: Unlimited vault items, unlimited devices, MFA, shared vaults, encrypted file storage, built-in TOTP, markdown notes [2]
- Premium: $3.49/mo or $34.90/yr — adds up to 1GB encrypted file storage, advanced MFA [2]
- Family: $5.95/mo or $59.50/yr — up to 5 users, up to 5 shared vaults, 1GB file storage [2]
- Team: $3.49/user/mo or $34.90/user/yr — 5GB storage, 20 shared vaults, 10 groups, directory sync [2]
- Business: $6.99/user/mo or $69.90/user/yr — 20GB storage, 50 shared vaults, 20 groups [2]
- Enterprise: price on request, unlimited vaults/groups/storage, customized appearance [2]
Self-hosted:
- Software license: $0 (AGPL-3.0) [1]
- Server to run it: $5–10/mo on Hetzner, Contabo, or DigitalOcean
- Your time to deploy and maintain it
Honest comparison against the category:
| Product | Personal/yr | Teams/user/mo |
|---|---|---|
| Bitwarden Premium | $10 | $4 |
| Padloc Premium | $34.90 | $3.49 |
| 1Password | $35.88 | $7.99 |
| LastPass | $36 | $4+ |
Padloc’s individual pricing is competitive with 1Password but 3.5x more expensive than Bitwarden Premium for roughly equivalent features [2]. For teams, Padloc at $3.49/user/mo is slightly cheaper than Bitwarden Teams ($4/user/mo), but Bitwarden’s individual tier costs $0.83/mo vs. Padloc’s $2.91/mo.
The self-hosting case is real: A 5-person team paying Padloc Cloud $3.49/user = $17.45/mo = $209.40/yr. A self-hosted instance on a $6/mo Hetzner VPS = $72/yr — roughly $137 saved annually, more if the team is larger. The savings compound fast at 10-20 users.
The free tier is notably generous: unlimited vault items, unlimited devices, shared vaults, and the built-in TOTP authenticator are all free [2]. For a solo founder who doesn’t need encrypted file storage, the free tier is a viable permanent option.
Deployment Reality Check
The README shows a local setup that’s genuinely simple [1]:
git clone git@github.com:padloc/padloc.git
cd padloc
npm ci
npm start
Web client available at http://localhost:8080. For a local test, that’s about as frictionless as self-hosted software gets.
For a production instance, the README’s DigitalOcean one-click deploy button [1] suggests the team has thought about the deployment path. However, the README explicitly states that “in-depth guides on how to host your own ‘productive’ version of Padloc and how to build and distribute your own versions of the desktop and mobile apps are coming soon” [1] — which signals that production deployment documentation was still incomplete at time of writing.
What you actually need for production:
- A Linux VPS (minimum 1GB RAM is likely sufficient for a small team)
- Docker or Node.js environment
- A domain name and HTTPS (Caddy or nginx as reverse proxy)
- An email provider for account invites and recovery
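For the HTTPS step in the checklist above, here is a minimal Caddy reverse-proxy configuration; it is an added example, not configuration from the Padloc README or project. It assumes the Padloc web client is bound to 127.0.0.1:8080 (the port from the README’s local setup) and that vault.example.com is a placeholder for a domain you control.

```caddyfile
# Added example, not from the Padloc project. Assumptions: the Padloc web client listens on
# 127.0.0.1:8080 (the README's local port; bind it to loopback so only Caddy can reach it),
# and vault.example.com is a placeholder for your own domain.
vault.example.com {
    # Caddy obtains and renews the TLS certificate itself and redirects plain HTTP to HTTPS.
    encode gzip

    header {
        # Pin browsers to HTTPS for a year once they have seen the site over TLS.
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        Referrer-Policy "no-referrer"
    }

    reverse_proxy 127.0.0.1:8080
}

# What to avoid: running the app directly on a public interface with no TLS in front of it,
# e.g. a listener on 0.0.0.0:8080, which serves the vault UI over plain HTTP to the internet.
```

The web client also needs to reach the Padloc API server over HTTPS; that URL is configured on the Padloc side and is not covered by this fragment.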
What can go sideways:
- The “coming soon” documentation warning is real — expect to figure out some configuration by reading the source if you hit edge cases [1].
- AGPL-3.0 means if you modify the server code and expose it as a service, you must publish those modifications. For internal team use this doesn’t matter; for building a product on top of Padloc, it does.
- Mobile apps (iOS, Android) are built via Cordova and listed in the repo, but building your own distribution would require App Store/Play Store developer accounts and signing infrastructure [1]. If you self-host the server, you’ll still need to use the official app clients or build your own.
Realistic estimate for a technical user: 1–2 hours to a working instance. For a non-technical founder: budget a full afternoon or have someone set it up once.
Pros and Cons
Pros
- Three independent security audits including Radically Open Security — this is verifiable external validation, not marketing copy [2].
- Published security whitepaper — you can read how the cryptography actually works [1][2].
- Full native client matrix — PWA, Electron, Tauri, Cordova (iOS/Android), browser extension, all included [1]. Not all self-hosted password managers ship this complete a client set.
- Built-in TOTP authenticator — eliminates the need for a separate 2FA app [2].
- Generous free tier — unlimited items, unlimited devices, shared vaults, TOTP, markdown notes — all free [2].
- AGPL-3.0 — the core is genuinely open source with no proprietary server components locked behind a commercial license [1].
- Beyond passwords — encrypted file storage, notes, credit cards, documents in one vault [2].
- Directory sync on Team tier — automatic provisioning without paying Enterprise rates [2].
- DigitalOcean one-click deploy for quick evaluation [1].
Cons
- Smaller community than Bitwarden — 2,922 stars vs. 37K+. Fewer community answers, fewer third-party integrations, smaller ecosystem to rely on if something breaks [1].
- Production self-hosting documentation is incomplete — the README explicitly says deployment guides are “coming soon” [1]. That’s a real friction point for non-technical founders.
- Individual SaaS pricing is not competitive — $34.90/yr vs. Bitwarden’s $10/yr for a similar feature set. If you’re using managed cloud and not self-hosting, Bitwarden wins on price [2].
- No CLI client — if you need to script credential retrieval (deploy pipelines, CI/CD), there’s no documented programmatic interface [1].
- Mobile apps require building from source for self-hosted deployments — you’ll use official app clients that point to Padloc’s cloud, or you need to build and sign your own binaries [1].
- “Plugins” feature listed as canonical but not detailed anywhere in the README or website [1]. Unclear what’s actually available.
- No SSO/LDAP documentation outside Enterprise tier contact-sales [2].
Who Should Use This / Who Shouldn’t
Use Padloc if:
- You want a password manager with verified E2E encryption — audited by external researchers, not just claimed in marketing [2].
- You’re self-hosting and want a full native client set without building clients yourself [1].
- You need TOTP codes in the same vault as passwords, and don’t want to manage a separate authenticator app [2].
- You’re running a team and the $3.49/user/mo cloud tier or self-hosted option is acceptable — and you want directory sync without paying Enterprise prices [2].
- You want to store more than just passwords: encrypted notes, documents, credit cards, and files in a single E2E encrypted system [2].
Skip it (use Bitwarden instead) if:
- You want the most mature, widely-deployed self-hosted password manager with the largest community. Bitwarden has 10x the GitHub presence and extensive self-hosting documentation.
- Your priority is cheapest SaaS — Bitwarden Premium at $10/yr is the benchmark, and Padloc doesn’t match it.
- You need a CLI client for scripting or CI/CD pipeline credential injection.
- You want a huge library of community resources, forum answers, and third-party guides.
Skip it (use KeePass/KeePassXC instead) if:
- You want a completely local, no-server-required solution with no self-hosting overhead.
- Your threat model requires zero network exposure of credentials.
Skip it (stay on 1Password) if:
- You need polished enterprise features (SSO, Duo integration, activity logs, Watchtower) with guaranteed support SLAs and aren’t willing to figure out incomplete self-hosting docs.
- You have a team that would revolt at any UX friction versus a mature commercial product.
Alternatives Worth Considering
- Bitwarden — the most direct comparison. Also open source (AGPL, though the official server includes some proprietary components; the community Vaultwarden fork avoids them), 37K+ GitHub stars, much more mature self-hosting ecosystem, $10/yr personal, $4/user/mo teams. If you want the most battle-tested open-source password manager, start here.
- Vaultwarden — unofficial Bitwarden-compatible server written in Rust. Runs on minimal hardware (a Raspberry Pi), fully compatible with all Bitwarden clients. The go-to for self-hosting Bitwarden on low-resource servers.
- KeePassXC — local-only, no sync. Excellent for users who want zero network exposure, but requires a separate syncing solution (Syncthing, Nextcloud, etc.) for multi-device access.
- 1Password — the incumbent commercial option. Best UX in the category, SSH key management, Developer CLI, Secrets Automation. Fully closed source, $35.88/yr individual, $7.99/user/mo teams.
- LastPass — avoid. The 2022 breach where encrypted vaults were exfiltrated made it hard to recommend, regardless of their remediation steps.
- HashiCorp Vault — if you’re managing secrets for infrastructure rather than human users. Different use case, but often worth distinguishing when people say “password manager for the team.”
Bottom Line
Padloc is a technically solid, genuinely open-source password manager with one standout credential: three independent security audits including one by a named external firm [2]. The full native client set — desktop, mobile, PWA, and browser extension all in the same repo — is a real differentiator versus password managers that ship a web app and call it done. The free tier is genuinely useful, and the team pricing at $3.49/user/mo undercuts Bitwarden’s Teams tier.
The trade-off is community size and documentation maturity. At 2,922 GitHub stars versus Bitwarden’s 37K+, you’re betting on a smaller project with fewer community resources and self-hosting guides that were still incomplete at the time of this review [1]. For an individual or small team where someone technical will handle setup, that’s acceptable. For a non-technical founder who needs a self-hosted password manager to Just Work without reading source code, Bitwarden + Vaultwarden is the safer path with more documentation support.
If Padloc’s independent security audits and multi-store approach (passwords + files + notes in one E2E vault) fit your threat model, and you’re willing to accept the smaller community, it’s worth a serious evaluation. If setup friction is the blocker, that’s exactly what upready.dev handles for clients — one-time deployment, you own the infrastructure.
Sources
- Padloc GitHub Repository — README, package structure, security whitepaper reference, DigitalOcean deploy. https://github.com/padloc/padloc (2,922 stars, AGPL-3.0 license)
- Padloc Official Website and Pricing — homepage, feature descriptions, pricing tiers, security audit disclosure, client platform list. https://padloc.app