Keestash is an open source, self-hosted password manager that gives individuals and teams secure shared credential storage in a web interface they fully control, without trusting a third-party password vault provider.
The Problem
Team password managers like 1Password Teams and LastPass Business store your organization's credentials on their servers. Every shared password, every API key, and every service credential passes through their infrastructure. For organizations with strict data policies or compliance requirements, this creates both trust and regulatory risk. Self-hosting eliminates the third-party exposure, but it requires a server-side solution rather than a local file.
How Keestash Solves It
Keestash deploys as a PHP web application on your own server, providing a browser-accessible credential vault with user management, team-based sharing, and AES-encrypted storage. Your credential data never leaves your infrastructure. User and group management lets you control exactly who sees which credentials. Keestash is licensed under GPL-3.0.
Key Features
- Web-based interface for accessing and sharing passwords across a team without syncing local files
- AES-CBC encryption for credentials stored on your own server
- User and group management with role-based access control for team credential sharing
- Self-hosted: all password data stays on your infrastructure, no third-party cloud
- Open source codebase: fully auditable security implementation
Who It's For
Keestash is best for small teams and organizations that need a shared password manager with a web interface, want full control over where credential data is stored, and are unwilling to trust managed SaaS providers with their organization's secrets.
Compared to 1Password Teams
Unlike 1Password Teams, which stores vaults on 1Password's infrastructure and charges per seat monthly, Keestash is GPL-3.0 licensed, self-hosted, and free to run. Your credential data never leaves your own server.

