ADR-0003: Enterprise Password Manager Selection¶
- Status: ✅ Accepted
- Date: 2026-01-28
- Amended: 2026-06-08
- Owners: @team/devops, @osmank, @berk
Context¶
Appcircle requires a centralized, secure, and auditable password management solution for storing and sharing credentials across teams. As our infrastructure grows, managing secrets (API keys, service accounts, shared credentials, SSH keys, certificates) in a secure, controlled, and traceable manner becomes critical.
Requirements / Constraints¶
We need:
- Zero-Knowledge Architecture
- Client-side encryption where the provider cannot access plaintext secrets.
- Strong Encryption Standards
- AES-256 or equivalent, with modern key derivation functions (Argon2, PBKDF2).
- Multi-Factor Authentication (MFA) Enforcement
- Ability to enforce MFA at the organizational level via policy.
- Team-Based Sharing Model
- Secure sharing with RBAC (Role-Based Access Control), vaults, and collections.
- SSO Integration
- SAML, OIDC, LDAP, or SCIM support for centralized identity management.
- Self-Host Capability
- Option to host on our own infrastructure for data sovereignty and compliance.
- Audit & Logging
- Comprehensive audit trails, event logs, and SIEM integration for compliance.
- Enterprise Support
- Reliable vendor support, SLA guarantees, and security certifications.
- CLI Tools & API Access
- Command-line interface for server-side automation and scripting.
- Support for automated credential rotation (passwords, SSH keys, API tokens).
- Headless/non-interactive authentication for service accounts.
Decision¶
We will adopt Vaultwarden (Self-Hosted) as the standard password manager for Appcircle.
The initial proposal evaluated Passbolt. After further review, Vaultwarden was selected because SSO via OIDC became available in Vaultwarden, removing the primary concern that had previously ruled it out. Combined with zero licensing cost and native compatibility with the Bitwarden client ecosystem, Vaultwarden became the better fit.
Key points:
- Vaultwarden is deployed on Appcircle infrastructure and accessible at
https://pass.appcircle.io. - AES-256-GCM encryption with Argon2id key derivation — same cryptographic model as Bitwarden.
- All official Bitwarden clients (browser extensions, desktop and mobile apps) are used as the front-end; no custom client is required.
- Credentials are organized using organizations, collections, and RBAC — one organization per company, collections per team.
- SSO is configured via Microsoft Entra ID (OIDC), enabling users to authenticate with their
@appcircle.ioaccount. - Full data sovereignty — all credentials remain on Appcircle-controlled infrastructure.
- Zero licensing cost — Vaultwarden is free and open-source.
Options Considered¶
Comparison Matrix¶
| Product | Encryption Model | Key Derivation / KDF | Zero-Knowledge | MFA Enforcement | Sharing Model | SSO Support | Self-Host | Audit / Logging | Licensing / Cost | Security Notes |
|---|---|---|---|---|---|---|---|---|---|---|
| Bitwarden Enterprise | AES-256-GCM | Argon2id (configurable) | Yes | Yes (policy-enforced) | Org vaults, collections, RBAC | Yes (OIDC, SAML) | Yes (Docker/K8s) | Advanced audit logs, SIEM integration | Per-user pricing (Teams/Enterprise plans) | Mature and supported for enterprise use. |
| Vaultwarden ✅ | AES-256-GCM | Argon2id (configurable) | Yes (same encryption as Bitwarden, not officially audited) | Available but limited enforcement | Collection and vault logic compatible | Yes (OIDC added; SSO now available) | Yes (Docker, low resource) | Basic level, requires custom improvements | Free (community), no official support | SSO availability resolved the original blocker; selected for zero cost and Bitwarden client compatibility. |
| 1Password Business | AES-256 | PBKDF2 + Secret Key (SRP-based) | Yes (very strong model) | Yes | Team vaults, access policies | Yes (SCIM + SAML/Entra) | No (SaaS only, region selectable) | Advanced access and event reports | Per-user licensing | Strong security model but SaaS dependency. |
| Passbolt | OpenPGP (user key pairs) | User GPG key generation | Yes (client-side decryption) | Yes | Groups and access permissions | Yes (SAML, LDAP) | Yes (Docker/K8s) | Advanced audit logs | Community + Enterprise options | Excellent for self-host and secure sharing. |
| KeePassXC | AES-256 / ChaCha20 (configurable) | Argon2 | Yes (local storage) | No (no central MFA enforcement) | Manual file sharing (NOT suitable for secure team sharing) | No | Yes (file-based) | No (no central logging) | Free | Not suitable for team use or auditability. |
| Keeper | AES-256 | PBKDF2 (configurable) | Yes | Yes | Vault sharing, folder-based access control | Yes (SAML/LDAP/OIDC) | Yes (privately hosted enterprise options) | Advanced reporting and alerting | Per-user licensing | Strong enterprise management and SSO integrations. |
Consequences¶
Positive¶
- Full data sovereignty — all credentials remain on Appcircle-controlled infrastructure.
- Zero licensing cost — Vaultwarden is free and open-source; no per-user fees.
- Bitwarden client ecosystem — users get a polished, widely supported client on all platforms without any custom tooling.
- SSO via Microsoft Entra ID (OIDC) centralizes authentication and simplifies user lifecycle management.
- Collection-based RBAC enables fine-grained per-team and per-role access control.
- Bitwarden Send provides a secure, expiring channel for sharing secrets without using Slack or email.
- Low resource footprint; runs on a single Docker container.
Negative / Trade-offs¶
- No official vendor support — Vaultwarden is community-maintained; security patches depend on the upstream project.
- Not officially audited — cryptographic implementation mirrors Bitwarden but has not undergone independent third-party audit.
- Operational overhead — backups, upgrades, and monitoring are entirely self-managed.
- MFA policy enforcement is limited compared to the official Bitwarden Enterprise offering.
Follow-ups / Migrations¶
- ~~Infrastructure Setup: Deploy on Docker~~ — done; running at
https://pass.appcircle.io. - ~~SSO Integration: Configure Microsoft Entra ID (OIDC)~~ — done.
- Organization invite workflow: Document and socialize the manual invite process (no SCIM auto-provisioning).
- Collection structure: Finalize
<Team>/<Team>/Privilegedcollection hierarchy for all teams. - Offboarding: Add Vaultwarden account removal to the offboarding checklist.
- Backup verification: Confirm automated backup and restore procedure is tested.