How to Deploy a Password Manager on Your Own Server

Managing passwords securely is one of the most critical challenges facing modern businesses. Cloud-based solutions introduce third-party risk, while simple spreadsheets and shared documents are a security disaster waiting to happen. The answer? Deploying a self-hosted password manager on infrastructure you fully control. In this guide, we walk you through the entire process — from server requirements to team onboarding — and explain why InPassTo makes self-hosted deployment effortless.

Why Self-Host Your Password Manager?

When your organization stores credentials in a third-party cloud, you are trusting that provider with the keys to your entire digital kingdom. Data breaches at major password management vendors have made headlines repeatedly, exposing millions of encrypted vaults. Self-hosting eliminates this single point of failure by keeping all data on servers you own and operate.

Compliance is another powerful driver. Regulations such as GDPR, HIPAA, and SOC 2 often require organizations to demonstrate exactly where sensitive data resides and who has access to it. With a self-hosted solution, you can point auditors to your own data center or private cloud instance, providing clear evidence of data sovereignty and access controls.

Self-hosting also grants you complete control over update schedules, backup strategies, and network architecture. You decide when patches are applied, how backups are encrypted and rotated, and whether the service is accessible only through a VPN or internal network. This level of control is impossible with SaaS offerings that operate on shared infrastructure. For businesses that handle financial data, healthcare records, or government contracts, self-hosting is not just a preference — it is a requirement. InPassTo was built from the ground up for exactly this deployment model.

Server Requirements

Before deploying InPassTo, ensure your server meets the following minimum specifications. These requirements are designed to support teams of up to 50 users with comfortable performance margins. For larger organizations, we recommend scaling resources proportionally or contacting our team for a tailored architecture recommendation.

# Minimum Server Requirements

Operating System  : Ubuntu 22.04 LTS / Debian 12+
PHP               : 8.2 or higher (with extensions: pgsql, redis, mbstring, openssl, curl)
Database          : PostgreSQL 15+ (recommended) or MySQL 8.0+
Cache / Queue     : Redis 7+
Web Server        : Nginx 1.24+ (with SSL/TLS support)
RAM               : 2 GB minimum (4 GB recommended)
Storage           : 20 GB SSD minimum
CPU               : 2 vCPU cores minimum
Network           : Static IP address, open ports 80/443
SSL Certificate   : Let's Encrypt (free) or commercial certificate

We strongly recommend using Ubuntu 22.04 LTS as the operating system, since it provides long-term security updates and excellent compatibility with the rest of the stack. PostgreSQL is preferred over MySQL for its superior encryption capabilities, robust JSON support, and advanced indexing features that InPassTo leverages for vault storage. Redis handles session management, queue processing, and caching, ensuring fast response times even under heavy load. Your server should be provisioned with a static IP address and a valid domain name pointing to it, as this is required for SSL certificate issuance and secure HTTPS access.

Step-by-Step Deployment Guide

Deploying InPassTo follows a structured process that ensures every component is properly configured and secured. While the InPassTo team can handle the entire deployment for you, here is an overview of what the process involves so you understand each stage.

1. Server Preparation. The target server is hardened by disabling root SSH access, configuring a firewall (UFW or iptables), enabling automatic security updates, and creating a dedicated system user for the application. All unnecessary services are disabled to minimize the attack surface.

2. Software Stack Installation. PHP 8.2 with all required extensions is installed and tuned for production workloads. PostgreSQL is configured with connection pooling and optimized memory settings. Redis is set up with password authentication and bound to localhost. Nginx is installed and configured as a reverse proxy with HTTP/2 support.

3. Application Deployment. The InPassTo codebase is deployed to the server, environment variables are configured, database migrations are executed, and encryption keys are generated. The application queue worker and scheduler are set up as systemd services for reliability.

4. SSL and DNS Configuration. A Let's Encrypt certificate is issued using Certbot with automatic renewal configured. DNS records are verified, and HSTS headers are enabled to enforce encrypted connections. Optional: Cloudflare or another CDN can be configured for DDoS protection.

5. Verification and Testing. The entire deployment is tested end-to-end, including login flows, vault encryption, team sharing, and API access. Performance benchmarks are run to confirm the server meets response time targets.
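The settings named in steps 1, 2 and 4 can be checked from the configuration files once the deployment is done. The script below is an added example, not InPassTo's own tooling: the function names and the Nginx site file name are assumptions, and the other default paths are the Ubuntu/Debian package locations.

```shell
#!/usr/bin/env bash
# Added example: audit the hardening settings named in steps 1, 2 and 4.
# Usage: audit [sshd_config] [redis.conf] [nginx-site.conf]

# sshd keeps the first value it reads for a keyword, so only the first
# PermitRootLogin line counts. A missing line means the default, which
# still allows key-based root login, so that fails too.
check_sshd() {
  awk 'tolower($1) == "permitrootlogin" { v = tolower($2); exit }
       END { exit (v != "no") }' "$1"
}

# Redis must set requirepass, and every bind address must be loopback.
# A leading "-" marks an address Redis may skip when it is unavailable.
check_redis() {
  awk '$1 == "requirepass" && $2 != "" { pass = 1 }
       $1 == "bind" { bound = 1
         for (i = 2; i <= NF; i++) { a = $i; sub(/^-/, "", a)
           if (a != "127.0.0.1" && a != "::1") exposed = 1 } }
       END { exit !(pass && bound && !exposed) }' "$1"
}

# HSTS counts as enabled only with a non-zero max-age; max-age=0 tells
# browsers to forget the policy.
check_hsts() {
  grep -Ei '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security' "$1" |
    grep -Eiq 'max-age=0*[1-9]'
}

# Print PASS/FAIL for one check and pass its exit status through.
report() { if "$@"; then echo "PASS $*"; else echo "FAIL $*"; return 1; fi; }

# Run every check; the return value is the number of failed checks.
audit() {
  local fails=0
  report check_sshd  "${1:-/etc/ssh/sshd_config}"  || fails=$((fails + 1))
  report check_redis "${2:-/etc/redis/redis.conf}" || fails=$((fails + 1))
  # The Nginx site file name below is an assumption, not an InPassTo path.
  report check_hsts  "${3:-/etc/nginx/sites-enabled/inpassto.conf}" || fails=$((fails + 1))
  return "$fails"
}
```

On a live server, give check_sshd the output of `sshd -T` (for example `check_sshd <(sshd -T)`) so that settings pulled in through Include files are resolved.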

Don't want to handle deployment yourself?

The InPassTo team provides fully managed deployment. We configure your server, install everything, and hand you a ready-to-use password manager.

Configuring Security: Encryption and 2FA

Security is the foundation of any password manager, and InPassTo implements multiple layers of protection to ensure your credentials remain safe even in the event of a server breach. The encryption architecture uses AES-256-GCM, the same standard employed by governments and financial institutions worldwide, to encrypt every vault entry at the application level before it reaches the database.

Each user's vault is encrypted with a unique key derived from their master password using Argon2id, a memory-hard hashing algorithm specifically designed to resist GPU-based brute-force attacks. The server never stores the master password or the derived encryption key — decryption happens only in the user's session. This means that even if an attacker gains access to the database, the encrypted data is useless without each individual user's master password.

Two-factor authentication adds a critical second layer. InPassTo supports Telegram-based 2FA, which provides a seamless experience for teams already using Telegram for communication. When a user logs in, a one-time code is sent to their Telegram account via a secure bot. This eliminates the need for third-party authenticator apps and simplifies the rollout across your organization. TOTP-based authentication is also supported for teams that prefer traditional authenticator apps. Enforcing 2FA across all user accounts is a single toggle in the admin panel, giving administrators immediate security compliance without chasing individual team members.

Team Onboarding and Chrome Extension

Once InPassTo is deployed and secured, the next step is onboarding your team. The admin panel provides a straightforward interface for creating user accounts and assigning roles. InPassTo supports granular role-based access control: administrators have full system access, managers can create shared vaults and manage their teams, and regular users can access only the vaults assigned to them.

Shared vaults are one of the most powerful features for teams. You can create project-specific or department-specific vaults — for example, a "Production Servers" vault accessible only to the DevOps team, or a "Social Media Accounts" vault for the marketing department. Permissions are set at the vault level, and audit logs track every access event for compliance purposes.

The InPassTo Chrome extension integrates directly with your self-hosted instance. After installing the extension from the Chrome Web Store, users simply enter the URL of your InPassTo server and log in. The extension auto-fills credentials on recognized websites, generates strong passwords for new accounts, and saves new logins directly to the appropriate vault. For development teams, InPassTo also offers a full REST API with token-based authentication, enabling integration with CI/CD pipelines, deployment scripts, and internal automation tools. API documentation is included with every deployment and accessible directly from your instance.

Why Choose InPassTo for Self-Hosted Deployment

There are several self-hosted password managers on the market, but InPassTo is purpose-built for businesses that need a production-ready solution without the overhead of managing open-source software. Unlike community-driven tools that require you to piece together components, configure encryption manually, and troubleshoot compatibility issues, InPassTo delivers a fully integrated, enterprise-grade platform.

Every InPassTo license includes managed deployment support. This means you do not need a dedicated DevOps team to get started. Our engineers will configure your server, install and optimize the entire stack, set up SSL, configure backups, and hand you a fully operational password manager. We also provide ongoing support for updates, security patches, and scaling as your team grows.

Feature parity is another key advantage. Unlike many competitors that lock essential features behind enterprise tiers, every InPassTo plan includes AES-256-GCM encryption, Telegram 2FA, shared vaults, role-based access, the Chrome extension, REST API access, and audit logging. You get the complete platform regardless of your team size. InPassTo is built with Laravel and Vue.js, using technologies that are well-documented, widely supported, and easy to audit. Your data stays on your server, encrypted with keys only your team controls, and accessible only through the interfaces you authorize.

Ready to deploy your own password manager?

Request a quote and the InPassTo team will handle the entire setup for you. No DevOps expertise needed.
