Why are cloud password managers a liability for MSPs?

An MSP that stores N clients' credentials in a single cloud vault has created a single point of failure for all N clients. A vendor breach, a stolen MSP technician account, or even a misconfigured share can cascade into a multi-client incident. The blast radius is no longer one customer — it's the whole book of business.

What's the alternative to a cloud password manager for consultants?

An on-device vault: an encrypted file that lives on a single workstation you control. No central server, no shared cloud tenant, no third-party processor. The trade-off is the loss of automatic multi-device sync. For a solo consultant or small MSP team, that trade-off is often acceptable in exchange for a far smaller breach surface.

Can I store SSH keys and API tokens in an on-device vault?

Yes. OneCritto stores passwords, SSH keys, API tokens, certificates, configuration files and arbitrary binary attachments inside a single encrypted .onecritto file. File attachments are encrypted with AES-256-GCM streaming so large files are not loaded fully into RAM.

Does this comply with my MSA / DPA obligations?

This is not legal advice. That said, an on-device vault simplifies many common contractual obligations: there is no sub-processor to disclose, no data transfer outside your jurisdiction, and no third-party DPA to chain. Your customers' credentials never leave hardware you operate.

Password Manager for MSPs and IT Consultants (2026): Why Cloud Vaults Are a Liability

Published June 2, 2026 · 10 min read

Every IT consultant and MSP eventually faces the same question: where do I keep all my clients' credentials? Server logins, RDP passwords, router admin accounts, SSH keys, cloud-console API tokens, VPN profiles, vendor portals — multiplied across dozens of customers.

The default answer in 2026 is still a cloud-hosted team password manager. It's convenient, it syncs across devices, and the marketing pages all show shiny dashboards. It's also, for this specific role, a structural liability. This post explains why — and what an on-device alternative looks like in practice.

The MSP blast-radius problem

A residential customer who loses a personal password manager exposes themselves. An MSP who loses a shared client vault exposes every client in that vault. The blast radius scales with your book of business.

Concretely, an attacker who compromises a single MSP technician's account or the upstream vendor can potentially reach:

Domain admin credentials for 20+ client networks.
SSH keys to production servers across multiple industries.
Hosting and DNS-registrar logins (where most account takeovers ultimately go).
Cloud-console root accounts (AWS, Azure, GCP) for any client you've ever helped.
Backup-system credentials — which means recovery is no longer a safe assumption.

This isn't theoretical. The pattern of "supply-chain attack through an MSP's shared tooling" is one of the best-documented attack chains of the past five years, with well-publicised incidents involving RMM platforms, PSA tools and shared password managers across multiple vendors.

The four risks specific to a cloud-hosted vault for consultants

1. Vendor breach

The vendor itself can be compromised. LastPass in 2022 is the canonical example, but it's not unique. Whatever vendor you choose, you are inheriting their security posture, their employees, their infrastructure and their worst week. For an MSP, "worst week at the vendor" can mean "worst week across your whole client base."

2. Account-takeover of an MSP technician

Cloud vaults gate access through user accounts. Phish a technician, defeat the second factor (SMS, push-bombing, session-cookie theft, AiTM proxies — all well-understood in 2026), and the attacker has the same access the technician had. With a shared team vault, that's everything.

3. Insider risk and offboarding gaps

A subcontractor's access lingers. An employee leaves and you're not 100% sure every shared item was rotated. Cloud vaults make access governance easier than spreadsheets, but they don't eliminate it — they shift the risk from "did we store the password securely?" to "did we revoke access to it cleanly?"

4. Contractual and jurisdictional exposure

Many clients now ask, in MSAs and DPAs, where their credentials are processed and which sub-processors touch them. A cloud password vendor is a sub-processor. Their data centres are jurisdictions. Their employees are people with access. Every one of those is a clause in your contract you'd rather not have to defend.

Why on-device storage changes the picture

An on-device password manager stores the encrypted vault as a file on a single workstation you physically control. No central server, no shared tenant, no vendor-managed sync. For an MSP or solo consultant, the implications are concrete:

No vendor breach surface. There is no service to compromise, only your laptop.
No remote technician-account compromise. There is no remote account.
No sub-processor. Nothing to disclose, nothing to chain.
Backups under your control. The vault is a single encrypted file — copy it to encrypted external storage on the schedule you choose.
Per-client segmentation is trivial. Create one vault per client if your risk model needs it. Each is a single file, opened only when needed.

The honest trade-off: no automatic multi-device sync, no built-in team sharing, no web UI. For a solo consultant or a small MSP team using a primary workstation, that's usually an acceptable price. For a 50-technician MSP that needs concurrent shared access, an on-device tool may complement rather than replace a team vault — at minimum, keep the highest-blast-radius secrets (registrar logins, root cloud accounts) off the shared cloud tier.

What a consultant's vault should actually hold

A general-purpose password manager treats every entry as a username/password pair. A consultant's vault needs more. In OneCritto, each .onecritto file holds:

Passwords — with categories, notes, strength scoring and breach checks.
SSH connections and keys — built-in SSH manager: store keys encrypted, launch sessions with one click, keys wiped on exit.
File attachments — certificates, .pem keys, VPN profiles, signed contracts, recovery codes. Encrypted with AES-256-GCM streaming so large files aren't loaded fully into RAM.
Encrypted notes — runbooks, recovery procedures, internal documentation that shouldn't live in a wiki.
API tokens and secrets — treated as first-class entries, with the same reveal countdowns and clipboard auto-clear (20 s) as passwords.

A pragmatic architecture for MSPs and consultants

Here's a model that has worked for several small consultancies migrating off shared cloud vaults:

One vault per client. A single client-acme.onecritto file per customer. Opens only when you're working on that customer. Reduces accidental cross-customer credential exposure (copy-paste mistakes, screenshares with the wrong vault open).
One "infra" vault for your own consultancy. Your registrar, your hosting, your billing — strictly separated from any client vault.
Encrypted backup to two independent locations. The vault is already encrypted — a USB stick in a safe and an encrypted external drive at home are enough. Cloud storage works too, since the file is opaque to the provider.
Per-engagement rotation discipline. When an engagement ends or scope changes, rotate the affected credentials, delete the vault file (secure-wipe) and confirm with the client.
Sentinel audit before client meetings. Run OneCritto's Sentinel dashboard on a client vault before a security review — produces a defensible health score, duplicate detection and a rotation plan you can hand to the client.

"But what about my team?"

On-device vaults aren't designed for concurrent multi-user editing. That's a real limit. Two patterns work for small teams:

Designated keeper. One person owns each client vault. Other team members request specific credentials, which are shared out-of-band (encrypted message, in-person, etc.) on a need-to-know basis. Slower, but auditable and minimally exposed.
Two-tier model. A traditional team password manager for day-to-day low-blast-radius credentials. An on-device vault per client for the high-blast-radius secrets — registrar logins, root cloud accounts, code-signing keys, master backup credentials. Cloud breach no longer means total loss.

Comparison at a glance

	Cloud team vault	Self-hosted vault	On-device vault (OneCritto)
Breach surface	Vendor infra + all user accounts	Your server + all user accounts	Your workstation
Operational burden	None	High (you run a server)	None
Sub-processor in contracts	Yes	No (you are processor)	No
Cross-client blast radius	High (shared tenant)	High (shared server)	Low (one file per client)
Concurrent team access	Yes	Yes	No — designated keeper model
File attachments (certs, keys)	Limited, paid tier	Depends	First-class
SSH key / session manager	External tool	External tool	Built-in
Cost	Per-seat subscription	Server + your time	Free, open source

Migrating without breaking active engagements

You don't have to do a big-bang migration. A reasonable rollout for a working MSP:

Pick your three highest-blast-radius secret categories — typically domain registrars, root cloud-provider accounts, and code-signing / backup credentials.
Move only those into a per-client on-device vault. Rotate the credentials as you migrate.
Keep the rest in your existing tool for now. Observe the workflow change for a month.
Expand the on-device tier client by client, oldest engagements first (they have the most stale shared credentials).
Document the new model in your internal runbook and your client-facing security statement. It's a sales asset, not just an internal change.

FAQ

Isn't this just KeePass with extra steps?

KeePassXC is a legitimate option for the same threat model and a great fit for technical users who value minimal UX over polish. A direct comparison is in our LastPass-alternative round-up. OneCritto targets the same threat model with a more polished workflow, first-class file attachments, an integrated SSH manager and the Sentinel audit dashboard.

What about compliance — SOC 2, ISO 27001, CMMC?

On-device vaults make many controls easier to satisfy because the data flow is shorter and there are fewer parties. Encryption-at-rest (AES-256-GCM), key derivation (Argon2id), integrity verification (HMAC-SHA256), automatic session lock and secure-wipe of decrypted temp files are all standard. You'll still need policies, evidence and access logs around how you use the tool — that part of compliance never goes away.

How do I back up the vault?

The vault is a single encrypted file. Copy it. The encryption is the same whether it's sitting on your SSD, a USB stick, an encrypted external drive, or an opaque object in cloud storage. Versioned backup tools work fine because the file is just bytes.

What if I lose the master password?

Nobody can recover the vault — including us. That's the security model. Choose a strong master password you can actually remember (or use a memorised passphrase), store a written copy in a physical safe if your risk tolerance requires it, and treat master-password loss the same way you'd treat losing your laptop without backups: as a real risk you've planned for.

Is OneCritto really free?

Yes. Free and open source. No subscription, no per-seat fee, no premium tier behind a paywall. Sustained by users and partnerships rather than by recurring SaaS billing.

OneCritto — built for professionals who can't outsource trust

A desktop security vault with a strict offline-first threat model. No cloud, no telemetry, no subscription. Free and open source for Windows and Linux.

Download free — Windows & Linux

No account · No sign-up · Audited open source