You mention the goal is to build a password manager as a cloud service. First I'd like to say that if you want to build this in production, you will want to have really good security consult. Also, before deploying this you will want to have it audited by a security company. Generally I'd recommend not going there at all.
Note: If you are doing this as a hobby project and only risk compromising your own security, go for it. I have also once built such a system for myself (although I never used it :P).
The most secure way of storing the passwords is by only storing the encrypted form on the server. Most importantly, store the key on the user's device and do all the encryption/decryption there. In theory, as long as the key stays on the device, the passwords are secure, even if the server is hacked.
In practice this is a Hard Problem. You have to think of using a 2nd factor for decryption (keyfiles, passwords, maybe NFC tokens), backups, access control, key revocation, re-encryption, protection against data exfiltration (keyloggers, screenshots, clipboard, side-channel attacks), et cetera. All these factors make it nigh-on impossible to make these kinds of schemes both usable and secure.