Guide: Self-Host Bitwarden (Using Vaultwarden)

Introduction

Looking for a secure and self-hosted password manager? Vaultwarden (a lightweight Bitwarden-compatible server) is the perfect choice for privacy-focused users who want full control over their credentials. In this guide, you’ll learn how to install and configure Vaultwarden on your own server.

Who is this for?

• Privacy-minded individuals and teams
• Beginners who want a secure password manager without third-party services
• Self-hosting enthusiasts running small servers or Raspberry Pi

What you’ll get:

• A working Vaultwarden instance
• Access to Bitwarden apps and extensions
• Optional HTTPS and backup configuration

Why Vaultwarden?

Note: Bitwarden itself offers self-hosting too, but requires more resources. Vaultwarden is a lighter, Rust-based alternative.

Requirements

• Linux server or Raspberry Pi (1vCPU, 512MB+ RAM)
• Docker & Docker Compose installed
• Public domain name (optional for HTTPS)
• Port 80/443 open if using reverse proxy

Optional:

• Traefik or NGINX reverse proxy
• HTTPS (Let’s Encrypt)
• Backup storage (for vault data)

Step-by-Step Installation

1. Prepare Your Server

Ensure Docker and Docker Compose are installed:

sudo apt update && sudo apt install docker.io docker-compose -y
sudo systemctl enable docker

2. Create Docker Compose File

In your home directory, create a folder:

mkdir ~/vaultwarden && cd ~/vaultwarden

Create docker-compose.yml:

version: '3'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    ports:
      - "80:80"
    volumes:
      - ./vw-data:/data
    environment:
      - ADMIN_TOKEN=your_secure_token_here

Tip: Generate a strong admin token with openssl rand -base64 32.

3. Start the Server

docker-compose up -d

Vaultwarden should now be running at http://your-ip

First-Time Setup

1. Visit http://your-ip
2. Register a new account (this becomes your main user)
3. Optional: Visit http://your-ip/admin and log in with the token
4. Configure settings like domain, registration policy, etc.

Enable HTTPS (Optional)

If you have a domain:

1. Set up NGINX or Traefik reverse proxy
2. Use Let’s Encrypt to enable HTTPS

Sample NGINX config:

server {
    listen 80;
    server_name passwords.yourdomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name passwords.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    location / {
        proxy_pass http://localhost:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Using Bitwarden Clients

You can now use:

• Bitwarden browser extensions (Chrome, Firefox, etc.)
• Bitwarden mobile apps
• Desktop Bitwarden clients

Go to settings and set your custom server URL: https://passwords.yourdomain.com

Backups & Maintenance

Backup Vaultwarden Data:

tar czvf vw-backup-$(date +%F).tar.gz ~/vaultwarden/vw-data

Automate backups with cron or external sync tools.

Update Vaultwarden:

cd ~/vaultwarden
docker-compose pull
docker-compose up -d

Comparison: Vaultwarden vs Bitwarden Cloud

FAQs

Q: Is Vaultwarden safe?
A: Yes, it uses strong encryption and is widely used. Just ensure your server is secured.

Q: Can multiple users share the same instance?
A: Yes, but Vaultwarden lacks the full organization features of paid Bitwarden. Still great for families or small teams.

Q: Can I use 2FA?
A: Absolutely. Vaultwarden supports TOTP and WebAuthn (YubiKey, etc).

Final Thoughts

Vaultwarden is a powerful, no-cost way to gain control over your password security. In under 30 minutes, you can run your own secure vault and ditch third-party services.

Respect your data. Self-host your secrets.

Support SelfhostHero: Appreciate the guide? Share it or use our links for hardware and domains—help us grow privacy-first content like this