Vaultwarden

Self-Hosted Bitwarden-Compatible Password Manager

What is Vaultwarden?

Vaultwarden is an unofficial Bitwarden-compatible server written in Rust. It’s a lightweight, self-hosted alternative to the official Bitwarden server that provides the same functionality with significantly lower resource requirements.

With Vaultwarden, you get complete control over your passwords and sensitive data. All your credentials are encrypted end-to-end and stored on your own server, giving you peace of mind that your most critical information is truly private.

The best part? Vaultwarden is fully compatible with all official Bitwarden clients – desktop apps, mobile apps, browser extensions, and web vault – so you get a polished user experience without compromise.

Why Choose Vaultwarden?

Complete Privacy

Your passwords never leave your server. End-to-end encryption ensures only you can decrypt your vault, even the server can’t read your data.

Extremely Lightweight

Runs efficiently on minimal hardware. Uses only ~10MB RAM compared to the official server’s 1GB+ requirement. Perfect for Raspberry Pi and low-resource environments.

Bitwarden Compatible

Works seamlessly with all official Bitwarden clients – desktop, mobile, browser extensions, and CLI. No custom clients needed.

All Premium Features Free

Get TOTP 2FA generation, emergency access, vault health reports, and all other premium features without subscription costs.

Multi-Device Sync

Synchronize your vault across unlimited devices – phones, tablets, computers, browsers. Always have your passwords when you need them.

Easy to Deploy

Simple Docker deployment with minimal configuration. Set up in minutes with a single container and optional database for multi-user setups.

System Requirements

Minimum Requirements

  • CPU: Any modern CPU (1 core sufficient)
  • RAM: 64 MB minimum (works on 512MB systems)
  • Storage: 100 MB for application + database
  • Database: SQLite (built-in) or MySQL/PostgreSQL
  • Network: HTTPS required for security
  • Platform: Docker recommended

Recommended Setup

  • CPU: 1+ core for smooth performance
  • RAM: 512 MB+ (1GB for many users)
  • Storage: SSD for better responsiveness
  • Database: PostgreSQL for production use
  • SSL: Valid SSL certificate (Let’s Encrypt)
  • Backups: Automated backup solution

Installation Guide

Deploy Vaultwarden in minutes using Docker. This guide includes SSL setup for secure access.

1. Create Directory Structure

Create a directory to store Vaultwarden data:

mkdir -p ~/vaultwarden/data
cd ~/vaultwarden

2. Basic Docker Deployment (SQLite)

For single-user or small deployments, SQLite is perfect:

docker run -d --name vaultwarden 
  -v ./data:/data 
  -p 8080:80 
  --restart unless-stopped 
  vaultwarden/server:latest

3. Docker Compose with PostgreSQL (Recommended)

For production use with multiple users, use PostgreSQL. Create docker-compose.yml:

version: '3'

services:
  vaultwarden-db:
    image: postgres:15-alpine
    container_name: vaultwarden-db
    restart: unless-stopped
    volumes:
      - ./db-data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: vaultwarden
      POSTGRES_USER: vaultwarden
      POSTGRES_PASSWORD: your_secure_password
    networks:
      - vaultwarden-net

  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    volumes:
      - ./data:/data
    ports:
      - "8080:80"
    environment:
      DATABASE_URL: 'postgresql://vaultwarden:your_secure_password@vaultwarden-db/vaultwarden'
      ADMIN_TOKEN: 'your_admin_token_here'
      SIGNUPS_ALLOWED: 'true'
      INVITATIONS_ALLOWED: 'true'
      DOMAIN: 'https://vault.yourdomain.com'
      SMTP_HOST: 'smtp.gmail.com'
      SMTP_FROM: '[email protected]'
      SMTP_PORT: '587'
      SMTP_SECURITY: 'starttls'
      SMTP_USERNAME: '[email protected]'
      SMTP_PASSWORD: 'your-app-password'
    depends_on:
      - vaultwarden-db
    networks:
      - vaultwarden-net

networks:
  vaultwarden-net:
    driver: bridge

4. Generate Admin Token

Generate a secure admin token for accessing the admin panel:

# Using openssl
openssl rand -base64 48

# Or use an online generator
# Copy the output and replace 'your_admin_token_here'

5. Start Vaultwarden

Launch the Vaultwarden stack:

docker-compose up -d

6. Set Up Reverse Proxy with SSL

CRITICAL: Vaultwarden requires HTTPS for clients to work. Use Nginx with Let’s Encrypt:

server {
    listen 80;
    server_name vault.yourdomain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name vault.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/vault.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vault.yourdomain.com/privkey.pem;

    client_max_body_size 525M;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /notifications/hub {
        proxy_pass http://localhost:8080;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

7. Create Your First Account

Navigate to https://vault.yourdomain.com and create your master account. This password is extremely important – it encrypts all your data and cannot be recovered if lost!

Important Notes

HTTPS Required: Bitwarden clients will NOT work without HTTPS. This is a security requirement.

Master Password: Cannot be recovered if lost! Write it down securely or use a memorable passphrase.

Admin Panel: Access at /admin with your ADMIN_TOKEN to manage users and settings.

Disable Signups: After creating accounts, set SIGNUPS_ALLOWED=’false’ for security.

Configuration & Security

Admin Panel Configuration

Access the admin panel at https://vault.yourdomain.com/admin:

  • View all registered users
  • Delete or disable user accounts
  • View server diagnostics
  • Configure SMTP settings
  • Manage user invitations
  • Review server logs

Security Best Practices

  • Use a strong, unique master password
  • Enable 2FA on your account
  • Disable signups after creating accounts
  • Keep ADMIN_TOKEN secret and secure
  • Regularly update Vaultwarden
  • Use fail2ban to prevent brute force

Important Environment Variables

# Security
ADMIN_TOKEN='your_token'
SIGNUPS_ALLOWED='false'
INVITATIONS_ALLOWED='true'
DOMAIN='https://vault.yourdomain.com'

# Email (for invites & 2FA)
SMTP_HOST='smtp.gmail.com'
SMTP_PORT='587'
SMTP_SECURITY='starttls'
SMTP_USERNAME='[email protected]'
SMTP_PASSWORD='app-password'
SMTP_FROM='[email protected]'

# Optional Features
WEBSOCKET_ENABLED='true'
SHOW_PASSWORD_HINT='false'
SENDS_ALLOWED='true'

Backup Your Vault

Regular backups are critical. The data directory contains everything:

tar -czf vaultwarden-backup-$(date +%Y%m%d).tar.gz ./data

Client Apps & Browser Extensions

Desktop Apps

Official Bitwarden desktop apps for:

  • Windows
  • macOS
  • Linux

Configure server URL during setup

Mobile Apps

Download from app stores:

  • iOS (App Store)
  • Android (Play Store)
  • F-Droid (Android)

Auto-fill passwords in apps

Browser Extensions

Install extensions for:

  • Chrome/Edge
  • Firefox
  • Safari
  • Opera
  • Brave

Auto-fill on websites

CLI & Web

Additional access methods:

  • Command Line Interface
  • Web Vault (browser)
  • REST API

Perfect for automation

Configuring Self-Hosted Server

When setting up any Bitwarden client, you need to point it to your self-hosted server:

  1. Open the client (before logging in)
  2. Click the settings/gear icon
  3. Find “Server URL” or “Self-hosted environment”
  4. Enter: https://vault.yourdomain.com
  5. Save and proceed to log in with your credentials

Key Features

Password Management

  • Unlimited passwords and secure notes
  • Password generator with custom rules
  • Auto-fill credentials in browsers and apps
  • Organize with folders and collections
  • Tag and favorite important items
  • Search and filter your vault quickly

Secure Sharing

  • Create organizations for team sharing
  • Collections for grouped access control
  • Share passwords with family or colleagues
  • Granular permissions per user/group
  • Send: Share passwords securely via links

Security Tools

  • TOTP 2FA code generator (built-in authenticator)
  • Vault health reports (weak/reused passwords)
  • Data breach monitoring
  • Password history tracking
  • Master password re-prompt for sensitive items
  • Biometric unlock (fingerprint/Face ID)

Additional Storage

  • Store payment cards and identities
  • Secure notes for sensitive information
  • File attachments (up to 1GB per item)
  • Custom fields for any data type

Troubleshooting & Maintenance

Common Issues

Clients won’t connect:

Ensure you’re using HTTPS. HTTP will not work with Bitwarden clients. Verify SSL certificate is valid.

WebSocket errors:

Check that your reverse proxy is configured to upgrade WebSocket connections for /notifications/hub.

Email not sending:

Verify SMTP settings. Use app-specific passwords for Gmail. Check container logs for errors.

Can’t access admin panel:

Verify ADMIN_TOKEN is set correctly. Hash must match exactly.

Regular Maintenance

Update to the latest version:

docker-compose pull
docker-compose down
docker-compose up -d

Check logs for issues:

docker logs vaultwarden

Automated backup script:

#!/bin/bash
tar -czf /backups/vw-$(date +%Y%m%d).tar.gz 
  ~/vaultwarden/data

Take Back Control of Your Passwords

Deploy Vaultwarden today and never trust a third party with your passwords again.

View All Self-Hosted Services Vaultwarden GitHub & Docs

Vaultwarden is an unofficial Bitwarden server implementation. Visit GitHub for documentation and support.