Vaultwarden: Self-Hosted Bitwarden-Compatible Password Manager
- Author: Liam K.
- Date: July 03, 2026
- Time: 24 minutes
Vaultwarden is a lightweight, open-source implementation of the Bitwarden server API. It runs on a fraction of the resources the official Bitwarden stack requires while supporting all standard Bitwarden clients — browser extensions, desktop apps, and mobile apps. Your passwords are encrypted client-side before they reach the server; Vaultwarden stores only encrypted blobs it cannot read without your master password.
Self-hosting gives you data sovereignty, no per-user subscription fees, and full control over backups and access policies. This guide deploys Vaultwarden with Docker on a Linux server, terminates TLS at a reverse proxy, enables the admin panel for user management, and establishes a backup routine for the SQLite database.
Vaultwarden vs Official Bitwarden
- Vaultwarden — single Rust binary, ~50 MB RAM, SQLite backend, ideal for teams under 100 users.
- Official Bitwarden — full .NET stack, MSSQL, enterprise features, higher resource requirements.
- Client compatibility — both work with the same Bitwarden clients; point the client to your server URL.
Step 1: Create Docker Compose Stack
sudo mkdir -p /opt/vaultwarden/data
cd /opt/vaultwarden
sudo tee docker-compose.yml >/dev/null <<'EOF'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
[...]
Step 2: Configure HTTPS with Caddy
# /etc/caddy/Caddyfile
vault.example.com {
    reverse_proxy 127.0.0.1:8080
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options nosniff
        X-Frame-Options DENY
    }
[...]
Step 3: Access Admin Panel
Open https://vault.example.com/admin and enter your ADMIN_TOKEN. From here you can invite users, disable accounts, and review organization settings. Disable signups after initial setup to prevent unauthorized registration.
Step 4: Connect Bitwarden Clients
- Install the Bitwarden browser extension or desktop app.
- Before login, go to Settings → Self-hosted environment.
- Set server URL to https://vault.example.com.
- Log in with the account you created (or were invited to).
- Enable 2FA in account settings for additional protection.
Step 5: Automated Backups
sudo tee /usr/local/bin/vaultwarden-backup.sh >/dev/null <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
BACKUP_DIR="/backup/vaultwarden"
mkdir -p "$BACKUP_DIR"
sqlite3 /opt/vaultwarden/data/db.sqlite3 ".backup '$BACKUP_DIR/db-$(date +%F).sqlite3'"
find "$BACKUP_DIR" -name "db-*.sqlite3" -mtime +30 -delete
EOF
[...]
Step 6: Enable WebSocket for Live Sync
Vaultwarden uses a separate WebSocket endpoint for real-time vault sync. Most reverse proxy configs handle this automatically, but verify live sync works after setup by editing a password on one device and confirming it appears on another within seconds.
# Caddy handles WebSocket upgrade automatically.
# For Nginx, add to location block:
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
Security Hardening
- Set SIGNUPS_ALLOWED=false after creating admin accounts.
- Use a long random ADMIN_TOKEN — treat it like a root password.
- Require 2FA for all team members via organization policy.
- Restrict access via Tailscale or VPN — do not expose to the open internet if avoidable.
- Back up /opt/vaultwarden/data daily and test restore quarterly.
- Keep Docker image updated: docker compose pull && docker compose up -d.
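A restore check for the Step 5 backups and the "test restore quarterly" item above, added here as an example and not part of the original guide or of Vaultwarden itself. It opens a backup file read-only, runs SQLite's integrity check, and confirms the expected tables exist and hold rows; the table names users and ciphers are assumptions about the schema, and the sample database is constructed so the script runs offline.

```python
import sqlite3
from pathlib import Path

# Assumed table names; confirm with `.tables` against your own db.sqlite3.
REQUIRED_TABLES = ("users", "ciphers")


def verify_backup(path, required_tables=REQUIRED_TABLES):
    """Return a list of problems with a backup file; an empty list means it passed."""
    path = Path(path)
    if not path.is_file() or path.stat().st_size == 0:
        return ["backup file missing or empty"]
    problems = []
    try:
        # mode=ro so the check can never modify the backup it validates.
        conn = sqlite3.connect(path.resolve().as_uri() + "?mode=ro", uri=True)
        try:
            rows = conn.execute("PRAGMA integrity_check").fetchall()
            if rows != [("ok",)]:
                problems.append(f"integrity_check: {rows[0][0]}")
            names = {r[0] for r in conn.execute(
                "SELECT name FROM sqlite_master WHERE type = 'table'")}
            for table in required_tables:
                if table not in names:
                    problems.append(f"missing table: {table}")
                elif not conn.execute(f'SELECT 1 FROM "{table}" LIMIT 1').fetchone():
                    problems.append(f"empty table: {table}")
        finally:
            conn.close()
    except sqlite3.DatabaseError as exc:
        # Truncated or non-SQLite files fail here, before any row is read.
        problems.append(f"unreadable database: {exc}")
    return problems


def build_samples(workdir):
    """Constructed data: a stand-in database, a good backup and a truncated copy."""
    good, bad = Path(workdir, "db-good.sqlite3"), Path(workdir, "db-truncated.sqlite3")
    live, dst = sqlite3.connect(Path(workdir, "db.sqlite3")), sqlite3.connect(good)
    live.executescript(
        "CREATE TABLE users (uuid TEXT PRIMARY KEY, email TEXT);"
        "CREATE TABLE ciphers (uuid TEXT PRIMARY KEY, data TEXT);"
        "INSERT INTO users VALUES ('u1', 'admin@example.com');"
        "INSERT INTO ciphers VALUES ('c1', 'constructed-blob');")
    live.backup(dst)  # same SQLite online-backup API as the CLI's .backup
    dst.close()
    live.close()
    bad.write_bytes(good.read_bytes()[: good.stat().st_size // 2])
    return good, bad
```

Run verify_backup against the newest file in /backup/vaultwarden after each backup job and alert on any non-empty result.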
"A password manager is only as trustworthy as its backups and access controls — encrypt client-side, back up server-side, and restrict who can reach the vault."