Vaultwarden: Self-Hosted Bitwarden-Compatible Password Manager

  • Author: Liam K.
  • Date: July 03, 2026
  • Time: 24 minutes

Vaultwarden is a lightweight, open-source implementation of the Bitwarden server API. It runs on a fraction of the resources the official Bitwarden stack requires while supporting all standard Bitwarden clients — browser extensions, desktop apps, and mobile apps. Your passwords are encrypted client-side before they reach the server; Vaultwarden stores only encrypted blobs it cannot read without your master password.

Self-hosting gives you data sovereignty, no per-user subscription fees, and full control over backups and access policies. This guide deploys Vaultwarden with Docker on a Linux server, terminates TLS at a reverse proxy, enables the admin panel for user management, and establishes a backup routine for the SQLite database.

Vaultwarden vs Official Bitwarden

  • Vaultwarden — single Rust binary, ~50 MB RAM, SQLite backend, ideal for teams under 100 users.
  • Official Bitwarden — full .NET stack, MSSQL, enterprise features, higher resource requirements.
  • Client compatibility — both work with the same Bitwarden clients; point the client to your server URL.

Step 1: Create Docker Compose Stack

bash
sudo mkdir -p /opt/vaultwarden/data
cd /opt/vaultwarden
sudo tee docker-compose.yml >/dev/null <<'EOF'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
[...]

Step 2: Configure HTTPS with Caddy

bash
# /etc/caddy/Caddyfile
vault.example.com {
    reverse_proxy 127.0.0.1:8080
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options nosniff
        X-Frame-Options DENY
    }
[...]

Step 3: Access Admin Panel

Open https://vault.example.com/admin and enter your ADMIN_TOKEN. From here you can invite users, disable accounts, and review organization settings. Disable signups after initial setup to prevent unauthorized registration.

Step 4: Connect Bitwarden Clients

  • Install the Bitwarden browser extension or desktop app.
  • Before login, go to Settings → Self-hosted environment.
  • Set server URL to https://vault.example.com.
  • Log in with the account you created (or were invited to).
  • Enable 2FA in account settings for additional protection.

Step 5: Automated Backups

bash
sudo tee /usr/local/bin/vaultwarden-backup.sh >/dev/null <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
BACKUP_DIR="/backup/vaultwarden"
mkdir -p "$BACKUP_DIR"
sqlite3 /opt/vaultwarden/data/db.sqlite3 ".backup '$BACKUP_DIR/db-$(date +%F).sqlite3'"
find "$BACKUP_DIR" -name "db-*.sqlite3" -mtime +30 -delete
EOF
[...]

Step 6: Enable WebSocket for Live Sync

Vaultwarden uses a separate WebSocket endpoint for real-time vault sync. Most reverse proxy configs handle this automatically, but verify live sync works after setup by editing a password on one device and confirming it appears on another within seconds.

bash
# Caddy handles WebSocket upgrade automatically.
# For Nginx, add to location block:
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";

Security Hardening

  • Set SIGNUPS_ALLOWED=false after creating admin accounts.
  • Use a long random ADMIN_TOKEN — treat it like a root password.
  • Require 2FA for all team members via organization policy.
  • Restrict access via Tailscale or VPN — do not expose to the open internet if avoidable.
  • Back up /opt/vaultwarden/data daily and test restore quarterly.
  • Keep Docker image updated: docker compose pull && docker compose up -d.
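
The "test restore" item above, applied to the files the Step 5 script produces, can be automated. The following Python restore test is an added example, not part of the original guide or of the Vaultwarden project: it copies a backup to scratch space, runs SQLite's integrity check, and confirms the expected tables are present. The table names `users` and `ciphers`, the function names, and the sample database are assumptions constructed for illustration.

```python
import os
import shutil
import sqlite3
import tempfile

# Assumption: tables a restored Vaultwarden database is expected to contain.
EXPECTED_TABLES = ("users", "ciphers")


def verify_backup(backup_path, expected_tables=EXPECTED_TABLES):
    """Restore-test a backup on a scratch copy; returns (ok, detail)."""
    with tempfile.TemporaryDirectory() as scratch:
        restored = os.path.join(scratch, "restored.sqlite3")
        shutil.copyfile(backup_path, restored)  # never open the backup itself
        con = sqlite3.connect(restored)
        try:
            verdict = con.execute("PRAGMA integrity_check").fetchone()[0]
            if verdict != "ok":
                return False, "integrity_check: " + verdict
            tables = {row[0] for row in con.execute(
                "SELECT name FROM sqlite_master WHERE type='table'")}
            missing = [t for t in expected_tables if t not in tables]
            if missing:
                return False, "missing tables: " + ", ".join(missing)
            return True, {t: con.execute(
                f'SELECT COUNT(*) FROM "{t}"').fetchone()[0] for t in expected_tables}
        except sqlite3.DatabaseError as exc:
            return False, "unreadable: " + str(exc)
        finally:
            con.close()


def demo():
    """Constructed sample: stand-in database, one good backup, one truncated."""
    with tempfile.TemporaryDirectory() as work:
        live, good, bad = (os.path.join(work, n) for n in
                           ("db.sqlite3", "db-good.sqlite3", "db-truncated.sqlite3"))
        src = sqlite3.connect(live)
        src.executescript(
            "CREATE TABLE users(email TEXT); CREATE TABLE ciphers(data TEXT);"
            "INSERT INTO users VALUES ('a@example.com'); INSERT INTO ciphers VALUES ('x');")
        dst = sqlite3.connect(good)
        src.backup(dst)  # online backup API, as used by the sqlite3 CLI's .backup
        dst.close()
        src.close()
        with open(good, "rb") as full, open(bad, "wb") as cut:
            data = full.read()
            cut.write(data[: len(data) // 2])  # simulate an interrupted copy
        return verify_backup(good), verify_backup(bad)
```

Run `verify_backup()` against the newest file in the backup directory and alert when the first element of the result is `False`; the row counts returned on success can be compared with the live instance.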

"A password manager is only as trustworthy as its backups and access controls — encrypt client-side, back up server-side, and restrict who can reach the vault."
