Self-Hosting Vaultwarden: Run Your Own Bitwarden-Compatible Password Manager
Password managers are one of the most impactful tools for personal security. Bitwarden is the leading open source option, with a generous free tier and solid clients on every platform. But if you want full control over where your passwords are stored, Vaultwarden lets you run a Bitwarden-compatible server on your own hardware.
This guide covers what Vaultwarden is, how to set it up securely, and when you should (and shouldn't) self-host your passwords.
What Is Vaultwarden?
Vaultwarden (formerly bitwarden_rs) is an unofficial, lightweight implementation of the Bitwarden server API. It's written in Rust and uses SQLite by default, making it dramatically lighter than the official Bitwarden server (which requires MSSQL and multiple containers).
Key point: Vaultwarden works with all official Bitwarden clients — browser extensions, desktop apps, mobile apps, and CLI. Your users won't notice any difference.
Vaultwarden vs Official Bitwarden Server
| Aspect | Vaultwarden | Bitwarden Official |
|---|---|---|
| Language | Rust | C# (.NET) |
| Database | SQLite (default), MySQL, PostgreSQL | MSSQL (required) |
| RAM usage | ~50 MB | ~2 GB+ |
| Docker containers | 1 | 6+ |
| Premium features | All included free | Requires $10/year per user |
| FIDO2/WebAuthn | Yes | Yes |
| Organizations | Yes (unlimited) | Yes (limited on free tier) |
| Send (file sharing) | Yes | Yes |
| Emergency access | Yes | Yes (premium) |
| Official support | Community only | Bitwarden Inc. |
| Security audits | Community-reviewed | Professionally audited |
| SSO (SAML/OIDC) | Partial support | Enterprise tier |
The big win: Vaultwarden gives you all of Bitwarden's premium features (TOTP, file attachments, emergency access, vault health reports) without paying per-user licensing. For families and small teams, this is significant.
Should You Self-Host Your Password Manager?
This deserves careful thought. Your password vault is arguably the single most sensitive piece of data you have. A compromised vault means compromised everything.
Self-host if:
- You have the discipline to keep the server updated and monitored
- You understand TLS, reverse proxy configuration, and backup procedures
- You have a reliable hosting setup (UPS, stable VPS, or equivalent)
- You're comfortable being responsible for your own security
Don't self-host if:
- You're not confident in your server administration skills
- You might neglect updates for weeks or months
- You don't have a tested backup strategy
- Your threat model includes nation-state adversaries (Bitwarden's official infrastructure is better hardened)
The honest take: Bitwarden's cloud service (even the free tier) is secure, well-maintained, and professionally audited. Self-hosting adds risk unless you're disciplined about maintenance. The main reasons to self-host are principle (data sovereignty) and saving on premium features.
Setup Guide
Prerequisites
- A Linux server with Docker installed
- A domain name with an A record pointing to your server
- A reverse proxy with TLS (Caddy, nginx, or Traefik)
1. Create the data directory
```sh
mkdir -p /opt/vaultwarden/data
```
2. Run Vaultwarden
Generate the admin token first so you can record it; the inline `$(...)` form would create a token that is never displayed. `LOG_FILE` makes Vaultwarden write a log into the data directory, which the fail2ban setup below reads:

```sh
ADMIN_TOKEN=$(openssl rand -base64 48)
echo "$ADMIN_TOKEN"   # record this now; it is the only copy
docker run -d \
  --name vaultwarden \
  --restart unless-stopped \
  -v /opt/vaultwarden/data:/data \
  -p 127.0.0.1:8080:80 \
  -e DOMAIN=https://vault.yourdomain.com \
  -e SIGNUPS_ALLOWED=false \
  -e INVITATIONS_ALLOWED=true \
  -e ADMIN_TOKEN="$ADMIN_TOKEN" \
  -e LOG_FILE=/data/vaultwarden.log \
  vaultwarden/server:latest
```
Important notes on the flags:
- `127.0.0.1:8080:80`: only listen on localhost (your reverse proxy handles external access)
- `SIGNUPS_ALLOWED=false`: prevent random people from creating accounts on your server
- `ADMIN_TOKEN`: enables the admin panel at `/admin` (save this token somewhere secure). Recent Vaultwarden releases also accept an Argon2 hash of the token instead of the plaintext (generated with `vaultwarden hash` inside the container), so the secret is not readable from the container's environment.
- `DOMAIN`: must match your actual domain for WebAuthn and other features to work
3. Configure your reverse proxy
With Caddy:
```
vault.yourdomain.com {
    reverse_proxy 127.0.0.1:8080
}
```
With nginx:
```nginx
server {
    listen 443 ssl http2;
    server_name vault.yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/vault.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vault.yourdomain.com/privkey.pem;
    # Let large attachments and Send uploads through
    client_max_body_size 525M;
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    location /notifications/hub {
        proxy_pass http://127.0.0.1:8080;
        # WebSocket upgrade only works over HTTP/1.1 with these two headers
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```
4. Create your account
- Visit https://vault.yourdomain.com
- Temporarily enable signups: stop and remove the container, then re-run the `docker run` command from step 2 with `-e SIGNUPS_ALLOWED=true`. The setting is read at startup, so setting a shell variable with `docker exec` has no effect on the running server.
- Create your account
- Disable signups again by re-running the container with `-e SIGNUPS_ALLOWED=false`

Alternatively, leave signups disabled and invite your own e-mail address from the `/admin` panel: an invited address can register even with `SIGNUPS_ALLOWED=false`, so the instance never has an open-registration window.
5. Configure clients
In any Bitwarden client (browser extension, desktop, mobile), click the gear icon and set the Server URL to https://vault.yourdomain.com. Then log in with your credentials.
Security Hardening
Running a password manager demands extra attention to security:
Keep it updated
```sh
docker pull vaultwarden/server:latest
docker stop vaultwarden
docker rm vaultwarden
# Re-run the docker run command from above
```
Automate this with Watchtower or a weekly cron job. Vaultwarden updates frequently with security patches.
Lock down the admin panel
The /admin endpoint gives full control over your instance. Options:
- Use a strong admin token (the `openssl rand` command above generates one)
- Restrict admin access by IP in your reverse proxy
- Disable the admin panel when not needed: remove the `ADMIN_TOKEN` environment variable
Enable fail2ban
Protect against brute-force login attempts. Two things must be in place for the jail to work: Vaultwarden only writes a log file when `LOG_FILE` is set (`-e LOG_FILE=/data/vaultwarden.log` on the `docker run` command; the container's `/data` is `/opt/vaultwarden/data` on the host, which is the `logpath` below), and it must see the real client address, which behind a reverse proxy it takes from the `X-Real-IP` header (the `IP_HEADER` setting). If the proxy does not send that header, every failure is logged as `127.0.0.1` and nothing is ever banned.
```ini
# /etc/fail2ban/filter.d/vaultwarden.conf
[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <HOST>\. Username:.*$
ignoreregex =
```

```ini
# /etc/fail2ban/jail.d/vaultwarden.local
[vaultwarden]
enabled = true
port = 80,443
filter = vaultwarden
logpath = /opt/vaultwarden/data/vaultwarden.log
maxretry = 5
bantime = 3600
```
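To see what the jail above actually does, here is an added dry run (not part of the article, of fail2ban or of Vaultwarden) that applies the same failregex to constructed log lines and counts failures per IP the way fail2ban would with maxretry = 5 and its default findtime of 600 s; it also shows why a proxy that does not forward X-Real-IP leaves the jail useless. The log format, the addresses and the `fail_line` helper are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Same pattern as filter.d/vaultwarden.conf above; fail2ban expands <HOST> itself,
# here approximated with a group that accepts IPv4 and IPv6 literals.
FAILREGEX = re.compile(r"^.*Username or password is incorrect\. Try again\. "
                       r"IP: (?P<host>[0-9a-fA-F:.]+)\. Username:.*$")
TIMESTAMP = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

def fail_line(ts, ip, user="alice@example.com"):
    """Constructed log line in the shape of Vaultwarden's failed-login message."""
    return (f"[{ts}][vaultwarden::api::identity][ERROR] Username or password is "
            f"incorrect. Try again. IP: {ip}. Username: {user}.")

# Constructed sample log. The 127.0.0.1 block models a proxy that does not send
# X-Real-IP, so Vaultwarden only ever sees the proxy's own address.
SAMPLE_LOG = "\n".join(
    [fail_line(f"2024-05-01 10:00:{s:02d}", "203.0.113.7") for s in (1, 5, 9, 14, 20)]
    + [fail_line(f"2024-05-01 10:{m:02d}:00", "198.51.100.23") for m in (5, 6, 7, 8)]
    + [fail_line("2024-05-01 11:30:00", "198.51.100.23")]  # 5th failure, outside findtime
    + [fail_line(f"2024-05-01 10:01:{s:02d}", "127.0.0.1") for s in range(6)]
    + [fail_line(f"2024-05-01 10:02:{s:02d}", "2001:db8::42") for s in range(5)]
    + ["[2024-05-01 10:03:00][request][INFO] POST /identity/connect/token"])

def would_ban(log_text, maxretry=5, findtime=600, ignoreip=("127.0.0.1", "::1")):
    """Return {ip: total_failures} for IPs with maxretry failures inside findtime seconds.

    ignoreip mirrors fail2ban's default of never banning localhost: a proxy that
    hides client addresses makes the jail match lines but never ban anyone.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m, ts = FAILREGEX.match(line), TIMESTAMP.match(line)
        if m and ts:
            hits[m.group("host")].append(datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"))
    window, banned = timedelta(seconds=findtime), {}
    for ip, times in hits.items():
        if ip in ignoreip:
            continue
        times.sort()
        # Sliding window: any maxretry consecutive failures within findtime trigger a ban
        if any(times[i + maxretry - 1] - times[i] <= window
               for i in range(len(times) - maxretry + 1)):
            banned[ip] = len(times)
    return banned

if __name__ == "__main__":
    for ip, n in would_ban(SAMPLE_LOG).items():
        print(f"{ip}: {n} failures, would be banned")
```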
Use WebAuthn/FIDO2
Enable hardware security key authentication (YubiKey, etc.) as a second factor for your vault. WebAuthn is phishing-resistant, so a leaked or guessed master password alone no longer gets an attacker logged in. Note that the vault contents are still encrypted only with the key derived from your master password: a second factor protects the login, not a stolen `db.sqlite3`, so the master password itself must stay strong.
Backups
This is non-negotiable. A corrupted or lost vault is catastrophic.
What to back up
- `/opt/vaultwarden/data/db.sqlite3`: the main database (accounts, vault data)
- `/opt/vaultwarden/data/attachments/`: file attachments
- `/opt/vaultwarden/data/sends/`: Bitwarden Send files
- `/opt/vaultwarden/data/rsa_key*`: RSA keys used to sign login sessions; without them every client has to log in again after a restore
- `/opt/vaultwarden/data/config.json`: settings saved through the admin panel, if you use it
Backup script
```sh
#!/bin/bash
# Needs the sqlite3 and gpg CLIs on the host; intended for root's crontab.
set -euo pipefail
umask 077   # keep backup files readable by root only
DATA=/opt/vaultwarden/data
ROOT=/backups/vaultwarden
STAMP=$(date +%Y-%m-%d)
BACKUP_DIR="$ROOT/$STAMP"
mkdir -p "$BACKUP_DIR"
# Use sqlite3 .backup for a consistent copy even while Vaultwarden is writing
sqlite3 "$DATA/db.sqlite3" ".backup '$BACKUP_DIR/db.sqlite3'"
# Copy other important files (some of these do not exist on a fresh instance)
for f in attachments sends config.json; do
    [ -e "$DATA/$f" ] && cp -r "$DATA/$f" "$BACKUP_DIR/"
done
cp "$DATA"/rsa_key* "$BACKUP_DIR/"
# Encrypt the backup. gpg would prompt for a passphrase under cron, so read it from
# a root-only file you create (or use --encrypt -r <key> to keep the secret off this host)
tar czf - -C "$ROOT" "$STAMP" \
  | gpg --batch --pinentry-mode loopback --symmetric --cipher-algo AES256 \
        --passphrase-file /root/.vaultwarden-backup-pass \
        --output "$ROOT/$STAMP.tar.gz.gpg"
rm -rf "$BACKUP_DIR"
# Keep last 30 days
find "$ROOT" -name "*.tar.gz.gpg" -mtime +30 -delete
```
Run this daily via cron, and copy encrypted backups to a separate location (different server, cloud storage, or even email to yourself).
Test your backups
At least once: restore a backup to a test instance and verify you can log in and access your vault. An untested backup is not a backup.
Performance and Scaling
Vaultwarden is incredibly lightweight:
- 50 MB RAM for a typical personal/family instance
- < 1% CPU during normal operation
- SQLite handles hundreds of users without issue
- A $5/month VPS is more than enough
For larger deployments (100+ users), consider switching to PostgreSQL for better concurrent write handling, but SQLite is fine for the vast majority of self-hosters.
Verdict
Self-host Vaultwarden if:
- You want all Bitwarden premium features without per-user costs
- You're disciplined about updates, backups, and security
- You want to keep your vault data under your own control
- You're running it for a family, small team, or personal use
Use Bitwarden's cloud service if:
- You don't want the responsibility of securing a password vault
- You need official support and SLA guarantees
- The $10/year premium or $40/year family plan is acceptable
- You want professional security audits backing your vault
Vaultwarden is one of the best self-hosted projects out there — lightweight, compatible with all Bitwarden clients, and well-maintained. Just remember: with a password manager, the stakes for downtime or data loss are higher than almost any other service. Back up religiously and keep it updated.