
How to Migrate from 1Password to Bitwarden 2026

·OSSAlt Team

How to Migrate from 1Password to Bitwarden

1Password costs $3-8/user/month. Bitwarden is free for personal use and $4/user/month for teams — or completely free with Vaultwarden (self-hosted). Here's how to switch.

Step 1: Set Up Bitwarden

Option A: Bitwarden Cloud (free)

  1. Sign up at bitwarden.com
  2. Verify email

Option B: Vaultwarden (self-hosted, free)

docker run -d \
  --name vaultwarden \
  -v vw-data:/data \
  -p 80:80 \
  -e ADMIN_TOKEN=your-admin-token \
  vaultwarden/server:latest

Vaultwarden is a lightweight, Rust-based Bitwarden server that uses the official Bitwarden clients.

Step 2: Export from 1Password

  1. Open 1Password desktop app
  2. File → Export → All Items
  3. Choose format: 1Password Unencrypted Export (.1pux) or CSV
  4. Authenticate and save the file

Security note: The export file contains all your passwords in plain text. Delete it immediately after import.

Step 3: Import to Bitwarden

  1. Log in to Bitwarden web vault
  2. Tools → Import Data
  3. Select format: 1Password (1pux) or 1Password (CSV)
  4. Upload the export file
  5. Click Import Data

What imports:

  • ✅ Logins (username, password, URL, notes)
  • ✅ Secure notes
  • ✅ Credit cards
  • ✅ Identities
  • ✅ Folders/vaults → Bitwarden folders
  • ⚠️ Attachments — need manual re-upload
  • ⚠️ TOTP seeds — check they transferred correctly
  • ❌ Watchtower alerts — not applicable

Step 4: Install Clients

| Platform | Client |
|----------|--------|
| Browser  | Bitwarden extension (Chrome, Firefox, Safari, Edge) |
| Desktop  | Bitwarden desktop (Windows, macOS, Linux) |
| iOS      | Bitwarden iOS |
| Android  | Bitwarden Android |
| CLI      | bw command-line tool |

For Vaultwarden: use the same official Bitwarden clients, just point them to your self-hosted URL.

Step 5: Configure Autofill

  1. Browser extension → Settings → enable auto-fill on page load
  2. Mobile → Settings → set Bitwarden as autofill provider
    • iOS: Settings → Passwords → AutoFill Passwords → Bitwarden
    • Android: Settings → Autofill → Bitwarden

Step 6: Verify and Clean Up

  1. Check TOTP codes — verify 2FA codes still work for critical accounts
  2. Test logins — try logging into your top 10 most-used sites
  3. Delete export file — securely delete the unencrypted export
  4. Disable 1Password — remove browser extension, sign out of apps

What You'll Gain

  • Free personal use — Bitwarden's free tier is generous
  • Self-hosting option — Vaultwarden runs on a $5 VPS
  • Open source — audit the code yourself
  • Send — share text/files securely (like 1Password sharing)
  • Emergency access — trusted contacts can access your vault
  • CLI access — script password management
  • Bitwarden Authenticator — built-in TOTP

What You'll Lose

  • Watchtower (1Password's security monitoring) → Bitwarden has reports but less polished
  • 1Password's slightly more polished desktop UX
  • Travel mode (hide vaults at borders)

Cost Comparison

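| Plan          | 1Password  | Bitwarden   | Vaultwarden        |
|---------------|------------|-------------|--------------------|
| Personal      | $3/month   | Free        | Free (self-hosted) |
| Family (5)    | $5/month   | $3.33/month | Free               |
| Team (10)     | $80/month  | $40/month   | Free               |
| Business (50) | $400/month | $200/month  | Free               |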

Full Vaultwarden Deployment Walkthrough

The docker run command above gets Vaultwarden running, but a production self-hosted deployment needs more thought — particularly around HTTPS, persistence, and the admin interface. This section covers a complete, production-ready Vaultwarden setup.

Vaultwarden must be served over HTTPS. The official Bitwarden clients refuse to connect to non-HTTPS servers. The simplest approach is Caddy as a reverse proxy with automatic Let's Encrypt certificate provisioning:

vault.yourdomain.com {
    reverse_proxy localhost:3000
}

A minimal but more complete Docker Compose configuration maps ports correctly and stores data in a named volume:

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    volumes:
      - vaultwarden_data:/data
    environment:
      DOMAIN: "https://vault.yourdomain.com"
      SIGNUPS_ALLOWED: "false"        # Disable after creating accounts
      ADMIN_TOKEN: "${ADMIN_TOKEN}"   # Generate: openssl rand -base64 32
      SMTP_HOST: "email-smtp.us-east-1.amazonaws.com"
      SMTP_FROM: "vault@yourdomain.com"
      SMTP_PORT: "587"
      SMTP_SECURITY: "starttls"
      SMTP_USERNAME: "${SMTP_USERNAME}"
      SMTP_PASSWORD: "${SMTP_PASSWORD}"
      PUSH_ENABLED: "true"            # Push notifications for mobile clients
      PUSH_INSTALLATION_ID: "${PUSH_ID}"
      PUSH_INSTALLATION_KEY: "${PUSH_KEY}"
    ports:
      - "127.0.0.1:3000:80"

volumes:
  vaultwarden_data:

Set SIGNUPS_ALLOWED to "false" after creating user accounts. An open Vaultwarden instance with public registration exposes your password manager to unauthorized accounts.

The Vaultwarden admin panel at /admin (protected by ADMIN_TOKEN) provides server-wide configuration, user management, and diagnostics. The admin panel should never be publicly accessible — restrict it to internal network access using your reverse proxy:

vault.yourdomain.com {
    reverse_proxy localhost:3000

    @admin {
        path /admin*
    }
    respond @admin "Forbidden" 403
}

Then access the admin panel via SSH tunnel when needed: ssh -L 8080:localhost:3000 your-server and navigate to http://localhost:8080/admin.

For teams wanting to go deeper on Vaultwarden hardening, the Vaultwarden advanced setup and security hardening guide covers fail2ban integration, HTTPS-only admin access, backup automation, and YubiKey support.

For teams evaluating which self-hosted password manager fits their threat model, the best open source alternatives to 1Password comparison covers Bitwarden, Vaultwarden, Passbolt, and KeePassXC with detailed security model comparisons.

Security and Operational Hardening

Migrating to a self-hosted password manager shifts security responsibility from 1Password's team to you. This is worth taking seriously — your password vault is the most sensitive data you manage.

Master password strength: Bitwarden and Vaultwarden derive the vault encryption key from your master password. A weak master password means a weak vault. Use a randomly generated passphrase of at least six words (Diceware or similar), not a memorable phrase you constructed yourself. The master password should be stored nowhere except your memory and a physical backup in a secure location.

Two-factor authentication: Enable 2FA on your Bitwarden account before completing the 1Password migration. Bitwarden supports TOTP, email codes, and FIDO2/WebAuthn hardware keys. FIDO2 hardware keys (YubiKey, Google Titan) are the most phishing-resistant option and are supported on Bitwarden's free tier for personal accounts.

Backup the Vaultwarden data volume: Vaultwarden stores your encrypted vault database in the /data directory inside the container. Back up the named volume daily to object storage. An encrypted Bitwarden vault backup is worthless without the master password, so the backup itself doesn't need additional encryption — but the master password must be stored independently of the backup. If you lose both the server data and the master password, the vault is unrecoverable.
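
An added example (not part of the original guide or the Vaultwarden project) of a daily snapshot followed by a restore test, using SQLite's online backup API so the copy is consistent while the server is running. It assumes the default SQLite backend with the database at /data/db.sqlite3; the `users` and `ciphers` table names are assumptions passed in as parameters, and `make_sample_db` builds a constructed stand-in.

```python
import hashlib
import sqlite3
from pathlib import Path


def make_sample_db(path):
    """Constructed stand-in for the live database (not Vaultwarden's schema)."""
    db = sqlite3.connect(path)
    db.executescript("CREATE TABLE users(id TEXT); CREATE TABLE ciphers(id TEXT);"
                     "INSERT INTO users VALUES('u1');"
                     "INSERT INTO ciphers VALUES('c1'),('c2'),('c3');")
    db.close()


def snapshot(live_db, dest):
    """Copy a live SQLite file with the online backup API and return the
    SHA-256 of the copy, to be stored next to it in object storage."""
    src = sqlite3.connect(Path(live_db).resolve().as_uri() + "?mode=ro", uri=True)
    dst = sqlite3.connect(dest)
    try:
        src.backup(dst)  # consistent even if the server writes meanwhile
    finally:
        dst.close()
        src.close()
    return hashlib.sha256(Path(dest).read_bytes()).hexdigest()


def restore_test(backup_path, required_tables):
    """Open the backup read-only; raise if it would not restore cleanly,
    otherwise return the row count of each required table."""
    db = sqlite3.connect(Path(backup_path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        status = db.execute("PRAGMA integrity_check").fetchone()[0]
        if status != "ok":
            raise RuntimeError(f"integrity_check failed: {status}")
        tables = {row[0] for row in db.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")}
        missing = set(required_tables) - tables
        if missing:
            raise RuntimeError(f"backup lacks tables: {sorted(missing)}")
        return {t: db.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
                for t in required_tables}
    finally:
        db.close()
```

This covers only the database file; the rest of the data directory still needs to be copied with it.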

Monitoring and alerts: Set up uptime monitoring on your Vaultwarden instance. A password manager that becomes unavailable when you need it is a critical outage. Tools like Uptime Kuma (self-hosted) or a free tier of Uptime Robot can monitor the /alive health check endpoint and alert you within minutes of downtime.

Audit log review: Vaultwarden logs login events, failed authentication attempts, and admin actions. Review the logs periodically for unexpected access attempts. Integrate Vaultwarden's logs with a centralized logging stack if you're already running one.

Client-side security: The official Bitwarden clients are open source and audited. Avoid third-party Bitwarden clients — they may not implement the encryption protocol correctly. For browser extensions, install from official sources only (Chrome Web Store, Firefox Add-ons). The browser extension's vault timeout and lock settings should be configured to balance usability and security: a 15-minute timeout with PIN unlock is a reasonable default for most users.

What Doesn't Transfer and How to Handle It

The import process is thorough but not perfect. Understanding the gaps before migration prevents unpleasant surprises on the first day after switching.

Attachments: 1Password allows attaching files to vault items — scanned documents, SSH keys, software licenses. These attachments are not included in the 1pux export in a form that imports cleanly into Bitwarden. Before migrating, list all vault items with attachments and plan to re-upload them manually after import. Bitwarden's attachment feature requires a premium subscription ($10/year) or is included with Bitwarden Teams.

TOTP seeds: The 1pux format includes TOTP secrets, and Bitwarden's importer handles them — but verify each one after import. Open the TOTP code in Bitwarden and compare it against the code generated by your previous authenticator app. They should match. If there's a discrepancy, the TOTP seed didn't import correctly and you'll need to re-scan the QR code for those accounts before disabling 1Password.
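
An added example (not from the original guide or from Bitwarden) for checking imported seeds offline: it computes the RFC 6238 code for each item's seed and flags seeds that no longer decode. The `items[].login.totp` layout is an assumption modelled on Bitwarden's unencrypted JSON export, and `SAMPLE_ITEMS` is constructed.

```python
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample in the assumed export layout: the first seed is the
# RFC 6238 test key, the second contains characters outside base32.
SAMPLE_ITEMS = [
    {"name": "mail", "login": {"totp": "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"}},
    {"name": "bank", "login": {"totp": "GEZDGNBV0000"}},
]

def parse_totp_field(value):
    """Return (key, digits, period, algo) from a bare seed or otpauth:// URI."""
    digits, period, algo, secret = 6, 30, "sha1", value
    if value.lower().startswith("otpauth://"):
        q = parse_qs(urlparse(value).query)
        secret, algo = q.get("secret", [""])[0], q.get("algorithm", ["SHA1"])[0].lower()
        digits, period = int(q.get("digits", ["6"])[0]), int(q.get("period", ["30"])[0])
    if algo not in ("sha1", "sha256", "sha512"):
        raise ValueError(f"unsupported algorithm {algo!r}")
    # Seeds are often stored lower-case, spaced, or without '=' padding.
    cleaned = secret.replace(" ", "").upper().rstrip("=")
    if not cleaned:
        raise ValueError("empty seed")
    # b32decode raises binascii.Error (a ValueError) on a damaged seed.
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8)), digits, period, algo

def totp(value, at=None):
    """RFC 6238 code for the seed at Unix time `at` (default: now)."""
    key, digits, period, algo = parse_totp_field(value)
    counter = int(time.time() if at is None else at) // period
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)

def check_items(items, at=None):
    """Map item name to its current code, or 'BROKEN: ...' for a bad seed."""
    report = {}
    for item in items:
        seed = (item.get("login") or {}).get("totp")
        try:
            if seed:
                report[item["name"]] = totp(seed, at)
        except ValueError as exc:
            report[item["name"]] = f"BROKEN: {exc}"
    return report
```

Compare each reported code with the one your previous authenticator shows in the same 30-second window.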

Shared vaults and teams: 1Password's team vault structure maps to Bitwarden's Organizations feature. When migrating a team, set up the Bitwarden Organization first, then import credentials into the organization's vault rather than individual user vaults. Recreate the folder structure manually — the 1Password vault hierarchy becomes Bitwarden folders, which are a flat list, not a hierarchy.

Watchtower: 1Password's Watchtower feature checks your passwords against Have I Been Pwned, flags reused passwords, identifies accounts without 2FA, and monitors for weak passwords. Bitwarden has a Reports feature that provides similar functionality, accessible under Tools → Reports. The coverage is comparable but the interface is less prominent. After migration, run a full Bitwarden security report and address the flagged items before canceling 1Password.

Travel Mode: 1Password's Travel Mode temporarily removes vaults from devices when crossing borders. Bitwarden has no equivalent feature. If travel mode is a meaningful part of your security workflow, this is a real feature gap. The workaround is to maintain a separate minimal-access Bitwarden account for travel situations.

Migration Timeline

The actual mechanical migration — export, import, verify — takes 1-2 hours. The real timeline is giving yourself enough time to verify everything is correct before canceling 1Password.

Run both Bitwarden and 1Password in parallel for at least one week. During that week, actively use Bitwarden for new logins and let 1Password be your fallback. Any credential that doesn't work correctly in Bitwarden surfaces during this period while you can still reference 1Password. Only cancel your 1Password subscription after two to three weeks of primary Bitwarden usage with no issues.

Bitwarden vs Vaultwarden: Making the Right Infrastructure Choice

The decision between Bitwarden Cloud and Vaultwarden self-hosted is worth examining carefully because it's not just a cost decision — it's a responsibility decision.

Bitwarden Cloud handles all infrastructure, updates, availability, and backups. You pay nothing for personal use and a reasonable amount for teams. If Bitwarden's servers go down, Bitwarden's team fixes it. If there's a security vulnerability, Bitwarden's team patches and updates the servers. This is the right choice for teams without DevOps capacity or for individuals who want a password manager that requires zero ongoing maintenance.

Vaultwarden self-hosted is the right choice when data sovereignty matters, when you want to eliminate the per-user cost for a large team, or when you have the technical infrastructure to run it reliably. "Reliably" means: automated daily backups verified by restore testing, monitored uptime with alerts, and a process for applying security patches within a few days of release. If your VPS goes down or your backup fails silently, you're responsible for recovering.

A middle path that some teams choose is Bitwarden's self-hosted option, which uses the official Bitwarden server software rather than Vaultwarden. Official Bitwarden self-hosted includes premium features, official support, and more frequent audits than Vaultwarden receives. The trade-off is resource requirements — the official server stack requires significantly more RAM than Vaultwarden's lean Rust implementation.

For solo founders, indie hackers, and small technical teams, Vaultwarden on a shared VPS is the cost-effective sweet spot. The best open source alternatives to 1Password guide covers all three options alongside Passbolt (which is built for team password sharing with GPG-based encryption) and KeePassXC (offline only, no sync). Understanding the full landscape prevents migrating to Bitwarden/Vaultwarden only to discover that Passbolt's access control model is a better fit for your team's security requirements. For hardening the Vaultwarden server deployment itself, the Vaultwarden advanced setup and security hardening guide covers reverse proxy configuration, fail2ban integration, and backup strategies beyond the default Docker setup. Teams building out a complete self-hosted security posture should also review the best open source password managers 2026 for the comprehensive landscape including Passbolt enterprise features and KeePassXC offline workflows.

