
Self-Host Vaultwarden: Bitwarden Password Manager 2026

OSSAlt Team
Tags: vaultwarden, bitwarden, password-manager, self-hosting, docker, security, 2026

TL;DR

Vaultwarden (AGPL 3.0, ~40K GitHub stars, Rust) is an unofficial Bitwarden-compatible server — the most popular self-hosted password manager setup. Bitwarden charges $10/year for premium features. Vaultwarden gives you all premium features free: TOTP, file attachments, emergency access, organization sharing, and Bitwarden Send — on your own hardware. The official Bitwarden browser extensions, mobile apps, and desktop clients all connect to your Vaultwarden server seamlessly.

Key Takeaways

  • Vaultwarden: AGPL 3.0, ~40K stars, Rust — Bitwarden-compatible, all premium features free
  • Bitwarden clients: Official iOS, Android, browser extensions, desktop apps — all work with Vaultwarden
  • Zero-knowledge: Passwords are E2E encrypted; your server never sees plaintext
  • Organizations: Share passwords with family or team via collections
  • TOTP: Store TOTP secrets and auto-fill 2FA codes (Bitwarden Authenticator)
  • Admin panel: Manage users, organizations, and settings via /admin

Vaultwarden vs Bitwarden Cloud vs 1Password

| Feature | Vaultwarden | Bitwarden Cloud | 1Password |
|---|---|---|---|
| License | AGPL 3.0 | Bitwarden Open Source | Proprietary |
| Cost | Free (self-host) | Free / $10/yr premium | $2.99/mo |
| TOTP/2FA storage | Free | $10/yr premium | Yes |
| File attachments | Free | $10/yr premium | Yes |
| Organizations | Free | $40/yr | $4.99/mo/family |
| Emergency access | Free | $10/yr | Limited |
| Bitwarden Send | Free | Free | No |
| Passkey support | Yes | Yes | Yes |
| E2E encryption | Yes | Yes | Yes |

Part 1: Docker Setup

# docker-compose.yml
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    ports:
      - "8080:80"
    volumes:
      - vaultwarden_data:/data
    environment:
      DOMAIN: "https://vault.yourdomain.com"
      # Disable signups after you've created your account:
      SIGNUPS_ALLOWED: "true"
      # Admin token (for /admin panel) - generate with: openssl rand -base64 48
      ADMIN_TOKEN: "${ADMIN_TOKEN}"
      # Rate limiting:
      LOGIN_RATELIMIT_MAX_BURST: 10
      LOGIN_RATELIMIT_SECONDS: 60
      ADMIN_RATELIMIT_MAX_BURST: 5
      ADMIN_RATELIMIT_SECONDS: 300
      # Push notifications (optional, for mobile sync):
      PUSH_ENABLED: "false"
      # Require email verification:
      SIGNUPS_VERIFY: "true"
      # Email settings:
      SMTP_HOST: "smtp.yourdomain.com"
      SMTP_PORT: 587
      SMTP_SECURITY: "starttls"
      SMTP_FROM: "vault@yourdomain.com"
      SMTP_USERNAME: "${SMTP_USER}"
      SMTP_PASSWORD: "${SMTP_PASS}"

volumes:
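  vaultwarden_data:

# Create .env from the shell. Compose does not run $(...) inside .env, so the
# token has to be generated first and its value written to the file:
echo "ADMIN_TOKEN=$(openssl rand -base64 48)" > .env
chmod 600 .env
# Add SMTP_USER=... and SMTP_PASS=... to the same file.

docker compose up -d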

Visit http://your-server:8080 → Create Account → register your first user.


Part 2: HTTPS with Caddy

HTTPS is required — Bitwarden clients will refuse to connect to HTTP:

vault.yourdomain.com {
    reverse_proxy localhost:8080
}

Now visit https://vault.yourdomain.com to access your vault.


Part 3: Disable Open Registration

After creating your account (and any family/team accounts), disable signups:

environment:
  SIGNUPS_ALLOWED: "false"

docker compose up -d

To invite specific users later, use the admin panel at https://vault.yourdomain.com/admin.
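A check for the settings from Parts 1 to 3, as an added example (not code from the original guide or from the Vaultwarden project): it audits the JSON printed by `docker compose config --format json`. The sample input is constructed, and the finding names and the `$argon2` prefix test for a hashed ADMIN_TOKEN are this example's own assumptions.

```python
import json

# Constructed sample: trimmed `docker compose config --format json` output for
# the Part 1 file, with a command substitution left unexpanded in ADMIN_TOKEN.
SAMPLE = json.loads("""
{"services": {"vaultwarden": {
  "image": "vaultwarden/server:latest",
  "ports": [{"mode": "ingress", "target": 80, "published": "8080", "protocol": "tcp"}],
  "environment": {
    "DOMAIN": "https://vault.yourdomain.com",
    "SIGNUPS_ALLOWED": "true",
    "ADMIN_TOKEN": "$(openssl rand -base64 48)"
  }}}}
""")

LOOPBACK = {"127.0.0.1", "::1"}

def audit(config, service="vaultwarden"):
    """Return a sorted list of (check_id, message) findings for one service."""
    svc = config["services"][service]
    env = {k: "" if v is None else str(v) for k, v in (svc.get("environment") or {}).items()}
    findings = []
    if env.get("SIGNUPS_ALLOWED", "true").lower() != "false":
        findings.append(("open-signups", "registration is open to anyone who can reach the server"))
    if not env.get("DOMAIN", "").lower().startswith("https://"):
        findings.append(("domain-not-https", "DOMAIN is missing or not an https:// URL"))
    # Compose may print a literal "$" as "$$"; undo that before inspecting the token.
    token = env.get("ADMIN_TOKEN", "").replace("$$", "$")
    if "$(" in token or "${" in token:
        findings.append(("admin-token-unexpanded", "ADMIN_TOKEN holds shell syntax, not a random value"))
    elif token and not token.startswith("$argon2"):
        findings.append(("admin-token-plaintext", "ADMIN_TOKEN is plain text, not an Argon2 PHC string"))
    for port in svc.get("ports") or []:
        if port.get("published") and port.get("host_ip") not in LOOPBACK:
            findings.append(("port-all-interfaces", f"host port {port['published']} is reachable without the HTTPS proxy"))
    return sorted(findings)

if __name__ == "__main__":
    for check_id, message in audit(SAMPLE):
        print(f"[{check_id}] {message}")
```
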


Part 4: Browser Extensions

Connect official Bitwarden extensions to your self-hosted server:

Chrome / Firefox / Edge

  1. Install Bitwarden browser extension
  2. Click the extension → Log in → click Self-hosted
  3. Server URL: https://vault.yourdomain.com
  4. Log in with your email and master password
  5. Extension auto-fills passwords and generates new ones

Part 5: Mobile Apps

iOS

  1. Install Bitwarden from App Store
  2. Tap Self-hosted environment
  3. Server URL: https://vault.yourdomain.com
  4. Log in → enable Autofill in iOS Settings → Passwords → AutoFill Passwords → Bitwarden

Android

  1. Install from Google Play or F-Droid
  2. Same server setup process
  3. Enable Autofill: Accessibility Settings → Bitwarden

Part 6: Organizations (Family/Team Sharing)

Share passwords with family members or a team:

Create an organization

  1. Web vault → Organizations → New Organization
  2. Name: Family or Company
  3. Billing email: your email (free on Vaultwarden)

Create collections

Organization: "Family"
├── Collection: "Shared Accounts" (all members can view)
│   ├── Netflix login
│   ├── Spotify family
│   └── Home WiFi
├── Collection: "Financial" (adults only)
│   ├── Bank accounts
│   └── Investment accounts
└── Collection: "Kids" (children can access)
    ├── School accounts
    └── Gaming accounts

Invite members

  1. Organization → Members → Invite Member
  2. Enter email → select role (Owner/Admin/Manager/Member/Custom)
  3. Assign collections

Part 7: TOTP (2FA Authenticator)

Store TOTP seeds alongside passwords:

  1. When adding/editing a password entry, scroll to Authenticator Key (TOTP)
  2. Scan the QR code or paste the secret key
  3. Bitwarden shows the live TOTP code when viewing the entry
  4. Browser extension auto-fills TOTP codes on 2FA prompts

Part 8: Admin Panel

Access https://vault.yourdomain.com/admin with your ADMIN_TOKEN:

Key settings:

  • Users → list users, invite new ones, force 2FA enrollment
  • Organizations → view all orgs and members
  • Diagnostics → check config and connectivity
  • Settings → enable/disable features, set limits

# Common admin tasks via env vars:
# Invite-only mode:
SIGNUPS_ALLOWED: "false"
INVITATIONS_ALLOWED: "true"

# Fail the login if the new-device notification email cannot be sent
# (this setting does not enforce 2FA):
REQUIRE_DEVICE_EMAIL: "true"

# Limit the size of JSON request bodies, in bytes (not an attachment quota):
ROCKET_LIMITS: "{ json = 10485760 }"

# Org limit:
ORG_CREATION_USERS: "alice@example.com"    # Only Alice can create orgs

Part 9: Push Notifications (Mobile Sync)

For real-time vault sync on mobile (optional):

  1. Register at bitwarden.com/host — free, get installation ID + key
  2. Update docker-compose.yml:

environment:
  PUSH_ENABLED: "true"
  PUSH_INSTALLATION_ID: "${PUSH_INSTALLATION_ID}"
  PUSH_INSTALLATION_KEY: "${PUSH_INSTALLATION_KEY}"

Without push: vault syncs when you open the app. With push: syncs immediately when you save a new password.


Maintenance

# Update Vaultwarden:
docker compose pull
docker compose up -d

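# Backup (critical!). Run as root; for a guaranteed-consistent copy of the
# SQLite database, stop the container before archiving and start it afterwards:
tar -czf vaultwarden-backup-$(date +%Y%m%d).tar.gz \
  $(docker volume inspect vaultwarden_vaultwarden_data --format '{{.Mountpoint}}')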

# Restore from backup:
tar -xzf vaultwarden-backup-20260101.tar.gz -C /
docker compose restart vaultwarden

# Logs:
docker compose logs -f vaultwarden

# Check that the server is responding (public config endpoint):
curl -s https://vault.yourdomain.com/api/config | jq
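To confirm that an archive made by the backup command above contains a usable database, this added example (not part of the original guide) finds every SQLite file in a tar.gz by its header and runs SQLite's integrity check on a temporary copy. It assumes the default SQLite backend; `make_sample` builds a constructed archive so the block runs offline.

```python
import io, os, shutil, sqlite3, tarfile, tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite database

def check_db(path):
    """Return 'ok' when SQLite's integrity check passes, else the error text."""
    con = sqlite3.connect(path)
    try:
        return "; ".join(row[0] for row in con.execute("PRAGMA integrity_check"))
    except sqlite3.DatabaseError as exc:
        return f"unreadable: {exc}"
    finally:
        con.close()

def verify_backup(archive_path):
    """Map each SQLite database inside the tar.gz to its integrity result."""
    results = {}
    with tarfile.open(archive_path, "r:gz") as tar, tempfile.TemporaryDirectory() as tmp:
        for member in (m for m in tar if m.isfile()):
            src = tar.extractfile(member)
            head = src.read(len(SQLITE_MAGIC))
            if head != SQLITE_MAGIC:
                continue
            # Copy to a name we choose instead of extractall(), so paths stored
            # in the archive are never used as paths on this filesystem.
            copy = os.path.join(tmp, f"{len(results)}.db")
            with open(copy, "wb") as dst:
                dst.write(head)
                shutil.copyfileobj(src, dst)
            results[member.name] = check_db(copy)
    return results

def make_sample(archive_path, truncate=False):
    """Constructed stand-in for a backup: one small database and one other file."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "sample.sqlite3")
        con = sqlite3.connect(db)
        con.execute("CREATE TABLE t(v TEXT)")
        con.executemany("INSERT INTO t VALUES (?)", [("x" * 500,)] * 200)
        con.commit()
        con.close()
        if truncate:  # simulate a copy that was cut short
            os.truncate(db, os.path.getsize(db) // 2)
        with tarfile.open(archive_path, "w:gz") as tar:
            tar.add(db, arcname="data/sample.sqlite3")
            tar.addfile(tarfile.TarInfo("data/notes.txt"), io.BytesIO(b""))
    return archive_path

if __name__ == "__main__":
    print(verify_backup(make_sample(os.path.join(tempfile.mkdtemp(), "demo.tar.gz"))))
```

An archive that yields an empty result contains no SQLite database at all, which is itself a failed backup.
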

See our advanced Vaultwarden hardening guide for PostgreSQL backend, fail2ban, 2FA enforcement, and production security.

See all open source security tools at OSSAlt.com/categories/security.
