
How to Self-Host Vaultwarden: Bitwarden-Compatible Password Manager 2026

OSSAlt Team
Tags: vaultwarden, bitwarden, password-manager, self-hosting, docker, security, 2026

TL;DR

Vaultwarden (GPL 3.0, ~38K GitHub stars) is an unofficial Bitwarden-compatible server written in Rust. It works with all official Bitwarden clients (browser extensions, desktop apps, mobile apps, CLI) but runs in ~10MB RAM vs Bitwarden's ~500MB. LastPass charges $3/month; 1Password charges $2.99/month. Vaultwarden gives you the same security model — zero-knowledge, end-to-end encrypted — on your own server, free.

Key Takeaways

  • Vaultwarden: GPL 3.0, ~38K stars, Rust — Bitwarden-compatible server using official clients
  • 10MB RAM: Runs on any hardware — Raspberry Pi, VPS, NAS
  • All Bitwarden features: Organizations, collections, sends, emergency access, TOTP generator
  • Admin panel: Built-in admin UI for user and organization management
  • Zero-knowledge: Vault data encrypted client-side — server never sees plaintext passwords
  • Official clients: Use the official Bitwarden browser extension, desktop app, and mobile app

Part 1: Docker Setup

# docker-compose.yml
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    ports:
      # Bind to loopback only; Caddy on the same host (Part 2) terminates TLS:
      - "127.0.0.1:8080:80"
    volumes:
      - vaultwarden_data:/data
    environment:
      # Domain (required for WebAuthn):
      DOMAIN: "https://vault.yourdomain.com"

      # Admin token (for /admin panel):
      ADMIN_TOKEN: "${ADMIN_TOKEN}"   # openssl rand -base64 48

      # Public registration: set to "true" only while you create your first
      # account (Part 3), then back to "false":
      SIGNUPS_ALLOWED: "false"

      # Invite-only registration:
      INVITATIONS_ALLOWED: "true"

      # Email (for 2FA codes, invitations, emergency access):
      SMTP_HOST: mail.yourdomain.com
      SMTP_PORT: 587
      SMTP_SECURITY: starttls
      SMTP_FROM: vault@yourdomain.com
      SMTP_USERNAME: vault@yourdomain.com
      SMTP_PASSWORD: "${MAIL_PASSWORD}"

      # Enable WebAuthn (hardware keys):
      # Already enabled by default

      # Show password hints (disable for security):
      SHOW_PASSWORD_HINT: "false"

      # Enable organizations:
      ORG_CREATION_USERS: "all"   # or specific email

      # Sends (file sharing):
      SENDS_ALLOWED: "true"

volumes:
  vaultwarden_data:
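
# Shell commands, run in the directory that holds docker-compose.yml.
# Generate admin token:
echo "ADMIN_TOKEN=$(openssl rand -base64 48)" >> .env
# The compose file also reads MAIL_PASSWORD from .env; add it there as well.
# .env now holds secrets: restrict its permissions (for example chmod 600 .env).

docker compose up -d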

Part 2: HTTPS with Caddy

HTTPS is required — Bitwarden clients refuse to connect over HTTP:

vault.yourdomain.com {
    reverse_proxy localhost:8080
}

Part 3: Create Your Account

  1. Visit https://vault.yourdomain.com
  2. Create Account:
    • Email: your email
    • Name: your name
    • Master Password: strong, memorable passphrase (NEVER forget this)
    • Hint: optional — keep vague
  3. Verify email
  4. Disable signups: set SIGNUPS_ALLOWED: "false" and restart
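
A post-restart check for step 4, as an added example that is not part of the original article: `audit_vaultwarden_env` (a hypothetical name) reads the container's environment as KEY=VALUE lines and reports settings that differ from the Part 1 compose file. It assumes the container name `vaultwarden` from that file, treats an `ADMIN_TOKEN` that is not an Argon2 PHC string as plain text, and runs here on constructed sample input.

```shell
#!/bin/sh
# Added example: audit Vaultwarden settings given as KEY=VALUE lines on stdin.
# Prints one line per finding; returns 1 if any FAIL was reported, else 0.
audit_vaultwarden_env() {
    signups="" hints="" domain="" token="" fails=0
    while IFS= read -r line || [ -n "$line" ]; do
        key=${line%%=*}
        val=${line#*=}
        case "$key" in
            SIGNUPS_ALLOWED)    signups=$val ;;
            SHOW_PASSWORD_HINT) hints=$val ;;
            DOMAIN)             domain=$val ;;
            ADMIN_TOKEN)        token=$val ;;
        esac
    done
    if [ "$signups" != "false" ]; then
        printf 'FAIL SIGNUPS_ALLOWED=%s: public registration is not disabled\n' "${signups:-<unset>}"
        fails=$((fails + 1))
    fi
    if [ "$hints" != "false" ]; then
        printf 'FAIL SHOW_PASSWORD_HINT=%s: password hints are not disabled\n' "${hints:-<unset>}"
        fails=$((fails + 1))
    fi
    case "$domain" in
        https://*) ;;
        *) printf 'FAIL DOMAIN=%s: not an https:// URL\n' "${domain:-<unset>}"
           fails=$((fails + 1)) ;;
    esac
    # The token value itself is never printed.
    case "$token" in
        "" | '$argon2'*) ;;   # unset, or already an Argon2 PHC hash
        *) printf 'NOTE ADMIN_TOKEN is a plain-text secret in the container environment\n' ;;
    esac
    [ "$fails" -eq 0 ]
}

# Constructed sample input (not taken from a real deployment).
sample_env() {
    printf '%s\n' \
        'DOMAIN=http://vault.example.test' \
        'SIGNUPS_ALLOWED=true' \
        'SHOW_PASSWORD_HINT=false' \
        'ADMIN_TOKEN=constructed-plaintext-token'
}

# Demo on the sample; for a live container (name from the compose file) use:
#   docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' vaultwarden | audit_vaultwarden_env
sample_env | audit_vaultwarden_env || true
```

Settings saved through the admin panel are written to config.json in the data volume and take precedence over environment variables, so this check covers only the environment.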

Part 4: Admin Panel

Access the admin panel at https://vault.yourdomain.com/admin using your ADMIN_TOKEN.

Admin panel capabilities

  • View all users and organizations
  • Delete users or deactivate accounts
  • Resend email invitations
  • Send test emails
  • View event logs
  • Force 2FA for all users
  • Set org storage limits

Invite additional users

Admin Panel → Users → Invite User → email@example.com

The user receives an invitation email and can create their account.


Part 5: Browser Extension Setup

Chrome / Chromium / Edge / Firefox / Safari

  1. Install Bitwarden Browser Extension
  2. Click the extension icon → Log In
  3. Server URL → Enter: https://vault.yourdomain.com
  4. Log in with your email and master password
  5. All your vault items sync immediately

The extension auto-fills logins, generates passwords, and shows TOTP codes.

Configuration tips

Settings → Security:
  - Vault timeout: 15 minutes (or On Browser Restart)
  - Vault timeout action: Lock (not Log Out)
  - Unlock with biometrics: Yes (if supported)
  - Two-step login: Enable TOTP or WebAuthn

Part 6: Mobile Apps

iOS and Android

  1. Install official Bitwarden app
  2. Log In → tap gear icon → Self-hosted
  3. Server URL: https://vault.yourdomain.com
  4. Log in with credentials
  5. Enable biometric unlock in settings

iOS AutoFill

  1. iPhone Settings → Passwords → AutoFill Passwords
  2. Enable Bitwarden
  3. Bitwarden now fills passwords system-wide in all apps

Part 7: Organizations and Sharing

Organizations allow sharing vault items with family or team:

Create an organization

  1. New Organization in the Bitwarden web vault
  2. Name: Family, Work
  3. Plan: Free (up to 2 users) or Families equivalent

Note: Vaultwarden allows unlimited org members regardless of Bitwarden plan tier.

Share a password

  1. Edit item → Move to Organization
  2. Select the organization
  3. Choose collection: Shared, Work Tools, etc.
  4. Permission: Can View or Can Edit

Invite family members

  1. Organization Settings → People → Invite
  2. Enter email → Confirm role (Member or Manager)
  3. User accepts invite and accesses shared collection

Part 8: Advanced Features

Emergency Access

Allow a trusted person to access your vault if you're incapacitated:

  1. Settings → Emergency Access → Add
  2. Enter trusted contact's email (must be a Vaultwarden user)
  3. Access type: View or Takeover
  4. Wait time: 1 day, 2 days, 7 days (they can request access, you have time to deny)

Sends (Encrypted File/Text Sharing)

Share text or files securely — recipient gets a temporary link:

# Via Bitwarden CLI (the text is passed as the final argument):
bw send -n "Secret note" -d 7 "The server password is..."
# Returns: https://vault.yourdomain.com/#/send/...

# File send:
bw send -n "Document" -d 1 -f /path/to/document.pdf

Bitwarden CLI

# Install:
npm install -g @bitwarden/cli
# or brew install bitwarden-cli

# Configure server:
bw config server https://vault.yourdomain.com

# Login (prints a session key; export it as BW_SESSION for the commands below):
bw login

# Get a password:
bw get password "GitHub"

# List items:
bw list items | jq '.[].name'

# Generate a password:
bw generate --length 20 --uppercase --lowercase --number --special

# Sync vault:
bw sync

# Export vault:
bw export --format encrypted_json --output vault-backup.json

Backup Strategy

# Backup the SQLite database (the entire vault):
docker compose stop vaultwarden

docker cp vaultwarden:/data/db.sqlite3 \
  vault-backup-$(date +%Y%m%d).db

docker compose start vaultwarden

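# Full data backup (includes attachments). Run as root, and while the container
# is stopped so the SQLite files are consistent. The volume name is
# <compose project>_vaultwarden_data; the project defaults to the directory name:
tar -czf vaultwarden-full-$(date +%Y%m%d).tar.gz \
  $(docker volume inspect vaultwarden_vaultwarden_data --format '{{.Mountpoint}}')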

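# Automated nightly backup script (save as a separate file; the shebang must be its first line):
#!/bin/bash
# bw needs an unlocked session: BW_SESSION must be set in this script's environment.
BACKUP_DIR=/home/user/backups/vaultwarden
mkdir -p "$BACKUP_DIR"

# Export via Bitwarden CLI (encrypted):
bw export --format encrypted_json \
  --output "$BACKUP_DIR/vault-$(date +%Y%m%d).json"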

# Keep last 30 days:
find "$BACKUP_DIR" -name "*.json" -mtime +30 -delete
find "$BACKUP_DIR" -name "*.db" -mtime +30 -delete

Update and Maintenance

# Update (check release notes first — breaking changes possible):
docker compose pull
docker compose up -d

# View active sessions:
# Admin Panel → Users → [user] → View Sessions

# Force logout all sessions (if compromised):
# Admin Panel → Users → [user] → Deactivate

# Logs:
docker compose logs -f vaultwarden
