Self-Hosting Guide: Deploy Bitwarden for Password Management
Bitwarden is the most popular open source password manager. Self-hosting with Vaultwarden (a lightweight, community-maintained Bitwarden-compatible server) gives you all premium features for free — TOTP, file attachments, organizations, and Bitwarden Send — using a fraction of the resources.
Why Vaultwarden?
| Feature | Official Bitwarden Server | Vaultwarden |
|---|---|---|
| RAM | 2+ GB (C#/.NET) | 50-100 MB (Rust) |
| Containers | 10+ services | 1 container |
| Premium features | Paid ($10/year) | Free |
| Organizations | Paid ($4/user/month) | Free |
| Compatibility | Full API | Full API |
| License | AGPL | GPL-3.0 |
Requirements
- VPS with 512 MB RAM minimum
- Docker
- Domain name (e.g., vault.yourdomain.com)
- HTTPS required (Bitwarden clients refuse HTTP)
- 5+ GB disk
Step 1: Deploy with Docker
```bash
docker run -d \
  --name vaultwarden \
  --restart unless-stopped \
  -p 8080:80 \
  -v vw-data:/data \
  -e DOMAIN=https://vault.yourdomain.com \
  -e SIGNUPS_ALLOWED=true \
  -e ADMIN_TOKEN=your-long-random-admin-token \
  vaultwarden/server:latest
```
Generate admin token:
```bash
openssl rand -hex 32
```
Step 2: Reverse Proxy (Caddy) — HTTPS Required
```
# /etc/caddy/Caddyfile
vault.yourdomain.com {
    reverse_proxy localhost:8080
}
```

```bash
sudo systemctl restart caddy
```
HTTPS is mandatory. Bitwarden clients will not connect over HTTP.
Step 3: DNS
Add an A record: vault.yourdomain.com → your server IP
Step 4: Create Your Account
- Open https://vault.yourdomain.com
- Click Create Account
- Set a strong master password (this is the only password you need to remember)
Important: After creating your account, disable sign-ups:
```bash
docker stop vaultwarden
docker rm vaultwarden
docker run -d \
  --name vaultwarden \
  --restart unless-stopped \
  -p 8080:80 \
  -v vw-data:/data \
  -e DOMAIN=https://vault.yourdomain.com \
  -e SIGNUPS_ALLOWED=false \
  -e ADMIN_TOKEN=your-long-random-admin-token \
  vaultwarden/server:latest
```
Or use the admin panel to invite specific users.
Step 5: Install Clients
All official Bitwarden clients work with Vaultwarden:
| Platform | Client | Custom Server URL |
|---|---|---|
| Browser | Bitwarden extension (Chrome, Firefox, Safari) | Settings → Self-hosted → https://vault.yourdomain.com |
| Desktop | Bitwarden Desktop (Mac, Windows, Linux) | Login → Self-hosted → https://vault.yourdomain.com |
| iOS | Bitwarden iOS app | Login → Self-hosted → https://vault.yourdomain.com |
| Android | Bitwarden Android app | Login → Self-hosted → https://vault.yourdomain.com |
| CLI | bw config server https://vault.yourdomain.com | CLI flag |
Step 6: Configure SMTP (For Invitations)
```bash
# Remove the existing container first; data persists in the vw-data volume
docker stop vaultwarden
docker rm vaultwarden
docker run -d \
  --name vaultwarden \
  --restart unless-stopped \
  -p 8080:80 \
  -v vw-data:/data \
  -e DOMAIN=https://vault.yourdomain.com \
  -e SIGNUPS_ALLOWED=false \
  -e ADMIN_TOKEN=your-admin-token \
  -e SMTP_HOST=smtp.resend.com \
  -e SMTP_PORT=587 \
  -e SMTP_SECURITY=starttls \
  -e SMTP_USERNAME=resend \
  -e SMTP_PASSWORD=re_your_api_key \
  -e SMTP_FROM=vault@yourdomain.com \
  vaultwarden/server:latest
```
Step 7: Admin Panel
Access at https://vault.yourdomain.com/admin
Admin capabilities:
- Invite users (bypasses sign-up restriction)
- View all users and their status
- Delete users
- View organization details
- Configure server settings
- Check diagnostics
Step 8: Set Up Organizations (Team Sharing)
- Log in to the web vault
- Settings → Organizations → New Organization
- Invite team members
- Create Collections (shared folders):
  - Engineering passwords
  - Infrastructure secrets
  - Marketing accounts
  - Shared company logins
Permissions:
- Owner → full control
- Admin → manage collections and members
- User → access assigned collections
- Custom → granular permissions per collection
Step 9: Enable 2FA
In your vault → Settings → Two-step Login:
| Method | Setup |
|---|---|
| Authenticator app | Scan QR with Google Authenticator, Authy, etc. |
| Email | Receive code via email |
| YubiKey | Hardware key (premium feature — free in Vaultwarden) |
| WebAuthn/FIDO2 | Fingerprint, Face ID, security key |
Always set up 2FA. Your master password protects all other passwords.
Step 10: Import Existing Passwords
- Export from your current password manager:
  - 1Password → .1pux or CSV
  - LastPass → CSV
  - Chrome → CSV (chrome://settings/passwords → Export)
  - KeePass → .kdbx or CSV
- In Bitwarden web vault → Tools → Import data
- Select format and upload
- Verify imported entries

A CSV export holds every password in plaintext, so delete the export file once the import is verified.
Production Hardening
Docker Compose (recommended):
```yaml
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    ports:
      - "8080:80"
    volumes:
      - vw-data:/data
    environment:
      - DOMAIN=https://vault.yourdomain.com
      - SIGNUPS_ALLOWED=false
      - ADMIN_TOKEN=your-admin-token
      - SMTP_HOST=smtp.resend.com
      - SMTP_PORT=587
      - SMTP_SECURITY=starttls
      - SMTP_USERNAME=resend
      - SMTP_PASSWORD=re_your_api_key
      - SMTP_FROM=vault@yourdomain.com
      - LOG_LEVEL=warn
      - WEBSOCKET_ENABLED=true

volumes:
  vw-data:
```
Backups (CRITICAL — this is your password vault):
```bash
# Daily backup of the data directory
docker run --rm -v vw-data:/data -v /backups:/backup alpine \
  tar czf /backup/vaultwarden-$(date +%Y%m%d).tar.gz /data

# Copy backup off-server (S3, another VPS, or local)
rclone copy /backups/vaultwarden-$(date +%Y%m%d).tar.gz remote:backups/
```
Set up multiple backup locations. If you lose this data, you lose all passwords.
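A backup only counts once it has been shown to restore. The script below is an added example, not part of the original guide: it records a checksum next to an archive and then verifies the archive by restoring it into a scratch directory. The function names are hypothetical, and the required file list assumes Vaultwarden's default SQLite layout (db.sqlite3 and rsa_key.pem under data/).

```bash
# Added example: seal and verify the archives produced by the tar command above.
# Assumption: default SQLite layout, so data/ must contain these files.
REQUIRED="db.sqlite3 rsa_key.pem"

# Record a SHA-256 next to ARCHIVE right after it is created.
vw_seal() {
  ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > "$(basename "$1").sha256" )
}

# Return 0 only if the checksum still matches and a test restore yields
# every required file, non-empty. PREFIX is the top-level directory (data).
vw_verify_backup() {
  local archive=$1 prefix=${2:-data} scratch f rc=0
  ( cd "$(dirname "$archive")" &&
    sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1 ) ||
    { echo "checksum mismatch: $archive"; return 1; }
  scratch=$(mktemp -d)
  if tar xzf "$archive" -C "$scratch" 2>/dev/null; then
    for f in $REQUIRED; do
      [ -s "$scratch/$prefix/$f" ] || { echo "missing or empty: $prefix/$f"; rc=1; }
    done
  else
    echo "archive does not extract: $archive"; rc=1
  fi
  rm -rf "$scratch"
  return "$rc"
}

# Constructed demo data: placeholder files, not a real vault.
demo=$(mktemp -d); mkdir -p "$demo/data" "$demo/backups"
echo "sqlite placeholder" > "$demo/data/db.sqlite3"
echo "key placeholder" > "$demo/data/rsa_key.pem"
tar czf "$demo/backups/vaultwarden-20240101.tar.gz" -C "$demo" data
vw_seal "$demo/backups/vaultwarden-20240101.tar.gz"
vw_verify_backup "$demo/backups/vaultwarden-20240101.tar.gz" && echo "backup verified"
rm -rf "$demo"
```

Run vw_seal right after the tar step and vw_verify_backup before the rclone copy. Stopping the container during the tar step keeps db.sqlite3 from being copied mid-write.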
Updates:
```bash
docker pull vaultwarden/server:latest
docker stop vaultwarden
docker rm vaultwarden
# Re-run docker run command (data persists in volume)
```
Security:
- Strong admin token (64+ characters)
- Disable sign-ups after creating accounts
- Enable 2FA for all users
- Regular backups to off-site locations
- Monitor for unauthorized access in admin panel
- Keep Vaultwarden updated
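The checklist can be checked mechanically against the compose file. The script below is an added example, not part of the original guide, with hypothetical function names; it parses the list-style `- KEY=value` entries used above. The port check goes beyond the checklist and rests on an assumption: Caddy runs on the same host, so the container port only needs to listen on 127.0.0.1.

```bash
# Added example: audit a Vaultwarden compose file against the checklist above.
# Assumes list-style "- KEY=value" environment entries, as in this guide.

# Print the value of environment entry KEY in FILE (empty if absent).
vw_env() {
  sed -n "s/^[[:space:]]*-[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1 | tr -d "\"'"
}

# Print one line per finding; the return code is the number of FAIL/WARN findings.
vw_audit() {
  local f=$1 n=0 signups token domain
  signups=$(vw_env "$f" SIGNUPS_ALLOWED)
  token=$(vw_env "$f" ADMIN_TOKEN)
  domain=$(vw_env "$f" DOMAIN)
  # Vaultwarden allows registration by default, so "unset" is not safe either.
  if [ "$signups" != "false" ]; then
    echo "FAIL SIGNUPS_ALLOWED is '${signups:-unset}', expected false"; n=$((n + 1))
  fi
  # The checklist asks for 64+ characters; also catch the guide's placeholders.
  case $token in
    "") echo "INFO ADMIN_TOKEN unset, so the /admin panel is disabled" ;;
    your-*) echo "FAIL ADMIN_TOKEN is still a placeholder"; n=$((n + 1)) ;;
    *) if [ "${#token}" -lt 64 ]; then
         echo "FAIL ADMIN_TOKEN has ${#token} characters, expected 64+"; n=$((n + 1))
       fi ;;
  esac
  # Clients refuse HTTP, so DOMAIN must be an https:// URL.
  case $domain in
    https://*) ;;
    *) echo "FAIL DOMAIN is '${domain:-unset}', expected https://..."; n=$((n + 1)) ;;
  esac
  # "8080:80" listens on every interface, so plain HTTP is reachable without Caddy.
  if grep -Eq '^[[:space:]]*-[[:space:]]*"?[0-9]+:[0-9]+"?[[:space:]]*$' "$f"; then
    echo "WARN port published on all interfaces, use 127.0.0.1:8080:80"; n=$((n + 1))
  fi
  return "$n"
}

# Constructed sample: the guide's compose file with the Step 1 sign-up setting.
vw_sample() {
  printf '%s\n' 'services:' '  vaultwarden:' '    ports:' '      - "8080:80"' \
    '    environment:' '      - DOMAIN=https://vault.yourdomain.com' \
    '      - SIGNUPS_ALLOWED=true' '      - ADMIN_TOKEN=your-admin-token'
}

sample=$(mktemp); vw_sample > "$sample"
vw_audit "$sample" || echo "findings: $?"
rm -f "$sample"
```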
Resource Usage
| Users | RAM | CPU | Disk |
|---|---|---|---|
| 1-10 | 50 MB | 1 core | 100 MB |
| 10-50 | 100 MB | 1 core | 500 MB |
| 50-200 | 256 MB | 1 core | 1 GB |
Vaultwarden is incredibly lightweight — it can easily share a VPS with other services.
VPS Recommendations
| Provider | Spec | Price |
|---|---|---|
| Hetzner | 2 vCPU, 2 GB RAM | €4.50/month |
| DigitalOcean | 1 vCPU, 1 GB RAM | $6/month |
| Linode | 1 vCPU, 1 GB RAM | $5/month |
vs Bitwarden Teams ($4/user/month): A 20-person team saves $960/year with self-hosted Vaultwarden.