Vaultwarden: Self-Hosted Bitwarden Password Manager for Your Homelab
Password managers are essential security tools, but relying on a third-party service means trusting them with your most sensitive data. Vaultwarden is a self-hosted, Bitwarden-compatible password manager — you get all the Bitwarden clients (browser extensions, mobile apps, desktop apps) while running the server yourself.
Vaultwarden vs. Bitwarden
Bitwarden is an excellent password manager with a good free tier and reasonable paid plans. Vaultwarden is an unofficial Bitwarden-compatible server implementation written in Rust.
Key differences:
- Vaultwarden uses ~10MB RAM vs Bitwarden Server's 1GB+ requirement
- Vaultwarden runs on any modest hardware (Raspberry Pi included)
- Vaultwarden supports all Bitwarden clients unchanged
- Vaultwarden enables premium features (TOTP, attachments) for free
- Vaultwarden is not officially supported by Bitwarden
All official Bitwarden apps (browser extensions, mobile apps) connect to Vaultwarden seamlessly — just point them to your server URL instead of bitwarden.com.
Security Considerations
Before deploying, understand the responsibility:
- Your server becomes the target for credential theft
- You're responsible for updates, backups, and security hardening
- A breach would expose all stored passwords
Minimum security requirements:
- HTTPS is mandatory — never run Vaultwarden without TLS
- Backups are non-negotiable — a server failure without backup means permanent password loss
- Keep it updated — security vulnerabilities get patched in new releases
- Strong admin password — the admin panel is a significant attack surface
With those in mind: a properly secured Vaultwarden instance is more secure than using a cloud manager without end-to-end encryption — your encrypted vault never leaves your network.
Deployment with Docker Compose
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    volumes:
      - /path/to/vaultwarden-data:/data
    environment:
      DOMAIN: "https://vault.yourdomain.com"
      ADMIN_TOKEN: "your-secure-admin-token"
      SIGNUPS_ALLOWED: "false" # Disable after creating accounts
      INVITATIONS_ALLOWED: "true" # Invite family members
      SMTP_HOST: "smtp.fastmail.com"
      SMTP_FROM: "[email protected]"
      SMTP_PORT: "587"
      SMTP_USERNAME: "[email protected]"
      SMTP_PASSWORD: "your-smtp-password"
    ports:
      - "127.0.0.1:8080:80"
    restart: unless-stopped
Start it:
docker compose up -d
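A pre-deployment check for the settings this guide singles out (HTTPS domain, signups, admin token, loopback-only port), as an added example that is not part of the original guide. It reads the JSON printed by `docker compose config --format json`; the helper name `audit_vaultwarden` and the sample values are assumptions made for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample in the shape `docker compose config --format json` emits
# (environment as a mapping, ports in long form). Values are illustrative.
SAMPLE = json.loads("""
{"services": {"vaultwarden": {
  "image": "vaultwarden/server:latest",
  "environment": {"DOMAIN": "http://vault.yourdomain.com",
                  "ADMIN_TOKEN": "hunter2",
                  "SIGNUPS_ALLOWED": "true"},
  "ports": [{"mode": "ingress", "target": 80, "published": "8080",
             "protocol": "tcp"}]}}}
""")


def audit_vaultwarden(compose, service="vaultwarden"):
    """Return findings for the settings this guide calls out (hypothetical helper)."""
    svc = compose["services"][service]
    env = svc.get("environment") or {}
    findings = []
    if urlparse(env.get("DOMAIN") or "").scheme != "https":
        findings.append("DOMAIN is not an https:// URL")
    # Vaultwarden accepts new registrations unless this is explicitly false.
    if str(env.get("SIGNUPS_ALLOWED", "true")).lower() != "false":
        findings.append("SIGNUPS_ALLOWED is not false")
    token = env.get("ADMIN_TOKEN")
    # A hash string starts with "$"; anything else is a raw password.
    if token and not token.startswith("$"):
        findings.append("ADMIN_TOKEN is a plain string, not a hash")
    for port in svc.get("ports") or []:
        # No host_ip means Docker publishes on every interface, so the
        # plain-HTTP port is reachable without going through the TLS proxy.
        if port.get("host_ip") not in ("127.0.0.1", "::1"):
            findings.append(f"port {port.get('published')} is not bound to loopback")
    return findings


if __name__ == "__main__":
    for line in audit_vaultwarden(SAMPLE):
        print("FAIL:", line)
```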
Generating a Secure Admin Token
Never use a simple password as the admin token. Generate a bcrypt hash:
# Install htpasswd (usually in apache2-utils)
sudo apt install apache2-utils
# Generate bcrypt hash (use exactly this format)
htpasswd -bnBC 12 "" YourStrongAdminPassword | tr -d ':\n' | sed 's/$2y/$2a/'
Set the output as ADMIN_TOKEN in your compose file. Admin access is then at https://vault.yourdomain.com/admin.
HTTPS Configuration (Required)
Vaultwarden requires HTTPS for all browser extension and mobile app connections. Two options:
Option 1: Reverse proxy (recommended)
Use Nginx Proxy Manager or Traefik in front of Vaultwarden:
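server {
    listen 443 ssl;
    server_name vault.yourdomain.com;

    # Placeholder paths: point these at your own certificate and key
    ssl_certificate     /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;

    location / {
        # Vaultwarden is published on the loopback port from the compose file
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # WebSocket support (needed for real-time sync)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}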
Option 2: Cloudflare Tunnel
Expose Vaultwarden through a Cloudflare Tunnel for HTTPS without port forwarding or a certificate to manage.
Initial Setup
- Navigate to https://vault.yourdomain.com
- Create your admin account (first account if signups are enabled)
- Immediately disable public signups in the admin panel or via SIGNUPS_ALLOWED: "false"
- Enable 2FA on your account (TOTP via any authenticator app)
- Add family members via invitation links
Connecting Bitwarden Clients
Browser extension:
- Install the Bitwarden extension in Chrome/Firefox/Edge
- Click the extension → Settings
- Under "Self-hosted environment", enter your server URL
- Save and log in
Mobile app (iOS/Android):
- Install the official Bitwarden app
- On the login screen, tap "Self-hosted" (gear icon)
- Enter your server URL
- Log in normally
Desktop app: Same process as the browser extension.
Premium Features (Free in Vaultwarden)
Bitwarden charges $10/year for Premium. Vaultwarden includes these features for free:
- TOTP authenticator codes — store and generate 2FA codes alongside passwords
- File attachments — attach documents to vault entries
- Emergency access — grant trusted contacts access in an emergency
- Vault health reports — identify weak, reused, or compromised passwords
- Bitwarden Send — encrypted file/text sharing
To enable in Vaultwarden: Admin panel → Users → set your account to premium_forever: true.
Backup Strategy
Your vault data lives in /data. Back it up religiously:
What to back up:
- /data/db.sqlite3 — the vault database
- /data/config.json — server configuration
- /data/attachments/ — file attachments
Example: nightly backup with cron:
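#!/bin/bash
set -euo pipefail
BACKUP_DIR="/backups/vaultwarden"
DATE=$(date +%Y-%m-%d)
mkdir -p "$BACKUP_DIR"
# Use SQLite's online backup instead of cp: copying a live database can miss
# writes that are still in the WAL file. Requires the sqlite3 CLI on the host.
sqlite3 /path/to/vaultwarden-data/db.sqlite3 ".backup '$BACKUP_DIR/vault-$DATE.db'"
# Keep 30 days
find "$BACKUP_DIR" -name "*.db" -mtime +30 -delete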
Export a local backup from the web vault (Settings → Export Vault) periodically as an additional safety net — this gives you a plaintext JSON or encrypted file you can import into any Bitwarden-compatible manager if your server ever fails.
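A backup routine covering all three items in the "What to back up" list, as an added example that is not code from the original guide. It takes a consistent snapshot of the live database through SQLite's online backup API, runs an integrity check on the copy, and prunes snapshots older than 30 days; the function name `backup_vault` and the dated-folder layout are assumptions.

```python
import shutil
import sqlite3
import time
from pathlib import Path


def backup_vault(data_dir, backup_dir, keep_days=30, now=None):
    """Snapshot db.sqlite3, config.json and attachments/ into a dated folder.

    Returns the snapshot path. Raises RuntimeError if the copied database
    fails SQLite's integrity check, so a cron job reports the failure.
    """
    data_dir, backup_dir = Path(data_dir), Path(backup_dir)
    now = time.time() if now is None else now
    dest = backup_dir / time.strftime("%Y-%m-%d", time.localtime(now))
    dest.mkdir(parents=True, exist_ok=True)

    # Online backup API: consistent while Vaultwarden is writing, and it
    # includes pages that so far exist only in the -wal file.
    # mode=rw makes a missing source an error instead of an empty backup.
    uri = (data_dir / "db.sqlite3").resolve().as_uri() + "?mode=rw"
    src = sqlite3.connect(uri, uri=True)
    dst = sqlite3.connect(dest / "db.sqlite3")
    try:
        src.backup(dst)
        result = dst.execute("PRAGMA integrity_check").fetchone()[0]
    finally:
        src.close()
        dst.close()
    if result != "ok":
        raise RuntimeError(f"backup failed integrity check: {result}")

    # The other two items from the list; either may not exist yet.
    if (data_dir / "config.json").exists():
        shutil.copy2(data_dir / "config.json", dest / "config.json")
    if (data_dir / "attachments").is_dir():
        shutil.copytree(data_dir / "attachments", dest / "attachments",
                        dirs_exist_ok=True)

    # Retention: remove snapshot folders not modified in keep_days days.
    cutoff = now - keep_days * 86400
    for old in backup_dir.iterdir():
        if old.is_dir() and old != dest and old.stat().st_mtime < cutoff:
            shutil.rmtree(old)
    return dest


if __name__ == "__main__":
    print(backup_vault("/path/to/vaultwarden-data", "/backups/vaultwarden"))
```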
Updating Vaultwarden
docker compose pull
docker compose up -d
Check Vaultwarden releases for breaking changes before updating. Updates are generally safe and have not required manual database migrations.
Monitoring
Set up uptime monitoring (Uptime Kuma or similar) to alert you if Vaultwarden goes down. An unavailable password manager at the wrong time is genuinely disruptive — you want to know immediately if it's offline.
Is Self-Hosting Right for You?
Self-hosting a password manager carries more responsibility than using Bitwarden's cloud. Consider:
- Do you have reliable uptime? An offline Vaultwarden during a long trip means no password access on new devices (though existing devices can use cached vaults)
- Will you maintain it? Security updates matter more here than for most services
- Do you have good backups? Losing your vault without a backup means rebuilding from scratch
For tech-confident homelabbers who already self-host other services: Vaultwarden is a natural addition. For less technical family members who rely on your server: a cloud option like Bitwarden's cloud (which also has end-to-end encryption) may be more reliable.
