Vaultwarden: Self-hosted Password Manager
Install Vaultwarden (Bitwarden self-hosted) on your VPS. Manage passwords, secure notes and 2FA privately with official Bitwarden clients.
Vaultwarden is an unofficial but compatible implementation of the Bitwarden server, written in Rust. It uses the same API as Bitwarden, so it works with all official clients (browser extension, mobile app, desktop, CLI). Ultra-lightweight: runs with less than 50 MB RAM.
Prerequisites
- Docker installed
- A domain with SSL (Vaultwarden requires HTTPS)
- Nginx as reverse proxy
Installation with Docker
mkdir -p /opt/vaultwarden/data
docker run -d \
--name vaultwarden \
--restart always \
-v /opt/vaultwarden/data:/data \
-e DOMAIN="https://vault.yourdomain.com" \
-e SIGNUPS_ALLOWED=true \
-e ADMIN_TOKEN=$(openssl rand -base64 48) \
-p 127.0.0.1:8080:80 \
vaultwarden/server:latestSave the ADMIN_TOKEN
The token generated with openssl rand is shown only once. Save it: you'll need it to access /admin. You can also set it manually in the environment variable.
With docker-compose (recommended)
# /opt/vaultwarden/docker-compose.yml
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
restart: always
volumes:
- ./data:/data
environment:
DOMAIN: "https://vault.yourdomain.com"
SIGNUPS_ALLOWED: "false" # disable after creating your account
ADMIN_TOKEN: "secure_token" # generate with: openssl rand -base64 48
SMTP_HOST: "smtp.gmail.com" # optional for invitation emails
SMTP_PORT: "587"
SMTP_FROM: "vault@yourdomain.com"
ports:
- "127.0.0.1:8080:80"cd /opt/vaultwarden
docker compose up -dNginx reverse proxy with SSL
certbot certonly --nginx -d vault.yourdomain.comserver {
listen 443 ssl;
server_name vault.yourdomain.com;
ssl_certificate /etc/letsencrypt/live/vault.yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/vault.yourdomain.com/privkey.pem;
# Security headers
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# WebSocket for real-time notifications
location /notifications/hub {
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
server {
listen 80;
server_name vault.yourdomain.com;
return 301 https://$host$request_uri;
}nginx -t && systemctl reload nginxFirst access and configuration
- Go to
https://vault.yourdomain.com - Create the first account (admin)
- Go to
https://vault.yourdomain.com/adminwith your ADMIN_TOKEN - Disable registrations: set
SIGNUPS_ALLOWED=falsein docker-compose or from admin panel
Bitwarden clients
Vaultwarden is compatible with all official Bitwarden clients. On login, change the "Server URL" to your domain:
- Browser extension: Chrome, Firefox, Safari, Edge
- Mobile app: iOS and Android
- Desktop app: Windows, Mac, Linux
- CLI:
bw config server https://vault.yourdomain.com
Backup
# Data is in /opt/vaultwarden/data/
# Backup the database
cp /opt/vaultwarden/data/db.sqlite3 /root/vaultwarden-backup-$(date +%Y%m%d).sqlite3
# Complete backup
tar -czf /root/vaultwarden-$(date +%Y%m%d).tar.gz /opt/vaultwarden/data/Add to cron for automatic backups:
echo "0 3 * * * tar -czf /root/backups/vaultwarden-\$(date +\%Y\%m\%d).tar.gz /opt/vaultwarden/data/ 2>/dev/null" | crontab -Coolify: Self-hosted Heroku / Vercel
Install Coolify to deploy Node.js, PHP, Python, Docker and static site applications directly from Git with automatic SSL. Free alternative to Heroku and Vercel.
BorgBackup: Incremental and Deduplicated Backup
Configure BorgBackup for automatic, incremental and compressed backups of your server. Much more efficient than rsync for frequent backups.