Setup Vaultwarden with Docker Compose

TL;DR — Quick Summary

A comprehensive guide to self-hosting your own secure Bitwarden-compatible password manager using Docker Compose and Nginx.

Taking control of your own cybersecurity is the ultimate homelab achievement. By self-hosting Vaultwarden, you get the absolute premium power of a world-class password manager (Bitwarden) entirely within your own private perimeter.

In this guide, we will deploy Vaultwarden using Docker Compose and secure it for production use.

Step 1: Prepare the Host Environment

You need a Linux host with Docker and Docker Compose installed. First, create a secure directory so we don’t accidentally lose our SQLite database.

mkdir -p /opt/vaultwarden
cd /opt/vaultwarden

Step 2: The Docker Compose Configuration

Create a file named docker-compose.yml in your new directory. Paste the following optimal production configuration:

version: '3'

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      - WEBSOCKET_ENABLED=true
      - SIGNUPS_ALLOWED=true
    volumes:
      - ./vw-data:/data
    ports:
      - 8080:80

Notice the line SIGNUPS_ALLOWED=true. This allows anyone who accesses your URL to create an account. We will change this to false later after you register your main account!

Step 3: Launch the Container

Deploy the container in detached mode:

docker-compose up -d

Verify that it started successfully without throwing exit codes:

docker-compose logs -f

Step 4: Reverse Proxy and SSL (Crucial)

Vaultwarden relies heavily on the browser’s Web Crypto API to decrypt your passwords locally. This API completely disables itself if the site is not served over strict HTTPS.

You must hide your local 8080 port behind a reverse proxy (like Nginx Proxy Manager).

Open Nginx Proxy Manager.
Create a Proxy Host mapping vault.yourdomain.com to your server’s IP and port 8080.
Enable “Request a new SSL Certificate” and enforce “Force SSL”.

Step 5: Disable Signups

Once your SSL is working, navigate to your domain, create your master account, and verify you can log in.

After you have registered your family members, aggressively lock down your instance by returning to your docker-compose.yml and modifying the environment block:

    environment:
      - WEBSOCKET_ENABLED=true
      - SIGNUPS_ALLOWED=false

Restart the container to apply the lockdown:

docker-compose down && docker-compose up -d

Your passwords are now locally encrypted, self-hosted, and utterly impenetrable!

Guide & Instructions

Estimated Time: 15m

Tools Needed:

Docker
Docker Compose
Nginx Proxy Manager
Linux Terminal

Prepare the Directory Structure

Create a dedicated folder for your Vaultwarden instance by running `mkdir -p /opt/vaultwarden` and navigate into it using `cd /opt/vaultwarden`.

Create the docker-compose.yml file

Create a `docker-compose.yml` file and define the `vaultwarden/server:latest` image inside it. Ensure you map port 80 to a local port (e.g., `8080:80`) and define a volume like `./vw-data:/data`.

Configure the Environment Variables

Set `SIGNUPS_ALLOWED=true` initially so you can create your admin account, and configure `DOMAIN=https://vault.yourdomain.com` for proper routing constraints.

Start the Vaultwarden Container

Deploy the stack by executing `docker-compose up -d`. Verify the container is running smoothly by checking the logs with `docker-compose logs -f`.

Secure with SSL via Reverse Proxy

Point your Reverse Proxy (like Nginx Proxy Manager or Traefik) to your Vaultwarden container's internal IP and Port, and issue an automatic Let's Encrypt SSL certificate.

Frequently Asked Questions

What is the difference between Vaultwarden and Bitwarden?

Vaultwarden is an unofficial, lightweight Rust rewrite of the official Bitwarden server. It provides all the premium Bitwarden features (like organizations and 2FA) absolutely free, and consumes vastly less RAM, making it perfect for homelabs.

Can I use the official Bitwarden apps with Vaultwarden?

Yes! Because Vaultwarden strictly adheres to the official Bitwarden API, you can perfectly log in using the official Bitwarden iOS, Android, and Desktop apps by simply changing the 'Self-Hosted Environment URL' in the app settings.

Does Vaultwarden require an SSL certificate?

Absolutely. Browsers explicitly block the cryptographic Web Crypto API on non-HTTPS connections. If you don't use SSL (HTTPS), the Vaultwarden web interface will essentially fail to load or let you log in.

How do I backup my Vaultwarden passwords?

You must backup the `vw-data` folder mapped in your Docker Compose file. This folder contains your SQLite database (`db.sqlite3`) and your RSA encryption keys. If you lose this folder, your passwords are unrecoverable.