Why Vaultwarden?
Cloud password managers are convenient, but you’re trusting a third party with your most sensitive data. Vaultwarden keeps it under your control:
- Full Bitwarden compatibility — All official clients work out of the box.
- 50 MB RAM — Runs on a Raspberry Pi or any tiny VPS.
- End-to-end encryption — AES-256 client-side; server never sees decrypted data.
- Organizations & sharing — Share passwords securely with family or team.
- Free premium features — TOTP, file attachments, emergency access.
Prerequisites
- Docker on any Linux server.
- A domain with HTTPS (required for browser extensions).
- A reverse proxy (Nginx, Caddy, or Traefik).
Step 1: Deploy with Docker
docker run -d \
--name vaultwarden \
--restart=always \
-v /vw-data/:/data/ \
-p 8080:80 \
-e DOMAIN=https://vault.example.com \
-e SIGNUPS_ALLOWED=true \
-e SMTP_HOST=smtp.gmail.com \
-e SMTP_PORT=587 \
-e SMTP_SECURITY=starttls \
-e SMTP_USERNAME=your@gmail.com \
-e SMTP_PASSWORD=app-password \
-e SMTP_FROM=your@gmail.com \
vaultwarden/server:latest
Step 2: Essential Environment Variables
| Variable | Purpose |
|---|---|
| DOMAIN | Your full HTTPS URL (required for clients) |
| SIGNUPS_ALLOWED | Set to false after creating your accounts |
| SMTP_* | Email config for password resets and 2FA |
| ADMIN_TOKEN | Secret token to access /admin panel |
| WEBSOCKET_ENABLED | Set to true for real-time sync |
Step 3: Secure the Admin Panel
Generate a secure admin token:
openssl rand -base64 48
Add to your Docker env:
-e ADMIN_TOKEN=your-generated-token
Access at https://vault.example.com/admin. From here you can manage users, view diagnostics, and configure settings.
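A quick audit of the variables from Steps 2 and 3, added here as an example and not part of the original guide or the Vaultwarden project. It assumes the settings are kept in a KEY=VALUE env file; the function names `vw_get` and `audit_vw_env` are made up for this example.

```shell
#!/bin/bash
# Added example: audit a Vaultwarden env file (one KEY=VALUE per line).
# The env-file layout and the function names are assumptions of this example.

# Print the value of the last KEY= assignment in the file.
vw_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# Print one line per finding; the return status is the number of findings.
audit_vw_env() {
    local file=$1 findings=0 domain signups token
    domain=$(vw_get "$file" DOMAIN)
    signups=$(vw_get "$file" SIGNUPS_ALLOWED)
    token=$(vw_get "$file" ADMIN_TOKEN)

    # Clients need the full HTTPS URL.
    case $domain in
        https://?*) ;;
        *) echo "DOMAIN is not an https:// URL: '$domain'"; findings=$((findings + 1)) ;;
    esac

    # Only an explicit false passes: an unset variable leaves signups open.
    if [ "$signups" != "false" ]; then
        echo "SIGNUPS_ALLOWED is '${signups:-unset}', expected false after setup"
        findings=$((findings + 1))
    fi

    # An empty token is not flagged here. A set token must be at least as long
    # as the 64 characters that `openssl rand -base64 48` produces.
    if [ -n "$token" ] && [ "${#token}" -lt 64 ]; then
        echo "ADMIN_TOKEN is only ${#token} characters; generate one with openssl rand -base64 48"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: Step 1 values with the placeholder token left in place.
demo=$(mktemp)
cat > "$demo" <<'EOF'
DOMAIN=https://vault.example.com
SIGNUPS_ALLOWED=true
ADMIN_TOKEN=your-generated-token
EOF
audit_vw_env "$demo" || echo "findings: $?"
rm -f "$demo"
```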
Step 4: Backup Strategy
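#!/bin/bash
# /usr/local/bin/backup-vaultwarden.sh
set -euo pipefail  # stop on the first failed step instead of reporting a partial backup
umask 077          # the backup holds the vault database and RSA keys; keep it owner-only
BACKUP_DIR="/backup/vaultwarden/$(date +%Y-%m-%d)"
mkdir -p "$BACKUP_DIR"
# SQLite's .backup gives a consistent copy while Vaultwarden is running
sqlite3 /vw-data/db.sqlite3 ".backup '$BACKUP_DIR/db.sqlite3'"
if [ -d /vw-data/attachments ]; then
cp -r /vw-data/attachments "$BACKUP_DIR/"
fi
cp /vw-data/rsa_key* "$BACKUP_DIR/"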
Schedule daily: 0 3 * * * /usr/local/bin/backup-vaultwarden.sh
Vaultwarden vs Bitwarden Official
| Feature | Vaultwarden | Bitwarden (self-hosted) |
|---|---|---|
| RAM usage | 50-100 MB | 2+ GB |
| Database | SQLite | MSSQL |
| Docker images | 1 container | 10+ containers |
| Premium features | All free | $10/year or self-hosted |
| Maintenance | Minimal | Complex |
| Best for | Homelabs, small teams | Enterprise |
Troubleshooting
| Problem | Solution |
|---|---|
| Browser extension can’t connect | HTTPS is required; configure a reverse proxy with SSL |
| “Invalid credentials” after migration | Clear browser extension cache; re-enter server URL |
| 2FA codes not sending via email | Verify SMTP_* environment variables; test with /admin diagnostics |
| Mobile app not syncing | Check server URL includes https://; verify port is accessible |
| Admin panel shows blank page | Regenerate ADMIN_TOKEN; clear browser cookies for the domain |
Summary
- One Docker container replaces a cloud subscription.
- All Bitwarden clients work natively — browser, mobile, desktop, CLI.
- End-to-end encrypted — server never sees your passwords.
- Disable SIGNUPS_ALLOWED after setup and back up daily.