Vaultwarden: Self-Hosted Bitwarden for Free
Deploy Vaultwarden, a lightweight Bitwarden-compatible password manager. Get all premium features free while keeping your passwords under your control.
Posted by
Related reading
Homelab Documentation: Wiki.js vs BookStack for Self-Hosted Wikis
Document your homelab setup with self-hosted wikis. Compare Wiki.js and BookStack for creating searchable documentation of your infrastructure and procedures.
Docker Security Scanning: Trivy and Dockle for Safe Containers
Scan your Docker images for vulnerabilities before deploying. Learn to use Trivy and Dockle to secure your self-hosted homelab container infrastructure.
Docker Compose Reverse Proxy: Traefik vs Nginx Proxy Manager
Set up a reverse proxy for your homelab. Compare Traefik and Nginx Proxy Manager for automatic SSL, domain routing, and secure access to self-hosted services.

Your Passwords, Your Server
Password managers are essential for digital security, but storing all your passwords on someone else's server feels risky. What if they get breached? What if they change their pricing? With Vaultwarden, you get the full Bitwarden experience on your own infrastructure.
Vaultwarden is a lightweight, open-source implementation of the Bitwarden API. It's fully compatible with all official Bitwarden clients and includes premium features for free.
Why Vaultwarden Over Bitwarden?
- Lightweight: Uses minimal RAM (under 50MB vs 2GB+ for official Bitwarden)
- Premium features free: TOTP, file attachments, emergency access
- Self-contained: Single Docker container, SQLite database
- Active development: Regular updates and security patches
- Full compatibility: Works with all Bitwarden apps and extensions
Docker Compose Setup
Vaultwarden is one of the simplest services to deploy:
version: "3.8"
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
ports:
- "8080:80"
environment:
- DOMAIN=https://vault.yourdomain.com
- SIGNUPS_ALLOWED=true
- ADMIN_TOKEN=${ADMIN_TOKEN}
- WEBSOCKET_ENABLED=true
- LOG_LEVEL=info
volumes:
- ./data:/data
restart: unless-stoppedCreate a .env file with a secure admin token:
# Generate with: openssl rand -base64 48 ADMIN_TOKEN=your_very_long_random_token_here
Critical: HTTPS is Required
Vaultwarden and Bitwarden clients require HTTPS for security. You have several options:
- Cloudflare Tunnel: Free, easy, handles SSL automatically
- Traefik: Reverse proxy with automatic Let's Encrypt certificates
- Nginx Proxy Manager: GUI-based reverse proxy with SSL
- Caddy: Automatic HTTPS with minimal configuration
Never expose Vaultwarden over plain HTTP - your passwords would be transmitted unencrypted!
Initial Configuration
1. Access the Admin Panel
Navigate to https://your-vault/admin and enter your admin token.
2. Create Your Account
Go to the main URL and create your first account. After creating accounts for your family, disable signups:
environment: - SIGNUPS_ALLOWED=false
3. Configure Email (Optional but Recommended)
environment: - SMTP_HOST=smtp.gmail.com - SMTP_PORT=587 - SMTP_SECURITY=starttls - [email protected] - SMTP_PASSWORD=your_app_password - [email protected]
Connecting Clients
Bitwarden clients need to be configured to use your self-hosted server:
Browser Extensions:
- Click the gear icon on the login screen
- Enter your Vaultwarden URL in "Self-hosted environment"
- Log in with your credentials
Mobile Apps:
- Tap the gear icon before logging in
- Select "Self-hosted"
- Enter your server URL
Premium Features You Get Free
- TOTP Authentication: Built-in 2FA code generator
- File Attachments: Store secure documents with passwords
- Emergency Access: Grant trusted contacts access
- Vault Health Reports: Identify weak or reused passwords
- Organizations: Share passwords with family members
Backup Strategy
Your password vault is critical data. Implement proper backups:
# Simple backup script #!/bin/bash DATE=$(date +%Y%m%d) BACKUP_DIR=/backups/vaultwarden # Stop container for consistent backup docker stop vaultwarden # Backup the data directory tar -czf $BACKUP_DIR/vaultwarden-$DATE.tar.gz ./data # Restart container docker start vaultwarden # Keep only last 30 days find $BACKUP_DIR -type f -mtime +30 -delete
Also export your vault periodically through the web interface as an additional backup.
Security Hardening
- Disable admin panel after initial setup:
ADMIN_TOKEN= - Enable Fail2ban to prevent brute-force attacks
- Use strong master passwords (30+ characters)
- Enable 2FA for all accounts
- Keep Vaultwarden updated regularly
Password Security, Your Way
With Vaultwarden, you get world-class password management without trusting a third party with your most sensitive data. Your encrypted vault stays on your server, accessible from anywhere but controlled only by you.
