How to Self-Host Vaultwarden: The Ultimate Bitwarden Alternative
Complete guide to self-hosting Vaultwarden, a lightweight Bitwarden server. Set up your own password manager with Docker in under 30 minutes.
If you’re tired of paying $40/year for Bitwarden Premium or worried about trusting a third party with your passwords, self-hosting Vaultwarden is the perfect solution. Vaultwarden (formerly Bitwarden_RS) is a lightweight, unofficial Bitwarden server implementation written in Rust that’s perfect for personal use.
In this guide, you’ll learn how to deploy Vaultwarden on your own server with Docker, secure it with SSL, and connect all your devices. No prior Docker experience required — we’ll walk through everything step by step.
Why Self-Host Vaultwarden?
Before we dive into the technical setup, let’s talk about why you’d want to self-host your password manager:
Cost savings: Bitwarden Premium costs $10/year (or $40/year for families). While that’s affordable, self-hosting is essentially free after your VPS costs — which you might already be paying for other services.
Privacy & control: Your passwords never leave your server. You’re not trusting a third party to secure your most sensitive data. Even though Bitwarden uses end-to-end encryption, having complete control is reassuring.
Premium features for free: Vaultwarden includes all premium features like TOTP authentication, emergency access, file attachments, and password health reports — without paying anything.
Learning opportunity: Setting up Vaultwarden teaches you Docker, reverse proxies, SSL certificates, and general server administration, skills that transfer to other self-hosting projects.
Faster sync: With your server nearby (or on your local network), password sync can be faster than routing through Bitwarden’s cloud servers.
What You’ll Need
Before starting, gather these requirements:
- A VPS or server: Minimum 512MB RAM (1GB recommended). Vaultwarden is incredibly lightweight — it typically uses under 50MB of RAM. Any provider works, but Hetzner (€4.15/month for 2GB RAM) or DigitalOcean ($6/month for 1GB) are excellent choices for beginners.
- A domain name: You’ll need a domain pointing to your server (e.g., vault.yourdomain.com). SSL is mandatory for Bitwarden clients to work properly.
- SSH access: You should be comfortable connecting to your server via SSH.
- Docker installed: We’ll show you how to install it if you haven’t already.
Security note: Because you’re hosting passwords, security is critical. Make sure your server is hardened with SSH keys, firewall rules, and automatic updates. Check our VPS hardening guide if you haven’t done this yet.
Step 1: Prepare Your Server
First, connect to your server via SSH:
ssh root@your-server-ip
Install Docker
If you don’t have Docker installed yet, here’s the quick installation:
# Update package list
apt update
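# Install prerequisites
apt install -y ca-certificates curl
# Add Docker's official GPG key to a dedicated keyring (apt-key is deprecated and trusts the key for every repository)
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
chmod a+r /etc/apt/keyrings/docker.asc
# Add the Docker repository, trusting only that key for it
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" > /etc/apt/sources.list.d/docker.list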
# Install Docker
apt update
apt install -y docker-ce docker-ce-cli containerd.io
# Install Docker Compose
apt install -y docker-compose-plugin
# Verify installation
docker --version
docker compose version
Create a Directory for Vaultwarden
Organize your Docker projects in a dedicated directory:
mkdir -p /opt/vaultwarden
cd /opt/vaultwarden
Step 2: Configure DNS
Before deploying Vaultwarden, set up your domain’s DNS:
- Log in to your domain registrar or DNS provider
- Create an A record pointing to your server’s IP address
- Example: vault.yourdomain.com → 123.45.67.89
Wait 5-10 minutes for DNS propagation. You can verify it’s working:
dig vault.yourdomain.com +short
# Should return your server IP
Step 3: Set Up Vaultwarden with Docker Compose
Create a docker-compose.yml file:
nano docker-compose.yml
Paste this configuration:
version: '3.8'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      - DOMAIN=https://vault.yourdomain.com # Change this!
      - SIGNUPS_ALLOWED=true # Set to false after creating your account
      - INVITATIONS_ALLOWED=true
      - SHOW_PASSWORD_HINT=false
      - SMTP_HOST=smtp.gmail.com
      - SMTP_FROM=vaultwarden@yourdomain.com # Placeholder sender address
      - SMTP_PORT=587
      - SMTP_SECURITY=starttls
      - SMTP_USERNAME=your-email@gmail.com # Placeholder SMTP login
      - SMTP_PASSWORD=your-app-password # Use app-specific password
      - LOG_LEVEL=info
      - LOG_FILE=/data/vaultwarden.log # Ends up in ./vw-data; read by the Fail2Ban jail in Step 8
    volumes:
      - ./vw-data:/data
    ports:
      # Loopback only: Docker-published ports are not filtered by UFW,
      # and Caddy reaches Vaultwarden over the Compose network anyway
      - "127.0.0.1:8080:80"
  caddy:
    image: caddy:latest
    container_name: caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./caddy-data:/data
      - ./caddy-config:/config
networks:
  default:
    name: vaultwarden-network
Important configuration notes:
- DOMAIN: Must match your DNS record exactly, including https://
- SIGNUPS_ALLOWED: Set to true initially so you can create your account. Change to false after signing up to prevent unauthorized accounts.
- SMTP settings: Optional but recommended for password reset emails. You can skip this initially and add it later.
Create the Caddyfile
Caddy will handle SSL certificates automatically via Let’s Encrypt:
nano Caddyfile
Paste this:
vault.yourdomain.com {
    reverse_proxy vaultwarden:80 {
        # Pass the client address so Vaultwarden logs it instead of Caddy's container IP
        header_up X-Real-IP {remote_host}
    }
    encode gzip
    # Security headers
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        Referrer-Policy "same-origin"
    }
}
Change vault.yourdomain.com to your actual domain.
Step 4: Launch Vaultwarden
Start everything with Docker Compose:
docker compose up -d
Check that containers are running:
docker compose ps
You should see both vaultwarden and caddy with status Up.
View logs to ensure everything started correctly:
# Vaultwarden logs
docker compose logs vaultwarden
# Caddy logs (SSL certificate generation)
docker compose logs caddy
Caddy will automatically obtain an SSL certificate from Let’s Encrypt. This usually takes 10-30 seconds.
Step 5: Create Your Account
- Open your browser and navigate to https://vault.yourdomain.com
- You should see the Vaultwarden login page
- Click Create Account
- Enter your email and a strong master password (this is the only password you’ll need to remember — make it strong!)
- Log in with your new credentials
Critical security step: After creating your account, immediately disable public signups:
nano docker-compose.yml
# Change: SIGNUPS_ALLOWED=true
# To: SIGNUPS_ALLOWED=false
Restart Vaultwarden:
docker compose down
docker compose up -d
Step 6: Connect Your Devices
Now that your Vaultwarden server is running, connect your devices.
Browser Extensions
- Install the Bitwarden extension for your browser (Chrome/Edge, Firefox, Safari)
- Before logging in, click the Settings icon (⚙️) at the top
- Enter your server URL: https://vault.yourdomain.com
- Click Save
- Now log in with your email and master password
Mobile Apps
iOS:
- Install Bitwarden from the App Store
- Tap the Settings icon before logging in
- Enter your server URL: https://vault.yourdomain.com
- Log in
Android:
- Install Bitwarden from Google Play
- Tap the gear icon at the login screen
- Enter your server URL: https://vault.yourdomain.com
- Log in
Desktop Apps
Download the Bitwarden desktop app for your OS.
Before logging in, go to File → Settings (or Preferences) and set your server URL.
Step 7: Import Your Existing Passwords
If you’re migrating from another password manager:
- Export your passwords from your old manager (usually as CSV)
- Log in to your Vaultwarden web vault
- Go to Tools → Import Data
- Select your source format
- Upload your CSV file
- Click Import Data
Supported import formats include LastPass, 1Password, Dashlane, Chrome, Firefox, and many others.
Step 8: Security Hardening
Now that Vaultwarden is running, let’s add extra security layers.
Enable Two-Factor Authentication (2FA)
- Log in to your web vault
- Go to Settings → Two-step Login
- Choose a 2FA method:
  - Authenticator app (recommended): Use Authy, Google Authenticator, or similar
  - Email: Requires SMTP configuration
  - YubiKey: If you have a hardware security key
Set up at least one 2FA method and save your recovery code securely.
Set Up Automatic Backups
Your Vaultwarden data lives in /opt/vaultwarden/vw-data. Back it up regularly:
# Create a backup script
nano /opt/vaultwarden/backup.sh
Paste this:
#!/bin/bash
set -euo pipefail
umask 077 # Archives hold the vault database: readable by root only
BACKUP_DIR="/opt/backups/vaultwarden"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
mkdir -p "$BACKUP_DIR"
# Stop Vaultwarden temporarily to ensure consistent backup
cd /opt/vaultwarden
docker compose stop vaultwarden
# Restart Vaultwarden when the script exits, even if the backup fails
trap 'docker compose start vaultwarden' EXIT
# Create backup
tar -czf "$BACKUP_DIR/vaultwarden_$TIMESTAMP.tar.gz" vw-data/
# Keep only last 30 days of backups
find "$BACKUP_DIR" -name "vaultwarden_*.tar.gz" -mtime +30 -delete
echo "Backup completed: vaultwarden_$TIMESTAMP.tar.gz"
Make it executable:
chmod +x /opt/vaultwarden/backup.sh
Schedule daily backups with cron:
crontab -e
Add this line (runs daily at 3 AM):
0 3 * * * /opt/vaultwarden/backup.sh >> /var/log/vaultwarden-backup.log 2>&1
Configure Firewall
Ensure only necessary ports are open:
# Install UFW if not present
apt install -y ufw
# Allow SSH (be careful not to lock yourself out!)
ufw allow 22/tcp
# Allow HTTP/HTTPS
ufw allow 80/tcp
ufw allow 443/tcp
# Enable firewall
ufw enable
# Check status
ufw status
Fail2Ban Protection
Protect against brute-force attacks:
apt install -y fail2ban
# Create a filter for Vaultwarden
nano /etc/fail2ban/filter.d/vaultwarden.conf
Paste:
[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <HOST>\. Username:.*$
ignoreregex =
Create a jail:
nano /etc/fail2ban/jail.d/vaultwarden.local
Paste:
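[vaultwarden]
enabled = true
port = 80,443
filter = vaultwarden
# Caddy and Vaultwarden run in Docker, so the ban must apply to forwarded
# traffic (FORWARD chain) rather than the host's INPUT chain
action = iptables-allports[name=vaultwarden, chain=FORWARD]
logpath = /opt/vaultwarden/vw-data/vaultwarden.log
maxretry = 3
bantime = 86400
findtime = 600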
Restart Fail2Ban:
systemctl restart fail2ban
systemctl status fail2ban
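The jail's threshold can be checked offline before relying on it. The script below is an added example, not part of the original guide: it replays log lines through the same failure message, maxretry and findtime as the jail above, lists the addresses that would be banned, and flags private addresses, which mean the proxy's IP is being logged instead of the client's. The log line layout and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: replay log lines through the jail's maxretry/findtime rule.
sample_log() {  # constructed lines; the layout is an assumed Vaultwarden log format
  fail='][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP:'
  cat <<EOF
[2024-05-01 03:09:00.000][vaultwarden::api::identity][INFO] Login ok. IP: 203.0.113.9
[2024-05-01 03:10:01.101$fail 203.0.113.7. Username: a@example.com.
[2024-05-01 03:10:09.550$fail 203.0.113.7. Username: a@example.com.
[2024-05-01 03:10:15.002$fail 203.0.113.7. Username: a@example.com.
[2024-05-01 08:00:00.000$fail 198.51.100.20. Username: b@example.com.
[2024-05-01 08:20:00.000$fail 198.51.100.20. Username: b@example.com.
[2024-05-01 08:40:00.000$fail 198.51.100.20. Username: b@example.com.
[2024-05-01 09:00:01.000$fail 172.18.0.3. Username: c@example.com.
[2024-05-01 09:00:02.000$fail 172.18.0.3. Username: c@example.com.
[2024-05-01 09:00:03.000$fail 172.18.0.3. Username: c@example.com.
EOF
}

would_ban() {  # stdin: log; $1 = maxretry, $2 = findtime (s); prints each IP once it hits the threshold
  awk -v maxretry="${1:-3}" -v findtime="${2:-600}" '
    function secs(d, t,   a, y, m, days) {  # monotonic seconds; only differences matter
      split(d, a, "-"); y = a[1] + 0; m = a[2] + 0; days = a[3] + 0
      if (m <= 2) { y--; m += 12 }
      days += 365 * y + int(y / 4) - int(y / 100) + int(y / 400) + int((153 * (m - 3) + 2) / 5)
      split(t, a, ":")
      return days * 86400 + a[1] * 3600 + a[2] * 60 + int(a[3])
    }
    /Username or password is incorrect\. Try again\. IP: / {
      now = secs(substr($0, 2, 10), substr($0, 13, 8))
      rest = substr($0, index($0, "IP: ") + 4)
      ip = substr(rest, 1, index(rest, ". Username:") - 1)
      n[ip]++; seen[ip, n[ip]] = now
      if (!(ip in first)) first[ip] = 1
      while (now - seen[ip, first[ip]] > findtime) first[ip]++   # expire failures older than findtime
      if (n[ip] - first[ip] + 1 >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

report() {  # a private address here means the proxy IP, not the client IP, is being logged
  would_ban "$@" | while read -r ip; do
    case "$ip" in
      10.*|127.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo "MISCONFIG $ip" ;;
      *) echo "BAN $ip" ;;
    esac
  done
}

sample_log | report 3 600
```

On the server itself, `fail2ban-regex /opt/vaultwarden/vw-data/vaultwarden.log /etc/fail2ban/filter.d/vaultwarden.conf` tests the installed filter against the real log.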
Step 9: Maintenance and Updates
Vaultwarden is low-maintenance, but you should update periodically.
Update Vaultwarden
cd /opt/vaultwarden
# Pull latest image
docker compose pull
# Restart with new image
docker compose down
docker compose up -d
# Check logs
docker compose logs -f
Monitor Resource Usage
Check how much RAM/CPU Vaultwarden uses:
docker stats vaultwarden
You’ll typically see under 50MB RAM usage — impressively efficient!
Check Logs
If you encounter issues:
# Recent logs
docker compose logs --tail=50 vaultwarden
# Follow live logs
docker compose logs -f vaultwarden
Troubleshooting Common Issues
“Invalid SSL certificate” errors
Solution: Check that your DNS is correctly configured and that Caddy obtained an SSL certificate. View Caddy logs:
docker compose logs caddy | grep -i certificate
If Caddy couldn’t get a certificate, ensure:
- DNS A record points to your server
- Ports 80 and 443 are accessible (firewall rules)
- Your domain is correctly spelled in the Caddyfile
Can’t log in from mobile/browser extension
Solution: Ensure you entered your server URL in the app settings before logging in. The URL must exactly match your DOMAIN environment variable.
Email invitations not working
Solution: Check your SMTP configuration. Test with:
docker compose logs vaultwarden | grep -i smtp
For Gmail, use an app-specific password instead of your regular password.
Forgot master password
Unfortunately, if you forget your master password, your data is unrecoverable. This is by design — end-to-end encryption means nobody (not even you) can decrypt your vault without the master password.
Prevention:
- Write down your master password in a safe physical location
- Set up password hints (though disable showing hints publicly)
- Configure emergency access for a trusted contact
Advanced: Enable Admin Panel
Vaultwarden includes an admin panel for server management. Enable it by generating an admin token:
# Generate a secure random token
openssl rand -base64 48
Add it to your docker-compose.yml under environment variables:
- ADMIN_TOKEN=your-generated-token-here
Restart Vaultwarden:
docker compose down && docker compose up -d
Access the admin panel at https://vault.yourdomain.com/admin using your admin token.
From here you can:
- View registered users
- Delete user accounts
- Disable user accounts temporarily
- View server diagnostics
- Configure additional settings
Security warning: Keep your admin token extremely secure. Anyone with this token has complete control over your Vaultwarden server.
Cost Analysis: Self-Hosting vs. Cloud
Let’s compare costs:
Bitwarden Premium:
- Individual: $10/year
- Family (6 users): $40/year
Self-Hosted Vaultwarden:
- VPS (Hetzner CX11): €4.15/month = €49.80/year (~$54/year)
- Domain name: ~$12/year
- Total: ~$66/year
At first glance, Bitwarden Premium seems cheaper. However:
- You can use your VPS for other services too (Nextcloud, Immich, etc.), spreading the cost
- You get all premium features for unlimited users
- Complete privacy and control
- Learning experience has value
- Family plan comparison: Self-hosting saves money vs. $40/year for only 6 users
If you’re already self-hosting other services, the marginal cost of adding Vaultwarden is essentially zero (just a few MB of RAM).
Conclusion
You now have a fully functional, self-hosted password manager with all premium features. Your passwords are encrypted, stored on your own server, and synchronized across all your devices.
Key takeaways:
- Vaultwarden is remarkably lightweight and stable
- Maintenance is minimal (update every few months)
- Backups are critical — automate them
- Security hardening (2FA, Fail2Ban, firewall) is non-negotiable for a password manager
Next steps:
- Import all your passwords from your old password manager
- Set up 2FA on your Vaultwarden account
- Install Bitwarden on all your devices
- Share your Vaultwarden server with family members (if desired)
- Explore other self-hosted apps to run alongside Vaultwarden
Have questions or run into issues? Drop a comment below or join our Discord community where we discuss all things self-hosting.