
Self-Hosting Your Password Manager: A Vaultwarden Deep-Dive

Vaultwarden is a self-hosted Bitwarden server that runs on almost nothing. Here's how to set it up, back it up, and actually trust it with your passwords.

Tags: docker, self-hosting, security, vaultwarden

Running your own password manager sounds like the kind of thing that only makes sense if you’re also building your own operating system. It’s not. Vaultwarden takes about 20 minutes to set up, runs on almost nothing, and gives you the full Bitwarden client experience — browser extensions, mobile apps, autofill — with your data on your own server.

The trade-off: you’re responsible for backups and uptime. If you can handle that (and it’s not hard), this is one of the best self-hosting projects you can run.

What Vaultwarden Is

Vaultwarden is an unofficial, open-source implementation of the Bitwarden server API written in Rust. It’s significantly lighter than the official Bitwarden server (which requires multiple services and real resources) and it works with all the official Bitwarden clients — the browser extension, iOS app, Android app, and desktop app all connect to it without modification.

The official Bitwarden cloud charges $10/year for premium features like TOTP. Vaultwarden includes all of those for free, since you’re running the server.

Prerequisites

If you’re using Nginx Proxy Manager or Caddy, HTTPS setup takes 5 minutes. If you don’t have a reverse proxy yet, Caddy is the simplest option for a first setup.

Docker Compose Setup

version: "3.8"

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    volumes:
      - ./vw-data:/data
    environment:
      - DOMAIN=https://vault.yourdomain.com
      - SIGNUPS_ALLOWED=true
      - WEBSOCKET_ENABLED=true
    ports:
      - "8080:80"
      - "3012:3012"

A few notes on the environment variables:

DOMAIN — Set this to your actual domain. Vaultwarden uses this for generating invitation links and emergency access URLs. It has to match what your users will actually type.

SIGNUPS_ALLOWED=true — Set this to true only long enough to create your account. Once you have accounts set up, set it to false and restart. You don’t want open registration on a password manager.

WEBSOCKET_ENABLED=true — Enables real-time sync across devices. Worth having.

Reverse Proxy Configuration (Nginx Proxy Manager)

If you’re using Nginx Proxy Manager:

  1. Create a new proxy host
  2. Domain: vault.yourdomain.com
  3. Forward hostname: vaultwarden
  4. Forward port: 80
  5. Enable “Websockets Support” in the Advanced tab
  6. Request a Let’s Encrypt certificate under the SSL tab

That’s it. Vaultwarden will be available over HTTPS at your domain.

First Login

Navigate to your domain. You’ll see the Bitwarden web vault UI. Create an account using your email — this is your admin account. Then immediately:

  1. Go to https://vault.yourdomain.com/admin — Vaultwarden has an admin panel at this path (set ADMIN_TOKEN in your environment variables to protect it)
  2. Set SIGNUPS_ALLOWED=false in your compose file and restart

In your Bitwarden mobile app or browser extension, go to Settings and change the server URL to your domain before logging in.

Backups — This Is the Important Part

Your Vaultwarden data lives in ./vw-data/db.sqlite3. That’s the whole database. If you lose it, you lose your passwords.

Back this up. Every day. To somewhere off the server.

A simple cron-based approach:

# Run daily at 2am (a literal % must be escaped as \% inside a crontab entry)
0 2 * * * cp /path/to/vw-data/db.sqlite3 /path/to/backups/vaultwarden-$(date +\%Y\%m\%d).sqlite3

# Keep 30 days of backups
0 3 * * * find /path/to/backups -name "vaultwarden-*.sqlite3" -mtime +30 -delete

Better: copy those backups to a second location — a different machine, a cloud storage bucket via rclone, or an external drive. The database file is small (usually under a few MB) and compresses well.

Bitwarden also has a built-in export feature in the web vault. Periodically export an encrypted backup and store it somewhere safe — encrypted export includes your vault data in a format you can import anywhere.
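A plain cp of db.sqlite3 can capture a half-written state if Vaultwarden commits during the copy. As an added example (not code from the original article or from the Vaultwarden project), this Python script takes the snapshot through SQLite's online backup API, verifies it with PRAGMA integrity_check, and applies the same 30-day retention as the cron job above. The function names and the .partial suffix are assumptions of this example, and the paths are the article's placeholders.

```python
import sqlite3
import time
from pathlib import Path


def snapshot(src: Path, backup_dir: Path, stamp: str) -> Path:
    """Take a consistent, verified copy of a live SQLite database."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    dst = backup_dir / f"vaultwarden-{stamp}.sqlite3"
    # Write under a temporary name so a failed run never looks like a good backup.
    tmp = dst.with_name(dst.name + ".partial")
    tmp.unlink(missing_ok=True)
    # mode=ro: a wrong source path raises instead of creating an empty database.
    source = sqlite3.connect(src.resolve().as_uri() + "?mode=ro", uri=True)
    target = sqlite3.connect(tmp)
    try:
        # The online backup API copies a transactionally consistent snapshot
        # even if the server commits while the copy is running.
        source.backup(target)
        verdict = target.execute("PRAGMA integrity_check").fetchone()[0]
    finally:
        source.close()
        target.close()
    if verdict != "ok":
        tmp.unlink()
        raise RuntimeError(f"snapshot failed integrity check: {verdict}")
    tmp.replace(dst)
    return dst


def prune(backup_dir: Path, keep_days: int = 30, now=None) -> list:
    """Delete snapshots older than keep_days and return the removed paths."""
    cutoff = (time.time() if now is None else now) - keep_days * 86400
    removed = []
    for path in sorted(backup_dir.glob("vaultwarden-*.sqlite3")):
        if path.stat().st_mtime < cutoff:
            path.unlink()
            removed.append(path)
    return removed


if __name__ == "__main__":
    # Placeholder paths, matching the cron example in the article.
    backups = Path("/path/to/backups")
    made = snapshot(Path("/path/to/vw-data/db.sqlite3"), backups, time.strftime("%Y%m%d"))
    print(f"wrote {made}, pruned {len(prune(backups))} old snapshot(s)")
```

Run it from cron in place of the cp line; a non-zero exit means the snapshot was not written, which is worth alerting on.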

Enabling TOTP (Two-Factor Authentication)

In the web vault, go to Account Settings > Security > Two-step Login. You can enable TOTP-based 2FA — scan the QR code with an authenticator app. Do this before you move your passwords in.

You can also use Bitwarden as your TOTP generator. Premium features (which are free on Vaultwarden) let you store TOTP seeds alongside login credentials. Some people find this convenient; others prefer a separate authenticator app for security segmentation.

Mobile and Desktop Clients

Download the official Bitwarden apps from the App Store, Google Play, or your desktop package manager. On the login screen, tap the region selector and choose “Self-hosted.” Enter your domain URL, then log in with your account credentials.

The browser extension works the same way — look for the server region setting in the extension’s settings panel.

What You’re Actually Getting

Switching from a paid password manager to Vaultwarden means:

What you’re giving up: the commercial support and uptime guarantees that come with a paid service. If your server goes down, you don’t have access to your vault. This is why backups and reliable uptime matter — keep your server running on a UPS if password access is critical infrastructure for you.

For most homelab users, Vaultwarden is one of those self-hosting projects where the trade-off is obviously worth it. It’s lightweight, the clients are polished, and you stop paying $10/year for something you can run yourself on hardware you already own.