
Vaultwarden (Bitwarden) Setup on Docker

Self-host your own Bitwarden-compatible password manager with Vaultwarden on Docker. Full setup with HTTPS, mobile access, and backups.

Budget Homelab · docker, security, self-hosting

Vaultwarden is a lightweight, self-hosted Bitwarden-compatible server. You get the full Bitwarden ecosystem — browser extensions, mobile apps, desktop clients — pointing at your own server instead of Bitwarden’s cloud. Your passwords never leave your network.

The official Bitwarden server is open source but resource-heavy. Vaultwarden is a community-built compatible implementation that runs in about 10MB of RAM. For personal and family use, it’s the right choice.

This guide assumes Docker and Docker Compose are already installed. You also need a domain name and a working reverse proxy for HTTPS — Bitwarden clients require HTTPS to function. If you’re not there yet, start with Nginx Proxy Manager and Tailscale.

Why HTTPS Is Required

Bitwarden clients (browser extensions, mobile apps) refuse to connect to a server over plain HTTP. This is intentional — you don’t want your vault traffic unencrypted. HTTPS is not optional.

Two paths:

  1. Tailscale + local HTTPS — use your Tailscale domain with MagicDNS. Simple, works on all your devices.
  2. Public domain + Nginx Proxy Manager — use a real domain and Let’s Encrypt cert. Necessary if family members outside your tailnet need access.

This guide covers the Docker setup. Plug in whichever HTTPS method you’re using.

Directory Setup

mkdir -p /opt/vaultwarden/data

Docker Compose

Create /opt/vaultwarden/docker-compose.yml:

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    volumes:
      - /opt/vaultwarden/data:/data
    environment:
      - DOMAIN=https://vault.yourdomain.com
      - SIGNUPS_ALLOWED=true
      - ADMIN_TOKEN=
    ports:
      - "8080:80"
    restart: unless-stopped

DOMAIN — Set this to the HTTPS URL where you’ll access Vaultwarden. Must match the URL clients use to connect.

SIGNUPS_ALLOWED=true — Allows anyone who reaches your server to create an account. Once you’ve created your account (and any family accounts), set this to false and redeploy. You don’t want an open registration endpoint sitting around.

ADMIN_TOKEN — The admin panel password. Generate a strong random string and put it here. Access the admin panel at /admin. Leave it empty to disable the admin panel entirely (fine for simple setups).

Generate a token:

openssl rand -base64 48

Start Vaultwarden

cd /opt/vaultwarden
docker compose up -d

Vaultwarden starts in a few seconds and serves plain HTTP on host port 8080. Set up your reverse proxy to terminate HTTPS for your domain and forward the traffic to port 8080.

Configure Your Reverse Proxy

In Nginx Proxy Manager, add a new proxy host:

That’s it. Vaultwarden will be reachable at https://vault.yourdomain.com.

Create Your Account

Open https://vault.yourdomain.com in a browser. Click Create Account. Use a strong master password — this is the one password that protects everything else. Write it down and store it somewhere physically safe. If you lose it, your vault is gone.

After creating the account, open the admin panel at https://vault.yourdomain.com/admin and sign in with your ADMIN_TOKEN (the panel is disabled if you left the token empty). You can verify there that your users are registered.

Once you’ve created all the accounts you need, update your compose file:

      - SIGNUPS_ALLOWED=false

Then redeploy:

docker compose up -d
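
To confirm the redeployed file matches the settings discussed in the Docker Compose section, here is an added example (not part of the original guide or of Vaultwarden) that audits a compose file. It checks for open signups, a non-HTTPS DOMAIN, an ADMIN_TOKEN stored in a world-readable file, a port published on all interfaces, and a :latest image tag. The function names and the last three checks are assumptions of this example, and it expects the list-style "- KEY=value" environment syntax used above.

```shell
#!/bin/sh
# Added example: audit a Vaultwarden compose file for the settings this guide discusses.
# Usage: sh audit-compose.sh /opt/vaultwarden/docker-compose.yml
# Assumes the list-style "- KEY=value" environment syntax used in the guide.

AUDIT_FINDINGS=0
_flag() { printf 'FINDING: %s\n' "$1"; AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1)); }

# Print the value of KEY from a "- KEY=value" entry (empty if absent or blank).
_env() {
    sed -n "s/^[[:space:]]*-[[:space:]]*[\"']\{0,1\}$2=\([^\"']*\).*/\1/p" "$1" | head -n 1
}

audit_compose() {
    f=$1
    AUDIT_FINDINGS=0
    # Vaultwarden allows signups unless this is explicitly false.
    [ "$(_env "$f" SIGNUPS_ALLOWED)" = "false" ] ||
        _flag "SIGNUPS_ALLOWED is not false: anyone who reaches the server can register"
    # Clients only talk HTTPS, and DOMAIN must match the URL they use.
    case "$(_env "$f" DOMAIN)" in
        https://*) ;;
        *) _flag "DOMAIN is not an https:// URL" ;;
    esac
    # A non-empty ADMIN_TOKEN is the /admin password, so the file must not be world-readable.
    if [ -n "$(_env "$f" ADMIN_TOKEN)" ] && [ -n "$(find "$f" -perm -004)" ]; then
        _flag "ADMIN_TOKEN is set in a world-readable file (chmod 600 it)"
    fi
    # "8080:80" publishes on every interface; "127.0.0.1:8080:80" does not.
    if grep -Eq '^[[:space:]]*-[[:space:]]*"?[0-9]+:[0-9]+"?[[:space:]]*$' "$f"; then
        _flag "port published on all interfaces: plain HTTP is reachable without the proxy"
    fi
    # With :latest, "docker compose pull" upgrades before you have read the release notes.
    if grep -Eq '^[[:space:]]*image:.*:latest[[:space:]]*$' "$f"; then
        _flag "image uses :latest rather than a release tag"
    fi
    [ "$AUDIT_FINDINGS" -eq 0 ]   # exit status 0 only when the file is clean
}

if [ "$#" -ge 1 ]; then audit_compose "$1"; fi
```

If the reverse proxy runs in its own container, a loopback-only port binding will not be reachable from it; in that case restrict the port with a firewall or a shared Docker network instead.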

Browser Extension Setup

Install the Bitwarden browser extension (Firefox, Chrome, Edge — all supported). Click the extension icon, then the gear/settings icon. Under Self-hosted environment, enter your server URL: https://vault.yourdomain.com.

Log in with your email and master password. The extension will sync your vault from your server.

Mobile App Setup

Same process on mobile. Install the Bitwarden app (iOS or Android — free). Tap the region selector on the login screen and choose Self-hosted. Enter your server URL.

On iOS, you can enable Bitwarden as an autofill provider under Settings > Passwords > AutoFill Passwords. On Android, it integrates with the autofill service.

Emergency Access

Vaultwarden supports Bitwarden’s Emergency Access feature — you can designate a trusted contact who can request access to your vault in an emergency. This is worth setting up if you’re the only person in your household managing passwords.

Go to Settings > Emergency Access in the web vault.

Backups

Back up /opt/vaultwarden/data. This directory contains your entire vault — all passwords, attachments, and organizational data.

tar -czf /backup/vaultwarden-$(date +%Y%m%d).tar.gz /opt/vaultwarden/data

Run this daily. The data directory is small (usually under 100MB unless you’re storing a lot of attachments), so daily backups are cheap. Keep at least two weeks of backups in case you don’t notice a problem immediately.

The vault is encrypted client-side before it ever reaches your server — Vaultwarden stores encrypted blobs, not plaintext passwords. Even if someone got your backup file, they’d need your master password to decrypt it. That said, treat the backup as sensitive and store it somewhere access-controlled.
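
A daily job that follows the advice above, as an added example rather than the guide's own script: it writes the archive with owner-only permissions, verifies that it can be read back, and prunes archives older than the retention window. It assumes Vaultwarden's default SQLite backend and, when the sqlite3 CLI is installed on the host, snapshots db.sqlite3 through SQLite's online backup instead of copying the live file; the function name and script name are illustrative.

```shell
#!/bin/sh
# Added example (not from the guide): daily Vaultwarden backup, owner-only, verified, pruned.
# Usage: sh vw-backup.sh /opt/vaultwarden/data /backup 14

backup_vaultwarden() {
    src=$1; dest=$2; keep_days=${3:-14}
    [ -d "$src" ] || { echo "no data directory: $src" >&2; return 1; }
    old_umask=$(umask)
    umask 077                                  # staging copy and archive: owner-only
    mkdir -p "$dest"
    stage=$(mktemp -d) && cp -Rp "$src" "$stage/data" || { umask "$old_umask"; return 1; }
    status=0
    # Assumption: default SQLite backend. A file copy of a live database can catch a
    # half-written state, so swap in a snapshot taken through SQLite's online backup.
    if [ -f "$src/db.sqlite3" ] && command -v sqlite3 >/dev/null 2>&1; then
        rm -f "$stage"/data/db.sqlite3*
        sqlite3 "$src/db.sqlite3" ".backup '$stage/data/db.sqlite3'" || status=1
    fi
    out="$dest/vaultwarden-$(date +%Y%m%d).tar.gz"
    # Write to a temp name, list the archive to prove it is readable, then publish it.
    if [ "$status" -eq 0 ] && tar -czf "$out.tmp" -C "$stage" data &&
       tar -tzf "$out.tmp" >/dev/null; then
        mv "$out.tmp" "$out"
    else
        status=1
    fi
    rm -rf "$stage" "$out.tmp"
    umask "$old_umask"
    [ "$status" -eq 0 ] || return 1
    # Prune archives older than the retention window (the guide suggests two weeks).
    find "$dest" -type f -name 'vaultwarden-*.tar.gz' -mtime +"$keep_days" -exec rm -f {} +
    printf '%s\n' "$out"
}

if [ "$#" -ge 2 ]; then backup_vaultwarden "$@"; fi
```

The function prints the path of the new archive on success and returns non-zero without publishing anything if the snapshot or the verification step fails, so a cron wrapper can alert on the exit status.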

Two-Factor Authentication

Enable 2FA on your Vaultwarden account. Go to Settings > Two-step Login. TOTP (authenticator app) is the easiest option — use Bitwarden itself to store the TOTP secret (yes, storing your vault’s 2FA inside your vault is fine for most setups; if you’re paranoid, use a separate authenticator app).

Updating

cd /opt/vaultwarden
docker compose pull
docker compose up -d

Check the Vaultwarden releases page before updating. Updates are generally safe but occasionally have migration notes worth reading.

What About Bitwarden’s Paid Features?

Vaultwarden implements most of Bitwarden’s premium features for free — TOTP storage, file attachments, emergency access, organization features. The main thing you lose is Bitwarden’s official support and the hardware key (FIDO2/WebAuthn) support, which requires the official server. For personal and family use, Vaultwarden covers everything.