🚀 Why is Vaultwarden the perfect solution for self-hosting? I can tell you.
Are you looking for a secure and resource-saving password manager? Then Vaultwarden is just right for you. Vaultwarden is an unofficial, lean server implementation of Bitwarden - ideal for your own server or NAS. You retain full data control, require little hardware power and can use all official Bitwarden apps and browser extensions.
For detailed instructions and explanations of all configuration options, I recommend watching the YouTube video linked below. This video goes into detail about each individual setting, providing you with comprehensive instructions on how to set everything up correctly. Any code from the video can be found in this article, so you can use it directly without having to type it out.
This blog post, including the video, is part of a series in which we build and set up our own home server. We start with the basics, such as installing an Ubuntu VM with Docker, and then move on to configuring our own domain, security measures, and, above all, lots of cool and useful self-hosted services. Whether it's media servers like Plex or Jellyfin or document management like Paperless-NGX, we'll work together to build the setup you want to see. We'll even tackle topics like single sign-on (SSO) together.
What is Bitwarden? - short & understandable
Bitwarden is a widely used password manager that works as an open source project and offers apps/extensions for browsers, desktops and mobile devices. It stores your passwords end-to-end encrypted (zero-knowledge), meaning that only you can see your data in plain text. Bitwarden offers both a hosted cloud version and the option of self-hosting.
What is Vaultwarden? - the lean self-host alternative
Vaultwarden is an unofficial, lightweight server implementation of the Bitwarden API, written in Rust. The aim is to provide the same client compatibility as Bitwarden (i.e. the official Bitwarden apps and browser extensions), but to run much more resource-efficiently - perfect for Raspberry Pi, NAS or small VPS. Vaultwarden is open source and very popular with self-hosters.

Vaultwarden has all the functions you would expect from a modern password manager - and more. You can link logins exactly to domains, so that autofill only becomes active on the correct web pages and does not randomly fill in fields. Passkeys (FIDO2/WebAuthn) are supported, so you can log in to compatible websites without a classic password - more secure and future-proof. Vaultwarden also stores TOTP codes (2FA) directly in the entry, so you don't need a separate authenticator app.
In addition to passwords, you can also store secure notes, credit card details and identity information (name, address, telephone number, form autofill) and have them filled in automatically by the browser extension. You can set up organizations and shared vaults for families or teams and assign fine-grained permissions. For power users there are hotkeys, offline access via browser caches and the desktop app, and Emergency Access, where trusted contacts can request access if you are unavailable.
Via the Bitwarden CLI you can even integrate Vaultwarden into scripts, deployment processes or secrets management for developers. In combination with browser extensions, mobile app, desktop client and API, this opens up an extremely flexible ecosystem - completely self-managed, open source and under your control.
What can Bitwarden and Vaultwarden do?
- Password management (logins, secure notes, credit cards, identities)
- Password generator and autofill in the browser
- Organization vaults (Collections / Organizations)
- TOTP (2-factor codes) within the vault
- CLI access and integration in automations
- Full compatibility with Bitwarden clients (for Vaultwarden)
🆚 Vaultwarden vs. Bitwarden - What's the difference?
| Feature | Bitwarden (official) | Vaultwarden (self-hosted) |
|---|---|---|
| Resource requirements | Higher (C#/SQL Server) | Extremely low (Rust/SQLite) |
| Installation | More complex | Fast via Docker |
| Costs | Cloud version for a fee | Completely free of charge with self-hosting |
| Apps & Extensions | Fully compatible | Fully compatible (browser, Android, iOS, desktop) |
| Control over data | Server is located at Bitwarden | 100% under your own control |
Vaultwarden shines above all through its efficiency: even a small Raspberry Pi is completely sufficient for operation.
Why self-hosting (Vaultwarden) instead of a cloud password manager?
Short answer: Control, data protection, costs and flexibility.
More detailed:
- High level of data control: With self-hosting, the encrypted data is stored on your server - no third-party provider has physical access to the backups or the infrastructure.
- Costs: Vaultwarden is free of charge; only hosting costs are incurred (e.g. electricity or VPS).
- Resources: Vaultwarden runs lightweight - even on weaker hardware.
- Independence: You can manage backups, access controls and updates yourself - ideal for security-conscious individuals and small teams.
- Transparency: Open source code means community audits are possible (even if self-hosting does not automatically mean "more secure" - you are responsible).
Important: Self-hosting also means more responsibility - you have to ensure updates, backups, HTTPS and access protection yourself.
What the difference to cloud services (e.g. LastPass, 1Password) means in practice
Cloud providers offer convenience: automatic backups, managed infrastructure, support. The disadvantage is the concentration of risk: if a large provider is hacked or makes mistakes, many users can be affected. Even if the data is encrypted, additional risks arise from stolen backups, stolen keys or other secondary channels - as well as transparency and compliance issues. Self-hosting shifts some of these risks, but introduces others (e.g. misconfiguration).
The LastPass data leak case (compact)
LastPass reported several security incidents in 2022/2023, which together led to a major loss of trust. The core timeline:
- August - October 2022: First compromising activities - attackers gained access to certain development environments and internal data via an employee laptop.
- December 2022 - March 2023: LastPass reported further findings: Attackers had reached archived backups in a third-party cloud storage and extracted encrypted password data. LastPass published several updates with recommended measures for users.
In short, the attackers combined targeted compromise (e.g. of an employee system) with the theft of backups. LastPass emphasized that many records were encrypted, but the incidents showed the danger of centrally storing sensitive data and the risks that arise if attackers gain access to certain internal resources. For a detailed timeline and analysis, an independent overview from the specialist press (e.g. Cybersecurity Dive) is also recommended.
What you should learn from it (practical):
- Use strong master passwords and MFA.
- Export and secure your data locally (encrypted).
- Don't blindly trust a central cloud - consider self-hosting if you want to take responsibility.
Vaultwarden security - how secure is it really?
Good news: Vaultwarden uses the same encryption model as the Bitwarden clients - encryption takes place on the client side. This means that your plain text data never leaves your device; only encrypted blobs are stored on the server. Nevertheless:
- Server security: If your server is configured incorrectly (no HTTPS, open ports, outdated software), the risk increases.
- Backups: Automate your backups and store them encrypted.
- Updates: Keep Vaultwarden and the host system up to date.
- Access control: Limit admin access and use strong SSH/MFA for server access.
In short: Vaultwarden is a solid self-hosting tool - but your security depends on your infrastructure hygiene.
Installing Vaultwarden with Docker - step by step
Here are detailed, practical instructions so that you can get started right away. You can find more tips, features and ideas on the official Vaultwarden Wiki.
Requirements
- A server / VPS / NAS or Raspberry Pi with Linux (Debian/Ubuntu recommended)
- Docker & Docker Compose installed
- Domain (recommended) or at least static IP
- Basic shell knowledge
Docker Compose file (docker-compose.yml)
Save the following file as docker-compose-vaultwarden.yml:
```yaml
services:
  vaultwarden:
    image: vaultwarden/server
    container_name: vaultwarden
    environment:
      - SIGNUPS_ALLOWED=true
      - INVITATIONS_ALLOWED=true
      - ENABLE_WEBSOCKET=true
      # Replace TODO with the Argon2 hash generated in the next step
      - ADMIN_TOKEN=TODO
      - PUSH_ENABLED=false
      - PUSH_INSTALLATION_ID=
      - PUSH_INSTALLATION_KEY=
      - LOG_FILE=/data/access.log
      - LOG_LEVEL=warn
      - EXTENDED_LOGGING=true
      - TZ=Europe/Berlin
    ports:
      - 4743:80/tcp
    volumes:
      - /mnt/cache/appdata/vaultwarden:/data:rw
    networks:
      - sascha

# Pre-existing external Docker network
networks:
  sascha:
    name: sascha
    external: true
```
Generate Admin Token
If you use Vaultwarden, the admin page (/admin) can hardly be avoided. It is the control center for managing users, sending invitations or adjusting system settings during operation. As this area is extremely critical, it is protected by the ADMIN_TOKEN. In the past, a simple password in plain text was sufficient, but this is now a security risk. To prevent brute force attacks and store the token securely in configuration files, Vaultwarden now uses Argon2 hashing. Find out more directly in the documentation.
How to create a secure token: The easiest way to generate the token is directly on your host system, i.e. in a console on Linux / Ubuntu or similar. Below is the command to hash your own password. Make sure to store this password somewhere safe. The command already ensures that every dollar sign ($) is followed by a second one; you just have to copy the output. You then enter this hash as the environment variable ADMIN_TOKEN in your configuration. Important for Docker Compose users: If you enter the hash directly in the docker-compose.yml, every dollar sign must be written twice ($$) so that Docker does not misinterpret it as a variable. Once set up, your password remains secret, while Vaultwarden only knows the secure hash.
```bash
echo -n "yoursecurePassword" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4 | sed 's#\$#\$\$#g'
```
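As an added example (not from the video or the Vaultwarden project), this Python check reads a compose file and reports the ADMIN_TOKEN mistakes described above: a plain-text value, dollar signs that are not doubled, or Argon2 parameters below those of the command. The function name, the messages and the sample hash are constructed for this illustration.

```python
import re

# PHC string printed by `argon2 ... -e -id`:
#   $argon2id$v=19$m=<KiB>,t=<passes>,p=<lanes>$<salt>$<hash>
PHC = re.compile(r"\$argon2id\$v=\d+\$m=(\d+),t=(\d+),p=(\d+)"
                 r"\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+")
ENTRY = re.compile(r"^[ \t]*-?[ \t]*ADMIN_TOKEN[ \t]*[=:][ \t]*(.*?)[ \t]*$", re.M)

# Constructed value for the demo: right shape, not the hash of any password.
SAMPLE_HASH = ("$argon2id$v=19$m=65540,t=3,p=4"
               "$Y29uc3RydWN0ZWRzYWx0$Y29uc3RydWN0ZWRoYXNoY29uc3RydWN0ZWRoYXNo")


def check_admin_token(compose_text, floor=(65540, 3, 4)):
    """Return findings for the ADMIN_TOKEN entry of a docker-compose file.

    floor is (m, t, p) as passed to the argon2 command on this page.
    """
    entry = ENTRY.search(compose_text)
    raw = entry.group(1).strip("'\"") if entry else ""
    if not raw:
        return ["ADMIN_TOKEN is not set, so /admin is disabled"]
    if "$" not in raw:
        return ["ADMIN_TOKEN is plain text; store an Argon2id hash instead"]
    findings = []
    # Compose turns "$$" into a literal "$"; any "$" left after removing the
    # pairs would be read as the start of a variable reference.
    if "$" in raw.replace("$$", ""):
        findings.append("unescaped '$': write every '$' of the hash as '$$'")
    phc = PHC.fullmatch(raw.replace("$$", "$"))
    if phc is None:
        findings.append("value is not an argon2id PHC string")
    else:
        for name, got, want in zip("mtp", map(int, phc.groups()), floor):
            if got < want:
                findings.append(f"{name}={got} is below {name}={want}")
    return findings


if __name__ == "__main__":
    escaped = SAMPLE_HASH.replace("$", "$$")
    for value in ("TODO", SAMPLE_HASH, escaped, escaped.replace("m=65540", "m=4096")):
        compose = f"    environment:\n      - ADMIN_TOKEN={value}\n"
        print(value[:24], "->", check_admin_token(compose) or "ok")
```

An empty list means the entry has the expected shape; the check does not verify that the hash belongs to your password.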
Now start the Docker container:
```bash
docker compose -f "docker-compose-vaultwarden.yml" up -d
```
The service then runs under http://your-ip:4743 (or http://localhost:4743).
🌍 Explanation of the environment variables
| Variable | Function |
|---|---|
| TZ | Sets the time zone in the container - important for logs and timestamps. |
| HOST_OS / HOST_HOSTNAME / HOST_CONTAINERNAME | Purely informative for Unraid - used for UI info, has no influence on Vaultwarden itself. |
| SIGNUPS_ALLOWED (true/false) | Allows or blocks new user registrations. For private use, it is better to set this to false. |
| INVITATIONS_ALLOWED (true/false) | Controls whether existing users are allowed to send invitations to others (e.g. for team/family accounts). |
| ENABLE_WEBSOCKET (true/false) | Activates live sync (e.g. if you save on one device and want it to be updated immediately on other devices). When used with Traefik, often set to true plus a suitable proxy entry. |
| ADMIN_TOKEN | Activates the admin interface (/admin) and protects it with this token. Without a token, the interface is deactivated. |
| PUSH_ENABLED (true/false) | Enables push notifications via the official Bitwarden push server - necessary for instant updates on mobile/browser. |
| PUSH_INSTALLATION_ID & PUSH_INSTALLATION_KEY | A unique device/server pair for authentication with the Bitwarden push services. Without these values, push messages and live sync on mobile devices will not work reliably. |
| LOG_FILE | Path where Vaultwarden writes its access logs - here in the volume under /data/.... |
| LOG_LEVEL (warn/info/debug/error) | Determines the level of detail of the log outputs. warn reduces log spam to important messages. |
| EXTENDED_LOGGING (true/false) | Activates extended log entries (e.g. API accesses), helpful for debugging or monitoring. |
HTTPS with reverse proxy (Nginx/Traefik recommended)
HTTPS must be set up for production use. Popular options are:
- Traefik (automatic Let's Encrypt certificates)
- Nginx + Certbot
- Nginx Proxy Manager (UI for simple administration)
- Caddy
Important: Route / to Vaultwarden, enable HSTS, and protect the admin URL with a strong token (environment variable ADMIN_TOKEN).
Automate backups
A simple cronjob script:
```bash
#!/bin/bash
# Archive the Vaultwarden data directory into a dated tarball
tar -czf "/backups/vw-$(date +%F).tgz" ~/vaultwarden/vw-data
# Encryption with gpg recommended
```
Ideally, you should simply use another tool such as Vaultwarden Backup, which already takes care of everything. This can also be run as a Docker container.
Configuration recommendations & best practices
- SIGNUPS_ALLOWED=false: Disable user registration if you only want to manage yourself or your team.
- ADMIN_TOKEN: secure, random token for the admin interface.
- WebSocket: enable it (ENABLE_WEBSOCKET) for better sync performance.
- Firewall: restrict SSH and other management services to admin IPs.
- Monitoring: Check logs regularly; use Fail2ban/ufw.
Which apps & extensions work with Vaultwarden?
Because Vaultwarden emulates the Bitwarden API, you use the official Bitwarden clients:
- Browser extensions: Chrome, Firefox, Edge, Safari, Brave, Vivaldi -> see Bitwarden Docs
- Desktop: Windows, macOS, Linux (official Bitwarden apps)
- Mobile: Android (Play Store & F-Droid -> Keyguard), iOS/iPadOS (App Store -> Bitwarden)
- CLI: bw (Bitwarden CLI) - useful for scripts and CI/CD
- Other: Many password managers/tools support Bitwarden export/import
How to connect the clients: In the app under Settings → Server address enter your Vaultwarden URL (e.g. https://vault.example.com).
Concrete practical example: Family & small team
Situation: You want to share passwords with your family, but not in the cloud.
Procedure:
- Set up Vaultwarden privately on a small VPS or Raspberry Pi.
- Create an account for each family member (or send them an invitation).
- Create an organization/collection for shared passwords (streaming, router, banking) and set permissions.
- Activate MFA for all accounts and regular backups.
Result: Shared passwords are managed centrally, you have control over access - without monthly subscription costs.
Frequently asked questions (FAQ)
Is Vaultwarden as safe as Bitwarden?
Vaultwarden uses the same client encryption principles; security is highly dependent on your server configuration and operation.
Is Vaultwarden open source, and can I check the code?
Yes - the code is on GitHub (repository of dani-garcia). Have a look at Releases and Discussions.
What happens if my server is compromised?
Attackers only see encrypted data - but an attacker can still steal backups or misuse admin tokens, for example. System hygiene is therefore crucial.
Conclusion - Vaultwarden is the best self-hosting solution for your passwords
Vaultwarden combines maximum data sovereignty, extreme efficiency and full compatibility with all Bitwarden tools. You install the system in a few minutes via Docker, use apps on all your devices and retain complete control - without a subscription, without third-party servers, without compromises.
Vaultwarden is an excellent choice if you:
- want full control over your encrypted data,
- have limited hardware resources (Raspberry Pi / NAS),
- do not want to pay ongoing subscription costs, and
- are prepared to take responsibility for updates, backups and HTTPS.
Bitwarden (official), on the other hand, offers a very convenient, supported cloud service with professional support - ideal for companies that do not want to operate their own infrastructure. Both systems use strong end-to-end encryption; the difference lies mainly in operation, responsibility and resource requirements.
The LastPass case has shown: Centralization brings convenience, but also risks. Even encrypted data is not automatically secure if attackers find ways to compromise keys, backups or employee systems. Self-hosting shifts the risk into your hands - and by keeping those hands safe, you gain significant control and privacy.
🔗 Useful links at a glance
- 🐙 GitHub project: https://github.com/dani-garcia/vaultwarden
- 📦 Docker Hub Image: https://hub.docker.com/r/vaultwarden/server
- 🌐 Bitwarden Apps & Extensions: https://bitwarden.com/download
- 🔐 Reverse proxy recommendation: https://nginxproxymanager.com
- 📱 Android app (Keyguard): https://play.google.com/store/apps/details?id=com.artemchep.keyguard&hl=de