Vaultwarden: The Lightweight Self-Hosted Password Manager

Security · 2026-03-04 · 4 min read
Tags: vaultwarden, bitwarden, password manager, self-hosted, docker, rust, open-source
By Selfhosted Guides Editorial Team. Self-hosting practitioners covering open source software, home lab infrastructure, and data sovereignty.

Password managers solve the only real password problem: you can't remember 200 unique passwords. Cloud-hosted options like 1Password and Bitwarden work well, but if you'd rather not store credentials with a third party, self-hosting is a reasonable alternative.

Vaultwarden is the most practical path to that. It's an unofficial Bitwarden-compatible server, written in Rust, that runs in about 60MB of RAM. It supports the full Bitwarden client ecosystem — browser extensions, desktop apps, and mobile apps — without running the official server stack, which requires multiple services and considerably more resources.

Why Vaultwarden Instead of the Official Bitwarden Server

The official Bitwarden server is open source and self-hostable, but it was built to run at scale. In practice, that means:

Vaultwarden reimplements the Bitwarden API in a single Rust binary. It uses SQLite by default (with PostgreSQL and MySQL support), runs fine with 64MB of RAM, and starts in under a second. It supports everything a personal or small-team deployment needs: organizations, collections, TOTP, emergency access, and send.

The tradeoff: Vaultwarden is a third-party implementation. It's well-maintained and has a large community, but it's not developed by Bitwarden Inc. For most self-hosters, this is acceptable. For regulated environments, the official server is the right choice.

Docker Deployment

The simplest deployment uses Docker Compose with a persistent volume:

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      WEBSOCKET_ENABLED: "true"
      SIGNUPS_ALLOWED: "true"
      DOMAIN: "https://vault.example.com"
    volumes:
      - vw-data:/data
    ports:
      - "80:80"
      - "3012:3012"

volumes:
  vw-data:

Port 3012 is used for WebSocket connections, which power real-time sync across devices. If you're putting Vaultwarden behind a reverse proxy (which you should), you'll need to forward both HTTP and WebSocket traffic.

HTTPS is Required

Vaultwarden will work over plain HTTP for testing, but Bitwarden clients — browser extensions especially — require HTTPS before they'll connect to a custom server URL. You need a valid certificate.

Option 1: Reverse proxy with Let's Encrypt

If Vaultwarden is on a domain you control, Nginx Proxy Manager or Caddy can handle certificate provisioning automatically:

# Caddyfile
vault.example.com {
  reverse_proxy vaultwarden:80
  reverse_proxy /notifications/hub vaultwarden:3012
}

Caddy handles certificate renewal automatically. The /notifications/hub path routes WebSocket traffic to the correct port.

Option 2: Cloudflare Tunnel

For homelabs behind a CGNAT or without a public IP, Cloudflare Tunnel is a clean alternative. Run cloudflared alongside Vaultwarden, configure a tunnel to your local service, and Cloudflare handles TLS. No port forwarding required.

Initial Setup

On first run, navigate to your Vaultwarden URL and create an account. Since you control the server, you should immediately restrict signups after creating your account:

environment:
  SIGNUPS_ALLOWED: "false"

Restart the container. Now only users you explicitly invite can create accounts — or you can use the admin panel to manage users directly.

To enable the admin panel, set a token:

environment:
  ADMIN_TOKEN: "a-long-random-string-you-generate"

Access it at /admin. From there you can invite users, view server health, configure email, and manage organizations.
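
A quick way to confirm the running container actually has the settings from this section is to audit its environment. The script below is an added example, not part of Vaultwarden or the original guide; the function name, the 32-character threshold and the sample values are assumptions made for illustration.

```python
import json

MIN_TOKEN_LEN = 32  # assumed threshold for this example, not a Vaultwarden rule

# Constructed sample: what `docker inspect` prints for the compose file above
# once an easily guessed admin token has been added.
SAMPLE_ENV = json.dumps([
    "WEBSOCKET_ENABLED=true",
    "SIGNUPS_ALLOWED=true",
    "DOMAIN=https://vault.example.com",
    "ADMIN_TOKEN=changeme",
])


def audit_env(env_json):
    """Return findings for a container environment.

    env_json is the JSON array printed by
    docker inspect vaultwarden --format '{{json .Config.Env}}'
    """
    env = dict(e.split("=", 1) for e in json.loads(env_json) if "=" in e)
    findings = []

    # Treated as open unless explicitly "false" (signups default to allowed).
    if env.get("SIGNUPS_ALLOWED", "true").strip().lower() != "false":
        findings.append("SIGNUPS_ALLOWED is not false: registration is open")

    # Clients need HTTPS, so DOMAIN should be the public https:// URL.
    if not env.get("DOMAIN", "").lower().startswith("https://"):
        findings.append("DOMAIN is missing or not an https:// URL")

    # An unset ADMIN_TOKEN leaves /admin disabled, so only check set values.
    token = env.get("ADMIN_TOKEN")
    if token is not None and not token.startswith("$argon2"):
        if len(token) < MIN_TOKEN_LEN:
            findings.append("ADMIN_TOKEN is short and stored in plain text")
        else:
            findings.append("ADMIN_TOKEN is stored in plain text")
    return findings


if __name__ == "__main__":
    for finding in audit_env(SAMPLE_ENV):
        print("FINDING:", finding)
```

An Argon2 hash for ADMIN_TOKEN can be produced with the server binary's hash subcommand (docker exec -it vaultwarden /vaultwarden hash), so the secret itself never sits in the compose file.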

Email Configuration

Email is optional but recommended. Vaultwarden uses it for account verification, password reset, 2FA codes, and emergency access notifications.

For a personal deployment, an app password from Gmail or a transactional service like Mailgun works well:

environment:
  SMTP_HOST: "smtp.gmail.com"
  SMTP_FROM: "your-address@example.com"
  SMTP_PORT: "587"
  SMTP_SECURITY: "starttls"
  SMTP_USERNAME: "your-address@example.com"
  SMTP_PASSWORD: "your-app-password"

Organizations and Sharing

Vaultwarden supports Bitwarden's Organizations feature, which lets you share credentials with other users. This works for households or small teams who all have accounts on the same Vaultwarden instance.

To share a credential, move it into a Collection inside an Organization. All organization members with access to that Collection can see and use the credential. Permissions are set per-collection: read-only or full access.

Shared TOTP codes work the same way — one person manages the TOTP secret, and everyone in the collection can see the rotating code. Useful for shared service accounts.

Emergency Access

Vaultwarden supports Bitwarden's Emergency Access feature. A designated trusted contact can request access to your vault after a configurable waiting period (between 1 and 90 days). You'll receive a notification and can deny the request at any time during that window.

This is a practical solution to the "what happens to my passwords if I'm incapacitated" problem, with a dead man's switch built in.

Backups

Vaultwarden stores everything in a SQLite database at /data/db.sqlite3 inside the container. Back this up regularly.

A simple cron job or Docker volume backup to your NAS or a remote location is sufficient:

# Daily backup to a local path
docker exec vaultwarden sqlite3 /data/db.sqlite3 ".backup /data/db-backup.sqlite3"
cp /path/to/vw-data/db-backup.sqlite3 /your/backup/location/vw-$(date +%Y%m%d).sqlite3

If you use PostgreSQL instead of SQLite (recommended for multi-user setups with concurrent access), use pg_dump.
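
For the SQLite case, a backup is only useful if it is consistent, readable only by its owner, and verified before older copies are deleted. The function below is an added example (not from the original guide or the Vaultwarden project) that runs on the host against the mounted volume using Python's built-in sqlite3 module; the function name, paths and retention count are assumptions.

```python
import os
import sqlite3
import tempfile
from datetime import date
from pathlib import Path


def backup_vault(db_path, backup_dir, keep=14, today=None):
    """Snapshot a live SQLite database, verify it, and prune old copies.

    Returns the path of the new backup. keep must be at least 1; the
    default of 14 is an assumption for this example.
    """
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    stamp = (today or date.today()).strftime("%Y%m%d")
    target = backup_dir / f"vw-{stamp}.sqlite3"

    # Write to a temp file first so a failed run never leaves a partial
    # file under the final name. mkstemp creates it with mode 0600.
    fd, tmp_name = tempfile.mkstemp(dir=backup_dir, suffix=".partial")
    os.close(fd)
    try:
        # Read-only source connection; Connection.backup() uses SQLite's
        # online backup API, the same mechanism as the CLI's ".backup".
        src = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
        dst = sqlite3.connect(tmp_name)
        try:
            src.backup(dst)
            result = dst.execute("PRAGMA integrity_check").fetchone()[0]
        finally:
            dst.close()
            src.close()
        if result != "ok":
            raise RuntimeError(f"backup failed integrity check: {result}")
        os.replace(tmp_name, target)
    except BaseException:
        if os.path.exists(tmp_name):
            os.unlink(tmp_name)
        raise

    # Keep only the newest `keep` dated backups (names sort chronologically).
    for old in sorted(backup_dir.glob("vw-*.sqlite3"))[:-keep]:
        old.unlink()
    return target
```

This copies only the database; attachments and other files under /data need their own copy, for example a volume-level backup. The backup holds the encrypted vault plus account metadata, so keep the destination as restricted as the live volume.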

Connecting Bitwarden Clients

All official Bitwarden clients support custom server URLs. In the browser extension, click the region dropdown and choose "Self-hosted". Enter your Vaultwarden URL. Log in with your account credentials.

The same process works for iOS and Android (Settings → Server URL) and desktop apps.

Comparison to Official Bitwarden

Feature | Vaultwarden | Bitwarden Official
RAM usage | ~60MB | ~2GB+
Storage | SQLite/Postgres/MySQL | SQL Server + others
Deployment | Single container | Multi-container
Organizations | |
TOTP | |
Emergency access | |
Send | |
Bitwarden client support | Full (unofficial API) | Full (official API)
Enterprise features | No | Yes
Official support | Community | Bitwarden Inc.

For personal use or small teams, Vaultwarden covers every practical need at a fraction of the resource cost. For larger organizations or compliance requirements, the official server is the right choice.

Final Notes

Vaultwarden is a reliable, well-maintained project with years of active development. The GitHub repository is dani-garcia/vaultwarden and the issue tracker is active.

Before going all-in on any self-hosted password manager, export your vault periodically as a backup. Bitwarden's encrypted export format means your passwords are safe even if you lose access to your server — you can import them into any Bitwarden-compatible service or the official app.
