Why Run Your Own Password Manager?
Bitwarden is widely respected as a secure, open-source password manager – but even open-source tools involve trusting a third-party server with your encrypted vault. Vaultwarden changes that equation entirely. It is an unofficial, lightweight server implementation of the Bitwarden API, written in Rust, that you can run on your own hardware. Your passwords never leave a machine you control.
The appeal goes beyond privacy. Vaultwarden unlocks Bitwarden’s premium features – TOTP authenticator codes, encrypted file attachments, emergency access – without a subscription fee. All you need is a server, a domain, and about thirty minutes.
This guide walks through a complete Vaultwarden setup using Docker Compose, with HTTPS via a reverse proxy.

What You Need Before You Start
Vaultwarden runs on almost anything – a Raspberry Pi, an old desktop, a VPS, or a home server already running other services. The minimum requirements are genuinely modest: Docker and Docker Compose installed, a domain name or subdomain you control, and the ability to open ports 80 and 443 on your router or firewall. If you are already running self-hosted services like a Komga comic server, the infrastructure is already in place.
You will also need a valid SSL certificate. Vaultwarden requires HTTPS – the Bitwarden clients refuse to connect over plain HTTP. The cleanest approach is to use a reverse proxy like Nginx Proxy Manager or Caddy, both of which handle Let’s Encrypt certificate issuance automatically. Caddy is the simpler option for new setups because its configuration is a single readable file and it renews certificates without any cron jobs or manual steps.
Before writing a single config file, point your subdomain – something like vault.yourdomain.com – at your server’s public IP address. DNS propagation can take anywhere from a few minutes to a few hours depending on your registrar, so doing this first saves waiting time later.
Setting Up Vaultwarden with Docker Compose
Create a directory for your Vaultwarden files – /opt/vaultwarden works well on Linux. Inside it, create a docker-compose.yml file. The service definition is straightforward: use the vaultwarden/server:latest image, mount a local directory to /data for persistent storage, and set a handful of environment variables. The most important variable is SIGNUPS_ALLOWED. Set it to true for initial setup so you can create your admin account, then flip it to false immediately after. Leaving open registration on a publicly accessible Vaultwarden instance is a serious security risk.

The ADMIN_TOKEN variable enables the Vaultwarden admin panel at /admin. Generate a strong random string using openssl rand -base64 48 in your terminal and paste it as the token value. Store this token somewhere safe – a password manager is the obvious choice, though there is an obvious irony in needing a password manager to set up your password manager. Also set DOMAIN to your full HTTPS URL, including the https:// prefix. Vaultwarden uses this value internally when generating invitation links and WebAuthn responses.
With the compose file ready, run docker compose up -d to pull the image and start the container. Vaultwarden listens on port 80 inside the container by default, so your reverse proxy should forward external HTTPS traffic to that internal port. In Caddy, the entire configuration for this is four lines: your domain name as the site address, a reverse_proxy directive pointing at the container name and port, and nothing else – Caddy handles the certificate automatically. Once the proxy is running, navigate to your subdomain in a browser. You should see the Bitwarden login screen.
Connecting Clients and Hardening the Instance
Every official Bitwarden client – browser extensions for Chrome and Firefox, desktop apps for Windows, macOS, and Linux, and the iOS and Android mobile apps – supports custom server URLs. In the app, look for a gear icon or “Self-hosted” option on the login screen before entering any credentials. Enter your full domain URL, save it, and the client will connect to your Vaultwarden instance instead of Bitwarden’s cloud servers. Create your account through the web vault at your domain first, then log in through the client.
After creating your account, return to the docker-compose.yml and set SIGNUPS_ALLOWED=false, then run docker compose up -d again to apply the change. If you want to invite specific users later, you can do so through the admin panel without reopening public registration. Also worth enabling: WEBSOCKET_ENABLED=true, which allows real-time vault sync across devices. Without it, clients rely on polling and changes can take minutes to appear on other devices.
Backups deserve more attention than most self-hosting guides give them. Vaultwarden stores everything – vault data, attachments, configuration – in a single SQLite database file at /data/db.sqlite3. Copy that file off the server regularly. A simple cron job that compresses and uploads it to a remote location every night is enough. Losing your password vault because of a failed drive with no backup is the kind of problem that justifies the extra ten minutes it takes to automate.

Two-factor authentication for your Vaultwarden account itself is non-negotiable – enable it immediately after setup using the security settings inside the web vault. Vaultwarden supports TOTP apps, email codes, and hardware keys like YubiKey. Since your vault is now publicly accessible at your domain, the login page is exposed to the internet, and a strong master password alone is a thinner line of defense than most people are comfortable with once they think about it seriously.
Frequently Asked Questions
Is Vaultwarden safe to use?
Vaultwarden is widely used and regularly maintained, but it is an unofficial Bitwarden API implementation. Security depends heavily on your server configuration, strong passwords, and keeping the software updated.
Do I need a paid Bitwarden subscription to use Vaultwarden?
No. Vaultwarden unlocks most Bitwarden premium features for free, including TOTP codes and encrypted file attachments, because it runs on your own server.
Can I use official Bitwarden apps with Vaultwarden?
Yes. All official Bitwarden clients support custom server URLs, so you can point any browser extension, desktop app, or mobile app at your Vaultwarden instance.
What happens if my Vaultwarden server goes down?
You lose access to your vault until the server is restored. Keeping regular backups of the SQLite database file and having a recovery plan is essential for any self-hosted password manager.





