Why Run Your Own Password Manager?
Cloud-based password managers are convenient, but they come with a trade-off: your credentials live on someone else’s server, behind someone else’s security decisions. Bitwarden is the gold standard for open-source password management, and Vaultwarden is its lightweight, self-hostable backend – written in Rust, compatible with all official Bitwarden clients, and small enough to run comfortably on a Raspberry Pi. The result is a fully functional password vault that never phones home.
This guide walks through setting up Vaultwarden on a Raspberry Pi using Docker, securing it with a self-signed SSL certificate, and connecting it to the Bitwarden mobile and desktop apps. You will need a Raspberry Pi 3 or newer, a microSD card with at least 16GB of space, and a basic comfort level with the Linux terminal. No cloud account required.

Preparing the Raspberry Pi
Start with a fresh installation of Raspberry Pi OS Lite, the headless version without a desktop environment. Flash it to your microSD card using the Raspberry Pi Imager, and before you boot, open the advanced settings in the Imager to enable SSH and set a hostname – something like vaultpi makes it easy to find on your network. Set a strong password for the default user or, better yet, configure SSH key authentication from the start.
Once the Pi is running and you are connected over SSH, update the system with sudo apt update && sudo apt upgrade -y, then install Docker using the official convenience script: curl -fsSL https://get.docker.com | sh. After installation, add your user to the Docker group with sudo usermod -aG docker $USER, then log out and back in so the change takes effect. You will also want to install Docker Compose: sudo apt install docker-compose -y. Give the Pi a static IP address through your router’s DHCP reservation settings – this keeps the server reachable at a predictable address every time.

Installing and Configuring Vaultwarden
Create a working directory for the project: mkdir ~/vaultwarden && cd ~/vaultwarden. Inside that folder, create a file called docker-compose.yml using a text editor like nano. The configuration below pulls the official Vaultwarden image and maps the necessary ports and storage volumes.
Paste this into the file:

version: "3"
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    ports: ["80:80", "443:443"]
    volumes: ["./data:/data"]
    environment:
      - SIGNUPS_ALLOWED=true
      - WEBSOCKET_ENABLED=true

Once the file is saved, the most important environment variable to understand is SIGNUPS_ALLOWED. Set it to true for the first run so you can create your admin account, but change it to false immediately after – you do not want an open registration endpoint sitting on your home network. The ADMIN_TOKEN variable is equally worth setting: generate a secure random string with openssl rand -base64 48 and assign it, which unlocks the Vaultwarden admin panel at /admin.
Run docker-compose up -d to start the container. Check that it is running with docker ps – you should see the vaultwarden container listed with status “Up.” If it fails to start, docker logs vaultwarden will show exactly what went wrong. The data directory Vaultwarden creates inside your project folder stores the SQLite database and all attachments, so back that folder up regularly.

Setting Up SSL for Local Access
Bitwarden clients require HTTPS to connect to any server, which means you need a valid SSL certificate even for a local deployment. The straightforward solution for a home network is a self-signed certificate generated with OpenSSL. Run the following to create a certificate and key pair: openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout vaultwarden.key -out vaultwarden.crt. When prompted for a Common Name, enter the static IP address of your Raspberry Pi.
Update your docker-compose.yml to mount the certificate files into the container and point Vaultwarden at them using the ROCKET_TLS environment variable. The exact syntax is ROCKET_TLS={certs="/ssl/vaultwarden.crt",key="/ssl/vaultwarden.key"}, with the SSL folder mapped as a volume. After restarting the container with docker-compose down && docker-compose up -d, you will be able to reach the Vaultwarden web interface at https://[your-pi-ip]. The browser will warn about an untrusted certificate – that is expected with a self-signed cert, and you can safely add a permanent exception.
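A certificate that names the Pi's IP only in the Common Name fails hostname checks in clients that match on subjectAltName alone, and Apple platforms also require a serverAuth extended key usage and a validity of at most 825 days. The script below is an added example, not part of the original guide: it generates a certificate that carries the IP as a SAN and checks it next to the CN-only form. The function names, the script name make-cert.sh and the address 192.168.1.50 are assumptions, and -addext needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not part of the original guide.

# make_cert IP DIR: self-signed pair whose subjectAltName carries the IP.
make_cert() {
    mkdir -p "$2"
    openssl req -x509 -nodes -newkey rsa:2048 -days 825 \
        -keyout "$2/vaultwarden.key" -out "$2/vaultwarden.crt" \
        -subj "/CN=$1" \
        -addext "subjectAltName=IP:$1" \
        -addext "extendedKeyUsage=serverAuth" || return 1
    chmod 600 "$2/vaultwarden.key"   # private key: owner only
}

# make_cn_only_cert IP DIR: the guide's command with the Common Name prompt
# answered via -subj, generated only for comparison.
make_cn_only_cert() {
    mkdir -p "$2"
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
        -keyout "$2/cn-only.key" -out "$2/cn-only.crt" -subj "/CN=$1"
}

# cert_covers_ip CERT IP: succeeds only if IP is listed in subjectAltName.
# openssl's -checkip does not fall back to the Common Name.
cert_covers_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" \
        | grep -q "does match certificate"
}

# Run as: sh make-cert.sh 192.168.1.50   (constructed address; use the Pi's)
if [ -n "${1:-}" ]; then
    make_cert "$1" ./ssl || exit 1
    cmp_dir=$(mktemp -d)             # comparison cert stays out of ./ssl
    make_cn_only_cert "$1" "$cmp_dir" || exit 1
    for c in ./ssl/vaultwarden.crt "$cmp_dir/cn-only.crt"; do
        if cert_covers_ip "$c" "$1"; then
            echo "$c: covers $1"
        else
            echo "$c: does NOT cover $1"
        fi
    done
fi
```

Vaultwarden serves TLS on the same container port it otherwise uses for HTTP (80 in the official image), so host port 443 has to be published to that port, for example "443:80".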

Connecting the Bitwarden Clients
Open the official Bitwarden app on your phone or desktop. On the login screen, tap the region selector – it usually shows “bitwarden.com” by default – and choose Self-hosted. Enter your Raspberry Pi’s HTTPS address as the server URL. On mobile, you may need to manually trust the self-signed certificate in your device’s settings, or install the certificate as a trusted root authority. The process varies by platform: Android requires installing it through Security settings, while iOS uses a profile installation flow followed by a manual trust toggle in Certificate Trust Settings.
Create your account through the Vaultwarden web interface first, then log in through the app using the same credentials. Once connected, the app behaves exactly like the standard Bitwarden cloud version – autofill, browser extensions, secure notes, and shared organization vaults all work. The only functional difference is that sync only happens when your device is on the same network as the Pi, or connected through a VPN if you have one set up.
For desktop users, the Bitwarden browser extension supports the same self-hosted server setting. Navigate to the extension settings, switch to self-hosted mode, and enter the Pi’s address. If you run other self-hosted services on the same Pi, consider putting Vaultwarden behind a reverse proxy like Nginx Proxy Manager so multiple services can share port 443 under different subdomains – that scales better than running each service on a separate port.

Keeping It Running and Backed Up
Vaultwarden’s data lives entirely in that ./data folder – a single SQLite file plus an attachments directory. The simplest backup strategy is a daily cron job that copies the folder to a USB drive or a second machine. Open the crontab with crontab -e and add a line like 0 2 * * * cp -r /home/pi/vaultwarden/data /mnt/backup/vaultwarden-$(date +\%F). That runs a timestamped copy every night at 2am without any manual effort.
To keep Vaultwarden itself updated, pull the latest image periodically with docker pull vaultwarden/server:latest followed by a container restart. Updates are usually minor and backward compatible, but checking the Vaultwarden GitHub release notes before upgrading takes thirty seconds and avoids surprises. Docker makes rollback straightforward too – if something breaks, you can pin the image to the previous version tag in your compose file and bring it back up immediately.
One detail worth getting right early: set the DOMAIN environment variable in your compose file to match the exact URL you use to access Vaultwarden. Without it, certain features like WebAuthn hardware key support and email invites will not work correctly because the server generates links using the wrong base URL. It is a small config line that saves a frustrating debugging session later.
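The settings this guide asks you to change after the first run (SIGNUPS_ALLOWED, ADMIN_TOKEN, ROCKET_TLS and DOMAIN) can be checked mechanically against docker-compose.yml. The lint below is an added example, not part of the original guide or of Vaultwarden: the function names are hypothetical, the sample file is constructed, and the 64-character threshold assumes the token came from openssl rand -base64 48.

```shell
#!/bin/sh
# Added example, not part of the original guide.

# env_value FILE NAME: print NAME's value from list ("- NAME=v") or map
# ("NAME: v") style environment entries, surrounding quotes stripped.
env_value() {
    sed -n -E "s/^[[:space:]]*-?[[:space:]]*[\"']?$2[=:][[:space:]]*//p" "$1" \
        | head -n 1 | sed -E "s/^[\"']//; s/[\"'][[:space:]]*\$//"
}

# audit_compose FILE: one line per finding; exit status 0 only when clean.
audit_compose() {
    f=$1; findings=0
    flag() { echo "FINDING: $1"; findings=$((findings + 1)); }

    [ "$(env_value "$f" SIGNUPS_ALLOWED)" = "false" ] \
        || flag "SIGNUPS_ALLOWED is not false: registration is still open"

    # An unset token leaves /admin disabled; a short one is the problem.
    token=$(env_value "$f" ADMIN_TOKEN)
    [ -z "$token" ] || [ "${#token}" -ge 64 ] \
        || flag "ADMIN_TOKEN is shorter than 64 characters"

    case $(env_value "$f" DOMAIN) in
        https://*) ;;
        *) flag "DOMAIN is missing or not an https:// URL" ;;
    esac

    case $(env_value "$f" ROCKET_TLS) in
        *certs=*key=*) ;;
        *) flag "ROCKET_TLS does not name both certs and key" ;;
    esac

    [ "$findings" -eq 0 ]
}

# Constructed sample: the guide's first-run settings, before hardening.
write_first_run_sample() {
    cat > "$1" <<'EOF'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    environment:
      - SIGNUPS_ALLOWED=true
      - WEBSOCKET_ENABLED=true
EOF
}
```

Run audit_compose ~/vaultwarden/docker-compose.yml after each edit of the file; on the first-run sample it reports three findings.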





