Why Vaultwarden?

Password management is the backbone of your digital security. While services like 1Password ($35+/year) and LastPass have their merits, storing your most sensitive data on third-party servers — or paying a premium for the privilege — isn’t for everyone.

Vaultwarden is an unofficial lightweight Bitwarden server rewrite written in Rust. Compared to the official Bitwarden implementation (which requires SQL Server and 1GB+ RAM), Vaultwarden is incredibly resource-efficient and perfect for running on a low-cost VPS.

Core Advantages

• 🔒 End-to-End Encryption: Your passwords are encrypted before they leave your device
• 📱 Cross-Platform Clients: iOS, Android, Chrome/Firefox/Edge extensions, desktop apps
• 🔑 Full Feature Set: Passwords, secure notes, identities, credit cards, TOTP 2FA
• 🚀 Ultra-Lightweight: Runs smoothly on a VPS with just 512MB RAM
• 🔐 Full Data Control: Your passwords never touch third-party servers

Prerequisites

• A VPS (minimum 512MB RAM, 1GB recommended)
• Docker and Docker Compose installed
• A domain name (for HTTPS — e.g., vault.yourdomain.com)
• Basic Linux command-line skills

Step 1: Install Docker & Docker Compose

# Install Docker
curl -fsSL https://get.docker.com | sh

# Enable Docker on boot
sudo systemctl enable docker
sudo systemctl start docker

# Install Docker Compose plugin
sudo apt-get install docker-compose-plugin -y

# Verify installation
docker --version && docker compose version

Step 2: Prepare Directory Structure

mkdir -p ~/vaultwarden
cd ~/vaultwarden
mkdir -p ./data ./nginx/conf.d ./nginx/ssl

Step 3: Configure Docker Compose

Create docker-compose.yml:

version: '3.8'

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    volumes:
      - ./data:/data
    environment:
      # IMPORTANT: Set your domain
      - DOMAIN=https://vault.yourdomain.com
      # Admin panel password (change immediately after deploy)
      - ADMIN_TOKEN=your-strong-admin-token-here
      # Allow new registrations (disable after setup)
      - SIGNUPS_ALLOWED=true
      - INVITATIONS_ALLOWED=true
      - LOG_LEVEL=warn
      - PUSH_INTERVAL=60
      - DISABLE_ADMIN_TOKEN=false
    ports:
      - "127.0.0.1:8080:80"
    networks:
      - vaultwarden_network

  nginx:
    image: nginx:alpine
    container_name: vaultwarden-nginx
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx/conf.d:/etc/nginx/conf.d
      - ./nginx/ssl:/etc/nginx/ssl
      - ./data:/data:ro
    depends_on:
      - vaultwarden
    networks:
      - vaultwarden_network

networks:
  vaultwarden_network:
    driver: bridge

⚠️ Security Note: Generate a strong ADMIN_TOKEN with openssl rand -base64 48. Never use a weak or default token.

Step 4: Configure Nginx Reverse Proxy with SSL

Create nginx/conf.d/vaultwarden.conf:

server {
    listen 80;
    server_name vault.yourdomain.com;
    
    # Let's Encrypt verification
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name vault.yourdomain.com;

    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    # WebSocket support (required for Vaultwarden)
    location /notifications/hub {
        proxy_pass http://vaultwarden:80;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /notifications/hub/negotiate {
        proxy_pass http://vaultwarden:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location / {
        proxy_pass http://vaultwarden:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 128M;
    }
}

Step 5: Get SSL Certificate with Let’s Encrypt

# Install Certbot
sudo apt-get install certbot -y

# Get certificate (make sure DNS points to your server IP first)
sudo certbot certonly --standalone -d vault.yourdomain.com

# Copy certs to Nginx SSL directory
sudo cp /etc/letsencrypt/live/vault.yourdomain.com/fullchain.pem ~/vaultwarden/nginx/ssl/
sudo cp /etc/letsencrypt/live/vault.yourdomain.com/privkey.pem ~/vaultwarden/nginx/ssl/
sudo chown -R $USER:$USER ~/vaultwarden/nginx/ssl/

💡 Auto-Renewal: Add a cron job for automatic certificate renewal:

sudo crontab -e
# Add:
0 3 * * * certbot renew --quiet && cp /etc/letsencrypt/live/vault.yourdomain.com/fullchain.pem ~/vaultwarden/nginx/ssl/ && cp /etc/letsencrypt/live/vault.yourdomain.com/privkey.pem ~/vaultwarden/nginx/ssl/ && docker restart vaultwarden-nginx

Step 6: Start the Services

cd ~/vaultwarden
docker compose up -d

# Check status
docker compose ps

# View logs
docker compose logs -f vaultwarden

If everything is configured correctly, Vaultwarden should be running at https://vault.yourdomain.com within seconds.

Step 7: Initial Configuration

1. Open https://vault.yourdomain.com in your browser
2. Click “Create Account” to register your first account
3. Visit https://vault.yourdomain.com/admin (use your ADMIN_TOKEN)
4. In the admin panel:
   • Disable public registration: Set SIGNUPS_ALLOWED to false
   • Configure SMTP: Set up email so users can recover passwords
   • Review system info: Confirm everything is running smoothly

Step 8: Import Your Existing Passwords

Vaultwarden supports importing from virtually any password manager:

# Upload a CSV export to your server
scp ~/Downloads/chrome_passwords.csv user@your-vps:~/vaultwarden/data/

# Then import via Web UI:
# Click avatar (top-right) → Tools → Import Data → Select format

Supported import formats:

• Bitwarden (native JSON)
• 1Password (1pif/CSV)
• LastPass (CSV)
• Chrome (CSV)
• Firefox (CSV)
• KeePass (CSV/XML)
• Dashlane (CSV)
• ProtonPass (CSV)

Step 9: Configure Bitwarden Clients

Vaultwarden is 100% compatible with official Bitwarden apps. You only need to change the server URL.

Example: Bitwarden Browser Extension

1. Install the Bitwarden browser extension
2. Click the extension icon → Settings (gear icon)
3. Find “Self-hosted environment” option
4. Enter your server URL: https://vault.yourdomain.com
5. Click “Save” and log in with your credentials

Supported Client Platforms

Step 10: Automated Backup Strategy

Your passwords are irreplaceable — set up automated backups:

#!/bin/bash
# ~/vaultwarden/backup.sh - Daily backup script

BACKUP_DIR=~/vaultwarden/backups
DATE=$(date +%Y%m%d_%H%M%S)
DB_FILE=~/vaultwarden/data/db.sqlite3

mkdir -p $BACKUP_DIR

# Stop container for data consistency
docker stop vaultwarden

# Backup database and attachments
tar czf $BACKUP_DIR/vaultwarden-backup-$DATE.tar.gz \
  -C ~/vaultwarden data/

# Restart
docker start vaultwarden

# Keep 30 days of backups
find $BACKUP_DIR -name "vaultwarden-backup-*.tar.gz" -mtime +30 -delete

echo "Backup completed: vaultwarden-backup-$DATE.tar.gz"

Schedule daily execution via cron:

chmod +x ~/vaultwarden/backup.sh
crontab -e
# Add (runs at 2 AM daily):
0 2 * * * ~/vaultwarden/backup.sh

💡 Offsite Backup: Sync to S3-compatible storage or Google Drive:

# Using rclone
rclone copy $BACKUP_DIR remote:vaultwarden-backups/

Performance Benchmarks

Test results on a $6/month VPS (1 vCPU, 1GB RAM, NVMe SSD):

Troubleshooting

Q: Clients don’t sync in real-time?

A: WebSocket isn’t configured properly. Double-check your Nginx config — the proxy_set_header Upgrade and Connection directives are essential for /notifications/hub.

Q: Lost admin token (ADMIN_TOKEN)?

A: Edit docker-compose.yml, set a new ADMIN_TOKEN, then restart:

docker compose up -d vaultwarden

Q: How to enable 2FA?

A: Web UI → Settings → Security → Two-step Login → Enable TOTP. Use with Google Authenticator, Authy, or any TOTP-compatible app.

Q: How to update Vaultwarden?

cd ~/vaultwarden
docker compose pull vaultwarden
docker compose up -d vaultwarden
docker compose logs vaultwarden | grep "Version"

Cost Analysis: Vaultwarden vs Alternatives

Yearly savings with Vaultwarden: On a $3/month VPS, you pay $36/year instead of $90+/year for 1Password. For a family of 5, the savings multiply.

Conclusion

Vaultwarden is arguably the best self-hosted password manager available today. It cuts resource requirements by over 95% compared to Bitwarden’s official server, runs on the cheapest VPS you can find, and yet remains fully compatible with Bitwarden’s polished, well-maintained client apps across every platform.

In about 15 minutes, you can go from zero to a fully functional, HTTPS-secured, WebSocket-enabled password management system — completely under your control, with end-to-end encryption, and zero recurring subscription costs.

Next Steps

• 🔗 Configure SMTP for password recovery emails
• 🛡️ Enable two-factor authentication (2FA)
• 📦 Set up automated local + offsite backups
• 👨‍👩‍👧‍👦 Create an organization and invite family members
• 🔄 Check for updates monthly (docker compose pull && docker compose up -d)