Vaultwarden is a lightweight, unofficial, open-source implementation of the Bitwarden server API — written in Rust. It lets you run a fully functional Bitwarden-compatible password manager on your own hardware, giving you complete ownership of your vault data without monthly subscription fees. If you’ve been paying for Bitwarden Premium or considering self-hosting your credentials, Vaultwarden is the most popular and trusted way to do it.
Originally called bitwarden_rs, the project was renamed Vaultwarden in 2021 to avoid trademark confusion with the official Bitwarden product. It is not affiliated with Bitwarden Inc., but it implements the same API — meaning every official Bitwarden client (browser extensions, mobile apps, desktop apps, CLI) works with it out of the box.
What is Vaultwarden?
Vaultwarden is a server-side replacement for the official Bitwarden self-hosted package. Where the official self-hosted Bitwarden requires Docker with ~10 containers, significant RAM (4+ GB), and a Microsoft SQL Server dependency, Vaultwarden runs as a single lightweight container using SQLite (or MySQL/PostgreSQL optionally), consumes under 100 MB of RAM, and runs comfortably on a Raspberry Pi.
The appeal is straightforward: you get the world-class Bitwarden user interface and client ecosystem — widely regarded as the best open-source password manager — while hosting your encrypted vault data on infrastructure you control. No cloud provider has access to your passwords. No subscription fees. No data retention concerns.
Key Features
- Full Bitwarden client compatibility — Works with all official Bitwarden apps: Chrome/Firefox/Edge/Safari extensions, Android and iOS apps, Windows/Mac/Linux desktop apps, and the bw CLI tool
- Premium features included free — Vaultwarden includes TOTP authenticator, password health reports, encrypted file attachments, emergency access, and the Bitwarden Send feature — features that require a $10/year Bitwarden Premium subscription on the cloud service
- Organizations and sharing — Share passwords and secure notes with family members or team members using the Organizations feature, which requires a paid plan on Bitwarden.com but is free on Vaultwarden
- Two-Factor Authentication — Supports TOTP, email, Duo, WebAuthn (FIDO2/hardware keys like YubiKey), and push notifications
- Admin panel — A web-based admin interface at /admin lets you manage users, invitations, and server settings without touching config files
- Lightweight footprint — Single binary or Docker container, SQLite default database, runs on as little as 512 MB RAM and 1 CPU core
- HTTPS support — Built-in Rocket web server with optional TLS, or easily placed behind Nginx/Caddy/Traefik reverse proxy for SSL termination
- Database flexibility — Default SQLite is perfect for personal use; optional MySQL/MariaDB or PostgreSQL for multi-user/high-availability deployments
System Requirements
| Component | Minimum | Recommended |
|---|---|---|
| CPU | Single core (ARM or x86) | 2 cores |
| RAM | 256 MB | 512 MB – 1 GB |
| Storage | 1 GB | 10 GB (for attachments) |
| OS | Any Linux, Docker on Windows/Mac | Linux with Docker |
| Network | Internal access only | Public HTTPS for external access |
Vaultwarden runs on virtually any hardware. It’s a popular choice for Raspberry Pi 4 homelab setups, cheap VPS instances ($3-5/month), and existing home servers as a lightweight LXC container or Docker service alongside other applications.
Installation Methods
Method 1: Docker (Recommended)
The easiest and most maintainable way to run Vaultwarden is via Docker. A single command starts the server:
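```bash
# The admin token is generated inline and never printed. Read it back from the
# container's environment: docker exec vaultwarden printenv ADMIN_TOKEN
docker run -d \
  --name vaultwarden \
  -e ADMIN_TOKEN="$(openssl rand -base64 48)" \
  -v /vw-data/:/data/ \
  -p 80:80 \
  --restart unless-stopped \
  vaultwarden/server:latest
```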
For production use, a Docker Compose file is cleaner and easier to manage:
```yaml
version: '3'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      ADMIN_TOKEN: "your-secure-random-token-here"
      SIGNUPS_ALLOWED: "false"      # Registration off; set to "true" only while creating your first account
      WEBSOCKET_ENABLED: "true"     # For live sync across devices
      SMTP_HOST: "smtp.gmail.com"   # Optional: for email invites/2FA
      SMTP_PORT: "587"
      SMTP_FROM: "vault@yourdomain.com"
    volumes:
      - ./vw-data:/data
    ports:
      - "8080:80"
      - "3012:3012"                 # WebSocket port
```
Method 2: Behind a Reverse Proxy with SSL
Bitwarden clients require HTTPS to connect (for security — you don’t want passwords transmitted over plain HTTP). The standard setup is to place Vaultwarden behind Nginx Proxy Manager or Caddy, which automatically handles Let’s Encrypt SSL certificates.
With Caddy (the simplest SSL option), your Caddyfile entry is just:
```
vault.yourdomain.com {
    reverse_proxy vaultwarden:80
    reverse_proxy /notifications/hub vaultwarden:3012
}
```
Caddy automatically obtains and renews the Let’s Encrypt certificate. No manual certificate management required.
Method 3: Proxmox LXC via Helper Script
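If you run Proxmox VE, the community helper scripts project provides a one-liner that creates a fully configured Vaultwarden LXC container. The command downloads a script and executes it in the Proxmox host's shell, so read the script at that URL before running it:

```bash
bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/vaultwarden.sh)"
```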
Method 4: Pre-built Binaries (No Docker)
For systems without Docker, pre-compiled Vaultwarden binaries are available for Linux (x86_64 and ARM), FreeBSD, and other platforms. Download the binary, create a systemd service file, and run it directly on the host.
Initial Setup and Configuration
Creating Your First Account
After starting Vaultwarden, navigate to https://your-server/ in a browser. You’ll see the standard Bitwarden web vault interface. Click “Create Account” and set up your email and master password. Your master password is the only secret you need to remember — everything else is encrypted with it. Choose a strong, memorable passphrase.
After creating your account, immediately disable new signups (unless you want others to register) via the admin panel or by setting SIGNUPS_ALLOWED=false in your environment configuration and restarting the container.
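The following is an added example (not part of Vaultwarden or of the original page) that checks a deployment's settings against the advice given here: a long random ADMIN_TOKEN, SIGNUPS_ALLOWED=false, and no plain-HTTP port published on every interface. The function names, the 64-character threshold and the sample inputs are assumptions made for the illustration.

```python
import secrets

PLACEHOLDER_TOKENS = {"your-secure-random-token-here"}
MIN_TOKEN_CHARS = 64  # 48 random bytes encode to 64 base64 characters


def parse_env(text):
    """Parse simple KEY=VALUE text: skip blanks and comments, strip surrounding quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip("\"'")
    return env


def audit(env, ports):
    """Return findings for a Vaultwarden environment dict and compose-style port list."""
    findings = []
    token = env.get("ADMIN_TOKEN", "")
    # An unset token leaves /admin disabled; a set one must be long and random.
    if token and (token in PLACEHOLDER_TOKENS or len(token) < MIN_TOKEN_CHARS):
        findings.append("ADMIN_TOKEN is a placeholder or shorter than 64 characters")
    # Vaultwarden allows registration unless SIGNUPS_ALLOWED is explicitly false.
    if env.get("SIGNUPS_ALLOWED", "true").lower() != "false":
        findings.append("SIGNUPS_ALLOWED is not false: open registration")
    for mapping in ports:
        parts = mapping.split(":")
        # Without a host IP ("8080:80") Docker publishes on every interface, so the
        # plain-HTTP port is reachable without the TLS proxy (IPv4 forms only).
        if len(parts) < 3 or parts[0] == "0.0.0.0":
            findings.append(f"port {mapping} is published on all interfaces")
    return findings

# Constructed inputs: the compose values shown on this page, then a tightened variant.
PAGE_COMPOSE_ENV = 'ADMIN_TOKEN="your-secure-random-token-here"\nSIGNUPS_ALLOWED="false"\n'
PAGE_COMPOSE_PORTS = ["8080:80", "3012:3012"]


def hardened_env():
    """Fresh 64-character token (48 random bytes), signups off."""
    return f"ADMIN_TOKEN={secrets.token_urlsafe(48)}\nSIGNUPS_ALLOWED=false\n"


if __name__ == "__main__":
    print(audit(parse_env(PAGE_COMPOSE_ENV), PAGE_COMPOSE_PORTS))
    print(audit(parse_env(hardened_env()), ["127.0.0.1:8080:80"]))
```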
Admin Panel
The admin panel at https://your-server/admin lets you manage the instance without touching config files. You can invite users by email, revoke access, view diagnostics, manage organizations, and configure SMTP settings for email delivery.
Configuring Bitwarden Clients
To connect official Bitwarden clients to your self-hosted server instead of Bitwarden.com, look for the “Self-hosted environment” or “Server URL” option during login. In the browser extension, click the settings gear, then enter your server URL. In mobile apps, tap “Self-hosted environment” on the login screen.
Security Considerations
Self-hosting your password manager is a significant responsibility. Losing access to your Vaultwarden instance (disk failure, server crash, misconfiguration) could mean losing access to all your passwords. Follow these essential practices:
- Regular automated backups — Back up the /data directory (contains your SQLite database and attachments) to at least one offsite location. Daily backups to an S3 bucket or Backblaze B2 are straightforward with rclone
- Enable 2FA on your account — Use a hardware key (YubiKey) or TOTP authenticator. If someone gets your master password, 2FA is your last line of defense
- Keep Vaultwarden updated — Pull new Docker images regularly. Security patches are released frequently
- Use a strong ADMIN_TOKEN — The admin panel has no rate limiting by default. A long random token (48+ bytes base64) is essential
- Restrict access — If you don’t need external access, keep Vaultwarden behind a VPN (WireGuard, Tailscale) rather than exposing it directly to the internet
- Export vault periodically — Bitwarden’s encrypted export (.json) gives you a backup you can import into Bitwarden.com as a last resort if self-hosting fails
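Vaultwarden keeps its SQLite database in WAL mode by default, so copying /data file by file while the server is running can yield a database copy that is missing recent writes. The sketch below is an added example (not code from the Vaultwarden project) that snapshots a data directory through SQLite's online backup API and verifies the copy before it is shipped offsite; the function names and the sample directory are constructed for illustration.

```python
import shutil
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path

DB_NAME = "db.sqlite3"  # Vaultwarden's default SQLite file name inside /data

def snapshot_data_dir(data_dir, dest_dir):
    """Copy data_dir to dest_dir so the database copy is consistent even mid-write."""
    data_dir, dest_dir = Path(data_dir), Path(dest_dir)
    if not (data_dir / DB_NAME).is_file():
        raise FileNotFoundError(f"{DB_NAME} not found in {data_dir}")
    dest_dir.mkdir(parents=True)  # refuses to overwrite an earlier snapshot
    # The online backup API reads through SQLite itself, so committed pages that
    # still sit in the -wal file are included; a raw file copy can miss them.
    with closing(sqlite3.connect(str(data_dir / DB_NAME))) as src, \
            closing(sqlite3.connect(str(dest_dir / DB_NAME))) as dst:
        src.backup(dst)
        verdict = dst.execute("PRAGMA integrity_check").fetchone()[0]
    if verdict != "ok":
        raise RuntimeError(f"snapshot failed integrity_check: {verdict}")
    # Attachments, keys and config are ordinary files; skip the live db/-wal/-shm.
    for item in data_dir.iterdir():
        if item.name.startswith(DB_NAME):
            continue
        copier = shutil.copytree if item.is_dir() else shutil.copy2
        copier(item, dest_dir / item.name)
    return dest_dir / DB_NAME

def make_sample_data_dir(root):
    """Constructed stand-in for /data: WAL-mode db with an open writer, one attachment."""
    root = Path(root)
    (root / "attachments").mkdir(parents=True)
    (root / "attachments" / "note.bin").write_bytes(b"constructed sample")
    writer = sqlite3.connect(str(root / DB_NAME))
    writer.execute("PRAGMA journal_mode=WAL")
    writer.execute("CREATE TABLE ciphers (id INTEGER PRIMARY KEY, data TEXT)")
    writer.executemany("INSERT INTO ciphers (data) VALUES (?)", [("a",), ("b",), ("c",)])
    writer.commit()
    return writer  # left open on purpose, like a running server

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        live = make_sample_data_dir(Path(tmp) / "data")
        print(snapshot_data_dir(Path(tmp) / "data", Path(tmp) / "backup"))
        live.close()
```

Point rclone (or any other offsite sync) at the snapshot directory rather than at the live /data directory.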
Vaultwarden vs Official Bitwarden Self-Hosted
| Feature | Vaultwarden | Official Bitwarden Self-Hosted |
|---|---|---|
| Resource usage | ~100 MB RAM, SQLite | 4+ GB RAM, MSSQL/PostgreSQL |
| Containers | 1 Docker container | ~10 Docker containers |
| Setup complexity | Simple | Complex (official installer) |
| Premium features | All free | Requires license |
| Organizations | Free, unlimited | Paid license required |
| Official support | Community only | Bitwarden Inc. support |
| Audit status | Unofficial (community vetted) | Third-party security audits |
| License | AGPL-3.0 | Mixed (AGPL + proprietary) |
For personal and family use, Vaultwarden is the clear winner. For enterprise deployments where official support and audits are required, the official Bitwarden self-hosted package (or Bitwarden.com) is more appropriate.
Vaultwarden vs Bitwarden.com (Cloud)
Why would you self-host when Bitwarden.com offers a free tier?
- Data ownership — Your encrypted vault never leaves your hardware. Bitwarden.com stores your encrypted data on US servers; Vaultwarden keeps it wherever you put it
- Premium features for free — TOTP, file attachments, health reports, emergency access, and Bitwarden Send all require $10/year on Bitwarden.com. On Vaultwarden they’re free
- Family/organization sharing — Bitwarden’s families plan is $40/year. Vaultwarden’s organizations feature is free
- No rate limiting — Bitwarden.com has API rate limits. Your own server doesn’t
The trade-off is maintenance responsibility. Bitwarden.com manages uptime, backups, and updates for you. With Vaultwarden, that’s your job.
Use Cases
- Personal password manager — Replace LastPass or 1Password with a self-hosted solution. One-time setup effort, permanent cost savings
- Family password sharing — Share family Wi-Fi passwords, streaming service logins, and emergency contacts securely. Organizations feature makes this seamless
- Small team credential management — Self-hosted Vaultwarden for a small team avoids paying $3-5/user/month for commercial solutions
- Developer secrets management — Store API keys, SSH key passphrases, and deployment credentials. The Bitwarden CLI enables scripted access to vault items
- Air-gapped environments — Organizations with strict data residency requirements can run Vaultwarden on internal networks with no internet exposure
Pros and Cons
Pros
- Complete data ownership — your passwords never leave your infrastructure
- All premium Bitwarden features included at no cost
- Extremely lightweight — runs on a Raspberry Pi or cheap VPS
- Works with all official Bitwarden clients (best-in-class UX)
- Active, mature project with a large community
- AGPL license — truly open source
- Written in Rust — fast, memory-safe, minimal dependencies
Cons
- Self-hosting responsibility — you manage backups, updates, and uptime
- Requires HTTPS — setting up SSL/domain adds complexity for beginners
- No official security audit (relies on community review)
- Not officially supported by Bitwarden Inc. — if something breaks, community forums are your resource
- Single point of failure if server goes down without redundancy
Getting Started: Quick Checklist
- Choose your hosting: Raspberry Pi, VPS, Proxmox LXC, or existing server
- Install Docker and Docker Compose
- Get a domain name and point it to your server (even a free subdomain from DuckDNS works)
- Set up Caddy or Nginx Proxy Manager for automatic HTTPS
- Deploy Vaultwarden with docker-compose
- Create your account, disable new signups
- Configure Bitwarden clients to point to your server URL
- Set up automated daily backups of /data
- Enable 2FA on your account
- Export your vault from any existing password manager and import into Vaultwarden
Community and Support
Vaultwarden has an active community across GitHub (where the project is maintained), Reddit’s r/selfhosted and r/Vaultwarden communities, and the r/homelab forums. The project’s GitHub wiki contains comprehensive documentation covering installation, configuration options (exhaustive environment variable reference), backup strategies, and migration guides.
The project has been active since 2018 and has accumulated over 40,000 GitHub stars — one of the most starred self-hosted projects in existence. This community size means almost every question you’ll have has already been answered somewhere.
Conclusion
Vaultwarden is one of the best self-hosted software projects available in 2026. It solves a real problem (password management privacy and cost), runs on minimal hardware, uses best-in-class client apps, and has years of community battle-testing behind it. If you’re comfortable managing a simple Docker container, there’s no better way to handle passwords than a self-hosted Vaultwarden instance backed up to the cloud.
For anyone tired of subscription fees, concerned about corporate password manager breaches (and there have been many), or simply wanting full control of their credentials — Vaultwarden is the answer.
Download / Source: Vaultwarden is available on GitHub at github.com/dani-garcia/vaultwarden. Docker images are published to Docker Hub as vaultwarden/server.