
Vaultwarden: Self-Hosted Password Manager Installation Guide

Complete guide to installing Vaultwarden, a self-hosted Bitwarden-compatible password manager. Learn Docker deployment, SSL setup, backup strategies, and daily usage.

What is Vaultwarden?

Vaultwarden is an open-source, self-hosted implementation of the Bitwarden server API, written in Rust. It is designed to be lightweight and resource-efficient compared to the official Bitwarden server, which requires a Microsoft SQL Server database and substantial system resources. Vaultwarden supports all official Bitwarden clients — desktop, browser extensions, mobile apps, and CLI — without any modification.

By self-hosting Vaultwarden, you retain full control over your password data. No third-party service ever touches your encrypted vault. The project is mature, actively maintained, and suitable for both single-user deployments and small teams.

Docker Deployment with docker-compose

The recommended way to run Vaultwarden is via Docker. Below is a production-ready docker-compose.yml that includes Vaultwarden itself, a PostgreSQL database (optional but recommended for larger deployments), and an admin token for accessing the admin panel.

version: "3.8"

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      DOMAIN: "https://vault.yourdomain.com"
      ADMIN_TOKEN: "${VAULTWARDEN_ADMIN_TOKEN}"
      DATABASE_URL: "postgresql://vaultwarden:${DB_PASSWORD}@db:5432/vaultwarden"
      SIGNUPS_ALLOWED: "false"
      INVITATIONS_ALLOWED: "true"
    volumes:
      - ./vw-data:/data
    ports:
      - "127.0.0.1:8080:80"
    depends_on:
      - db

  db:
    image: postgres:16-alpine
    container_name: vaultwarden-db
    restart: unless-stopped
    environment:
      POSTGRES_DB: vaultwarden
      POSTGRES_USER: vaultwarden
      POSTGRES_PASSWORD: "${DB_PASSWORD}"
    volumes:
      - ./pg-data:/var/lib/postgresql/data

Place a .env file alongside the compose file with your secrets:

VAULTWARDEN_ADMIN_TOKEN=your-random-admin-token-here
DB_PASSWORD=your-strong-db-password-here

Run the stack:

docker compose up -d

Why PostgreSQL?

Vaultwarden defaults to SQLite, which is fine for single users. PostgreSQL offers better concurrency and reliability for multi-user scenarios and integrates more naturally into existing backup workflows. If you only need a personal instance, drop the db service and remove the DATABASE_URL env var — Vaultwarden will use SQLite automatically.

Admin Token

The ADMIN_TOKEN environment variable enables the admin panel at /admin. Generate a strong random token:

openssl rand -base64 48

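Set SIGNUPS_ALLOWED to false after creating your account to prevent open registration. The compose file above already sets it to "false", so switch it to "true" only for as long as it takes to create that first account.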
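A pre-flight check for the .env file, added here as an example and not taken from the original guide or the Vaultwarden project. It flags loose file permissions, leftover placeholder values, and a DB_PASSWORD that would break the DATABASE_URL the compose file builds from it; the 32-character minimum and the function names are assumptions of this example.

```python
"""Pre-flight audit of the .env file used by the compose stack (added example)."""
import os
import stat
import sys
from urllib.parse import quote

PLACEHOLDERS = {"your-random-admin-token-here", "your-strong-db-password-here"}
MIN_LENGTH = 32  # assumption: minimum acceptable secret length, not a Vaultwarden rule


def parse_env(text):
    """Return KEY=VALUE pairs from .env text, skipping blanks and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env


def audit_env(path):
    """Return a list of findings for the .env file at `path` (empty list = clean)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit exposes the secrets
        findings.append(f"file mode is {mode:03o}; restrict it with chmod 600")
    with open(path, encoding="utf-8") as handle:
        env = parse_env(handle.read())
    for key in ("VAULTWARDEN_ADMIN_TOKEN", "DB_PASSWORD"):
        value = env.get(key, "")
        if not value or value in PLACEHOLDERS:
            findings.append(f"{key} is unset or still the placeholder value")
        elif len(value) < MIN_LENGTH:
            findings.append(f"{key} is shorter than {MIN_LENGTH} characters")
    # DB_PASSWORD is interpolated into DATABASE_URL, so characters such as
    # '/', '@', ':' or '#' must be percent-encoded there or avoided entirely.
    # The check is deliberately strict: anything outside unreserved URL
    # characters is flagged.
    password = env.get("DB_PASSWORD", "")
    if quote(password, safe="") != password:
        findings.append("DB_PASSWORD has URL-reserved characters; use a hex or "
                        "URL-safe password, or percent-encode it in DATABASE_URL")
    return findings


if __name__ == "__main__":
    problems = audit_env(sys.argv[1] if len(sys.argv) > 1 else ".env")
    for problem in problems:
        print("WARN:", problem)
    sys.exit(1 if problems else 0)
```

A password produced by openssl rand -base64 can contain / and +, which is why the URL check matters for DB_PASSWORD; openssl rand -hex 32 avoids the problem.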

SSL via Caddy

Caddy is the simplest reverse proxy for automatic Let’s Encrypt certificates. Create a Caddyfile:

vault.yourdomain.com {
    reverse_proxy 127.0.0.1:8080
}

Run Caddy with Docker:

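# Host networking (Linux) lets Caddy reach Vaultwarden on the host's 127.0.0.1:8080
# and bind ports 80/443 directly. With published ports only, 127.0.0.1 inside the
# Caddy container would be the container itself and the proxy target would be unreachable.
docker run -d \
  --name caddy \
  --network host \
  -v "$PWD/Caddyfile:/etc/caddy/Caddyfile" \
  -v caddy-data:/data \
  caddy:latest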

Caddy automatically provisions and renews TLS certificates. If you prefer Nginx, use the following config snippet with Certbot:

server {
    listen 443 ssl;
    server_name vault.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/vault.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vault.yourdomain.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

First Admin Setup

  1. Visit https://vault.yourdomain.com and create your first account (if SIGNUPS_ALLOWED is true).
  2. Navigate to https://vault.yourdomain.com/admin and log in with the ADMIN_TOKEN.
  3. From the admin panel you can manage users, disable new signups, configure SMTP for email invites, and view diagnostics.
  4. Install the Bitwarden browser extension or mobile app, and set your server URL to your Vaultwarden domain.

Backup Strategy

Backups are essential. The following script creates a consistent backup of the SQLite database and attached files:

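#!/bin/bash
set -euo pipefail
umask 077   # backups hold the vault database; keep them owner-only

DATA_DIR="/path/to/vw-data"   # host directory mounted at /data in docker-compose.yml
BACKUP_DIR="/path/to/backups"
TIMESTAMP=$(date +%Y%m%d-%H%M%S)

# sqlite3 runs on the host against the bind-mounted data directory, so the script
# does not depend on the sqlite3 CLI being present inside the container.
# .backup takes a consistent snapshot even while Vaultwarden is running.
sqlite3 "$DATA_DIR/db.sqlite3" ".backup '$BACKUP_DIR/vaultwarden-$TIMESTAMP.db'"
if [ -d "$DATA_DIR/attachments" ]; then cp -a "$DATA_DIR/attachments" "$BACKUP_DIR/attachments-$TIMESTAMP"; fi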

If using PostgreSQL, use pg_dump instead:

docker exec vaultwarden-db pg_dump -U vaultwarden vaultwarden > "$BACKUP_DIR/vw-pg-$TIMESTAMP.sql"

Schedule daily backups via cron and copy them off-site (e.g., to S3, Borg backup, or rsync to a remote server). Test restoration periodically — a backup you never restore is a backup you cannot trust.
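One way to act on the restore-testing advice above, as an added example that is not part of the original guide or the Vaultwarden project: a Python script that opens a scratch copy of each SQLite backup read-only, runs PRAGMA integrity_check, and confirms the expected tables are present. The table names users and ciphers and the function name verify_backup are assumptions of this example.

```python
"""Restore-test Vaultwarden SQLite backups (added example, not Vaultwarden code)."""
import hashlib
import shutil
import sqlite3
import sys
import tempfile
from pathlib import Path

# Assumption: tables expected in a Vaultwarden SQLite database; adjust if your schema differs.
EXPECTED_TABLES = ("users", "ciphers")


def verify_backup(backup_path):
    """Open a scratch copy of the backup read-only and check that it is usable.

    Returns {"file", "sha256", "rows"}; raises ValueError if the file is corrupt,
    is not SQLite, or lacks an expected table (e.g. a zero-byte dump).
    """
    backup_path = Path(backup_path)
    with tempfile.TemporaryDirectory() as scratch:
        # Work on a copy so the check can never modify the backup itself.
        restored = Path(scratch) / "restored.sqlite3"
        shutil.copyfile(backup_path, restored)
        conn = sqlite3.connect(restored.as_uri() + "?mode=ro", uri=True)
        try:
            verdict = conn.execute("PRAGMA integrity_check").fetchone()[0]
            if verdict != "ok":
                raise ValueError(f"{backup_path.name}: integrity_check reported {verdict!r}")
            tables = {r[0] for r in conn.execute(
                "SELECT name FROM sqlite_master WHERE type = 'table'")}
            missing = sorted(set(EXPECTED_TABLES) - tables)
            if missing:
                raise ValueError(f"{backup_path.name}: missing tables {missing}")
            rows = {t: conn.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
                    for t in EXPECTED_TABLES}
        except sqlite3.DatabaseError as exc:
            raise ValueError(f"{backup_path.name}: unreadable database: {exc}") from exc
        finally:
            conn.close()
    digest = hashlib.sha256(backup_path.read_bytes()).hexdigest()
    return {"file": backup_path.name, "sha256": digest, "rows": rows}


if __name__ == "__main__":
    # Usage: python verify_backup.py /path/to/backups/vaultwarden-*.db
    failed = False
    for path in sys.argv[1:]:
        try:
            print(verify_backup(path))
        except (OSError, ValueError) as exc:
            failed = True
            print(f"FAILED {exc}", file=sys.stderr)
    sys.exit(1 if failed else 0)
```

A zero-byte file passes integrity_check on its own, which is why the table check is part of the test. Record the SHA-256 alongside the off-site copy so a later download can be compared against it.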

Importing from Other Managers

Vaultwarden supports Bitwarden’s data import format. Most password managers can export to CSV or JSON:

  1. Export your data from the source manager (e.g., LastPass, Dashlane, 1Password, KeePass).
  2. In the Vaultwarden web vault, go to Tools → Import Data.
  3. Select the source format and upload the file.

Supported formats include Bitwarden JSON, CSV, 1Password CSV, Dashlane CSV, KeePass XML, and many more. Always delete the export file after importing, as it contains plaintext data.

Vaultwarden vs Bitwarden

| Feature | Vaultwarden | Official Bitwarden |
|---|---|---|
| Database | SQLite / PostgreSQL | Microsoft SQL Server |
| RAM usage | ~10–30 MB | ~2–4 GB |
| Setup complexity | Single Docker container | Multi-service orchestration |
| Official clients | All Bitwarden clients work | All Bitwarden clients |
| Self-hosted | Yes, designed for it | Yes, but heavyweight |
| Admin panel | Built-in | Via web vault only |
| Team features | Basic (invites, orgs, collections) | Full enterprise features |

Choose Vaultwarden for personal or small-team use where simplicity and low resource usage matter. Choose the official Bitwarden server if you need enterprise compliance, AD/LDAP integration, or large-scale multi-tenant deployments.

Daily Usage

Once deployed, use Vaultwarden exactly as you would Bitwarden. The server is compatible with every official Bitwarden client — set the Server URL in your client preferences to your self-hosted domain. All encryption happens client-side; the server never sees your master password or vault contents.

Features like TOTP authenticator codes, secure notes, credit card storage, and identity profiles all work as expected. Organizations and collections are supported for shared vaults. For mobile access, the Bitwarden mobile app connects seamlessly to your Vaultwarden instance.