Self-Hosting Vaultwarden: Secure Password Management Guide (2025)

In an era of frequent data breaches, trusting a third-party cloud provider with your passwords is becoming harder. Self-hosting your password manager gives you complete control over your data.

Vaultwarden is the community's favorite choice. It's a lightweight implementation of the Bitwarden server API written in Rust. It runs perfectly on low-power hardware like the Raspberry Pi or Intel N100 mini PCs.

Why Vaultwarden?

• Compatible: Works with all official Bitwarden apps (iOS, Android, Browser Extensions).
• Lightweight: Uses a fraction of the RAM compared to the official Bitwarden server (which requires MSSQL).
• Feature-Rich: Includes premium Bitwarden features (like TOTP generation) for free.

Prerequisites

• A home server with Docker and Docker Compose installed.
• A domain name (optional but recommended for SSL).
• Port forwarding capability (if accessing remotely).

Step 1: The Docker Compose File

Create a folder for your project:

mkdir vaultwarden
cd vaultwarden
nano docker-compose.yml

Paste the following configuration:

version: '3'

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      - WEBSOCKET_ENABLED=true  # Required for instant sync
      - SIGNUPS_ALLOWED=true    # Set to false after creating your account!
    volumes:
      - ./vw-data:/data
    ports:
      - 8080:80

volumes:
  vw-data:

Step 2: Start the Server

Run the container:

docker compose up -d

You can now access it at http://your-server-ip:8080. However, Bitwarden clients require HTTPS to work. You cannot create an account or log in over plain HTTP (except on localhost).

Step 3: Enabling HTTPS (The Easy Way)

The best way to handle HTTPS is using a reverse proxy like Caddy or Nginx Proxy Manager.

Using Caddy (Automatic SSL)

Add Caddy to your docker-compose.yml:

services:
  vaultwarden:
    # ... previous config ...
    
  caddy:
    image: caddy:2
    container_name: caddy
    restart: always
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config
    environment:
      - ACME_AGREE=true

volumes:
  vw-data:
  caddy_data:
  caddy_config:

Create a Caddyfile:

yourdomain.com {
  reverse_proxy vaultwarden:80
}

Now, Caddy will automatically get an SSL certificate from Let's Encrypt for your domain.

Step 4: Security Best Practices

1. Disable Signups: Once you have created your account, stop the container, change SIGNUPS_ALLOWED=true to false in your docker-compose file, and restart. This prevents strangers from creating accounts on your server.
2. Enable 2FA: Log in to your new vault and set up Two-Factor Authentication immediately.
3. Backups: Your passwords live in the ./vw-data folder. Back this up regularly! If you lose this folder, you lose your passwords. Use a tool like Restic or a simple cron job to copy it to another drive or cloud storage.

Conclusion

Self-hosting Vaultwarden is one of the most rewarding home server projects. You get a premium password management experience, complete data sovereignty, and it runs on practically zero resources.