🔑 Setup Vaultwarden — Self-Hosted Password Manager

Deploy Vaultwarden, a lightweight Bitwarden-compatible server. Store all your passwords, secrets, and secure notes on your own infrastructure with full Bitwarden client support.

⚠️ This script is provided for demo and testing purposes only.

📦 Resources & Setup Scripts

Grab the automated bash script from GitHub to follow along.

Automated install script — Bitwarden-compatible vault server ready instantly.

Quick Install:

wget https://raw.githubusercontent.com/mhmdali94/Docker/main/security/vaultwarden/vaultwarden-ubuntu.sh
chmod +x vaultwarden-ubuntu.sh
sudo bash vaultwarden-ubuntu.sh

Tutorial Steps

1. Download & Run the Script

The script installs Docker, pulls the Vaultwarden image, and starts the server. Signups are enabled by default for initial setup.

wget https://raw.githubusercontent.com/mhmdali94/Docker/main/security/vaultwarden/vaultwarden-ubuntu.sh
chmod +x vaultwarden-ubuntu.sh
sudo bash vaultwarden-ubuntu.sh

2. Create Your Account

Open your browser and navigate to Vaultwarden at the address below. Create your admin account, then disable signups in the admin panel to prevent unauthorized registrations.

http://YOUR-SERVER-IP:8086

3. Connect Bitwarden Clients

Install the official Bitwarden app or browser extension. In the app settings, set the Server URL to your Vaultwarden address. Log in with your account credentials.

4. Import and Organize Passwords

Import passwords from your browser or previous password manager via the web vault. Organize items into collections and folders. Enable 2FA for extra security.

Ports Used

Port    Protocol    Purpose
8086    TCP         Web Vault & API

Files Location

/root/docker/vaultwarden/docker-compose.yml

Overview

Vaultwarden is an unofficial, lightweight Bitwarden-compatible server implementation written in Rust. It stores all your passwords, secure notes, and credit card details in a self-hosted vault. All official Bitwarden clients (browser extensions, mobile apps, desktop apps) work seamlessly with Vaultwarden. Your passwords never leave your server.

Why Use It

Vaultwarden is the self-hosted alternative to commercial password managers, giving your team or organization a Bitwarden-compatible vault at zero subscription cost. Because you control the server, passwords and secure notes never leave your infrastructure — critical for organizations that cannot trust third-party cloud services with credentials. All official Bitwarden clients work natively with Vaultwarden: browser extensions, mobile apps, and desktop apps, so users get the same polished experience without cloud dependency.

When You Need It

Who Should Use It

Real Use Cases

Main Features

How to Use After Installation

Security Best Practices

Ports and Firewall Notes

Vaultwarden listens on port 80 by default inside Docker. This must be reverse-proxied to HTTPS on port 443 — Bitwarden clients will not connect without HTTPS. The /admin panel is on the same domain under the /admin path. No additional ports are needed. Restrict /admin to your VPN or IP range using Nginx's location-based access control while keeping the main vault accessible from anywhere.
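
One way to write the reverse proxy described above, as an added example rather than configuration from this page or its install script. The hostname, certificate paths, upload limit, and VPN subnet are assumed placeholders; the upstream port is the 8086 listed under Ports Used.

```nginx
# Added example. Assumed: vault.example.com, the certificate paths,
# the 128M upload limit, and the VPN subnet 10.8.0.0/24.

# Plain HTTP only redirects; Bitwarden clients require HTTPS.
server {
    listen 80;
    server_name vault.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name vault.example.com;

    ssl_certificate     /etc/ssl/certs/vault.example.com.fullchain.pem;  # assumed path
    ssl_certificate_key /etc/ssl/private/vault.example.com.key;          # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    client_max_body_size 128M;   # assumed limit for attachments and imports

    # Set once at server level; locations inherit these as long as they
    # define no proxy_set_header of their own.
    proxy_http_version 1.1;
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade           $http_upgrade;   # allow WebSocket upgrade
    proxy_set_header Connection        "upgrade";

    # Main vault: reachable from anywhere.
    location / {
        proxy_pass http://127.0.0.1:8086;
    }

    # Admin panel: VPN range only. The prefix match also covers /admin/...
    location /admin {
        allow 10.8.0.0/24;   # assumed VPN subnet
        deny  all;           # every other source address gets 403
        proxy_pass http://127.0.0.1:8086;
    }
}

# The /admin rule only holds if port 8086 is not reachable from outside:
# firewall it or publish it on 127.0.0.1 only, otherwise /admin can still
# be requested directly on :8086, bypassing Nginx.
```

Check the file with `nginx -t` before reloading Nginx.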

Backup and Maintenance

Common Mistakes

Troubleshooting

Alternatives

Bitwarden's official cloud service is the easiest alternative — same client apps, free tier for individuals, no server management. 1Password and LastPass are commercial managers with extensive enterprise features. KeePass and KeePassXC are fully offline, file-based managers — no server needed, but no sync without a separate file sync tool. Passbolt is another self-hosted team password manager focused on GPG-based encryption. If you're an individual without a server, Bitwarden's free cloud account requires no server management at all.

When Not to Use It

Vaultwarden requires HTTPS and ongoing server maintenance — it's not suitable for users who want a no-technical-responsibility setup. For enterprises with SOC 2 or ISO 27001 requirements, Bitwarden's official cloud (with formal audits) may be preferable to self-hosting. If your team already uses 1Password Business with Active Directory sync, custom roles, or Travel Mode, self-hosting Vaultwarden won't replicate all those enterprise features. Individuals without an existing server have little incentive to run one just for password management.

Frequently Asked Questions

Is Vaultwarden officially supported by Bitwarden?

No. Vaultwarden is an unofficial community-maintained reimplementation of the Bitwarden API written in Rust. It is not affiliated with Bitwarden, Inc. However, it is mature, widely used, and actively maintained. All official Bitwarden clients are compatible because they communicate with the same API that Vaultwarden implements.

Can I use the official Bitwarden mobile apps with Vaultwarden?

Yes. The official Bitwarden apps for iOS and Android work with Vaultwarden. In the app, go to server settings and set the Self-hosted environment URL to your Vaultwarden domain with HTTPS. The browser extensions work the same way. You do not need unofficial or modified apps.

Is it safe to expose Vaultwarden to the internet?

Yes, with proper setup. HTTPS is mandatory and enforced by the clients themselves. Enable 2FA on all accounts. Disable new user registration. Restrict /admin by IP if possible. Vault data is encrypted with your master password — even if someone accessed the database, they could not decrypt it without your password. The security model is equivalent to Bitwarden's cloud service.

What happens if the Vaultwarden server goes down?

Bitwarden clients cache an encrypted copy of the vault locally. If the server is unreachable, you can still read all existing passwords from the local cache using your master password. You cannot add or sync new passwords until the server is back online. Regular backups and uptime monitoring are essential.

How do I share passwords with my team using Vaultwarden?

Create an Organization in the web vault. Invite team members by email — requires SMTP to be configured. Create Collections within the organization and assign passwords to collections. Grant members access to specific collections with view-only or edit permissions. This works identically to Bitwarden Organizations on the cloud.

Can Vaultwarden store TOTP authenticator codes?

Yes. You can add a TOTP secret to any vault item and Vaultwarden generates the time-based codes. This lets you use the Bitwarden browser extension as a combined password and TOTP authenticator. However, for security, consider keeping TOTP codes in a separate app so a compromised vault doesn't expose both authentication factors simultaneously.

How do I migrate from LastPass or 1Password to Vaultwarden?

Export your passwords from LastPass or 1Password in their export formats. In the Bitwarden web vault, go to Tools > Import Data and select your source. Upload the export file — Vaultwarden imports all entries including folders and secure notes. After import, delete the unencrypted export file immediately from all devices.

Does Vaultwarden support WebAuthn and hardware security keys?

Yes. Vaultwarden supports WebAuthn for 2FA, including YubiKey, Google Titan, and other FIDO2-compliant hardware keys. Configure this under Account Settings > Two-step Login in the web vault. WebAuthn is the strongest 2FA option — recommended for high-security accounts that manage sensitive organizational credentials.