EQVPS

Self-host your passwords: Vaultwarden on a VPS

Jul 5, 2026 · 3 min read · EQVPS Team

A password manager is the one app that knows everything — every login, every recovery code, every secret you have. Most people hand that to a third-party cloud and hope. You can instead run it yourself, on a box you control. Vaultwarden is a lightweight, Bitwarden-compatible server that does exactly that. Here's the honest version of doing it right — including the part where you become the security team.

What Vaultwarden is

It's a small, self-hosted server that speaks the Bitwarden protocol. You keep using the official Bitwarden apps and browser extensions — you just point them at your server instead of the public cloud. It's written to be light: it runs comfortably on a 1 GB box and barely notices you.

Why self-host it

Your vault lives on your infrastructure. No third party holds your encrypted data, no one else's breach is your problem, and you set the backup and access policy. For a privacy-minded person, that control is the point. In exchange, the uptime and the backups are now yours to own — which we'll get to honestly.

The setup

A small box. 1 GB of RAM is enough. Disk needs are tiny — a vault is text.

Docker, with a persistent volume. Run the Vaultwarden container and mount a volume for its data. That volume is your entire vault; it must survive restarts, updates, and reboots.

services:
  vaultwarden:
    image: vaultwarden/server:latest
    restart: unless-stopped
    volumes:
      - ./vw-data:/data
    environment:
      - SIGNUPS_ALLOWED=true   # turn this off after you register
    ports:
      - "127.0.0.1:8080:80"

HTTPS is non-negotiable for anything holding secrets. Put a reverse proxy in front to terminate TLS on your domain. Caddy fetches a free certificate automatically:

vault.yourdomain.com {
    reverse_proxy 127.0.0.1:8080
}

Point vault.yourdomain.com at your VPS. Because a secrets server needs its own public HTTPS endpoint, this wants a dedicated-IP plan — a NAT box, with only one forwarded SSH port, can't serve it.

Back it up like it's irreplaceable — because it is

The data volume is your vault. If the disk dies and you have no copy, every password is gone with it. This is the single most important step here, more than any tuning: automate a regular backup of that volume to somewhere off the box — another machine, object storage, your own laptop. Do this before you trust the server with anything real.

Lock it down hard

This box holds all your passwords, so treat it that way:

The honest limits

Paying for it

Sign up with an email and pay in USDC or USDT — no card, no ID. Fitting, for the box that keeps the keys to everything else off any identity trail.

FAQ

How much VPS do I need for Vaultwarden?

Very little — 1 GB of RAM is plenty; it's a light server. What matters more than specs is a dedicated IP and a domain, because a secrets server needs its own HTTPS endpoint.

Is self-hosting my passwords actually safe?

It can be as safe as you make it: HTTPS, keys-only SSH, signups closed after setup, kept patched, and backed up off the box. The real risk is operational — skip backups and one disk failure loses the vault.

Can I use the normal Bitwarden apps?

Yes. Vaultwarden is compatible with the official Bitwarden apps and browser extensions — you just point them at your own server URL instead of the public cloud.

What happens if the server dies?

With an off-box backup you restore and carry on. Without one, the vault is gone — which is exactly why backups are the first thing to set up, not the last.

← Back to blogSee plans & pricing →