A password manager is the one app that knows everything — every login, every recovery code, every secret you have. Most people hand that to a third-party cloud and hope. You can instead run it yourself, on a box you control. Vaultwarden is a lightweight, Bitwarden-compatible server that does exactly that. Here's the honest version of doing it right — including the part where you become the security team.
What Vaultwarden is
It's a small, self-hosted server that speaks the Bitwarden protocol. You keep using the official Bitwarden apps and browser extensions — you just point them at your server instead of the public cloud. It's written to be light: it runs comfortably on a 1 GB box and barely notices you.
Why self-host it
Your vault lives on your infrastructure. No third party holds your encrypted data, no one else's breach is your problem, and you set the backup and access policy. For a privacy-minded person, that control is the point. In exchange, the uptime and the backups are now yours to own — which we'll get to honestly.
The setup
A small box. 1 GB of RAM is enough. Disk needs are tiny — a vault is text.
Docker, with a persistent volume. Run the Vaultwarden container and mount a volume for its data. That volume is your entire vault; it must survive restarts, updates, and reboots.
services:
  vaultwarden:
    image: vaultwarden/server:latest
    restart: unless-stopped
    volumes:
      - ./vw-data:/data   # the whole vault lives here; back this directory up
    environment:
      - SIGNUPS_ALLOWED=true # turn this off after you register
    ports:
      - "127.0.0.1:8080:80"   # loopback only; the reverse proxy is the public face
HTTPS is non-negotiable for anything holding secrets. Put a reverse proxy in front to terminate TLS on your domain. Caddy fetches a free certificate automatically:
vault.yourdomain.com {
    reverse_proxy 127.0.0.1:8080
}
Point vault.yourdomain.com at your VPS. Because a secrets server needs its own public HTTPS endpoint, this wants a dedicated-IP plan — a NAT box, with only one forwarded SSH port, can't serve it.
Back it up like it's irreplaceable — because it is
The data volume is your vault. If the disk dies and you have no copy, every password is gone with it. This is the single most important step here, more than any tuning: automate a regular backup of that volume to somewhere off the box — another machine, object storage, your own laptop. Do this before you trust the server with anything real.
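One way to automate that step, as an added example that is not from this post or from the Vaultwarden project: a POSIX shell routine that snapshots the ./vw-data volume from the compose file into a timestamped tarball and then proves the tarball restores. It assumes the default SQLite backend (db.sqlite3 inside the data directory) and treats the sqlite3 CLI as optional; the other file names are the ones Vaultwarden keeps under /data.

```shell
#!/bin/sh
# Snapshot a Vaultwarden data volume (./vw-data, mounted at /data in the
# compose file) into a timestamped tarball, ready to ship off the box with
# rsync, rclone or scp.
# Assumption (not stated on the page): the default SQLite backend, so the
# vault database is DATA_DIR/db.sqlite3. The sqlite3 CLI is optional.
set -eu

# vw_backup DATA_DIR DEST_DIR -> prints the path of the archive it wrote
vw_backup() {
    data_dir=$1; dest_dir=$2
    work=$(mktemp -d)
    mkdir -p "$dest_dir"
    # A plain cp of a live SQLite file can capture a half-written page, so
    # use SQLite's online backup command when the CLI is available.
    if [ -f "$data_dir/db.sqlite3" ]; then
        if command -v sqlite3 >/dev/null 2>&1; then
            sqlite3 "$data_dir/db.sqlite3" ".backup $work/db.sqlite3"
        else
            echo "warning: sqlite3 not found, copying the live database" >&2
            cp "$data_dir/db.sqlite3" "$work/db.sqlite3"
        fi
    fi
    # Files that cannot be regenerated: attachments, Sends, the RSA key pair
    # that signs login tokens, and the admin-panel config. icon_cache is
    # skipped on purpose; it is rebuilt on demand.
    for item in attachments sends rsa_key.pem rsa_key.pub.pem config.json; do
        if [ -e "$data_dir/$item" ]; then cp -R "$data_dir/$item" "$work/"; fi
    done
    out="$dest_dir/vaultwarden-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    tar -C "$work" -czf "$out" .
    rm -rf "$work"
    echo "$out"
}

# vw_backup_check ARCHIVE -> returns 0 only if the database restores from the
# archive and passes SQLite's integrity check (an untested backup is a hope)
vw_backup_check() {
    scratch=$(mktemp -d)
    tar -C "$scratch" -xzf "$1" ./db.sqlite3 2>/dev/null || true
    if [ ! -f "$scratch/db.sqlite3" ]; then rm -rf "$scratch"; return 1; fi
    if command -v sqlite3 >/dev/null 2>&1; then
        result=$(sqlite3 "$scratch/db.sqlite3" 'PRAGMA integrity_check;')
    else
        result=ok   # without sqlite3 we can only confirm the file extracted
    fi
    rm -rf "$scratch"
    [ "$result" = ok ]
}
```

Call `vw_backup ./vw-data /srv/backups` from cron, sync the archive off the box, and run `vw_backup_check` against the copy at the destination rather than the local one.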
Lock it down hard
This box holds all your passwords, so treat it that way:
- Close signups after you register. Set SIGNUPS_ALLOWED=false and restart, so no one else can create an account on your server.
- Keys-only SSH, firewall to 443 and your SSH port. (The ten-minute checklist.)
- Keep it patched. Pull new images regularly — a secrets server is a worthwhile target.
The honest limits
- You are now the security team for the thing holding all your passwords. That's real responsibility, not a slogan — take it seriously or don't self-host this one.
- No backup means one disk failure from losing everything. There is no undo. This is non-negotiable.
- It's a target once it's public. Auth, patching, and closed signups are what keep it boring.
- If you'd rather not own this, a reputable managed manager is a completely legitimate choice. Self-hosting buys control, and control has a maintenance cost — go in knowing that.
Paying for it
Sign up with an email and pay in USDC or USDT — no card, no ID. Fitting, for the box that keeps the keys to everything else off any identity trail.