
Why I self-host my passwords with Vaultwarden

3 min read · Security, Self-Hosting

Your password manager has the keys to your entire digital life. Every account, every credential, every sensitive note. Trusting a third party with that data is a calculated risk. I decided the math works better when I control the server.

What Vaultwarden is

Vaultwarden is an unofficial, lightweight implementation of the Bitwarden server API. It is compatible with all official Bitwarden clients (browser extensions, mobile apps, desktop apps) but uses a fraction of the resources. A full Bitwarden server requires multiple services and significant RAM. Vaultwarden runs in a single Docker container with under 50MB of memory.

Why not just use Bitwarden's cloud?

Bitwarden's cloud service is well-run and trustworthy. I am not saying it is insecure. But there are practical reasons to self-host:

Data sovereignty. My encrypted vault is on my hardware. If Bitwarden gets breached (it has happened to competitors), my data is not in the blast radius.

No subscription for premium features. Vaultwarden includes all premium features for free: TOTP generation, file attachments, emergency access, and organization support.

Offline resilience. My password server is on my local network. If my internet goes down, I can still access my vault. Cloud-hosted password managers can and do have outages.

No vendor lock-in. If Bitwarden changes their pricing, gets acquired, or shuts down, I am unaffected. My data is in a standard format that I can export at any time.

Setting it up

Vaultwarden runs as a single Docker container:

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    ports:
      # The container serves plain HTTP on 80; the reverse proxy terminates TLS.
      # Bind as "127.0.0.1:8080:80" if the proxy runs on the same host, so the
      # unencrypted port is not reachable from the network.
      - "8080:80"
    volumes:
      - ./vw-data:/data  # database, attachments and key material; this is what you back up
    environment:
      SIGNUPS_ALLOWED: "false"             # closed once your own account exists
      DOMAIN: "https://vault.example.com"  # must match the URL the clients use

Set SIGNUPS_ALLOWED to true for initial setup, create your account, then set it back to false. Point a reverse proxy (Caddy works great) at port 8080 with HTTPS, and you are done.

Using the Bitwarden clients

This is the best part: you use the official Bitwarden apps. Install the browser extension, mobile app, or desktop app. In the settings, change the server URL from bitwarden.com to your self-hosted domain. Log in with your credentials and everything works exactly like the cloud version.

Auto-fill, password generation, TOTP codes, secure notes. All of it works through the official clients. Most people would not know you are running a self-hosted server.

Backups

Your password database is a single SQLite file at ./vw-data/db.sqlite3. Back it up regularly. I have a cron job that copies it to my NAS every night and an offsite backup weekly.

If your server dies, restore the data directory to a new Vaultwarden instance and everything is back. I have tested this and it takes about 2 minutes.
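As an added example (not the post's own cron job), here is a snapshot script in Python: it copies db.sqlite3 through SQLite's online backup API instead of a plain file copy, which can capture a half-written database while the container is writing, checks the copy with integrity_check, copies the rest of the data directory (key material, attachments) alongside it, and prunes old snapshots. The directory names, the keep count and the set of skipped files are assumptions.

```python
import shutil
import sqlite3
import time
from pathlib import Path

# Database files are handled via the backup API; the icon cache is regenerable.
# Assumed layout of Vaultwarden's /data directory.
SKIP = ("db.sqlite3", "db.sqlite3-wal", "db.sqlite3-shm", "icon_cache")

def backup_vault(data_dir, backup_dir, keep=7, stamp=None):
    """Write one consistent snapshot of a Vaultwarden data directory.

    The database goes through SQLite's online backup API instead of cp,
    so the copy is consistent even if the container is mid-write. Other
    files (rsa_key*, attachments/, sends/, ...) are copied as they are.
    Returns the snapshot directory; raises if the copy fails integrity_check.
    """
    data_dir, backup_dir = Path(data_dir), Path(backup_dir)
    dest = backup_dir / (stamp or time.strftime("%Y%m%d-%H%M%S"))
    dest.mkdir(parents=True)
    src = sqlite3.connect(data_dir / "db.sqlite3")
    dst = sqlite3.connect(dest / "db.sqlite3")
    try:
        src.backup(dst)  # page-by-page copy under SQLite's own locking
        ok = dst.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
    finally:
        src.close()
        dst.close()
    if not ok:
        shutil.rmtree(dest)
        raise RuntimeError("snapshot failed integrity_check; discarded")
    for item in data_dir.iterdir():
        if item.name in SKIP:
            continue
        copy = shutil.copytree if item.is_dir() else shutil.copy2
        copy(item, dest / item.name)
    # Keep only the newest `keep` snapshots; timestamp names sort chronologically.
    for old in sorted(p for p in backup_dir.iterdir() if p.is_dir())[:-keep]:
        shutil.rmtree(old)
    return dest

def snapshot_tables(snapshot_dir):
    """Open a snapshot and list its tables, as a cheap restore sanity check."""
    con = sqlite3.connect(Path(snapshot_dir) / "db.sqlite3")
    try:
        return sorted(r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'"))
    finally:
        con.close()
```

Run it from cron against ./vw-data and ship the newest snapshot directory offsite; restoring is copying a snapshot back to /data of a fresh container.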

The tradeoffs

You are responsible for uptime. If your server goes down, you need to fix it. The Bitwarden mobile app caches your vault offline, so you are not locked out, but new entries will not sync until the server is back.

You are responsible for security. Keep the container updated, use HTTPS, restrict signups, and use a strong master password. The attack surface is small (one container, one port), but it is your responsibility.

You are responsible for backups. If you lose the data directory without a backup, your passwords are gone. This is the one thing you absolutely cannot skip.

For me, these tradeoffs are worth it. My passwords are on my hardware, accessible from all my devices, and I pay nothing for premium features. The setup took 15 minutes and maintenance is essentially zero.
