Self-Hosting Guide: Deploy Bitwarden for Password Management

Bitwarden is the most popular open source password manager. Self-hosting with Vaultwarden (a lightweight, community-maintained Bitwarden-compatible server) gives you all premium features for free — TOTP, file attachments, organizations, and Bitwarden Send — using a fraction of the resources.

Why Vaultwarden?

Requirements

• VPS with 512 MB RAM minimum
• Docker
• Domain name (e.g., vault.yourdomain.com)
• HTTPS required (Bitwarden clients refuse HTTP)
• 5+ GB disk

Step 1: Deploy with Docker

docker run -d \
  --name vaultwarden \
  --restart unless-stopped \
  -p 8080:80 \
  -v vw-data:/data \
  -e DOMAIN=https://vault.yourdomain.com \
  -e SIGNUPS_ALLOWED=true \
  -e ADMIN_TOKEN=your-long-random-admin-token \
  vaultwarden/server:latest

Generate admin token:

openssl rand -hex 32

Step 2: Reverse Proxy (Caddy) — HTTPS Required

# /etc/caddy/Caddyfile
vault.yourdomain.com {
    reverse_proxy localhost:8080
}

sudo systemctl restart caddy

HTTPS is mandatory. Bitwarden clients will not connect over HTTP.

Step 3: DNS

Add an A record: vault.yourdomain.com → your server IP

Step 4: Create Your Account

1. Open https://vault.yourdomain.com
2. Click Create Account
3. Set a strong master password (this is the only password you need to remember)

Important: After creating your account, disable sign-ups:

docker stop vaultwarden
docker rm vaultwarden
docker run -d \
  --name vaultwarden \
  --restart unless-stopped \
  -p 8080:80 \
  -v vw-data:/data \
  -e DOMAIN=https://vault.yourdomain.com \
  -e SIGNUPS_ALLOWED=false \
  -e ADMIN_TOKEN=your-long-random-admin-token \
  vaultwarden/server:latest

Or use the admin panel to invite specific users.

Step 5: Install Clients

All official Bitwarden clients work with Vaultwarden:

Step 6: Configure SMTP (For Invitations)

docker run -d \
  --name vaultwarden \
  --restart unless-stopped \
  -p 8080:80 \
  -v vw-data:/data \
  -e DOMAIN=https://vault.yourdomain.com \
  -e SIGNUPS_ALLOWED=false \
  -e ADMIN_TOKEN=your-admin-token \
  -e SMTP_HOST=smtp.resend.com \
  -e SMTP_PORT=587 \
  -e SMTP_SECURITY=starttls \
  -e SMTP_USERNAME=resend \
  -e SMTP_PASSWORD=re_your_api_key \
  -e SMTP_FROM=vault@yourdomain.com \
  vaultwarden/server:latest

Step 7: Admin Panel

Access at https://vault.yourdomain.com/admin

Admin capabilities:

• Invite users (bypasses sign-up restriction)
• View all users and their status
• Delete users
• View organization details
• Configure server settings
• Check diagnostics

Step 8: Set Up Organizations (Team Sharing)

1. Login to web vault
2. Settings → Organizations → New Organization
3. Invite team members
4. Create Collections (shared folders):
   • Engineering passwords
   • Infrastructure secrets
   • Marketing accounts
   • Shared company logins

Permissions:

• Owner → full control
• Admin → manage collections and members
• User → access assigned collections
• Custom → granular permissions per collection

Step 9: Enable 2FA

In your vault → Settings → Two-step Login:

Always set up 2FA. Your master password protects all other passwords.

Step 10: Import Existing Passwords

1. Export from your current password manager:

   • 1Password → .1pux or CSV
   • LastPass → CSV
   • Chrome → CSV (chrome://settings/passwords → Export)
   • KeePass → .kdbx or CSV

2. In Bitwarden web vault → Tools → Import data

3. Select format and upload

4. Verify imported entries

Production Hardening

Docker Compose (recommended):

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    ports:
      - "8080:80"
    volumes:
      - vw-data:/data
    environment:
      - DOMAIN=https://vault.yourdomain.com
      - SIGNUPS_ALLOWED=false
      - ADMIN_TOKEN=your-admin-token
      - SMTP_HOST=smtp.resend.com
      - SMTP_PORT=587
      - SMTP_SECURITY=starttls
      - SMTP_USERNAME=resend
      - SMTP_PASSWORD=re_your_api_key
      - SMTP_FROM=vault@yourdomain.com
      - LOG_LEVEL=warn
      - WEBSOCKET_ENABLED=true

volumes:
  vw-data:

Backups (CRITICAL — this is your password vault):

# Daily backup of the data directory
docker run --rm -v vw-data:/data -v /backups:/backup alpine \
  tar czf /backup/vaultwarden-$(date +%Y%m%d).tar.gz /data

# Copy backup off-server (S3, another VPS, or local)
rclone copy /backups/vaultwarden-$(date +%Y%m%d).tar.gz remote:backups/

Set up multiple backup locations. If you lose this data, you lose all passwords.

Updates:

docker pull vaultwarden/server:latest
docker stop vaultwarden
docker rm vaultwarden
# Re-run docker run command (data persists in volume)

Security:

• Strong admin token (64+ characters)
• Disable sign-ups after creating accounts
• Enable 2FA for all users
• Regular backups to off-site locations
• Monitor for unauthorized access in admin panel
• Keep Vaultwarden updated

Resource Usage

Vaultwarden is incredibly lightweight — it can easily share a VPS with other services.

VPS Recommendations

vs Bitwarden Teams ($4/user/month): A 20-person team saves $960/year with self-hosted Vaultwarden.

Compare password managers on OSSAlt — features, security, and pricing side by side.