SKIP TO CONTENT
FL1GHT5 Network

Oct 10, 2024 · Privacy & Self-Hosting / Intermediate · ~2 MIN READ

Host Your Own Password Manager with Vaultwarden

Deploy a Bitwarden-compatible password manager securely, with MFA, HTTPS, and a backup plan before trusting it with credentials.

Who This Is For

Intermediate.

Think of it like a home safe instead of sticky notes on the monitor. Just make sure you remember the combination, because there’s no landlord down the hall with a spare key.

What You’ll Build

A working password manager with MFA enabled, public registration disabled, and a tested restore.

Prerequisites

  • HTTPS via a reverse proxy
  • A strong admin credential
  • A backup destination
  • Reliable local DNS

Important Distinction

Vaultwarden is an unofficial Bitwarden-compatible server. It should not be deployed casually or exposed without care, this is the one service on this list where sloppy setup has real consequences.

Deploy with Docker Compose

$ services:
$   vaultwarden:
$     image: vaultwarden/server:latest
$     environment:
$       - DOMAIN=https://vault.example.com
$     volumes:
$       - ./data:/data
$     restart: unless-stopped

Put It Behind a Reverse Proxy With HTTPS

See the Nginx Proxy Manager article, Vaultwarden must be served over HTTPS for browser extensions and mobile apps to work correctly.

Create the First Account, Then Disable Registration

$ SIGNUPS_ALLOWED=false

Enable MFA

Turn on multi-factor authentication for every account, starting with your own.

Back Up the Data Directory

  • Vaultwarden’s SQLite database (or external DB if configured)
  • The Compose file and .env
  • A tested restore, not a hypothetical one

Prefer VPN Access Over Public Exposure

For a small personal setup, keeping Vaultwarden behind WireGuard or Tailscale rather than public HTTPS removes an entire class of risk.

Security & Backup Notes

  • This is an unofficial Bitwarden-compatible server, treat exposure decisions accordingly
  • MFA, HTTPS, and disabled public registration are non-negotiable, not optional hardening
  • Have a real plan for what happens if the master password is lost, there is generally no recovery path

Troubleshooting

  • Mobile app can’t connect, double-check the exact DOMAIN value matches what’s in the app
  • Reverse proxy WebSocket issue, Vaultwarden needs WebSocket support enabled on the proxy host for live sync
  • Browser extension fails, usually an HTTPS/certificate trust issue
  • Database backup inconsistency, stop the container briefly before copying the SQLite file, or use its built-in backup mechanism

Lab Finish Line

A working password manager, MFA enabled, public registration disabled, and restore tested.

What to Build Next

NEXT STEP

Want this running in your business?

Everything in the Lab is a service we deliver. If this guide describes your problem, skip the DIY weekend — send the brief.

FIVE MINUTES TO WRITE · A WRITTEN PLAN BACK · NO SALES CALL UNLESS YOU WANT ONE