Oct 10, 2024 · Privacy & Self-Hosting / Intermediate · ~2 MIN READ
Host Your Own Password Manager with Vaultwarden
Deploy a Bitwarden-compatible password manager securely, with MFA, HTTPS, and a backup plan before trusting it with credentials.
Who This Is For
Intermediate.
Think of it like a home safe instead of sticky notes on the monitor. Just make sure you remember the combination, because there’s no landlord down the hall with a spare key.
What You’ll Build
A working password manager with MFA enabled, public registration disabled, and a tested restore.
Prerequisites
- HTTPS via a reverse proxy
- A strong admin credential
- A backup destination
- Reliable local DNS
Important Distinction
Vaultwarden is an unofficial Bitwarden-compatible server. It should not be deployed casually or exposed without care, this is the one service on this list where sloppy setup has real consequences.
Deploy with Docker Compose
$ services:
$ vaultwarden:
$ image: vaultwarden/server:latest
$ environment:
$ - DOMAIN=https://vault.example.com
$ volumes:
$ - ./data:/data
$ restart: unless-stopped
Put It Behind a Reverse Proxy With HTTPS
See the Nginx Proxy Manager article, Vaultwarden must be served over HTTPS for browser extensions and mobile apps to work correctly.
Create the First Account, Then Disable Registration
$ SIGNUPS_ALLOWED=false
Enable MFA
Turn on multi-factor authentication for every account, starting with your own.
Back Up the Data Directory
- Vaultwarden’s SQLite database (or external DB if configured)
- The Compose file and
.env - A tested restore, not a hypothetical one
Prefer VPN Access Over Public Exposure
For a small personal setup, keeping Vaultwarden behind WireGuard or Tailscale rather than public HTTPS removes an entire class of risk.
Security & Backup Notes
- This is an unofficial Bitwarden-compatible server, treat exposure decisions accordingly
- MFA, HTTPS, and disabled public registration are non-negotiable, not optional hardening
- Have a real plan for what happens if the master password is lost, there is generally no recovery path
Troubleshooting
- Mobile app can’t connect, double-check the exact DOMAIN value matches what’s in the app
- Reverse proxy WebSocket issue, Vaultwarden needs WebSocket support enabled on the proxy host for live sync
- Browser extension fails, usually an HTTPS/certificate trust issue
- Database backup inconsistency, stop the container briefly before copying the SQLite file, or use its built-in backup mechanism
Lab Finish Line
A working password manager, MFA enabled, public registration disabled, and restore tested.