Vaultwarden Docker Setup: Self-Host Your Password Manager

Set up Vaultwarden with Docker for a self-hosted password manager. All Bitwarden premium features free, migration guide, backup strategy, and remote access setup.

Vaultwarden is a lightweight, self-hosted password manager server compatible with all official Bitwarden client apps, as outlined in the Docker documentation. It stores your passwords, credit cards, secure notes, and identity information in an encrypted vault on your own server instead of Bitwarden’s cloud. You get all of Bitwarden’s premium features (TOTP authenticator, file attachments, emergency access, organization support) for free, because Vaultwarden is an independent open-source reimplementation of the Bitwarden server API.

Self-hosting your password manager means your encrypted vault never touches a third-party server. Your master password never travels across the internet to someone else’s infrastructure. If Bitwarden’s cloud service experiences a breach, outage, or policy change, your passwords remain accessible on your own hardware. The tradeoff is that you are responsible for server uptime and backups. With a proper Docker Compose setup and automated backups, this responsibility amounts to about 15 minutes of initial configuration and zero ongoing maintenance.

Vaultwarden vs Bitwarden: Key Differences

Vaultwarden (formerly bitwarden_rs) is not a fork of Bitwarden. It is a clean-room reimplementation of the Bitwarden server API written in Rust, while Bitwarden’s official server is written in C#/.NET. Vaultwarden consumes 10 to 50MB of RAM versus Bitwarden’s official self-hosted server, which requires 2GB+ RAM and multiple Docker containers (MSSQL database, API server, web vault, multiple worker services).

| Feature | Vaultwarden | Bitwarden Cloud (Free) | Bitwarden Cloud (Premium $10/yr) |
|---|---|---|---|
| Password storage | Unlimited | Unlimited | Unlimited |
| TOTP authenticator | Included free | Not included | Included |
| File attachments | Included free | Not included | Included (1GB) |
| Emergency access | Included free | Not included | Included |
| Organization support | Included free | 2 users max | 2 users max |
| Send (secure sharing) | Included free | Text only | Text + files |
| RAM usage | 10-50MB | N/A (cloud) | N/A (cloud) |
| Data location | Your server | Bitwarden cloud (US/EU) | Bitwarden cloud |
| Cost | Free (+ your hardware) | Free | $10/year |
| Client apps | All official Bitwarden apps | All official apps | All official apps |

Vaultwarden uses the exact same Bitwarden client applications (browser extensions, mobile apps, desktop apps, CLI). You install the standard Bitwarden app from the App Store, Play Store, or browser extension store and point it to your Vaultwarden server URL instead of bitwarden.com. The user experience is identical because Vaultwarden implements the same API that Bitwarden clients expect.

Installing Vaultwarden With Docker Compose

Vaultwarden runs as a single Docker container with an embedded SQLite database. No external database, no Redis, no multiple services. This simplicity makes it one of the easiest self-hosted applications to deploy and maintain.

Create a directory for Vaultwarden on your server. Inside it, create a Docker Compose file defining the Vaultwarden service. Map port 443 (HTTPS) from the container to your host, and mount a data volume for persistent storage of the encrypted vault database, attachments, and configuration.

Essential environment variables: set the domain to your server’s URL (required for WebSocket notifications and email links), configure SMTP settings for email notifications (password reset, new device login alerts), and set the admin token for accessing the /admin panel. The admin panel lets you manage users, organizations, and server settings through a web interface.

For secure access, Vaultwarden must run behind HTTPS. You have three options: use a reverse proxy like Caddy (which handles SSL automatically via Let’s Encrypt), use Tailscale’s HTTPS certificates for private network access, or enable Vaultwarden’s built-in Rocket TLS with your own certificate. Caddy with automatic HTTPS is the simplest approach for publicly accessible instances. Tailscale is simplest for personal/family use without public internet exposure.
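
The steps above, using the Caddy reverse-proxy option, as an added example that is not from the original article. It assumes the Vaultwarden image listens on port 80 inside the container; vault.example.com, the SMTP host and the directory names are placeholders. Signups are written as closed from the start.

```shell
#!/bin/sh
# Added example, not from the original article. vault.example.com, the SMTP
# host and the directory layout are placeholders to replace with your own.

# write_vaultwarden_stack DIR DOMAIN: create compose file, Caddyfile and .env
write_vaultwarden_stack() {
    vw_dir=$1
    vw_domain=$2
    mkdir -p "$vw_dir/vw-data" || return 1
    # Secrets go in .env (owner-only), never in the compose file itself.
    ( umask 077
      printf 'ADMIN_TOKEN=%s\nSMTP_PASSWORD=CHANGE_ME\n' \
          "$(od -An -tx1 -N32 /dev/urandom | tr -d ' \n')" > "$vw_dir/.env" )
    cat > "$vw_dir/docker-compose.yml" <<EOF
services:
  vaultwarden:
    image: vaultwarden/server:latest
    restart: unless-stopped
    env_file: .env
    environment:
      DOMAIN: "https://$vw_domain"   # needed for notifications and email links
      SIGNUPS_ALLOWED: "false"       # set "true" only while creating accounts
      SMTP_HOST: "smtp.example.com"  # placeholder mail relay
      SMTP_FROM: "vault@$vw_domain"
      SMTP_PORT: "587"
      SMTP_SECURITY: "starttls"
      SMTP_USERNAME: "vault@$vw_domain"
    volumes:
      - ./vw-data:/data              # db.sqlite3, attachments, sends, config
    # Nothing published here: the container is reachable only through Caddy.
  caddy:
    image: caddy:2
    restart: unless-stopped
    ports:
      - "80:80"     # ACME HTTP challenge and redirect to HTTPS
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - ./caddy-data:/data           # issued certificates persist here
EOF
    cat > "$vw_dir/Caddyfile" <<EOF
$vw_domain {
    reverse_proxy vaultwarden:80
}
EOF
}

# Usage: write_vaultwarden_stack /srv/vaultwarden vault.example.com
#        cd /srv/vaultwarden && docker compose up -d
```

The generated ADMIN_TOKEN is a random 64-character hex string; replace the SMTP_PASSWORD placeholder in .env before starting the stack.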

Migrating From Bitwarden Cloud to Vaultwarden

Bitwarden’s export function generates an encrypted or unencrypted JSON file containing your entire vault: passwords, secure notes, cards, and identities. Log into your Bitwarden web vault (vault.bitwarden.com), go to Tools, Export Vault, and choose the encrypted JSON format. The encrypted export protects your passwords with your master password during transit.

Log into your new Vaultwarden web vault (your server’s URL), go to Tools, Import Data, and select “Bitwarden (json)” as the format. Upload the exported file. Vaultwarden imports all entries, preserving folder structure, favorites, and custom fields. The import typically takes a few seconds even for vaults with thousands of entries.

After importing, update your Bitwarden client apps to point to your Vaultwarden server. In the Bitwarden app, tap the settings icon on the login screen, find “Self-hosted Environment,” and enter your Vaultwarden server URL. Log in with your existing master password (Vaultwarden uses the same encryption scheme as Bitwarden, so your master password works unchanged).

Configuring User Registration and Security

By default, Vaultwarden allows open registration, meaning anyone who knows your server URL can create an account. For personal and family use, disable open registration after creating your accounts by setting the SIGNUPS_ALLOWED environment variable to false.

Alternatively, use invitation-only registration: disable open signups and invite specific email addresses through the admin panel. Invited users receive an email link to create their account. This approach lets you add family members without opening registration to the public.

Enable two-factor authentication (2FA) for every account. Vaultwarden supports TOTP authenticators (Google Authenticator, Authy, Aegis), FIDO2 WebAuthn security keys (YubiKey, Google Titan), and Duo Security. For the strongest protection, combine a strong master password with a hardware security key for 2FA.

Backup Strategy for Your Password Vault

Losing your Vaultwarden database means losing all your passwords. This is the single most important service to back up on your entire server. Implement multiple backup layers.

The primary data to back up is the Vaultwarden data directory, which contains: db.sqlite3 (the encrypted vault database), attachments/ (any file attachments), sends/ (Bitwarden Send files), and config.json (server configuration). Copy this entire directory to a second location daily.

Automated backup approach: create a cron job or Docker container that copies the Vaultwarden data directory to a second drive nightly. For offsite backup, encrypt the backup with GPG and upload to a cloud storage provider (Backblaze B2 at $6/TB/month or any S3-compatible storage). The encrypted vault data is already encrypted with your master password, and the GPG layer adds protection for the server configuration and attachment files.
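
One way to script the nightly copy and the GPG step, as an added example that is not from the original article. It snapshots db.sqlite3 with the sqlite3 command-line tool rather than a plain file copy, so the backup stays consistent while the server is running; the paths, the cron schedule and the GPG recipient are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article. Needs sqlite3, tar and gpg on
# the host; all paths and the GPG recipient below are placeholders.

# vw_backup DATA_DIR DEST_DIR: snapshot the data directory into a tarball and
# print the tarball's path. Fails rather than archiving a bad database copy.
vw_backup() {
    vw_data=$1
    vw_dest=$2
    [ -f "$vw_data/db.sqlite3" ] || { echo "no db.sqlite3 in $vw_data" >&2; return 1; }
    vw_stage=$(mktemp -d) || return 1
    vw_out="$vw_dest/vaultwarden-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    vw_rc=0
    # .backup goes through SQLite's online backup API, so the snapshot is
    # consistent even if Vaultwarden writes during the copy (a plain cp is not).
    sqlite3 "$vw_data/db.sqlite3" ".backup '$vw_stage/db.sqlite3'" || vw_rc=1
    if [ "$vw_rc" -eq 0 ]; then
        vw_check=$(sqlite3 "$vw_stage/db.sqlite3" 'PRAGMA integrity_check;') || vw_rc=1
        [ "$vw_check" = ok ] || vw_rc=1
    fi
    if [ "$vw_rc" -eq 0 ]; then
        for vw_item in attachments sends config.json; do
            if [ -e "$vw_data/$vw_item" ]; then
                cp -Rp "$vw_data/$vw_item" "$vw_stage/" || vw_rc=1
            fi
        done
        mkdir -p "$vw_dest" || vw_rc=1
    fi
    if [ "$vw_rc" -eq 0 ]; then
        ( umask 077; tar -czf "$vw_out" -C "$vw_stage" . ) || vw_rc=1
    fi
    rm -rf "$vw_stage"          # never leave a stray copy of the vault in /tmp
    [ "$vw_rc" -eq 0 ] && printf '%s\n' "$vw_out"
}

# vw_encrypt ARCHIVE RECIPIENT: public-key encrypt the offsite copy. Only the
# recipient's public key lives on the server, so the server cannot decrypt it.
vw_encrypt() {
    gpg --batch --yes --encrypt --recipient "$2" --output "$1.gpg" "$1"
}

# Nightly cron entry (placeholder paths and recipient):
# 30 3 * * * . /usr/local/lib/vw-backup.sh && a=$(vw_backup /srv/vaultwarden/vw-data /mnt/backup) && vw_encrypt "$a" backup@example.com
```

The recipient's public key must already be imported and trusted in the keyring of the user running the job. Restore one archive to a scratch directory from time to time to confirm the backups are usable.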

Emergency access plan: Bitwarden’s Emergency Access feature (available in Vaultwarden for free) lets you designate a trusted contact who can request access to your vault after a configurable waiting period (1 to 30 days). If you become incapacitated, your designated contact initiates an access request, waits the specified period, and gains read access to your vault. This feature is critical for family password management.

Accessing Vaultwarden From Anywhere

A password manager is only useful if it is accessible from every device, everywhere. For Vaultwarden, remote access requires either exposing the server to the internet or using a VPN.

Tailscale (recommended for personal use) creates an encrypted mesh VPN connecting all your devices. Install Tailscale on your server and every device that needs vault access. Access Vaultwarden via the Tailscale IP address or MagicDNS hostname. Tailscale provides HTTPS certificates through its built-in Let’s Encrypt integration, solving the SSL requirement. No port forwarding, no public internet exposure, no firewall changes.

Cloudflare Tunnel (recommended for shared/family use) exposes Vaultwarden on a custom domain with HTTPS, DDoS protection, and Cloudflare’s WAF. Family members access the vault at a normal URL (like vault.yourdomain.com) without installing any VPN software. This approach requires owning a domain name but provides the most seamless access experience for non-technical family members.

Is Vaultwarden safe to use for passwords?

Yes. Vaultwarden uses the same end-to-end encryption as Bitwarden: AES-256 encryption, PBKDF2-SHA256 key derivation (or Argon2id), and zero-knowledge architecture. Your passwords are encrypted before leaving your device and can only be decrypted with your master password. The server stores only encrypted data it cannot read.

What happens if my Vaultwarden server goes down?

Bitwarden client apps cache your vault locally on every device. If the server is temporarily unreachable, you can still access, copy, and autofill all your passwords from the local cache. New passwords created offline sync to the server when connectivity restores. Server downtime only prevents cross-device sync and new device logins.

Can I use Vaultwarden with browser autofill?

Yes. Install the official Bitwarden browser extension for Chrome, Firefox, Safari, or Edge. Point it to your Vaultwarden server URL. The extension autofills passwords on web forms, generates strong passwords, and saves new credentials exactly like the cloud Bitwarden experience.

How do I update Vaultwarden?

Pull the latest Docker image and restart the container. With Docker Compose, run the pull command followed by up in detached mode. Vaultwarden handles database migrations automatically on startup. The update process takes under 30 seconds with less than 10 seconds of downtime. Your vault data persists in the mounted volume.

Is Vaultwarden legal to use?

Yes. Vaultwarden is licensed under AGPL-3.0, making it fully legal to use, modify, and self-host. It is a clean-room reimplementation, not a copy of Bitwarden’s code. Bitwarden, Inc. has acknowledged Vaultwarden’s existence without legal challenge. The Bitwarden client apps are licensed under GPL-3.0, also permitting self-hosted server use.

Chris Rossiter
