A password manager is one of the most important security tools you can use. Running your own self-hosted password manager means your encrypted vault never touches a third-party server. Vaultwarden and Bitwarden are the two main options for self-hosting. Here is everything you need to know.
Why Self-Host Your Password Manager?
- Your password vault stays on your hardware, not someone else’s server
- No subscription fees (Bitwarden charges $10-40 per year for premium features)
- Complete control over your data and backups
- Works even if the service company shuts down
Bitwarden (Official Self-Host)
Bitwarden is the leading open-source password manager with a full self-hosted option. The official server requires Docker and runs multiple containers (API, web, notifications, database). It is the complete, officially supported version of Bitwarden with all features including enterprise options.
Requirements: ~2GB RAM minimum, Docker, a decent server. More resource-intensive than Vaultwarden.
Pros: Official support, all features, enterprise capabilities, regular updates
Cons: Heavy resource usage, complex setup with many containers
Vaultwarden (Community Alternative)
Vaultwarden is a community-built, Bitwarden-compatible server written in Rust. It is dramatically lighter (runs happily on a Raspberry Pi with 512MB RAM), uses a single Docker container, and is compatible with all official Bitwarden client apps (browser extensions, desktop apps, mobile apps).
Requirements: 512MB RAM, single Docker container. Runs on anything.
Pros: Extremely lightweight, simple setup, free all premium features, compatible with Bitwarden apps
Cons: Not officially supported by Bitwarden, community maintained
Feature Comparison
Vaultwarden unlocks all Bitwarden premium features for free, including:
- TOTP authenticator codes (two-factor authentication)
- Emergency access
- Organization and sharing features
- Encrypted attachments
- Admin panel for user management
Setting Up Vaultwarden (Recommended)
Hardware: Any always-on Linux machine works. A Raspberry Pi 5 is more than sufficient, as is a mini PC if you are running other services too.
Docker Compose Install
version: "3"
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
restart: unless-stopped
ports:
- "8080:80"
volumes:
- ./vw-data:/data
environment:
DOMAIN: "https://vault.yourdomain.com"
SIGNUPS_ALLOWED: "false"
ADMIN_TOKEN: "your-secure-admin-token"Run docker compose up -d and visit port 8080 to complete setup. Create your account before disabling signups. Takes under 10 minutes.
Remote Access
Vaultwarden requires HTTPS for browser extensions to work properly. The easiest options:
- Cloudflare Tunnel: Free, puts your Vaultwarden behind Cloudflare with automatic HTTPS, no port forwarding needed
- Caddy reverse proxy: Automatic Let’s Encrypt SSL certificates if you have a domain and open port 443
- Tailscale: Access your Vaultwarden locally from anywhere without exposing it to the internet
Using the Bitwarden Apps
All official Bitwarden clients work with Vaultwarden. In the app settings, change the server URL to your Vaultwarden instance. Browser extensions, the Windows/Mac desktop app, and iOS/Android apps all work seamlessly.
Backups
Back up the vw-data directory regularly. This contains your encrypted vault database. You can script automatic backups to a NAS or encrypted cloud storage. Since the vault is end-to-end encrypted, even an unencrypted backup of the database file is safe.
Security Considerations
- Use a strong master password (the encryption key for your vault)
- Enable two-factor authentication for your Vaultwarden account
- Keep your Vaultwarden container updated regularly
- Consider keeping it on Tailscale rather than publicly exposed for maximum security
- Back up your vault regularly
Our Recommendation
Vaultwarden wins for home use in almost every scenario. It is lighter, simpler to set up, and unlocks all premium features for free. The community maintenance has been reliable for years. Use official Bitwarden only if you need enterprise features or official support for compliance reasons.
Bottom Line
Self-hosting your password manager with Vaultwarden is one of the highest-value homelab projects available. 10 minutes to set up, eliminates subscription fees, and keeps your most sensitive data under your control. Pair it with a YubiKey for hardware two-factor authentication and you have a more secure setup than most commercial password managers offer.
Leave a Reply