Password managers have become essential, yet most people either pay monthly subscriptions for cloud services like 1Password or LastPass, or worse, reuse the same weak passwords everywhere. But there's a third option: self-host your own password manager that's just as good as the paid alternatives, completely free, and under your total control.
Enter Vaultwarden, a lightweight, open-source server compatible with all official Bitwarden clients. It gives you the full Bitwarden experience (browser extensions, mobile apps, desktop apps, CLI) while storing your encrypted passwords on your own hardware. No subscriptions, no cloud dependency, no trust issues.
In this guide, we'll set up Vaultwarden from scratch using Docker Compose. By the end, you'll have a family-ready password manager that costs nothing to run and keeps your most sensitive data exactly where it belongs: with you.
Why Vaultwarden?
Before diving into the setup, let's understand why Vaultwarden is the go-to choice for self-hosted password management:
| Feature | Vaultwarden | Bitwarden Cloud | 1Password |
|---|---|---|---|
| Cost | Free (self-hosted) | $0-40/year | -60/year |
| Family Plan | Free (unlimited users) | /year (6 users) | /year (5 users) |
| Data Storage | Your server | Bitwarden cloud | 1Password cloud |
| End-to-End Encryption | โ Same as Bitwarden | โ | โ |
| Browser Extensions | โ All browsers | โ | โ |
| Mobile Apps | โ iOS & Android | โ | โ |
| Desktop Apps | โ Win/Mac/Linux | โ | โ |
| Organizations/Sharing | โ Full support | โ (Premium) | โ |
| 2FA (TOTP) | โ Built-in | โ (Premium) | โ |
| Emergency Access | โ | โ (Premium) | โ |
| Send (Secure Sharing) | โ | โ | โ |
| Offline Access | โ Local vault copy | โ | โ |
The key insight: Vaultwarden implements the same API as Bitwarden's official server, so you get the exact same client experience (polished apps, seamless autofill, secure sharing) without paying for cloud hosting. The official Bitwarden server requires substantial resources (multiple containers, SQL Server), while Vaultwarden runs happily on a Raspberry Pi.
What You'll Need
The requirements are minimal:
- A server: Any Linux machine, VPS, NAS, or even a Raspberry Pi. Vaultwarden uses about 50MB of RAM.
- Docker and Docker Compose: the recommended installation method.
- A domain name (recommended): for HTTPS access. You can use a free subdomain from services like DuckDNS if needed.
- About 10 minutes: seriously, it's that fast.
Security First
- HTTPS is mandatory for production use. Bitwarden clients require a secure context (HTTPS) to function properly. We'll cover setting this up.
- Your master password is never stored, only a cryptographic hash. Even if someone steals your server, they can't read your passwords without the master password.
Step 1: Install Docker
If Docker isn't already installed, set it up with the official convenience script:
# Install Docker
curl -fsSL https://get.docker.com | sh
# Add your user to the docker group
sudo usermod -aG docker "$USER"
# Log out and back in, then verify
docker --version
docker compose version
Step 2: Create the Vaultwarden Directory
Create a dedicated directory for your password manager:
# Create and enter the directory
mkdir ~/vaultwarden
cd ~/vaultwarden
Step 3: Create the Docker Compose File
Create a docker-compose.yml file:
# Create the compose file
nano docker-compose.yml
Paste this configuration:
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      DOMAIN: "https://vault.yourdomain.com"
      SIGNUPS_ALLOWED: "true"
      ADMIN_TOKEN: "your-secure-admin-token-here"
      SMTP_HOST: "smtp.gmail.com"
      SMTP_FROM: "you@example.com"      # placeholder address
      SMTP_PORT: "587"
      SMTP_SECURITY: "starttls"
      SMTP_USERNAME: "you@example.com"  # placeholder address
      SMTP_PASSWORD: "your-app-password"
    volumes:
      - ./vw-data:/data
    ports:
      - "127.0.0.1:8080:80"
Let's break down the key settings:
- DOMAIN: Your full URL with HTTPS. This is required for the web vault to work properly.
- SIGNUPS_ALLOWED: Set to "true" initially to create your account, then change to "false" after setup.
- ADMIN_TOKEN: A secure token for accessing the admin panel. Generate one with: openssl rand -base64 48
- SMTP_*: Email settings for password reset and notifications. Optional but recommended.
- Port binding: We bind to 127.0.0.1 only; a reverse proxy will handle external access with HTTPS.
Generate a Secure Admin Token
# Generate a secure token
openssl rand -base64 48
# Example output: kR9h2s8K...long-random-string...
# Use this as your ADMIN_TOKEN
Keep this token safe: it gives full access to your Vaultwarden admin panel.
Step 4: Set Up HTTPS with Caddy (Recommended)
The Bitwarden clients require HTTPS. The easiest way to set this up is with Caddy, which handles SSL certificates automatically.
Add Caddy to your docker-compose.yml:
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      DOMAIN: "https://vault.yourdomain.com"
      SIGNUPS_ALLOWED: "true"
      ADMIN_TOKEN: "your-secure-admin-token-here"
    volumes:
      - ./vw-data:/data
    networks:
      - vaultwarden
  caddy:
    image: caddy:latest
    container_name: caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - ./caddy-data:/data
      - ./caddy-config:/config
    networks:
      - vaultwarden
networks:
  vaultwarden:
    driver: bridge
Create the Caddyfile:
# Create the Caddyfile
nano Caddyfile
Add this configuration:
vault.yourdomain.com {
    reverse_proxy vaultwarden:80
}
Replace vault.yourdomain.com with your actual domain. Caddy will automatically obtain and renew Let's Encrypt certificates.
Step 5: Launch Vaultwarden
Start everything:
# Pull images and start
docker compose up -d
# Check the logs
docker compose logs -f
Give Caddy a minute to obtain your SSL certificate. You should see something like:
caddy | successfully obtained certificate for vault.yourdomain.com
Step 6: Create Your Account
Navigate to https://vault.yourdomain.com in your browser. You'll see the Bitwarden web vault interface. Click "Create Account" and set up your master password.
Master Password Tips
- Use a passphrase: 4+ random words are easier to remember and more secure than complex passwords
- Example: "correct-horse-battery-staple-piano" (but make your own!)
- This password cannot be recovered if lost: there's no "forgot password" for your master key
- Write it down and store in a safe place (physical safe, safety deposit box)
Step 7: Disable Public Signups
Once your account is created, disable public registration:
# Edit your docker-compose.yml
nano docker-compose.yml
# Change:
SIGNUPS_ALLOWED: "false"
# Restart
docker compose up -d
New users can now only be invited through the admin panel or created by existing users with organization privileges.
Step 8: Set Up the Bitwarden Clients
This is where self-hosting shines: you use the official Bitwarden apps, just pointed at your server.
Browser Extensions
Install the Bitwarden extension for your browser (Chrome, Firefox, Safari).
- Click the extension icon and select "Self-hosted"
- Enter your server URL: https://vault.yourdomain.com
- Log in with your account
Mobile Apps
Install Bitwarden from the App Store or Google Play.
- Tap the region selector (shows "bitwarden.com" by default)
- Select "Self-hosted"
- Enter your server URL and log in
Enable biometric unlock (Face ID, fingerprint) for quick access without typing your master password every time.
Desktop Apps
Download from bitwarden.com/download (available for Windows, macOS, and Linux). Same setup: Settings → Self-hosted → enter your URL.
Setting Up Family Sharing
One of Vaultwarden's best features is unlimited organizations, perfect for sharing passwords with family members.
Create a Family Organization
- Log in to your web vault
- Click "New Organization"
- Name it (e.g., "Family Passwords")
- Choose "Free" plan (all features are available)
Invite Family Members
- Go to your organization → Members
- Click "Invite User"
- Enter their email address
- Choose their role (Member, Admin, or Owner)
If signups are disabled, use the admin panel (https://vault.yourdomain.com/admin) to create accounts directly.
Create Shared Collections
Collections are like folders that can be shared with specific members:
- Streaming Services: Netflix, Disney+, etc. (share with everyone)
- WiFi Passwords: home network, relatives' houses
- Shared Subscriptions: family accounts that everyone uses
- Emergency Info: bank accounts, insurance (restrict to trusted members)
Essential Security Hardening
Your password vault is a high-value target. Here's how to lock it down:
Enable Two-Factor Authentication
Log in to your web vault → Account Settings → Two-step Login. Options include:
- Authenticator App (Google Authenticator, Authy, etc.): recommended
- YubiKey: hardware key for maximum security
- Email: sends a code to your email (requires SMTP setup)
Set Up Fail2Ban
Protect against brute-force attacks by banning IPs after failed login attempts. Create /etc/fail2ban/filter.d/vaultwarden.conf:
[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =
And /etc/fail2ban/jail.d/vaultwarden.local:
[vaultwarden]
enabled = true
port = 80,443
filter = vaultwarden
logpath = /path/to/vw-data/vaultwarden.log
maxretry = 5
bantime = 1h
findtime = 15m
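To see which addresses this filter and jail would act on before relying on them, the following added example (not part of the original guide, and not fail2ban's own code) replays the failregex and the maxretry/findtime thresholds over constructed log lines. It assumes Vaultwarden is writing its log to the file named in logpath; the log line layout, the loose stand-in for fail2ban's `<ADDR>` tag and the function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex from vaultwarden.conf; fail2ban's <ADDR> tag is replaced by a loose
# capture that is validated with ipaddress afterwards (a simplification).
FAILREGEX = re.compile(
    r"^.*Username or password is incorrect\. Try again\. "
    r"IP: (?P<addr>[0-9A-Fa-f:.]+)\. Username:.*$"
)
TIMESTAMP = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")
MAXRETRY = 5                       # maxretry from the jail
FINDTIME = timedelta(minutes=15)   # findtime from the jail

def _failure(ts, ip):
    # Constructed log line in the shape the filter expects (layout assumed).
    return (f"[{ts}.000][vaultwarden::api::identity][ERROR] Username or password "
            f"is incorrect. Try again. IP: {ip}. Username: user@example.com.")

# Constructed sample log: one fast burst, one slow trickle, one unrelated line.
SAMPLE_LOG = (
    [_failure(f"2026-02-10 09:0{m}:00", "203.0.113.7") for m in range(5)]
    + [_failure(f"2026-02-10 10:{m:02d}:00", "198.51.100.20") for m in range(0, 50, 10)]
    + ["[2026-02-10 11:00:00.000][vaultwarden::api::core][INFO] GET /alive"]
)

def banned_addresses(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {ip: time of the failure that would trigger the ban}."""
    recent = defaultdict(deque)    # per-address timestamps inside the window
    bans = {}
    for line in lines:
        hit, stamp = FAILREGEX.match(line), TIMESTAMP.match(line)
        if not (hit and stamp):
            continue
        try:
            ip = str(ipaddress.ip_address(hit["addr"]))
        except ValueError:
            continue               # matched text is not a valid address
        now = datetime.strptime(stamp[1], "%Y-%m-%d %H:%M:%S")
        window = recent[ip]
        window.append(now)
        while now - window[0] > findtime:
            window.popleft()       # forget failures older than findtime
        if len(window) >= maxretry and ip not in bans:
            bans[ip] = now
    return bans
```

On the sample, only the burst from 203.0.113.7 crosses the threshold; the five failures from 198.51.100.20 are spread over 40 minutes and never put more than two inside one 15-minute window.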
Regular Backups
Your vault data is in the ./vw-data directory. Back it up regularly:
#!/bin/bash
# Simple backup script
BACKUP_DIR="/backup/vaultwarden"
DATE=$(date +%Y%m%d)
# Make sure the backup directory exists
mkdir -p "$BACKUP_DIR"
# Stop the container for consistency
docker compose -f ~/vaultwarden/docker-compose.yml stop
# Create encrypted backup (gpg prompts for a passphrase)
tar -czf - ~/vaultwarden/vw-data | gpg --symmetric --cipher-algo AES256 > "$BACKUP_DIR/vaultwarden-$DATE.tar.gz.gpg"
# Restart
docker compose -f ~/vaultwarden/docker-compose.yml up -d
Store backups off-site: a different server, cloud storage with client-side encryption, or even a USB drive in a safe.
Advanced Features
Bitwarden Send
Send lets you securely share text or files with anyone, even people without a Bitwarden account. Perfect for sharing WiFi passwords with guests or sending sensitive documents.
- In any Bitwarden client, go to Send
- Create a new Send (text or file)
- Set expiration, max access count, and optional password
- Share the generated link
Emergency Access
Designate trusted contacts who can request access to your vault if something happens to you:
- Go to Settings → Emergency Access
- Add trusted contacts (they need Vaultwarden accounts)
- Set a wait period (e.g., 7 days)
- If they request access and you don't deny within the wait period, they get read-only access to your vault
Admin Panel
Access the admin panel at https://vault.yourdomain.com/admin using your ADMIN_TOKEN. Here you can:
- View all users and organizations
- Invite new users or delete accounts
- See server configuration and diagnostics
- Perform database maintenance
Importing Existing Passwords
Moving from another password manager? Bitwarden imports from virtually everything:
From Chrome/Firefox
- Export passwords from your browser (usually CSV format)
- In Bitwarden web vault: Tools → Import Data
- Select your browser as the source format
- Upload the file
From 1Password, LastPass, Dashlane, etc.
- Export from your current manager (check their docs for export options)
- In Bitwarden: Tools → Import Data
- Select the source application from the dropdown
- Upload your export file
After importing: Delete the export file securely, because it contains all your passwords in plain text!
Keeping Vaultwarden Updated
Updates bring security fixes and new features. Update regularly:
# Navigate to your Vaultwarden directory
cd ~/vaultwarden
# Pull the latest image
docker compose pull
# Restart with the new version
docker compose up -d
# Clean up old images
docker image prune -f
Check the Vaultwarden releases page for changelogs and breaking changes before major updates.
Troubleshooting
Can't Access the Web Vault
- Check that your DOMAIN environment variable matches your actual URL exactly
- Verify SSL certificate: curl -I https://vault.yourdomain.com
- Check Caddy logs: docker compose logs caddy
Email Notifications Not Working
- If using Gmail, you need an App Password (not your regular password)
- Check SMTP settings in admin panel → Diagnostics
- Try sending a test email from the admin panel
Mobile App Can't Connect
- Ensure you're using HTTPS (not HTTP)
- Check that the SSL certificate is valid (not self-signed, unless you've installed it on your device)
- Try accessing the web vault URL in your phone's browser first
FAQ
Is Vaultwarden as secure as Bitwarden?
Yes. Vaultwarden implements the same encryption scheme (AES-256-CBC with PBKDF2-SHA256 or Argon2id). Your vault is encrypted locally with your master password before any data touches the server. Even if someone compromises your server, they can't read your passwords without your master password.
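A simplified model of the Bitwarden-style login derivation behind that answer, for the PBKDF2-SHA256 case (added example, not Vaultwarden's or Bitwarden's code). The iteration counts, the server salt length and the function names are assumptions; it shows that the server only ever receives and stores hashes, never the master password or the master key.

```python
import base64
import hashlib
import hmac
import os

CLIENT_ITERATIONS = 600_000   # assumed per-account KDF setting (configurable)
SERVER_ITERATIONS = 600_000   # assumed server-side setting (configurable)


def client_login_hash(email, master_password, iterations=CLIENT_ITERATIONS):
    """Client side: derive the master key, then the hash that is sent at login."""
    salt = email.strip().lower().encode()          # the account email is the salt
    master_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, iterations
    )
    # One extra round keyed the other way; only this value leaves the device.
    login = hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode(), 1)
    return master_key, base64.b64encode(login).decode()


def server_store(login_hash, iterations=SERVER_ITERATIONS):
    """Server side: keep a salted, stretched hash of what the client sent."""
    salt = os.urandom(64)                          # assumed salt length
    stored = hashlib.pbkdf2_hmac("sha256", login_hash.encode(), salt, iterations)
    return salt, stored


def server_verify(login_hash, salt, stored, iterations=SERVER_ITERATIONS):
    """Server side: recompute and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    key, sent = client_login_hash("user@example.com", "correct-horse-battery-staple-piano")
    salt, stored = server_store(sent)
    print("server accepts login:", server_verify(sent, salt, stored))
    print("master key stays on the client:", len(key), "bytes")
```

The master key returned by `client_login_hash` is what protects the vault's encryption key on the client, which is why a copy of the server's database still requires guessing the master password.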
What happens if my server goes down?
Bitwarden clients cache your vault locally. You can still access and autofill passwords offline. You just can't sync new changes until the server is back online.
Can I use this with multiple devices?
Absolutely. Log in on as many devices as you want: phones, tablets, computers, browsers. Changes sync automatically.
Is there a limit on passwords or users?
No artificial limits. Store as many passwords as you want, create as many user accounts and organizations as you need. The only limit is your server's storage space.
Can I migrate back to Bitwarden cloud later?
Yes. Export your vault from Vaultwarden (Tools → Export Vault), then import into a Bitwarden cloud account. Your data is portable.
What's Next?
You now have a professional-grade password manager running on your own infrastructure. Here's how to get the most out of it:
- Import all your passwords from browsers and other managers
- Install the browser extension on every device, because autofill is a game-changer
- Set up family sharing for shared subscriptions and accounts
- Enable 2FA everywhere; Vaultwarden can store your TOTP codes too
- Explore more self-hosted apps on Hostly's directory. Maybe a photo backup solution next?
Password security isn't optional anymore; it's essential. With Vaultwarden, you get the best of both worlds: the polished experience of commercial password managers, with the privacy and control of self-hosting. Your passwords stay yours, encrypted on your hardware, accessible only with your master password.
No monthly fees. No data mining. No trust required. Just secure, private password management for you and your family.