
Miguel Ángel Antolín Bermúdez

Personal portfolio & Blog


Engineering, how to, Security, Self-hosting, Software engineering / 20th March 2026

Self-hosting Vaultwarden on a VPS: your own Bitwarden server


If you want to self-host Vaultwarden — the lightweight, Bitwarden-compatible password manager — on your own VPS, this guide walks through the complete setup. Vaultwarden is a Rust reimplementation of the Bitwarden server that runs in a single Docker container, works with all official Bitwarden clients, and includes Premium features (TOTP, file attachments, emergency access) for free. A VPS with 512MB RAM is enough.

Why self-host your password manager?

Bitwarden’s cloud service is excellent and free for personal use. The reason to self-host Vaultwarden is control: your vault lives on your server, in your jurisdiction, with no third party able to access it.

Prerequisites

  • A VPS with a public IP (512MB RAM is sufficient)
  • Docker and Docker Compose installed
  • A domain name pointing to your server’s IP (e.g., vault.yourdomain.com)
  • Ports 80 and 443 open on your firewall

HTTPS is mandatory — the Bitwarden clients refuse to connect to an HTTP server.

Self-host Vaultwarden with Docker Compose and Caddy

mkdir -p ~/vaultwarden && cd ~/vaultwarden

Create docker-compose.yml:

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      DOMAIN: "https://vault.yourdomain.com"
      SIGNUPS_ALLOWED: "false"
      ADMIN_TOKEN: "your-secure-admin-token-here"
    volumes:
      - ./vw-data:/data

  caddy:
    image: caddy:latest
    container_name: caddy
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config
    depends_on:
      - vaultwarden

volumes:
  caddy_data:
  caddy_config:

Create the Caddyfile:

vault.yourdomain.com {
    reverse_proxy vaultwarden:80
}

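Generate a secure admin token

Generate a random value and set it as ADMIN_TOKEN in docker-compose.yml, replacing the placeholder. The token grants full access to the admin panel, so keep docker-compose.yml readable only by your user; Vaultwarden also accepts an Argon2 hash of the token in ADMIN_TOKEN in place of the plaintext value.

openssl rand -base64 48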

Start the stack

docker compose up -d
docker compose logs -f

Create your account

With SIGNUPS_ALLOWED: "false", public registration is disabled. Create your account through the admin panel at https://vault.yourdomain.com/admin — log in with your admin token, then under Users click Invite User.

Connect the Bitwarden clients

In any official Bitwarden client, tap the region selector, choose Self-hosted, and enter your server URL:

https://vault.yourdomain.com

Backups

Everything lives in ./vw-data. Back it up regularly:

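# Create the target directory first; tar does not create it
mkdir -p ~/backups
tar -czf ~/backups/vaultwarden-$(date +%Y%m%d).tar.gz ~/vaultwarden/vw-data

# Automate with cron (daily at 2am); add this line with crontab -e.
# The % signs are escaped because cron treats an unescaped % as a newline.
0 2 * * * tar -czf ~/backups/vaultwarden-$(date +\%Y\%m\%d).tar.gz ~/vaultwarden/vw-data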
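
The tar commands above archive vw-data while Vaultwarden may be writing to it. As an added example (not part of the original post), this script snapshots the SQLite database with sqlite3's .backup command, verifies the archive before keeping it, and prunes old archives. It assumes the default SQLite backend with db.sqlite3 inside vw-data and the sqlite3 CLI on the host; backup_vw and its parameters are illustrative names.

```sh
#!/bin/sh
# Added example: consistent, verified, owner-only backups of Vaultwarden's data folder.
# Assumptions: default SQLite backend (db.sqlite3 inside vw-data), sqlite3 CLI on the host.

# backup_vw DATA_DIR BACKUP_DIR [KEEP_DAYS]  -> prints the path of the new archive
backup_vw() (
    data_dir=$1; backup_dir=$2; keep_days=${3:-14}
    umask 077   # the archive holds the vault DB, RSA key and config.json
    [ -d "$data_dir" ] || { echo "data dir not found: $data_dir" >&2; exit 1; }
    mkdir -p "$backup_dir" || exit 1
    stage=$(mktemp -d) || exit 1
    trap 'rm -rf "$stage"' EXIT

    # Stage a copy of attachments, sends, keys and config.
    mkdir "$stage/vw-data" && cp -Rp "$data_dir/." "$stage/vw-data/" || exit 1

    # A plain file copy of a live SQLite database can be torn mid-write, so replace
    # it with a snapshot taken through SQLite's online backup API.
    if [ -f "$data_dir/db.sqlite3" ]; then
        command -v sqlite3 >/dev/null 2>&1 ||
            { echo "sqlite3 CLI required (or stop the container first)" >&2; exit 1; }
        rm -f "$stage"/vw-data/db.sqlite3*
        sqlite3 "$data_dir/db.sqlite3" ".backup '$stage/vw-data/db.sqlite3'" || exit 1
    fi

    archive="$backup_dir/vaultwarden-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$archive.partial" -C "$stage" vw-data || exit 1
    # Verify the archive reads back end to end before giving it its final name.
    tar -tzf "$archive.partial" >/dev/null || { rm -f "$archive.partial"; exit 1; }
    mv "$archive.partial" "$archive" || exit 1

    # Retention: drop archives older than KEEP_DAYS days.
    find "$backup_dir" -type f -name 'vaultwarden-*.tar.gz' -mtime +"$keep_days" -exec rm -f {} +
    printf '%s\n' "$archive"
)

# Stand-alone use: sh backup-vw.sh ~/vaultwarden/vw-data ~/backups 14
if [ "$#" -ge 2 ]; then backup_vw "$@"; fi
```

Run it as a user that can read vw-data, and copy the resulting archives off the VPS so a lost server does not take the backups with it.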

Updates

docker compose pull
docker compose up -d

Related posts

To access your self-hosted Vaultwarden securely from anywhere, combine it with a WireGuard VPN. You can also harden access to the server itself with passwordless SSH authentication, and run the whole stack using Docker on a Raspberry Pi if you prefer a home server over a VPS.

Filed Under: Engineering, how to, Security, Self-hosting, Software engineering Tagged With: vaultwarden,bitwarden,password-manager,self-hosting,docker,security,vps,caddy
