← Back to Use Cases
Self-Hosting Vaultwarden: Secure Password Management Guide (2025)
Take control of your passwords by self-hosting Vaultwarden. A complete guide using Docker Compose, HTTPS, and best practices.
DockerSecuritySelf-HostingUse CasesVaultwarden
Self-Hosting Vaultwarden: Secure Password Management Guide (2025)
In an era of frequent data breaches, trusting a third-party cloud provider with your passwords is becoming harder. Self-hosting your password manager gives you complete control over your data.
Vaultwarden is the community's favorite choice. It's a lightweight implementation of the Bitwarden server API written in Rust. It runs perfectly on low-power hardware like the Raspberry Pi or Intel N100 mini PCs.
Why Vaultwarden?
- Compatible: Works with all official Bitwarden apps (iOS, Android, Browser Extensions).
- Lightweight: Uses a fraction of the RAM compared to the official Bitwarden server (which requires MSSQL).
- Feature-Rich: Includes premium Bitwarden features (like TOTP generation) for free.
Prerequisites
- A home server with Docker and Docker Compose installed.
- A domain name (optional but recommended for SSL).
- Port forwarding capability (if accessing remotely).
Step 1: The Docker Compose File
Create a folder for your project:
mkdir vaultwarden
cd vaultwarden
nano docker-compose.yml
Paste the following configuration:
version: '3'
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
restart: always
environment:
- WEBSOCKET_ENABLED=true # Required for instant sync
- SIGNUPS_ALLOWED=true # Set to false after creating your account!
volumes:
- ./vw-data:/data
ports:
- 8080:80
volumes:
vw-data:
Step 2: Start the Server
Run the container:
docker compose up -d
You can now access it at http://your-server-ip:8080. However, Bitwarden clients require HTTPS to work. You cannot create an account or log in over plain HTTP (except on localhost).
Step 3: Enabling HTTPS (The Easy Way)
The best way to handle HTTPS is using a reverse proxy like Caddy or Nginx Proxy Manager.
Using Caddy (Automatic SSL)
Add Caddy to your docker-compose.yml:
services:
vaultwarden:
# ... previous config ...
caddy:
image: caddy:2
container_name: caddy
restart: always
ports:
- 80:80
- 443:443
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile
- caddy_data:/data
- caddy_config:/config
environment:
- ACME_AGREE=true
volumes:
vw-data:
caddy_data:
caddy_config:
Create a Caddyfile:
yourdomain.com {
reverse_proxy vaultwarden:80
}
Now, Caddy will automatically get an SSL certificate from Let's Encrypt for your domain.
Step 4: Security Best Practices
- Disable Signups: Once you have created your account, stop the container, change
SIGNUPS_ALLOWED=truetofalsein your docker-compose file, and restart. This prevents strangers from creating accounts on your server. - Enable 2FA: Log in to your new vault and set up Two-Factor Authentication immediately.
- Backups: Your passwords live in the
./vw-datafolder. Back this up regularly! If you lose this folder, you lose your passwords. Use a tool like Restic or a simple cron job to copy it to another drive or cloud storage.
Conclusion
Self-hosting Vaultwarden is one of the most rewarding home server projects. You get a premium password management experience, complete data sovereignty, and it runs on practically zero resources.
Ready to set up your server?
Check out our build guides to get started with hardware.
View Build Guides