In an era defined by massive data breaches and cloud leaks, the question isn’t if a major service will be hacked, but when. We entrust our entire digital lives—banking credentials, social media logins, and sensitive work data—to third-party password managers. But as recent history has shown (looking at you, LastPass), even the giants aren’t invincible.
Security is about control. And the ultimate form of control is self-hosting.
Today, we are going to take back that control. We will guide you through setting up Vaultwarden, a lightweight, self-hosted alternative to Bitwarden, using Docker. Best of all, this software is so efficient that it runs perfectly on the most affordable VPS Hosting plans provided by VPSPioneer.
What is Vaultwarden and Why Not Just Use Bitwarden?
Bitwarden is fantastic. It is open-source and arguably the most trusted password manager today. However, the official Bitwarden server backend is built with heavy enterprise requirements in mind (using MSSQL), requiring significant RAM and CPU resources to run.
Vaultwarden is an unofficial port of the Bitwarden server backend written in Rust.
- It is compatible with all official Bitwarden apps (iOS, Android, Browser Extensions, Desktop).
- It is incredibly lightweight. It can run on a server with as little as 512MB or 1GB of RAM.
- It unlocks premium features. Features that usually require a paid subscription on the official cloud (like TOTP generation and emergency access) are free when you host Vaultwarden yourself.
The Hardware: Low Cost, High Security
Because Vaultwarden is so efficient, you do not need an expensive server. You don’t need a dedicated machine costing $50/month.
For this project, the entry-level VPS packages from VPSPioneer are the perfect match.
- Low Cost: Start with a basic plan. It’s cheaper than a cup of coffee per month.
- Full Root Access: You have total control over the environment.
- Reliability: VPSPioneer’s uptime ensures your passwords are accessible whenever you need them.
Step-by-Step Installation Guide
We will use Docker to install Vaultwarden. This keeps your installation clean, portable, and easy to update. We will also use Caddy as a reverse proxy to automatically handle SSL (HTTPS) because sending passwords over an unencrypted connection is a huge security risk.
Prerequisites
- A VPSPioneer VPS (Ubuntu 20.04 or 22.04 recommended).
- A Domain Name (e.g., yourdomain.com).
- DNS A Record pointing a subdomain (e.g., passwords.yourdomain.com) to your VPS IP address.
Step 1: Update and Install Docker
Connect to your VPS via SSH. First, update your system packages to ensure security.
sudo apt update && sudo apt upgrade -y
Next, install Docker and Docker Compose using the official convenience script (or standard repository methods):
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
Verify that Docker is running:
sudo systemctl status docker
Step 2: Create the Directory Structure
We need a place to store your password data securely.
mkdir -p ~/vaultwarden
cd ~/vaultwarden
Step 3: The Docker Compose Setup (The Magic Part)
We will create a single docker-compose.yml file that sets up both Vaultwarden and the Caddy web server. Caddy is amazing because it will automatically request and renew an SSL certificate from Let’s Encrypt for you.
nano docker-compose.yml
Paste the following configuration. Be sure to change DOMAIN and EMAIL to your own.
version: '3'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      - WEBSOCKET_ENABLED=true # Enables sync notifications
      - SIGNUPS_ALLOWED=true # Set to false AFTER creating your account
    volumes:
      - ./vw-data:/data
    ports:
      # Publish container port 80 on host port 8080, loopback only.
      # A bare "8080:80" would listen on every host interface over plain HTTP.
      - "127.0.0.1:8080:80"
  caddy:
    image: caddy:2
    container_name: caddy
    restart: always
    ports:
      - "80:80" # HTTP port
      - "443:443" # HTTPS port
    volumes:
      - ./caddy_data:/data
      - ./caddy_config:/config
      - ./Caddyfile:/etc/caddy/Caddyfile
    environment:
      - ACME_AGREE=true
Save and exit (Ctrl+O, Enter, Ctrl+X).
Step 4: Configure Caddy for HTTPS
Now we need to tell Caddy where to send traffic. Create a file named Caddyfile:
nano Caddyfile
Paste this content (Replace passwords.yourdomain.com with your actual subdomain):
passwords.yourdomain.com {
    # Enable Gzip compression
    encode gzip
    # Proxy traffic to the vaultwarden container
    reverse_proxy vaultwarden:80 {
        # Send the true remote IP to Vaultwarden, so fail2ban works if needed
        # ({remote_host} is the client IP alone; {remote} would append the port)
        header_up X-Real-IP {remote_host}
    }
}
Save and exit.
Step 5: Launch Your Safe House
Everything is ready. Start the containers:
sudo docker compose up -d
Wait a few seconds for Caddy to obtain the SSL certificate. Now, open your browser and go to https://passwords.yourdomain.com.
You should see the Bitwarden login screen!
Critical Security Step: Disable Signups
Right now, anyone who finds your URL can create an account on your server. You don’t want that.
- Go to your new site and Create an Account.
- Once your account is created, go back to your SSH terminal.
- Edit the docker-compose.yml file again.
- Change SIGNUPS_ALLOWED=true to SIGNUPS_ALLOWED=false.
- Apply the changes:
sudo docker compose up -d
Now, your server is locked down. Only you (and anyone you already invited) can use it.
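A quick way to confirm the lock-down from the compose file itself, shown as an added example that is not part of the original guide. The function name audit_compose, the finding labels and the two-space indentation it expects are assumptions of this example; the sample file is constructed.

```shell
#!/bin/sh
# Added example. audit_compose FILE [BACKEND_SERVICE]
# Prints one finding per line; returns 0 if clean, 1 if anything was found.
# Assumes the two-space indentation used for docker-compose.yml in this guide.
audit_compose() {
    findings=$(awk -v backend="${2:-vaultwarden}" '
        # A service name: two-space indent, nothing after the colon.
        /^  [A-Za-z0-9_-]+:[ \t]*$/ { svc = $1; sub(/:$/, "", svc); in_ports = 0; next }
        # A key inside a service: remember whether it opens the ports list.
        /^    [A-Za-z_]+:/ { in_ports = ($1 == "ports:"); next }
        svc != backend { next }
        # Registration still open (list form VAR=true or map form VAR: true).
        /SIGNUPS_ALLOWED[=:][ \t]*"?true/ {
            print "signups-open: new accounts can be registered by anyone"
        }
        # Docker publishes HOST:CONTAINER on 0.0.0.0 unless an IP is given,
        # so only 127.0.0.1:HOST:CONTAINER keeps the backend off the network.
        in_ports && $1 == "-" {
            spec = $2; gsub(/"/, "", spec); gsub(sprintf("%c", 39), "", spec)
            n = split(spec, part, ":")
            if (n != 3 || part[1] != "127.0.0.1")
                print "port-exposed: " spec " is reachable on every interface over plain HTTP"
        }
    ' "$1") || return 2
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: a vaultwarden service before hardening.
sample=$(mktemp)
cat > "$sample" <<'EOF'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    environment:
      - SIGNUPS_ALLOWED=true
    ports:
      - "8080:80"
  caddy:
    image: caddy:2
    ports:
      - "443:443"
EOF
audit_compose "$sample" || echo "fix the findings above, then: sudo docker compose up -d"
rm -f "$sample"
```

On the server, run it as audit_compose ~/vaultwarden/docker-compose.yml; Caddy's ports 80 and 443 are not flagged because they are meant to be public.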
Connecting Your Apps
To use your new server on your phone or computer:
- Download the official Bitwarden app.
- Before logging in, look for a Settings or Region/Server icon (usually a gear icon).
- Change the Self-hosted Environment URL to your new domain: https://passwords.yourdomain.com.
- Log in with the email and master password you just created.
Frequently Asked Questions (FAQ)
Q: Is Vaultwarden safe?
A: Vaultwarden is widely used and respected in the open-source community. It implements the same encryption standards as Bitwarden. Since the encryption happens on your device before data is sent to the server, even if the server is compromised, the attacker only gets encrypted gibberish without your master password.
Q: What happens if my VPSPioneer server crashes?
A: VPSPioneer offers excellent stability, but hardware is hardware. You must back up your data. In the setup above, all your password data is in the ~/vaultwarden/vw-data folder. Regularly back up this folder to a local computer or another cloud storage service.
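One way to take that backup, as an added example rather than part of the original guide. The function name backup_vw_data and the ~/vw-backups destination are assumptions, the demo directory is constructed, and sha256sum from GNU coreutils (present on Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example. backup_vw_data DATA_DIR DEST_DIR
# Archives DATA_DIR, records a SHA-256, verifies both, prints the archive path.
# The body runs in a subshell so umask and cd do not leak into the caller.
backup_vw_data() (
    src=$1 dest=$2
    [ -d "$src" ] || { echo "no data directory at $src" >&2; exit 1; }
    umask 077                      # archive and checksum readable by owner only
    mkdir -p "$dest" || exit 1
    name="vw-data-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    tar -czf "$dest/$name" -C "$(dirname "$src")" "$(basename "$src")" || exit 1
    cd "$dest" || exit 1
    sha256sum "$name" > "$name.sha256" || exit 1
    # Read the archive back: a backup that cannot be listed is not a backup.
    tar -tzf "$name" >/dev/null || exit 1
    sha256sum -c "$name.sha256" >/dev/null || exit 1
    echo "$dest/$name"
)

# On the VPS, stop the container first so no file is copied mid-write:
#   cd ~/vaultwarden && sudo docker compose stop vaultwarden
#   backup_vw_data ~/vaultwarden/vw-data ~/vw-backups
#   sudo docker compose start vaultwarden
# Files in vw-data may be root-owned; run the script as root in that case.
# Then copy ~/vw-backups off the server, as the answer above advises.

# Constructed stand-in for ~/vaultwarden/vw-data so the example runs anywhere.
demo=$(mktemp -d)
mkdir -p "$demo/vw-data"
echo "constructed placeholder, not a real vault" > "$demo/vw-data/db.sqlite3"
backup_vw_data "$demo/vw-data" "$demo/backups"
rm -rf "$demo"
```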
Q: Can I use the cheapest VPS plan?
A: Absolutely. Vaultwarden is incredibly efficient. It typically uses less than 200MB of RAM. VPSPioneer’s entry-level VPS plans are more than capable of running Vaultwarden alongside other lightweight tools.
Q: Why not just use a password book?
A: Physical books can be lost, stolen, or destroyed by fire. A self-hosted instance, properly backed up, offers redundancy, accessibility from anywhere in the world, and the ability to use complex, 20+ character passwords that are impossible to crack but too hard to type manually from a book.