Tired of trusting your passwords to third-party services? Vaultwarden (formerly Bitwarden_RS) lets you run your own password manager with full Bitwarden client compatibility. Your passwords stay on your server, under your control.
In this guide, we’ll set up Vaultwarden using Docker with HTTPS and automatic backups.
Why Vaultwarden?
- Bitwarden compatible — Use official Bitwarden apps on all devices
- Lightweight — Runs on minimal hardware (even Raspberry Pi)
- Full featured — Organizations, attachments, 2FA, and more
- Free — All premium Bitwarden features at no cost
- Self-hosted — Your data never leaves your server
Prerequisites
- A server running Linux (Ubuntu, Debian, etc.)
- Docker and Docker Compose installed
- A domain name (required for HTTPS)
- Basic command line knowledge
Step 1: Install Docker
If you don’t have Docker installed:
curl -fsSL https://get.docker.com | sh
sudo usermod -aG docker $USER
Log out and back in, then install Docker Compose:
sudo apt install docker-compose-plugin -y
Verify installation:
docker --version
docker compose version
Step 2: Create Directory Structure
mkdir -p ~/vaultwarden/data
cd ~/vaultwarden
Step 3: Create Docker Compose File
Create docker-compose.yml:
nano docker-compose.yml
Add this configuration:
version: '3'
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
restart: unless-stopped
environment:
- WEBSOCKET_ENABLED=true
- SIGNUPS_ALLOWED=true
- ADMIN_TOKEN=your-secure-admin-token-here
volumes:
- ./data:/data
ports:
- "8080:80"
- "3012:3012"
Important: Replace your-secure-admin-token-here with a strong random string. Generate one with:
openssl rand -base64 48
Step 4: Start Vaultwarden
docker compose up -d
Check if it’s running:
docker compose logs -f
You should see Vaultwarden starting up. Press Ctrl+C to exit logs.
Step 5: Set Up Reverse Proxy with SSL
Vaultwarden needs HTTPS for browser extensions and mobile apps. We’ll use Caddy for automatic SSL.
Create a new file Caddyfile:
nano Caddyfile
Add:
vault.yourdomain.com {
reverse_proxy localhost:8080
# WebSocket support
@websockets {
header Connection *Upgrade*
header Upgrade websocket
}
reverse_proxy @websockets localhost:3012
}
Update docker-compose.yml to add Caddy:
version: '3'
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
restart: unless-stopped
environment:
- WEBSOCKET_ENABLED=true
- SIGNUPS_ALLOWED=true
- ADMIN_TOKEN=your-secure-admin-token-here
volumes:
- ./data:/data
caddy:
image: caddy:2
container_name: caddy
restart: unless-stopped
ports:
- "80:80"
- "443:443"
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile
- ./caddy-data:/data
- ./caddy-config:/config
Restart everything:
docker compose down
docker compose up -d
Step 6: Create Your Account
- Open
https://vault.yourdomain.comin your browser - Click Create Account
- Enter your email and a strong master password
- Complete registration
Step 7: Disable Signups (Important!)
After creating your account, disable public signups:
Edit docker-compose.yml and change:
- SIGNUPS_ALLOWED=false
Restart:
docker compose down
docker compose up -d
Step 8: Access Admin Panel
Visit https://vault.yourdomain.com/admin and enter your admin token.
From here you can:
- Manage users
- View configuration
- Invite specific users
- Monitor the server
Step 9: Install Bitwarden Clients
Vaultwarden works with all official Bitwarden clients:
- Browser Extensions: Chrome, Firefox, Safari, Edge
- Desktop Apps: Windows, macOS, Linux
- Mobile Apps: iOS, Android
When logging in, click the gear icon and set your server URL to https://vault.yourdomain.com before entering credentials.
Step 10: Set Up Backups
Your passwords are precious. Set up automatic backups:
Create backup.sh:
nano backup.sh
Add:
#!/bin/bash
BACKUP_DIR="/home/$USER/vaultwarden-backups"
DATE=$(date +%Y%m%d_%H%M%S)
mkdir -p $BACKUP_DIR
cd ~/vaultwarden
# Stop container briefly for consistent backup
docker compose stop vaultwarden
# Backup the data directory
tar -czf "$BACKUP_DIR/vaultwarden_$DATE.tar.gz" data/
# Start container again
docker compose start vaultwarden
# Keep only last 7 backups
ls -t $BACKUP_DIR/vaultwarden_*.tar.gz | tail -n +8 | xargs -r rm
echo "Backup completed: vaultwarden_$DATE.tar.gz"
Make it executable and schedule daily backups:
chmod +x backup.sh
crontab -e
Add this line (runs daily at 3 AM):
0 3 * * * /home/YOUR_USER/vaultwarden/backup.sh
Security Best Practices
- Strong master password — Use a passphrase you can remember
- Enable 2FA — Add TOTP authentication to your account
- Keep updated — Regularly pull the latest image:
docker compose pull docker compose up -d - Firewall — Only expose ports 80 and 443
- Backup regularly — Test restoring from backups
Troubleshooting
Can’t connect from mobile app
Make sure you’re using HTTPS and have set the custom server URL in the app settings before logging in.
WebSocket errors
Ensure ports 3012 is properly proxied. Check the Caddyfile configuration.
Admin panel not working
Verify your ADMIN_TOKEN environment variable is set correctly. Restart the container after changes.
Wrapping Up
You now have your own self-hosted password manager with:
- Full Bitwarden compatibility
- Automatic HTTPS via Caddy
- Daily backups
- Admin panel for management
Your passwords are now truly yours — stored on your own server, encrypted with your master password, and backed up regularly.
Related guides:
Check out the official Vaultwarden wiki for advanced configuration options.