How to Install Vaultwarden

Updated June 2026
Vaultwarden is a lightweight, open source reimplementation of the Bitwarden server API, written in Rust. It runs in a single Docker container using under 50 MB of RAM, works with all official Bitwarden client apps, and includes premium features like organizations, file attachments, and the admin panel at no cost. This guide covers installation from a fresh Linux server to a fully working, production-ready deployment.

Vaultwarden has become the go-to self-hosted password manager for home labs, small teams, and privacy-conscious individuals. Its lightweight resource requirements mean it runs comfortably alongside other services on a cheap VPS or even a Raspberry Pi. Because it implements the Bitwarden API, every official Bitwarden client app and browser extension works without modification. You get the familiar Bitwarden experience backed by a server you fully control.

Step 1: Prepare the Server

You need a Linux server with Docker Engine and Docker Compose installed. Ubuntu 22.04 or 24.04 LTS, Debian 12, or AlmaLinux 9 are all solid choices. The minimum hardware requirements are modest: 1 CPU core, 512 MB of RAM, and 10 GB of disk space. A VPS from Hetzner, DigitalOcean, Linode, or Vultr at the three to five dollar per month tier is more than sufficient.

Install Docker Engine following the official Docker documentation for your distribution. On Ubuntu, this involves adding Docker's apt repository and installing the docker-ce, docker-ce-cli, containerd.io, and docker-compose-plugin packages. Verify the installation by running docker --version and docker compose version. Both commands should return version numbers without errors.

You also need a domain name or subdomain pointed at your server's public IP address. Create an A record in your DNS provider pointing vault.yourdomain.com (or whatever subdomain you choose) to the server's IP. DNS propagation typically completes within a few minutes for new records. Bitwarden clients require HTTPS, and you need a valid domain to obtain a TLS certificate from Let's Encrypt.

Step 2: Create the Docker Compose File

Create a directory for your Vaultwarden deployment. A common convention is /opt/vaultwarden. Inside that directory, create a docker-compose.yml file that defines the Vaultwarden service.

The compose file should specify the vaultwarden/server image with the latest tag, mount a local data directory as a volume at /data inside the container, and expose a port for the reverse proxy to connect to. Mapping to port 8080 on the host is a common choice, though any available port works. Set the container to restart automatically unless manually stopped.

The key environment variables to configure in the compose file are DOMAIN (set to your full HTTPS URL like https://vault.yourdomain.com), SIGNUPS_ALLOWED (set to true initially so you can create your first account, then changed to false afterwards), and ADMIN_TOKEN (a long random string that grants access to the admin panel). Generate the admin token with a command like openssl rand -base64 48 and save it somewhere secure.

Additional environment variables worth setting from the start include WEBSOCKET_ENABLED set to true for real-time sync notifications, SENDS_ALLOWED set to true to enable the Bitwarden Send feature for sharing text and files securely, and LOG_LEVEL set to warn to keep log output manageable. If you have an SMTP server or email service, configure SMTP_HOST, SMTP_FROM, SMTP_PORT, SMTP_SECURITY, SMTP_USERNAME, and SMTP_PASSWORD to enable email notifications, account verification, and password reset functionality.

Also create the data directory that you referenced in the volume mount. This directory will hold the SQLite database, file attachments, RSA keys, and icon cache. Everything Vaultwarden needs to persist between container restarts lives here.
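
The layout described in this step, written out by a small shell function. This is an added example, not taken from the original guide or the Vaultwarden project. The function names, the container's internal port 80, and the 127.0.0.1 bind (which keeps host port 8080 reachable only by a reverse proxy on the same machine) are assumptions.

```sh
#!/bin/sh
# Added example: create the Step 2 directory layout and compose file.

gen_token() {
    # 48 random bytes -> 64 base64 characters, as in the guide's openssl command
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 48
    else
        head -c 48 /dev/urandom | base64
    fi
}

write_compose() (
    dir=$1       # deployment directory, e.g. /opt/vaultwarden
    domain=$2    # host name only, e.g. vault.yourdomain.com
    umask 077    # the compose file will hold ADMIN_TOKEN: owner-only access
    mkdir -p "$dir/data" || exit 1
    token=$(gen_token) || exit 1
    cat > "$dir/docker-compose.yml" <<EOF
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    ports:
      # Assumption: the proxy runs on this host; the container listens on port 80
      - "127.0.0.1:8080:80"
    volumes:
      - ./data:/data
    environment:
      DOMAIN: "https://$domain"
      SIGNUPS_ALLOWED: "true"   # change to "false" once your account exists
      ADMIN_TOKEN: "$token"
      WEBSOCKET_ENABLED: "true"
      SENDS_ALLOWED: "true"
      LOG_LEVEL: "warn"
EOF
)

# Usage: sh write-compose.sh /opt/vaultwarden vault.yourdomain.com
[ "$#" -lt 2 ] || write_compose "$1" "$2"
```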

Step 3: Configure the Reverse Proxy

Vaultwarden needs to be served over HTTPS. A reverse proxy handles TLS termination and forwards traffic to the Vaultwarden container. Caddy is the simplest option because it automatically obtains and renews Let's Encrypt certificates with zero configuration beyond specifying your domain name.

If using Caddy, you can add it to the same Docker Compose file or install it directly on the host. The Caddyfile configuration needs just two directives: your domain name and a reverse_proxy line pointing to Vaultwarden's local port. Caddy automatically handles HTTPS, HTTP to HTTPS redirection, certificate renewal, and OCSP stapling. It also supports WebSocket proxying by default, which Vaultwarden uses for real-time sync.

If using Nginx instead, install it on the host and create a server block configuration file. The configuration should listen on ports 80 and 443, use Certbot-managed TLS certificates, and include proxy_pass directives for both the regular HTTP traffic and the WebSocket endpoint. The WebSocket connection requires specific Upgrade and Connection header proxying. Run certbot --nginx to obtain the initial certificate, and certbot will configure automatic renewal via a systemd timer or cron job.

Whichever reverse proxy you choose, verify that HTTPS is working by navigating to your domain in a browser. You should see a valid TLS certificate and the Bitwarden web vault login page. If you see a certificate error, double-check your DNS records and make sure ports 80 and 443 are open in your server's firewall.

Step 4: Start Vaultwarden and Create Your Account

With the compose file and reverse proxy configured, start the containers. Run docker compose up -d from the directory containing your compose file. The -d flag runs the containers in detached mode. Check the logs with docker compose logs -f vaultwarden to confirm that Vaultwarden started without errors. You should see a message indicating the server is listening on the configured port.

Navigate to your domain in a web browser. The Bitwarden web vault interface will appear. Click "Create Account" and register with your email address and a strong master password. This is the single password that protects your entire vault, so it must be strong and unique. A passphrase of four or more random words is both secure and memorable. Write down a recovery sheet with your master password and store it in a physically secure location, because there is no password reset mechanism: if you forget your master password, your vault is permanently inaccessible.

After creating your account, visit the admin panel at your domain with /admin appended. Enter the admin token you configured in the environment variables. The admin panel lets you view registered users, manage organizations, configure server settings, and review diagnostics. Verify that your account appears in the user list and that the server diagnostics show no warnings.

Step 5: Lock Down the Installation

With your account created, immediately disable public signups. Edit the SIGNUPS_ALLOWED environment variable in your compose file, changing it from true to false, then restart the container with docker compose up -d. This prevents anyone who discovers your server from creating accounts. If you need to add users later, temporarily re-enable signups or use the admin panel to invite specific email addresses.

Secure the admin panel by ensuring your ADMIN_TOKEN is long and random. Some administrators disable the admin panel entirely after initial setup by removing the ADMIN_TOKEN variable. Without a token configured, the admin panel endpoint returns a 404, eliminating it as an attack surface. You can always re-enable it temporarily when needed by adding the token back and restarting.

Configure the server firewall to allow only ports 22 (SSH), 80 (HTTP for certificate validation), and 443 (HTTPS). On Ubuntu, use ufw: enable it, allow these three ports, and deny everything else. Install fail2ban and configure a jail that monitors your reverse proxy access logs for repeated failed login attempts. This protects against brute-force attacks on the web vault login page.
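
A check for the lock-down items above, run against the compose file. This is an added example, not part of the original guide or the Vaultwarden project. The function names, the 64-character token threshold (the output length of openssl rand -base64 48) and the loopback-bind check are assumptions, and the parser only understands simple "KEY: value" and "- KEY=value" lines.

```sh
#!/bin/sh
# Added example: check a compose file against the Step 5 lock-down items.

env_value() {   # print KEY's value from "KEY: value" or "- KEY=value" lines
    sed -n "s/^[[:space:]]*-\{0,1\}[[:space:]]*[\"']\{0,1\}$2[[:space:]]*[=:][[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]][[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e "s/^[\"']//" -e "s/[\"']\$//" | head -n 1
}

audit_compose() (
    file=$1
    fail=0
    report() { echo "FAIL: $1"; fail=$((fail + 1)); }
    [ "$(env_value "$file" SIGNUPS_ALLOWED)" = "false" ] ||
        report "SIGNUPS_ALLOWED is not false, so public registration is open"
    token=$(env_value "$file" ADMIN_TOKEN)
    # An absent token is fine: the guide notes that it disables /admin entirely
    if [ -n "$token" ] && [ "${#token}" -lt 64 ]; then
        report "ADMIN_TOKEN is only ${#token} characters"
    fi
    case "$(env_value "$file" DOMAIN)" in
        https://*) ;;
        *) report "DOMAIN is not an https:// URL" ;;
    esac
    # "8080:80" listens on every interface, and Docker inserts its own iptables
    # rules, so ufw does not filter published container ports.
    if grep -Eq "^[[:space:]]*-[[:space:]]*[\"']?[0-9]+:[0-9]+[\"']?[[:space:]]*\$" "$file"; then
        report "a port is published on all interfaces; bind it to 127.0.0.1"
    fi
    echo "$fail finding(s)"
    [ "$fail" -eq 0 ]
)

sample_compose() {   # constructed input: a deployment before lock-down
    cat <<'EOF'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    ports:
      - "8080:80"
    environment:
      - DOMAIN=http://vault.yourdomain.com
      - SIGNUPS_ALLOWED=true
      - ADMIN_TOKEN=changeme
EOF
}

# Usage: sh audit-compose.sh /opt/vaultwarden/docker-compose.yml
[ "$#" -eq 0 ] || audit_compose "$@"
```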

Set up automated backups of the data directory. For the SQLite database specifically, use the sqlite3 command to create a consistent backup rather than copying the file directly, since a raw copy of a database being written to can be corrupted. A cron job running nightly that creates an sqlite3 backup, compresses the data directory, and copies the archive to offsite storage is sufficient for most deployments. Encrypt the backup before uploading to any third-party storage service.
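
The backup routine described above as a function suitable for a nightly cron job. This is an added example, not from the original guide or the Vaultwarden project. It assumes sqlite3, tar and GnuPG 2.1 or later are installed, that the database uses Vaultwarden's default file name db.sqlite3, and that a separate job copies the destination directory offsite; the function name and archive naming are illustrative.

```sh
#!/bin/sh
# Added example: consistent, encrypted backup of the Vaultwarden data directory.

backup_vaultwarden() (
    set -eu
    data=$1        # e.g. /opt/vaultwarden/data
    dest=$2        # directory that gets synced to offsite storage
    passfile=$3    # file holding the backup passphrase; keep it outside $data
    [ -f "$data/db.sqlite3" ] || { echo "no database in $data" >&2; exit 1; }
    umask 077
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    mkdir "$work/data"

    # Consistent snapshot through SQLite's backup command, safe during writes
    sqlite3 "$data/db.sqlite3" ".backup '$work/data/db.sqlite3'"

    # Attachments, RSA keys and the rest, skipping the live database and its
    # -wal/-shm side files, which the snapshot above replaces.
    for entry in "$data"/*; do
        case "${entry##*/}" in db.sqlite3*) continue ;; esac
        cp -Rp "$entry" "$work/data/"
    done

    tar -C "$work" -czf "$work/backup.tar.gz" data
    out="$dest/vaultwarden-$stamp.tar.gz.gpg"
    # Encrypt before the archive leaves the staging directory
    gpg --batch --yes --pinentry-mode loopback --passphrase-file "$passfile" \
        --symmetric --cipher-algo AES256 -o "$out" "$work/backup.tar.gz"
    echo "$out"
)

# Usage: sh vw-backup.sh /opt/vaultwarden/data /var/backups/vaultwarden /root/.vw-backup-pass
[ "$#" -lt 3 ] || backup_vaultwarden "$1" "$2" "$3"
```

Restore by decrypting with the same passphrase and extracting the archive, and test that restore periodically.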

Step 6: Connect Bitwarden Clients

Install the Bitwarden app or browser extension on each device you want to use. Before logging in, you need to point the client at your server instead of the default Bitwarden cloud.

In the desktop apps and browser extensions, click the gear icon on the login screen and enter your server URL in the "Self-hosted environment" section. Use your full domain with https, for example https://vault.yourdomain.com. On mobile apps, tap the region selector on the login screen and choose "Self-hosted," then enter your server URL.

After setting the server URL, log in with the account you created. The client will sync your vault from your server. You can now start adding passwords manually, importing from another password manager, or saving new credentials as you browse. The browser extension will offer to save login credentials automatically when you sign into websites.

If you are migrating from another password manager, use the import feature in the web vault or desktop app. Bitwarden supports imports from over forty formats including LastPass, 1Password, Dashlane, KeePass, Chrome, and Firefox. Export your existing passwords, import the file into Bitwarden, verify all entries transferred correctly, then delete the export file since it contains unencrypted passwords.

Key Takeaway

A production Vaultwarden deployment requires a Docker container, a reverse proxy with HTTPS, and a few environment variables. After creating your account, lock down the server by disabling signups, securing the admin panel, configuring a firewall, and automating backups. The entire process is straightforward enough for anyone comfortable with a Linux command line.