How to Self-Host a Password Manager
Self-hosting a password manager is one of the most practical home lab or small server projects you can take on. The software is mature, the deployment process is well documented, and the ongoing maintenance burden is minimal once the initial setup is complete. Most users can go from a fresh server to a working password vault in well under an hour.
Step 1: Choose Your Software and Server
The two main options for self-hosted open source password managers are Vaultwarden and the official Bitwarden self-hosted server. Both use the same Bitwarden client apps and browser extensions, so the end-user experience is identical regardless of which server you run.
Vaultwarden is the recommended choice for individuals, families, and small teams. It is written in Rust, uses under 50 MB of RAM at idle, and runs on virtually any hardware including Raspberry Pi boards and the cheapest VPS instances available. It uses SQLite by default, so there is no separate database server to configure. Vaultwarden includes nearly all Bitwarden premium features at no cost.
The official Bitwarden self-hosted server is a better fit for organizations that need SSO with SAML 2.0 or OpenID Connect, SCIM-based user provisioning, custom security policies, or official vendor support. It requires multiple Docker containers and at least 2 GB of RAM, making it more resource-intensive than Vaultwarden.
For your server, you need a Linux machine with Docker Engine and Docker Compose installed. A VPS from providers like DigitalOcean, Hetzner, Linode, or Vultr works well. The minimum practical specification is 1 CPU core, 512 MB of RAM, and 10 GB of storage for Vaultwarden. You also need a domain name (or subdomain) pointed at your server's IP address, since Bitwarden clients require HTTPS and you will need a domain to obtain a TLS certificate.
Step 2: Deploy with Docker
With Docker installed and your domain's DNS pointing to your server, create a directory for Vaultwarden's data and start the container. The data directory stores your encrypted vault database, attachments, and configuration. Place it somewhere with reliable storage and include it in your backup plan.
Create a directory such as /opt/vaultwarden/data to hold the persistent data. Then run the Vaultwarden container with the data directory mounted as a volume, mapping the container's internal port to a local port that your reverse proxy will connect to. The key environment variables to set at this stage are the domain URL, the admin token for accessing the admin panel, and signup controls.
If you prefer Docker Compose, create a compose file that defines the Vaultwarden service with the same volume mount and environment variables. Docker Compose makes it easier to manage restarts, updates, and multi-container configurations if you later add a reverse proxy or monitoring tools to the same stack.
At this point, Vaultwarden is running and listening on a local port, but it is not yet accessible over the internet with HTTPS. The next step handles that.
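A docker-compose.yml for the deployment just described, added here as an example (it is not from the original article or the Vaultwarden project). The domain, the data path /opt/vaultwarden/data and loopback port 8080 are assumptions, and ADMIN_TOKEN is a placeholder you must replace:

```yaml
# docker-compose.yml (assumed location: /opt/vaultwarden/docker-compose.yml)
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      # Public URL; must match the HTTPS domain the reverse proxy serves (Step 3).
      DOMAIN: "https://vault.example.com"
      # Placeholder. Generate with: openssl rand -base64 48
      # (or store an argon2 hash produced by `vaultwarden hash` instead of plaintext).
      ADMIN_TOKEN: "REPLACE_WITH_RANDOM_TOKEN"
      # Close registration once your own account exists (Step 4).
      SIGNUPS_ALLOWED: "false"
      # Admins and organization owners can still invite specific addresses.
      INVITATIONS_ALLOWED: "true"
      # Password hints on the login page leak information about accounts.
      SHOW_PASSWORD_HINT: "false"
    volumes:
      # Everything that needs backing up (Step 6) lives under this one path.
      - /opt/vaultwarden/data:/data
    ports:
      # Bind to loopback only: Docker's published ports bypass host firewalls
      # such as ufw, so never publish this plain-HTTP port on 0.0.0.0.
      - "127.0.0.1:8080:80"
```

Start it with `docker compose up -d`; the reverse proxy in the next step connects to 127.0.0.1:8080.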
Step 3: Configure HTTPS with a Reverse Proxy
Bitwarden client apps refuse to connect to a server over plain HTTP in production, so HTTPS is mandatory. A reverse proxy sits in front of Vaultwarden, terminates TLS connections, and forwards decrypted traffic to the Vaultwarden container over the local network.
Caddy is the simplest reverse proxy for this purpose because it handles TLS certificate provisioning automatically. Install Caddy, create a Caddyfile with your domain name and a reverse_proxy directive pointing to Vaultwarden's local port, and start Caddy. It will automatically obtain a TLS certificate from Let's Encrypt, configure HTTPS, and renew the certificate before it expires. No manual certificate management is required.
Nginx is the alternative if you need more control over the proxy configuration or are already running Nginx for other services. With Nginx, you configure a server block for your domain with proxy_pass directives pointing to Vaultwarden, and use Certbot to obtain and auto-renew Let's Encrypt certificates. Nginx requires slightly more configuration than Caddy but offers more flexibility for complex setups.
Regardless of which reverse proxy you use, make sure to configure WebSocket proxying. Vaultwarden uses WebSockets for real-time sync notifications, and without WebSocket support in the proxy, clients will fall back to periodic polling instead of receiving instant updates.
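An Nginx server block for this step, including the WebSocket headers the paragraph above warns about, added as an example rather than the article's or the Vaultwarden project's own configuration. It assumes Vaultwarden 1.29 or newer (which serves WebSocket notifications on its main port, so no separate port 3012 location is needed), the domain vault.example.com, Vaultwarden published on 127.0.0.1:8080, and Certbot's default certificate paths:

```nginx
# /etc/nginx/sites-available/vaultwarden (assumed path; included in the http context)

# Pass the client's Connection header through only when it actually asks to upgrade.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      "";
}

server {
    listen 80;
    listen [::]:80;
    server_name vault.example.com;
    # Nothing is served over plain HTTP except the redirect.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name vault.example.com;

    ssl_certificate     /etc/letsencrypt/live/vault.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vault.example.com/privkey.pem;

    # Attachments and Send uploads exceed nginx's 1 MB default body limit.
    client_max_body_size 525M;

    location / {
        proxy_pass http://127.0.0.1:8080;

        # Real client address, so Vaultwarden's logs (and fail2ban, Step 7)
        # see the attacker's IP rather than 127.0.0.1.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support for live sync; without these three lines clients
        # still work but silently fall back to polling.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```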
Step 4: Create Your Account and Disable Public Signups
With HTTPS working, navigate to your domain in a web browser. You will see the Bitwarden web vault interface. Click "Create Account" and register with your email address and a strong master password. This is the master password that protects all your stored credentials, so choose something long, unique, and memorable. Consider a passphrase of four or more random words.
After creating your account, immediately disable public signups to prevent unauthorized users from creating accounts on your server. You can do this through the Vaultwarden admin panel (accessible at your domain with /admin appended) or by setting the SIGNUPS_ALLOWED environment variable to false and restarting the container. If you need to add more users later, you can temporarily re-enable signups or use the admin panel to invite specific email addresses.
While you are in the admin panel, review the other settings. Enable the admin token requirement if you have not already, configure SMTP settings if you want email notifications and account verification, and review the organization settings if you plan to create shared vaults for family or team members.
Step 5: Connect Client Apps
Install the Bitwarden app or browser extension on each device you want to use. Before logging in, tap the gear icon or settings button and change the server URL from the default Bitwarden cloud address to your own domain. Then log in with the account you just created.
All official Bitwarden clients support custom server URLs: the desktop apps for Windows, macOS, and Linux, the mobile apps for iOS and Android, and the browser extensions for Chrome, Firefox, Safari, Edge, and Brave. The web vault on your domain also works as a full-featured client.
Once connected, start by importing any existing passwords from your current password manager or browser. Bitwarden clients support imports from dozens of sources including LastPass, 1Password, Dashlane, Chrome, and Firefox. After importing, verify that all entries transferred correctly, then begin generating new, strong passwords for your most important accounts using the built-in password generator.
Step 6: Set Up Automated Backups
Your Vaultwarden data directory contains your entire encrypted vault. If this data is lost, all your stored passwords are gone. Automated backups are not optional.
The simplest backup approach is a cron job that copies the data directory to a second location on a schedule. For Vaultwarden with SQLite, use the sqlite3 command-line tool to create a consistent backup of the database file, since copying a SQLite file while it is being written to can produce a corrupted copy. The command sqlite3 /path/to/db.sqlite3 ".backup /path/to/backup/db.sqlite3" creates an atomic backup safely.
Store backups in a separate physical location from your server. Options include a different cloud provider's object storage, a separate VPS, a NAS at home if your server is remote, or an encrypted archive uploaded to a general-purpose cloud storage service. Encrypt your backups before uploading them to any third-party storage. Even though the vault data itself is already encrypted, adding another encryption layer prevents metadata exposure.
Test your backups by restoring them to a separate Vaultwarden instance periodically. A backup you have never tested is a backup you cannot trust.
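The backup procedure of this step as an added shell script (not from the article or the Vaultwarden project): the sqlite3 .backup snapshot, an integrity check before the snapshot is kept, the rest of the data directory, an optional GPG public-key encryption layer, retention pruning, and a verify function for the restore test above. The script name, the GPG_RECIPIENT and KEEP_DAYS variables and the example paths are assumptions.

```shell
#!/bin/sh
# vw-backup.sh (hypothetical name): consistent Vaultwarden backup for cron.
#   vw-backup.sh run /opt/vaultwarden/data /var/backups/vaultwarden
#   GPG_RECIPIENT=<key id>  encrypt to a key whose private half is NOT on this server
#   KEEP_DAYS=14            delete archives older than this many days
set -eu

# Build one timestamped archive of the data directory and print its path.
vw_backup() {
    data_dir=$1; dest_dir=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    work=$(mktemp -d)
    mkdir -p "$dest_dir"
    # 1. Snapshot the live database with SQLite's online backup API; a plain cp
    #    of db.sqlite3 while Vaultwarden writes to it can produce a torn copy.
    sqlite3 "$data_dir/db.sqlite3" ".backup $work/db.sqlite3"
    # 2. Never keep a snapshot that fails SQLite's own consistency check.
    if [ "$(sqlite3 "$work/db.sqlite3" 'PRAGMA integrity_check;')" != "ok" ]; then
        echo "integrity_check failed, aborting backup" >&2; rm -rf "$work"; return 1
    fi
    # 3. Attachments, sends, rsa_key* and config.json can be copied as-is; the live
    #    database and its -wal/-shm side files are excluded (step 1 replaced them).
    tar -C "$data_dir" --exclude='db.sqlite3*' -cf "$work/files.tar" .
    archive="$dest_dir/vaultwarden-$stamp.tar"
    tar -C "$work" -cf "$archive" db.sqlite3 files.tar
    rm -rf "$work"
    # 4. Optional second encryption layer before the archive leaves the server.
    if [ -n "${GPG_RECIPIENT:-}" ]; then
        gpg --batch --yes --encrypt --recipient "$GPG_RECIPIENT" "$archive"
        rm -f "$archive"; archive="$archive.gpg"
    fi
    # 5. Bound the retention window so old archives cannot fill the disk.
    find "$dest_dir" -name 'vaultwarden-*.tar*' -mtime +"${KEEP_DAYS:-14}" -delete
    echo "$archive"
}

# Restore test for an unencrypted archive: extract the database and re-check it.
vw_verify() {
    work=$(mktemp -d)
    tar -C "$work" -xf "$1" db.sqlite3
    result=$(sqlite3 "$work/db.sqlite3" 'PRAGMA integrity_check;')
    rm -rf "$work"
    [ "$result" = "ok" ]
}

case "${1:-}" in run) vw_backup "$2" "$3" ;; esac
```

Schedule it from cron (for example `0 3 * * * /usr/local/bin/vw-backup.sh run /opt/vaultwarden/data /var/backups/vaultwarden`) and ship the resulting archive off the host with rsync or rclone.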
Step 7: Harden Security and Monitor
A self-hosted password manager is a high-value target, so defense in depth is important. Start with the basics: configure a firewall (ufw on Ubuntu, firewalld on CentOS) to allow only ports 80, 443, and your SSH port. Everything else should be blocked.
Install fail2ban and configure it to monitor your reverse proxy's access logs for repeated failed login attempts. Vaultwarden does not have built-in brute-force protection, so fail2ban provides this by temporarily blocking IP addresses that make too many failed authentication attempts in a short period.
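A fail2ban filter and jail for the access-log approach described above, added as an example (not from the article or the Vaultwarden project). It assumes Nginx's default combined log format, that failed master-password logins to the Bitwarden identity endpoint are answered with HTTP 400 (the status Vaultwarden returns for a rejected password), and the file names shown in the comments:

```ini
# /etc/fail2ban/filter.d/vaultwarden-proxy.conf  (assumed file name)
# One hit per Nginx access-log line in which a login request to the identity
# endpoint was answered with 400. A legitimate two-factor login also produces
# one such line (the first request, before the 2FA code is supplied), so keep
# maxretry comfortably above that noise.
[Definition]
failregex = ^<HOST> .* "POST /identity/connect/token HTTP/[0-9.]+" 400
ignoreregex =

# /etc/fail2ban/jail.d/vaultwarden-proxy.local  (assumed file name)
[vaultwarden-proxy]
enabled  = true
port     = 80,443
filter   = vaultwarden-proxy
logpath  = /var/log/nginx/access.log
maxretry = 5
findtime = 10m
bantime  = 1h
```

Check the filter against the live log with `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/vaultwarden-proxy.conf` before enabling the jail; the hit count should match the failed logins you expect, not every request.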
Keep your server's operating system and Docker images updated. Set up unattended security updates for the OS, and periodically pull the latest Vaultwarden Docker image to get security patches and new features. You can automate Docker image updates with tools like Watchtower, though some administrators prefer manual updates for password manager servers to avoid unexpected changes.
Consider setting up basic monitoring to alert you if the server goes down. Uptime monitoring services like Uptime Kuma (itself open source and self-hostable) can check your Vaultwarden URL at regular intervals and send notifications if it becomes unreachable. Your devices will continue to work with cached vault data during outages, but new changes will not sync until the server is back online.
Self-hosting a password manager with Vaultwarden is a straightforward Docker deployment that gives you full data sovereignty, Bitwarden client compatibility, and premium features at the cost of a cheap VPS. The critical follow-up steps are disabling public signups, configuring automated backups, and hardening the server with a firewall and fail2ban.