2026-05-04 · self-hosting · passwords

Self-Host Your Password Manager: Vaultwarden in 20 Minutes

Self-host the Bitwarden experience on a $35 Raspberry Pi or any Linux box, with Docker, HTTPS, and automatic backups. Step-by-step playbook.

Vaultwarden is the unofficial Rust rewrite of the Bitwarden server. Same client compatibility, ten times less RAM, runs comfortably on a Raspberry Pi 4. If you want the Bitwarden UX without trusting bitwarden.com with your vault, this is the path.

What you need

  • A small always-on machine: Raspberry Pi 4 with 2GB RAM is plenty. A $5/month VPS works too.
  • A domain name you control, with DNS pointing at the machine.
  • 20 minutes.

Step 1: Docker

On Raspberry Pi OS or any Debian-based Linux:

curl -fsSL https://get.docker.com | sh
sudo usermod -aG docker $USER
newgrp docker

Verify with docker --version. Reboot if needed.

Step 2: Caddy + Vaultwarden

Caddy handles HTTPS automatically via Let's Encrypt. The cleanest single-file setup is a docker-compose.yml that runs both:

services:
  vaultwarden:
    image: vaultwarden/server:latest
    restart: unless-stopped
    volumes:
      - ./vw-data:/data
    environment:
      DOMAIN: https://vault.example.com
      SIGNUPS_ALLOWED: "true"
  caddy:
    image: caddy:2
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy-data:/data
volumes:
  caddy-data:

Caddyfile in the same directory:

vault.example.com {
  reverse_proxy vaultwarden:80
}

Replace vault.example.com with your real domain, run docker compose up -d, and you're live.

Step 3: Create your account, then disable signups

Visit https://vault.example.com, click Create Account, and set a strong master password. Once you have your account, edit docker-compose.yml, set SIGNUPS_ALLOWED: "false", and run docker compose up -d again. This prevents random signups by anyone who finds your URL.

Step 4: Enable 2FA on the master account

In Web Vault → Account → Two-step Login. The default is TOTP — pair it with Aegis or Ente Auth. For maximum security, also add a YubiKey under Security Keys.

Step 5: Install the clients

Bitwarden's official browser extensions, mobile apps, and desktop apps all work with Vaultwarden — point them at your URL during sign-in. Nothing about the client experience changes.

Step 6: Backups (skip this and lose your vault)

The vw-data folder contains everything. A simple cron job to a separate location is enough:

0 2 * * * tar czf /backup/vw-$(date +\%Y\%m\%d).tar.gz /home/pi/vaultwarden/vw-data

Pair that with Cryptomator or rclone-crypt to sync the encrypted archive to a cloud bucket. Test the restore procedure once a year — an untested backup is not a backup.
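
One way to automate the restore test described above, as an added example rather than code from the original post: it archives vw-data, restores each archive into a scratch directory, and checks that db.sqlite3 (Vaultwarden's default SQLite database file) comes back with a SQLite file header. The function names and the backup-vw.sh file name are assumptions, and it assumes the vault is idle or the container is stopped while tar runs, since a database copied mid-write may not restore cleanly.

```shell
#!/bin/sh
# Added example: dated Vaultwarden backup plus a restore check.
# Defaults are the paths used in this post; override them via the environment.
VW_DATA="${VW_DATA:-/home/pi/vaultwarden/vw-data}"
BACKUP_DIR="${BACKUP_DIR:-/backup}"

# Write vw-YYYYMMDD.tar.gz, readable only by its owner, and print its path.
make_backup() {
  umask 077
  archive="$BACKUP_DIR/vw-$(date +%Y%m%d).tar.gz"
  tar czf "$archive" -C "$(dirname "$VW_DATA")" "$(basename "$VW_DATA")" || return 1
  printf '%s\n' "$archive"
}

# Restore the archive into a scratch directory and inspect the result.
# Returns 0 if usable, 2 if the archive does not extract, 3 if db.sqlite3
# is missing or does not start with the SQLite file header.
verify_backup() {
  scratch="$(mktemp -d)" || return 1
  result=0
  if ! tar xzf "$1" -C "$scratch" 2>/dev/null; then
    result=2
  else
    db="$scratch/$(basename "$VW_DATA")/db.sqlite3"
    magic="$(head -c 15 "$db" 2>/dev/null || true)"
    [ "$magic" = "SQLite format 3" ] || result=3
  fi
  rm -rf "$scratch"
  return "$result"
}

# Cron entry point: back up, verify, and set aside an archive that fails.
run_nightly() {
  new="$(make_backup)" || { echo "backup failed" >&2; return 1; }
  if ! verify_backup "$new"; then
    mv "$new" "$new.bad"
    echo "restore check failed: $new.bad" >&2
    return 1
  fi
}

# Only act when called as: backup-vw.sh run
if [ "${1:-}" = "run" ]; then
  run_nightly
fi
```

Called from cron as backup-vw.sh run, a failed check exits non-zero and leaves the archive renamed with a .bad suffix, so a broken backup is noticed the next morning instead of on the day you need it.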

Common pitfalls

  • Caddy fails to get a certificate: ports 80 and 443 must be open to the public internet for Let's Encrypt to validate. Behind a home router, you need port forwarding.
  • Vault is slow on Pi 3: bcrypt rounds eat CPU. Pi 4 or newer is the floor.
  • You lose your master password: there is no recovery. Vaultwarden cannot reset it. This is the same trade-off as cloud Bitwarden, and it is the right one — but write your password down and store it physically before you forget.

When to use this vs cloud Bitwarden

Self-host if: you have a home server already, you object to trusting bitwarden.com on principle, or you live in a jurisdiction where they do not operate.

Stay on cloud Bitwarden if: you want apps to work the moment you open them on a new device without you maintaining anything. The cloud free tier is excellent. The self-host trade-off is real and not for everyone.
