---
title: "Vaultwarden — Self-Hosted Password Manager"
domain: opensource
category: privacy-security
tags: [vaultwarden, bitwarden, passwords, self-hosting, docker]
status: published
created: 2026-04-02
updated: 2026-04-02
---
# Vaultwarden — Self-Hosted Password Manager

## Problem

Password managers are a necessity, but handing your credentials to a third-party cloud service is a trust problem. Bitwarden is open source and privacy-respecting, but if you're already running a homelab, there's no reason to depend on their servers.

## Solution

[Vaultwarden](https://github.com/dani-garcia/vaultwarden) is an unofficial, lightweight Bitwarden-compatible server written in Rust. It exposes the same API that all official Bitwarden clients speak — desktop apps, browser extensions, mobile apps — so you get the full Bitwarden UX pointed at your own hardware.

Your passwords never leave your network.

---

## Deployment (Docker + Caddy)

### docker-compose.yml

```yaml
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      - DOMAIN=https://vault.yourdomain.com
      - SIGNUPS_ALLOWED=false   # disable after creating your account
    volumes:
      - ./vw-data:/data
    ports:
      - "8080:80"
```

Start it:

```bash
sudo docker compose up -d
```

### Caddy reverse proxy

```
vault.yourdomain.com {
    reverse_proxy localhost:8080
}
```

Caddy handles TLS automatically. No extra cert config needed.

---

## Initial Setup

1. Browse to `https://vault.yourdomain.com` and create your account
2. Set `SIGNUPS_ALLOWED=false` in the compose file and restart the container
3. Install any official Bitwarden client (browser extension, desktop, mobile)
4. In the client, set the **Server URL** to `https://vault.yourdomain.com` before logging in

That's it. The client has no idea it's not talking to Bitwarden's servers.

---

## Access Model

On MajorInfrastructure, Vaultwarden runs on **majorlab** and is accessible:

- **Internally** — via Caddy on the local network
- **Remotely** — via Tailscale; vault is reachable from any device on the tailnet without exposing it to the public internet

This means the Caddy vhost does not need to be publicly routable. You can choose to expose it publicly (Let's Encrypt works fine) or keep it Tailscale-only.

---

## Backup

Vaultwarden stores everything in a single SQLite database at `./vw-data/db.sqlite3`. Back it up like any file:

```bash
# Simple copy (stop container first for consistency, or use sqlite backup mode)
sqlite3 /path/to/vw-data/db.sqlite3 ".backup '/path/to/backup/vw-backup-$(date +%F).sqlite3'"
```

Or include the `vw-data/` directory in your regular rsync backup run.

---

## Why Not Bitwarden (Official)?

The official Bitwarden server is also open source but requires significantly more resources (multiple services, SQL Server). Vaultwarden runs in a single container on minimal RAM and handles everything a personal or family vault needs.

---