majorlinux/MajorWiki
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
31d0a9806d8e0c26a8793022631a622161ee1378
MajorWiki/03-opensource/privacy-security/vaultwarden.md
MajorLinux 6e0ceb0972 wiki: add Vaultwarden article to privacy-security section 
Add 03-opensource/privacy-security/vaultwarden.md covering deployment
with Docker Compose, Caddy reverse proxy, client setup, access model
via Tailscale, and SQLite backup. Remove KeePassXC from backlog.

Article count: 31 → 32. Open source section: 4 → 5.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-13 23:48:40 -04:00

2.8 KiB
Raw Blame History

Vaultwarden — Self-Hosted Password Manager

Problem

Password managers are a necessity, but handing your credentials to a third-party cloud service is a trust problem. Bitwarden is open source and privacy-respecting, but if you're already running a homelab, there's no reason to depend on their servers.

Solution

Vaultwarden is an unofficial, lightweight Bitwarden-compatible server written in Rust. It exposes the same API that all official Bitwarden clients speak — desktop apps, browser extensions, mobile apps — so you get the full Bitwarden UX pointed at your own hardware.

Your passwords never leave your network.

Deployment (Docker + Caddy)

docker-compose.yml

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      - DOMAIN=https://vault.yourdomain.com
      - SIGNUPS_ALLOWED=false   # disable after creating your account
    volumes:
      - ./vw-data:/data
    ports:
      - "8080:80"

Start it:

sudo docker compose up -d

Caddy reverse proxy

vault.yourdomain.com {
    reverse_proxy localhost:8080
}

Caddy handles TLS automatically. No extra cert config needed.

Initial Setup

  1. Browse to https://vault.yourdomain.com and create your account
  2. Set SIGNUPS_ALLOWED=false in the compose file and restart the container
  3. Install any official Bitwarden client (browser extension, desktop, mobile)
  4. In the client, set the Server URL to https://vault.yourdomain.com before logging in

That's it. The client has no idea it's not talking to Bitwarden's servers.

Access Model

On MajorInfrastructure, Vaultwarden runs on majorlab and is accessible:

  • Internally — via Caddy on the local network
  • Remotely — via Tailscale; vault is reachable from any device on the tailnet without exposing it to the public internet

This means the Caddy vhost does not need to be publicly routable. You can choose to expose it publicly (Let's Encrypt works fine) or keep it Tailscale-only.

Backup

Vaultwarden stores everything in a single SQLite database at ./vw-data/db.sqlite3. Back it up like any file:

# Simple copy (stop container first for consistency, or use sqlite backup mode)
sqlite3 /path/to/vw-data/db.sqlite3 ".backup '/path/to/backup/vw-backup-$(date +%F).sqlite3'"

Or include the vw-data/ directory in your regular rsync backup run.

Why Not Bitwarden (Official)?

The official Bitwarden server is also open source but requires significantly more resources (multiple services, SQL Server). Vaultwarden runs in a single container on minimal RAM and handles everything a personal or family vault needs.

Tags

#vaultwarden #bitwarden #passwords #privacy #self-hosting #docker #linux

Reference in New Issue View Git Blame Copy Permalink