Vaultwarden (Bitwarden) on a VPS (2026): Private Password Manager

Vaultwarden is a lightweight Bitwarden server. A VPS keeps it private and fast.
Table of Contents
- Why Vaultwarden
- VPS specs
- Install overview
- Security basics
- Backups
- Client tips
- Related guides
1. Why Vaultwarden
Cross-platform clients and simple server setup.
2. VPS specs
Very lightweight; runs fine on small plans.
3. Install overview
Docker with SQLite or Postgres; HTTPS. Prefer Postgres for multi-user setups, and set environment variables for admin token and SMTP for invites.
4. Security basics
Strong admin password; keep endpoints limited. Enforce 2FA for users, disable public registration for private instances, and rate-limit auth endpoints via reverse proxy.
5. Backups
Nightly database backups. Include attachments, configs, and test restores periodically.
6. Client tips
Use official Bitwarden clients; enable autofill judiciously and keep local vault locked on mobile.
7. Related guides
- Nginx Proxy Manager on a VPS
- WireGuard VPN on a VPS
- Hosting options: /vps-hosting
Why Vaultwarden over upstream Bitwarden
Vaultwarden is a Rust re-implementation of the Bitwarden server API. It runs in ~50 MB of RAM versus ~1.5 GB for the official Docker stack and is fully compatible with the official Bitwarden clients (browser extension, mobile app, desktop, CLI).
| | Vaultwarden | Bitwarden Server (official) |
|---|---|---|
| RAM at idle | 30-80 MB | 1.0-1.5 GB |
| Containers | 1 | 11 |
| Client compatibility | full | full |
| Family / org sharing | yes | yes |
| Free for self-host | yes | yes (community edition) |
| Premium features (TOTP, attachments) | unlocked | requires license key |
For a household or small team, Vaultwarden is the obvious pick.
docker-compose
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      DOMAIN: "https://vault.example.com"
      # Argon2 hash of the admin password. In a compose file every "$" is
      # written "$$" so Compose does not treat it as variable interpolation.
      ADMIN_TOKEN: "$$argon2id$$v=19$$m=65540,t=3,p=4$$..."
      SIGNUPS_ALLOWED: "false"
      INVITATIONS_ALLOWED: "true"
      WEBSOCKET_ENABLED: "true"
      SMTP_HOST: smtp.example.com
      SMTP_FROM: vault@example.com
      SMTP_USERNAME: vault@example.com
      SMTP_PASSWORD: "..."
    volumes:
      - ./data:/data
    ports:
      # Bind to loopback only; the reverse proxy is the public entry point.
      - "127.0.0.1:8080:80"
Generate ADMIN_TOKEN with:
docker run --rm -it vaultwarden/server /vaultwarden hash
Never use a plain-text ADMIN_TOKEN; always store the Argon2 hash.
Reverse proxy (Caddy)
vault.example.com {
    reverse_proxy 127.0.0.1:8080
}
Caddy auto-issues TLS via Let's Encrypt. WebSocket pass-through is automatic.
What to set in the admin panel
After first login at /admin:
- Disable open signup (SIGNUPS_ALLOWED=false already does this).
- Enable email-required for new accounts.
- Set up SMTP for password reset and invitations.
- Turn on Argon2 server-side iterations (default settings are conservative).
Backups that survive ransomware
Vaultwarden stores everything in ./data:
- db.sqlite3 (or Postgres URL)
- attachments/
- sends/
# stop, snapshot, start
docker compose stop vaultwarden
sqlite3 ./data/db.sqlite3 ".backup '/backups/vw-$(date +%F).sqlite3'"
docker compose start vaultwarden
Then encrypt and ship off-site:
gpg -e -r your-key /backups/vw-$(date +%F).sqlite3
rsync /backups/vw-*.gpg backup-host:/srv/vw/
If the VPS is compromised, the backups must not be readable with a key that is also on that VPS, so keep the decryption key off the server.
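A restore test for the SQLite backup above, as an added example (not from the original guide or the Vaultwarden project): it snapshots with SQLite's online backup API, the mechanism behind `.backup`, and accepts a restored copy only if it passes `PRAGMA integrity_check` and matches the row counts recorded at snapshot time. The table names `users` and `ciphers`, the function names and the sample database are assumptions constructed for illustration.

```python
import os
import sqlite3
import tempfile
from contextlib import closing

# Tables a usable vault copy must contain. Assumed names for illustration;
# confirm them on your own instance with sqlite3's `.tables`.
REQUIRED_TABLES = ("users", "ciphers")

def row_counts(db_path):
    """Return {table: rows} for REQUIRED_TABLES, or None if the file is unusable."""
    try:
        with closing(sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)) as con:
            if con.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
                return None
            return {t: con.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
                    for t in REQUIRED_TABLES}
    except sqlite3.Error:  # missing file, not a database, corrupt, or table absent
        return None

def snapshot(src_path, dst_path):
    """Copy the database with the online backup API; return the copy's row counts."""
    with closing(sqlite3.connect(src_path)) as src, closing(sqlite3.connect(dst_path)) as dst:
        src.backup(dst)
    return row_counts(dst_path)

def restore_test(restored_path, expected):
    """True only if the restored file opens, passes integrity_check and matches expected."""
    counts = row_counts(restored_path)
    return counts is not None and counts == expected

def build_sample_vault(path):
    """Constructed stand-in for ./data/db.sqlite3 so the example runs offline."""
    with closing(sqlite3.connect(path)) as con:
        con.executescript("""
            CREATE TABLE users (uuid TEXT PRIMARY KEY, email TEXT);
            CREATE TABLE ciphers (uuid TEXT PRIMARY KEY, user_uuid TEXT, data TEXT);
            INSERT INTO users VALUES ('u1', 'alice@example.com');
            INSERT INTO ciphers VALUES ('c1', 'u1', 'blob-1'), ('c2', 'u1', 'blob-2');
        """)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        live, copy = os.path.join(tmp, "db.sqlite3"), os.path.join(tmp, "vw-copy.sqlite3")
        build_sample_vault(live)
        print("restore test passed:", restore_test(copy, snapshot(live, copy)))
```

Store the counts returned by `snapshot` alongside the backup, and run `restore_test` on the copy fetched and decrypted from the off-site host rather than on the local file that was just written.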
Two-factor authentication
Vaultwarden supports TOTP, U2F/WebAuthn, Duo, and email. Enforce 2FA at the org level for shared secrets.
Common breakage
| Symptom | Cause | Fix |
|---|---|---|
| Mobile app says "URL not valid" | DOMAIN env not matching public URL | set DOMAIN to exact https URL |
| WebSocket sync fails | reverse proxy not forwarding | enable WebSocket forwarding (Caddy does it automatically; nginx needs Upgrade headers) |
| Email reset doesn't arrive | SMTP env wrong or port 25 blocked | use 587/STARTTLS via a relay |
| Admin page returns 404 | ADMIN_TOKEN not set | set ADMIN_TOKEN in env |
