bolt Valebyte VPS from $4/mo — NVMe, 60s deploy.

Get a VPS arrow_forward

Vaultwarden: Self-Hosted Bitwarden — Server Requirements and Setup Notes

calendar_month July 08, 2026 schedule 3 min read visibility 7 views
person
Valebyte Team
Vaultwarden: Self-Hosted Bitwarden — Server Requirements and Setup Notes
summarize

TL;DR

  • Vaultwarden is a Rust reimplementation of the Bitwarden server: all official apps and extensions work against it, on a fraction of the resources.
  • Real appetite: ~50–256 MB RAM — the smallest VPS you can rent is enough for a family or a small company.
  • Hard requirement: HTTPS via reverse proxy — browser crypto APIs refuse plain HTTP; a Caddy/nginx + Let's Encrypt front is 15 minutes.
  • Security floor: strong ADMIN_TOKEN (argon2), disable open signups after onboarding, put 2FA on every account.
  • The vault is the single point of failure by design — automate off-server backups of the data directory and TEST a restore.

Vaultwarden is the reason "self-hosted password manager" stopped being an enthusiast-only sport: it reimplements the Bitwarden server API in Rust, so every official Bitwarden client — browser extensions, mobile apps, desktop, CLI — works unmodified, while the server idles at 50–256 MB RAM instead of the multi-gigabyte official stack. A $5-class VPS runs it for a family; a $15 one runs it for a company. The setup itself is one container; the things worth engineering are HTTPS, the admin surface, and backups.

What it actually needs

DeploymentCPURAMDisk
Personal / family (2–10 users)1 vCPU512 MB total incl. OS1–2 GB (vault + attachments)
Small company (10–100 users)2 vCPU1–2 GB5–20 GB (attachments, sends)
With Postgres/MariaDB instead of SQLite2 vCPU+512 MBsame

SQLite is the default and — unpopular opinion, backed by the maintainers — is fine for the vast majority of instances: the write load of a password manager is trivial. Switch to Postgres when you have hundreds of users or want point-in-time recovery discipline you already run elsewhere.

The three gotchas that actually bite

  • HTTPS is not optional. The web vault and extensions use WebCrypto, which browsers only enable in secure contexts — over plain HTTP login simply fails. Put Vaultwarden behind Caddy (two lines of config, automatic Let's Encrypt) or nginx + certbot. Never expose the container port directly.
  • The admin panel is a loaded gun. /admin with a weak token equals total vault compromise. Generate the token as an argon2 hash (vaultwarden hash does it), or better: leave ADMIN_TOKEN unset (panel disabled) and enable it only when needed.
  • Open signups. Default allows anyone who finds the URL to register. After creating your accounts set SIGNUPS_ALLOWED=false and use invitations — internet scanners find Vaultwarden instances within hours of DNS going live.

Backups: the part people skip and regret

Self-hosting a password manager concentrates your entire digital life into one directory. The rules that matter:

  • Back up the whole data dir (db.sqlite3, attachments/, rsa_key* — the RSA keys are required or all sessions/2FA break on restore). For SQLite use sqlite3 db.sqlite3 ".backup ...", not a raw copy of a live file.
  • Ship backups off the server — restic or borg to another box or S3-compatible storage, encrypted. A backup on the same disk is a copy, not a backup.
  • Test a restore quarterly. Spin a throwaway container from the backup, log in, see entries. An untested backup is a hope, not a plan.
rocket_launch Quick pick

Looking for a server that just works?

Valebyte VPS — NVMe, 24/7 support, deploy in 60 seconds.

View VPS plans arrow_forward

Where to host it

Rationally, any tiny VPS in a stable jurisdiction works — Vaultwarden's E2E encryption means the host never sees your secrets, only availability matters. Practical picks: a small VPS in the EU (GDPR jurisdiction, close to you) or piggyback it on an existing box — it is light enough to share a server with a PaaS or monitoring stack from our self-hosted series. If it shares a machine, keep its backups separate and its reverse-proxy config boring. For the dedicated-paranoia tier (company vault, compliance), a $25–35 dedicated box from the catalog gives you physical isolation for less than two Bitwarden Enterprise seats.

Bottom line

Vaultwarden is one of the highest-value self-hosted services per megabyte in existence: full Bitwarden UX, trivial hardware, one container. Spend the saved effort exactly where this guide points — HTTPS, locked admin, closed signups, tested off-server backups — and it will quietly run for years. Facts checked July 8, 2026.

support_agent
Valebyte Support
Usually replies within minutes
Hi there!
Send us a message and we'll reply as soon as possible.