Vaultwarden is the reason "self-hosted password manager" stopped being an enthusiast-only sport: it reimplements the Bitwarden server API in Rust, so every official Bitwarden client — browser extensions, mobile apps, desktop, CLI — works unmodified, while the server idles at 50–256 MB RAM instead of the multi-gigabyte official stack. A $5-class VPS runs it for a family; a $15 one runs it for a company. The setup itself is one container; the things worth engineering are HTTPS, the admin surface, and backups.
What it actually needs
| Deployment | CPU | RAM | Disk |
|---|---|---|---|
| Personal / family (2–10 users) | 1 vCPU | 512 MB total incl. OS | 1–2 GB (vault + attachments) |
| Small company (10–100 users) | 2 vCPU | 1–2 GB | 5–20 GB (attachments, sends) |
| With Postgres/MariaDB instead of SQLite | 2 vCPU | +512 MB | same |
SQLite is the default and — unpopular opinion, backed by the maintainers — is fine for the vast majority of instances: the write load of a password manager is trivial. Switch to Postgres when you have hundreds of users or want point-in-time recovery discipline you already run elsewhere.
The three gotchas that actually bite
- HTTPS is not optional. The web vault and extensions use WebCrypto, which browsers only enable in secure contexts — over plain HTTP login simply fails. Put Vaultwarden behind Caddy (two lines of config, automatic Let's Encrypt) or nginx + certbot. Never expose the container port directly.
- The admin panel is a loaded gun.
/adminwith a weak token equals total vault compromise. Generate the token as an argon2 hash (vaultwarden hashdoes it), or better: leave ADMIN_TOKEN unset (panel disabled) and enable it only when needed. - Open signups. Default allows anyone who finds the URL to register. After creating your accounts set
SIGNUPS_ALLOWED=falseand use invitations — internet scanners find Vaultwarden instances within hours of DNS going live.
Backups: the part people skip and regret
Self-hosting a password manager concentrates your entire digital life into one directory. The rules that matter:
- Back up the whole data dir (
db.sqlite3,attachments/,rsa_key*— the RSA keys are required or all sessions/2FA break on restore). For SQLite usesqlite3 db.sqlite3 ".backup ...", not a raw copy of a live file. - Ship backups off the server — restic or borg to another box or S3-compatible storage, encrypted. A backup on the same disk is a copy, not a backup.
- Test a restore quarterly. Spin a throwaway container from the backup, log in, see entries. An untested backup is a hope, not a plan.
Looking for a server that just works?
Valebyte VPS — NVMe, 24/7 support, deploy in 60 seconds.
Where to host it
Rationally, any tiny VPS in a stable jurisdiction works — Vaultwarden's E2E encryption means the host never sees your secrets, only availability matters. Practical picks: a small VPS in the EU (GDPR jurisdiction, close to you) or piggyback it on an existing box — it is light enough to share a server with a PaaS or monitoring stack from our self-hosted series. If it shares a machine, keep its backups separate and its reverse-proxy config boring. For the dedicated-paranoia tier (company vault, compliance), a $25–35 dedicated box from the catalog gives you physical isolation for less than two Bitwarden Enterprise seats.
Bottom line
Vaultwarden is one of the highest-value self-hosted services per megabyte in existence: full Bitwarden UX, trivial hardware, one container. Spend the saved effort exactly where this guide points — HTTPS, locked admin, closed signups, tested off-server backups — and it will quietly run for years. Facts checked July 8, 2026.