Self-hosted Bitwarden / Vaultwarden: a password manager for teams

To deploy Vaultwarden for a team of up to 50 people, a VPS with 1 vCPU, 512 MB RAM, and 10 GB of disk space is sufficient, costing approximately $4-5 per month. This provides full control over corporate passwords and eliminates monthly per-user fees.

Using cloud-based password managers involves risks: from data breaches on the provider's side to sudden account lockouts. Vaultwarden (formerly known as bitwarden_rs) is an alternative implementation of the Bitwarden API written in Rust. This lightweight solution allows you to deploy a full-featured bitwarden self hosted service that consumes 10-20 times fewer resources than the official Docker image from the developers, which is written in .NET Core and requires MSSQL.

Why Vaultwarden VPS is the Standard for Modern Business?

The main advantage of a vaultwarden vps lies in the combination of security and cost-efficiency. While the official Bitwarden requires at least 4 GB of RAM to run comfortably due to its heavy microservices architecture, the Rust version functions perfectly on entry-level plans. This is critical when scaling infrastructure or migrating from Vercel/Netlify to your own VPS, where every megabyte of memory counts.

Comparison of Architectural Solutions

The official Bitwarden uses a Microsoft technology stack, including SQL Server and multiple containers for different tasks (API, Identity, Web, Notifications). Vaultwarden combines all functions into a single binary file, using SQLite by default. This not only simplifies deployment but also reduces the attack surface. When using vaultwarden docker, you get a single container that is easy to update and migrate between servers.

Economic Benefits and Functionality

Paid Bitwarden features, such as creating organizations, shared password use in teams (Collections), and two-factor authentication (2FA) via Yubikey or Duo, are available for free in Vaultwarden. For a company of 20 people, using a cloud service would cost $60-100 monthly. Your own password manager based on Vaultwarden costs a fixed $5 for server rental, regardless of the number of employees.

Feature	Bitwarden Cloud (Free)	Bitwarden Enterprise	Vaultwarden (Self-hosted)
Cost	$0	$5/mo per user	VPS Price (~$5/mo)
Team Folders	No	Yes	Yes (Unlimited)
RAM Consumption	N/A	4-8 GB	128-256 MB
2FA (Yubikey/Duo)	No	Yes	Yes
Attachment Storage	100 MB	1 GB+	Limited by VPS disk

Technical Implementation of Vaultwarden Docker and System Requirements

Almost any modern Linux distribution is suitable for running a vaultwarden docker configuration. Ubuntu 22.04 LTS or Debian 12 are recommended as the most stable platforms with up-to-date Docker engine versions. If you are planning a move from DigitalOcean or another major provider, the setup process remains identical thanks to containerization.

Minimum and Recommended Specifications

• Processor: 1 core (even 2.0 GHz is enough for on-the-fly encryption).
• RAM: 256 MB for personal use, 512 MB - 1 GB for a team (accounting for OS caching).
• Disk Space: 10 GB NVMe (the password database is small; logs and attachments take up most of the space).
• Network: 100 Mbps - 1 Gbps (traffic is minimal as only text data is transmitted).

It is important to understand that the Rust implementation is extremely efficient. Even with hundreds of simultaneous requests from mobile clients and browser extensions, CPU load rarely exceeds 5-10%. This allows you to host Vaultwarden on the same server as other lightweight services, for example, if you use WireGuard on a VPS for secure internet access.

Step-by-Step Bitwarden Self-Hosted Installation

The deployment process for bitwarden self hosted begins with environment preparation. It is assumed you already have a clean VPS and a domain name pointed to the server's IP address. Using HTTPS is mandatory, as modern browsers block the Web Crypto API on insecure connections, making the password manager non-functional.

Step 1: Install Docker and Docker Compose

curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
sudo systemctl enable --now docker

Step 2: Create docker-compose.yml Configuration

Create a working directory and a configuration file. We will use the official Vaultwarden image and the built-in SQLite database, which is the optimal choice for 99% of teams in terms of performance and backup simplicity.

version: '3'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      - SIGNUPS_ALLOWED=true
      - DOMAIN=https://pass.yourdomain.com
      - DATABASE_URL=data/vaultwarden.db
      - ADMIN_TOKEN=some_strong_random_token_here
    volumes:
      - ./vw-data:/data
    ports:
      - 8080:80

In this configuration, the ADMIN_TOKEN parameter allows access to a hidden admin panel at /admin. There, you can manage users and server settings without editing configuration files. After all employees have registered, it is recommended to set SIGNUPS_ALLOWED=false to prevent unauthorized registrations.

Nginx and SSL Setup for Bitwarden Self-Hosted

Directly exposing container ports to the network is bad practice. To ensure security and manage SSL certificates, you must use a reverse proxy, such as Nginx. This is a standard scheme that we also recommend when setting up Self-hosted n8n or other web services.

Nginx Configuration

Install Nginx and Certbot to automatically obtain Let's Encrypt certificates. Example configuration file for the site:

server {
    listen 80;
    server_name pass.yourdomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name pass.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/pass.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pass.yourdomain.com/privkey.pem;

    client_max_body_size 128M;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /notifications/hub {
        proxy_pass http://127.0.0.1:3012;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /notifications/hub/negotiate {
        proxy_pass http://127.0.0.1:8080;
    }
}

The /notifications/hub section is necessary for WebSocket functionality. This allows mobile apps and browser extensions to receive instant notifications about changes in the password database without needing manual synchronization.

Administration and Team Access in Your Password Manager

Once your own password manager is running, primary management occurs via the web interface. For teamwork, Vaultwarden implements the concept of Organizations. An Organization is a shared space where an administrator can create collections (folders) and distribute access rights among employees.

SMTP Setup for Notifications

To invite new users, the server must be able to send emails. Add SMTP gateway settings in the admin panel or via environment variables. Without this, users won't be able to verify their email or receive login notifications from new devices.

- SMTP_HOST=smtp.mailgun.org
- [email protected]
- SMTP_PORT=587
- SMTP_SECURITY=starttls
- [email protected]
- SMTP_PASSWORD=password

Managing Collections

Within an organization, you can create collections such as "Marketing," "Development," or "Admins." Each employee is assigned an access level: "Read Only," "Read/Write," or "Collection Admin." This allows for flexible access control to critical infrastructure. This permission model is similar to those used in corporate VPN solutions like VLESS-Reality, where resource access is strictly regulated.

Security and Backups in a Self-Hosted Password Manager

The security of a password manager selfhost is based on end-to-end encryption (E2EE). The server never sees your master password in plain text—all encryption operations happen on the client side. However, the responsibility for the safety of the encrypted database lies with the VPS owner.

Backup Strategy

The SQLite database in Vaultwarden is a single file: db.sqlite3. However, simply copying the file while the server is running can lead to data corruption. The correct method is to use the .backup command via the sqlite3 CLI or specialized scripts.

1. Local Backup: Regularly create a database dump.
2. External Storage: Send encrypted archives to an S3-compatible cloud or another server.
3. Versioning: Keep copies for the last 30 days.

Example of a simple backup script:

#!/bin/bash
BACKUP_DIR="/backups/vaultwarden"
DATA_DIR="/opt/vaultwarden/vw-data"
TIMESTAMP=$(date +"%Y%m%d_%H%M%S")

sqlite3 $DATA_DIR/db.sqlite3 ".backup '$BACKUP_DIR/db_$TIMESTAMP.sqlite3'"
tar -czf $BACKUP_DIR/attachments_$TIMESTAMP.tar.gz $DATA_DIR/attachments
find $BACKUP_DIR -type f -mtime +30 -delete

Importing Data from 1Password and LastPass

Switching to a vaultwarden vps is simplified by built-in import tools. The Bitwarden API supports almost all popular export formats. If your team previously used LastPass or 1Password, the migration process will take no more than 15 minutes.

Migration Instructions

• Export data from your old manager in .csv or .json format.
• In the Vaultwarden web interface, go to Tools -> Import Data.
• Select the source file format (e.g., "1Password (macOS/Windows)").
• Upload the file and click "Import."

Important: After a successful import, be sure to delete the export files from your local computer, as they contain your passwords in plain text. Vaultwarden correctly handles nested folders, tags, and even custom fields, keeping your database structure intact.

Optimization and Troubleshooting

Despite its high stability, running vaultwarden docker may involve nuances related to Nginx limits or container updates. If you upload large files (e.g., SSH keys or certificates) as attachments, you might encounter a 413 Request Entity Too Large error. This is solved by increasing client_max_body_size in the Nginx config, as shown above.

Updating Vaultwarden

Updating is done by recreating the container with a new image. Since all data is stored in an external volume, this process is safe and takes less than a minute:

docker-compose pull
docker-compose up -d --remove-orphans

It is recommended to check for updates once a month, as developers promptly patch discovered vulnerabilities in the upstream Bitwarden version and add support for new client application features.

Conclusions

For the reliable operation of a corporate Vaultwarden password manager, it is optimal to use a VPS with 1 GB RAM and an NVMe disk, ensuring instant data access and stability as the team grows. It is recommended to set up automatic database backups to external storage and disable new user registrations immediately after the staff is onboarded.