A hosted password manager means trusting a company's servers with the keys to your entire digital life. Vaultwarden — a lightweight, unofficial Rust re-implementation of the Bitwarden server API — lets you keep that vault on hardware you control, while still using the official Bitwarden apps and browser extensions. It runs comfortably on a $5 VPS or a Raspberry Pi.
Here's a clean, minimal setup plus the hardening that actually matters.
The Docker Compose

```yaml
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      DOMAIN: "https://vault.example.com"
      SIGNUPS_ALLOWED: "false"      # turn off after you create your account
      ADMIN_TOKEN: "<argon2-hash>"  # see below
    volumes:
      - ./vw-data:/data
    ports:
      - "127.0.0.1:8080:80"        # bind to localhost, terminate TLS at a reverse proxy
```
Two deliberate choices in that file:

- ports: "127.0.0.1:8080:80". Vaultwarden speaks plain HTTP. Never expose that to the internet. Bind it to localhost and put a reverse proxy (Caddy/nginx/Traefik) in front to handle TLS. The web vault and the Bitwarden clients refuse to send credentials over anything but HTTPS, so this isn't optional.
- SIGNUPS_ALLOWED: "false". Leave it true only long enough to register your own account, then flip it and recreate the container (docker compose up -d picks up the changed environment). An open Vaultwarden on a public IP will get strangers registering on it.
Hardening that matters
Hash the admin token. The /admin panel is a juicy target. Don't paste a plaintext token into the compose file; generate an Argon2 hash and use that:

docker run --rm -it vaultwarden/server /vaultwarden hash

The command prints an ADMIN_TOKEN line that starts with $argon2id$. Two things to get right when you paste it: you still log in to /admin with the plaintext you typed, not the hash, and Docker Compose treats $ in environment values as variable interpolation, so every $ in the hash must be written as $$ (or the value placed in an env file that Compose does not interpolate).
Put the admin panel behind something extra: an IP allow-list for the /admin path at the proxy, or a route that is only reachable over your VPN. A leaked admin token otherwise exposes every user. If you don't need the panel day to day, leave ADMIN_TOKEN unset entirely; Vaultwarden disables /admin when no token is configured, and you can set one temporarily when you need it.
Back up vw-data/. It holds the SQLite database db.sqlite3 (the vault items are encrypted client-side, but user records, organization membership and two-factor state live there too), your rsa_key files (used to sign the login tokens the clients hold), plus the attachments/ and sends/ directories and config.json if you use the admin panel. No backup = one disk failure from losing every password. Don't just cp the live database: Vaultwarden runs SQLite in WAL mode, so a raw copy of db.sqlite3 can miss committed writes that still sit in db.sqlite3-wal. Use the online backup instead, for example sqlite3 vw-data/db.sqlite3 ".backup '/backups/db.sqlite3'", bundle it with the key files and directories above, and ship it nightly to an offsite target (the 3-2-1 rule applies to your vault too). Restore it into a scratch container once so you know the archive actually works; that test is the difference between an inconvenience and a catastrophe.
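The nightly job described above, as an added example rather than any script the post or the Vaultwarden project ships. It is a small hypothetical Python helper that uses SQLite's online backup API (the same mechanism as the sqlite3 CLI's .backup) so the snapshot is consistent while the server is writing, runs PRAGMA integrity_check on the copy before archiving it, bundles the key files, attachments, sends and config.json, and prunes old local archives. The file and directory names assume a default Vaultwarden data directory; the output path and retention count are the caller's choice.

```python
#!/usr/bin/env python3
"""Nightly snapshot of a Vaultwarden data directory (hypothetical helper).

Uses SQLite's online backup API instead of cp, so the copy is consistent
even with WAL mode and a running server, then bundles key material,
attachments and config into one timestamped tarball.
"""
import datetime
import shutil
import sqlite3
import tarfile
from pathlib import Path

# Layout of /data in a default Vaultwarden install (assumed; adjust if yours differs).
DB_NAME = "db.sqlite3"
KEY_GLOB = "rsa_key*"            # rsa_key.pem, rsa_key.pub.pem
EXTRA_DIRS = ("attachments", "sends")
EXTRA_FILES = ("config.json",)


def snapshot_db(src_db: Path, dst_db: Path) -> None:
    """Copy the live database with the backup API. A raw file copy of
    db.sqlite3 can miss committed writes still sitting in the -wal file."""
    src = sqlite3.connect(f"file:{src_db}?mode=ro", uri=True)
    dst = sqlite3.connect(dst_db)
    try:
        src.backup(dst)
    finally:
        dst.close()
        src.close()


def verify_db(db_path: Path) -> bool:
    """Refuse to ship a corrupt snapshot."""
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        return con.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
    finally:
        con.close()


def backup_vaultwarden(data_dir: Path, out_dir: Path, keep: int = 14) -> Path:
    """Write <out_dir>/vaultwarden-<UTC stamp>.tar.gz, keep the newest `keep`
    archives locally (the off-site copy is a separate step) and return the
    path of the new archive."""
    data_dir, out_dir = Path(data_dir), Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    staging = out_dir / f".staging-{stamp}"
    staging.mkdir()
    try:
        snap = staging / DB_NAME
        snapshot_db(data_dir / DB_NAME, snap)
        if not verify_db(snap):
            raise RuntimeError("integrity_check failed on snapshot; not archiving")
        for key in data_dir.glob(KEY_GLOB):
            shutil.copy2(key, staging / key.name)
        for name in EXTRA_FILES:
            if (data_dir / name).is_file():
                shutil.copy2(data_dir / name, staging / name)
        for name in EXTRA_DIRS:
            if (data_dir / name).is_dir():
                shutil.copytree(data_dir / name, staging / name)
        archive = out_dir / f"vaultwarden-{stamp}.tar.gz"
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(staging, arcname="vw-data")
    finally:
        shutil.rmtree(staging, ignore_errors=True)
    # Prune: everything but the newest `keep` archives (keep must be >= 1).
    for old in sorted(out_dir.glob("vaultwarden-*.tar.gz"))[:-keep]:
        old.unlink()
    return archive


def archive_members(archive: Path) -> list[str]:
    """List member names, for a post-backup sanity check."""
    with tarfile.open(archive, "r:gz") as tar:
        return [m.name for m in tar.getmembers()]


if __name__ == "__main__":
    import sys
    # usage: backup_vw.py /path/to/vw-data /path/to/backups
    print(backup_vaultwarden(Path(sys.argv[1]), Path(sys.argv[2])))
```

Run it from cron or a systemd timer on the host (it needs read access to vw-data, which Docker usually leaves owned by root), then rsync or rclone the resulting tarball off the box. Because the database connection is opened read-only and the copy goes through the backup API, the job can run while the container is up.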
Keep the image updated. Either pin a specific version tag and bump it deliberately, or stay on latest and actually pull on a schedule (docker compose pull && docker compose up -d); Vaultwarden ships security fixes and you want them. Whichever you choose, check the release notes before upgrading, since some releases need a database migration or a new configuration option.
What you're actually trading
Self-hosting removes the "trust a third party's servers" risk and replaces it with "you are now the server admin." That's a real responsibility: you own patching, backups, TLS, and uptime. For a lot of developers that trade is worth it; for non-technical family members, a reputable hosted manager is often the safer default. There's no universally right answer — only the one that matches your threat model and your willingness to operate infrastructure.
If you want the full step-by-step — reverse-proxy configs, automatic backups, fail2ban, and the security trade-offs in detail — I wrote it up here: Self-host a password manager with Vaultwarden.