Running your own password manager? Vaultwarden uses 50 MB of RAM where the official Bitwarden server needs 2+ GB — and it unlocks premium features for free. Here's the full comparison for self-hosters.
Originally published on selfhosting.sh.
Quick Verdict
Vaultwarden is the better choice for self-hosting. It uses 50 MB of RAM vs Bitwarden's 2+ GB, runs on SQLite with a single container, and provides the same client compatibility. The official Bitwarden server is only worth the complexity if you need enterprise features like SCIM provisioning, directory sync, or SSO with your corporate identity provider.
Overview
Bitwarden is the official open-source password manager. The self-hosted server (bitwarden/server) runs the full .NET stack with Microsoft SQL Server. It's the same codebase that powers Bitwarden's cloud service — identical features, identical resource requirements.
Vaultwarden (formerly bitwarden_rs) is a Rust reimplementation of the Bitwarden server API. It was built specifically for self-hosting — lightweight, efficient, and compatible with all official Bitwarden clients. It implements features that Bitwarden reserves for paid plans (organizations, TOTP, Send, emergency access) at no cost.
Feature Comparison
| Feature | Bitwarden (Official) | Vaultwarden |
|---|---|---|
| Browser extensions | Yes | Yes (same clients) |
| Desktop apps | Yes | Yes (same clients) |
| Mobile apps (auto-fill) | Yes | Yes (same clients) |
| Organizations (sharing) | Yes (paid plans) | Yes (free) |
| TOTP 2FA storage | Yes (Premium/$10/yr) | Yes (free) |
| Bitwarden Send | Yes (paid) | Yes (free) |
| Emergency access | Yes (Premium) | Yes (free) |
| Passkeys | Yes | Yes |
| Directory sync (LDAP/AD) | Enterprise only | No |
| SCIM provisioning | Enterprise only | No |
| SSO (SAML/OIDC) | Enterprise only | No |
| Database | MSSQL (required) | SQLite, MySQL, PostgreSQL |
| License | AGPL-3.0 + proprietary | AGPL-3.0 |
Installation Complexity
Bitwarden official requires multiple containers: the main server, MSSQL database, Nginx proxy, and several microservices. The resulting stack needs at least 4 GB RAM just for the password manager.
Vaultwarden is a single container with SQLite — no external database needed. A basic `docker compose up -d` with 5 lines of configuration gets you running. Total setup time: under 5 minutes.
Winner: Vaultwarden. Not close. One container vs. a dozen.
Performance and Resource Usage
| Metric | Bitwarden (Official) | Vaultwarden |
|---|---|---|
| Idle RAM | ~2 GB (with MSSQL) | ~50 MB |
| Containers | 10+ | 1 |
| Docker images total | ~3 GB | ~150 MB |
| CPU at idle | Moderate (.NET + MSSQL) | Negligible (Rust) |
| Startup time | 30-60 seconds | 2-3 seconds |
| Minimum server RAM | 4 GB | 512 MB |
Vaultwarden is roughly 40x lighter on RAM. On a Raspberry Pi, small VPS, or shared homelab server, this is the deciding factor.
Client Compatibility
Both work with the exact same Bitwarden clients — browser extensions, desktop apps, mobile apps, and CLI. Vaultwarden implements the Bitwarden API, so clients can't tell the difference. You point any Bitwarden client at your Vaultwarden server URL and everything works.
The only caveat: when Bitwarden adds a new API feature, Vaultwarden needs time to implement it. In practice, Vaultwarden tracks Bitwarden releases closely and usually catches up within days to weeks.
Security
Both encrypt your vault client-side with AES-256 before data reaches the server. Your master password never leaves your device. The encryption model is identical because they use the same client software.
The difference is operational:
- Bitwarden has a professional security team, regular third-party audits (SOC 2 Type II), and a bug bounty program.
- Vaultwarden is a community project. The Rust implementation reduces certain classes of bugs (memory safety), but it hasn't undergone the same level of formal scrutiny.
For most self-hosters, this distinction is academic — the encryption happens client-side regardless.
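What "the master password never leaves your device" means in practice, as an added sketch (not code from Bitwarden or Vaultwarden) of the PBKDF2 account flow as described in Bitwarden's public security whitepaper. The function names, sample credentials and the 600,000 iteration default are assumptions made for the example.

```python
import base64
import hashlib
import hmac

def derive_master_key(password: str, email: str, iterations: int = 600_000) -> bytes:
    """Stage 1 (client only): PBKDF2-SHA256 over the master password,
    salted with the normalised account email. Never transmitted."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def hkdf_expand_block(prk: bytes, info: bytes) -> bytes:
    """First 32-byte output block of HKDF-Expand (RFC 5869) with SHA-256."""
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def stretch_master_key(master_key: bytes) -> tuple:
    """Stage 2 (client only): an AES-256 encryption key and an HMAC key,
    used to unwrap the symmetric key that protects the vault items."""
    return hkdf_expand_block(master_key, b"enc"), hkdf_expand_block(master_key, b"mac")

def server_auth_hash(master_key: bytes, password: str) -> str:
    """Stage 3: the only password-derived value sent to the server.
    One extra PBKDF2 round keyed by the master key; it is one-way,
    so holding it does not yield the master key or the stretched keys."""
    digest = hashlib.pbkdf2_hmac("sha256", master_key, password.encode("utf-8"), 1)
    return base64.b64encode(digest).decode("ascii")

def derive_all(password: str, email: str, iterations: int = 600_000) -> dict:
    """Run all three stages and label what stays local and what is sent."""
    master_key = derive_master_key(password, email, iterations)
    enc_key, mac_key = stretch_master_key(master_key)
    return {
        "master_key": master_key,   # stays on the device
        "enc_key": enc_key,         # stays on the device
        "mac_key": mac_key,         # stays on the device
        "auth_hash": server_auth_hash(master_key, password),  # sent at login
    }

if __name__ == "__main__":
    # Constructed credentials, for illustration only.
    result = derive_all("correct horse battery staple", "alice@example.com")
    print("sent to server:", result["auth_hash"])
    print("kept on device:", len(result["enc_key"]), "byte AES key,",
          len(result["mac_key"]), "byte MAC key")
```

Accounts configured for Argon2id replace stage 1 with that KDF; the later stages are unchanged.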
Community and Support
| Metric | Bitwarden (Official) | Vaultwarden |
|---|---|---|
| GitHub stars | 16K+ (server) | 43K+ |
| Community | Large | Very large |
| Update frequency | Regular | Very active |
Vaultwarden actually has a larger self-hosting community than the official server. Most self-hosting guides, forum posts, and tutorials reference Vaultwarden.
Use Cases
Choose Bitwarden Official If...
- You need SCIM provisioning for automated user lifecycle management
- You need SSO integration with your corporate identity provider (SAML/OIDC)
- You need directory sync with Active Directory or LDAP
- You need enterprise compliance features (policies, audit logs)
- You have 100+ users and need the full admin console
- You have dedicated hardware with 4+ GB RAM available
Choose Vaultwarden If...
- You're self-hosting for personal use or a small team
- You want organizations, TOTP, Send, and emergency access without paying
- You're running on limited hardware (Pi, small VPS, shared server)
- You want the simplest possible setup (one container, SQLite)
- You don't need enterprise features (SCIM, SSO, directory sync)
Final Verdict
Vaultwarden for 99% of self-hosters. It's lighter by an order of magnitude, simpler to set up, and provides every feature that personal users and small teams need — including features Bitwarden charges for. The official Bitwarden server exists for organizations that need enterprise identity management features.
Don't overthink this one. Vaultwarden.
FAQ
Is Vaultwarden legal?
Yes. Vaultwarden is a clean-room reimplementation of the Bitwarden API, not a fork of Bitwarden's code. It's licensed under AGPL-3.0. There are no legal issues with running Vaultwarden.
Can I migrate from Bitwarden to Vaultwarden?
Yes. Export your vault from Bitwarden (Settings -> Export Vault -> JSON format), then import it into Vaultwarden (Tools -> Import Data -> Bitwarden JSON). All passwords, notes, and cards transfer cleanly.
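To check that a migration really did transfer cleanly, the following added example (not part of the original article or of either project) compares the source export with a re-export taken from the Vaultwarden instance after import. The plain JSON export holds every secret in cleartext, so the script compares hashes and prints no credentials; the sample exports are constructed.

```python
import hashlib
import json
from collections import Counter

# Item type codes used in Bitwarden's JSON export.
ITEM_TYPES = {1: "login", 2: "secure_note", 3: "card", 4: "identity"}

def fingerprint(item: dict) -> str:
    """Hash type, name and login credentials. Item ids are regenerated on
    import, so items are matched by content rather than by id."""
    login = item.get("login") or {}
    parts = [str(item.get("type")), item.get("name") or "",
             login.get("username") or "", login.get("password") or ""]
    return hashlib.sha256("\x1f".join(parts).encode("utf-8")).hexdigest()

def summarize(export_text: str) -> dict:
    """Counts per item type plus a multiset of content fingerprints."""
    data = json.loads(export_text)
    items = data.get("items", [])
    return {
        "plaintext": data.get("encrypted") is False,  # file holds raw secrets
        "counts": dict(Counter(ITEM_TYPES.get(i.get("type"), "other") for i in items)),
        "fingerprints": Counter(fingerprint(i) for i in items),
    }

def missing_after_import(before: str, after: str) -> int:
    """Items present in the source export but absent from the re-export."""
    lost = summarize(before)["fingerprints"] - summarize(after)["fingerprints"]
    return sum(lost.values())

# Constructed sample data: a source export and a re-export missing one card.
_ITEMS = [
    {"id": "a1", "type": 1, "name": "Router", "login": {"username": "admin", "password": "pw-one"}},
    {"id": "a2", "type": 1, "name": "NAS", "login": {"username": "root", "password": "pw-two"}},
    {"id": "a3", "type": 2, "name": "Wi-Fi notes", "notes": "guest network"},
    {"id": "a4", "type": 3, "name": "Visa", "card": {"brand": "Visa"}},
]
SOURCE = json.dumps({"encrypted": False, "folders": [], "items": _ITEMS})
DEST = json.dumps({"encrypted": False, "folders": [],
                   "items": [dict(i, id="new-" + i["id"]) for i in _ITEMS[:3]]})

if __name__ == "__main__":
    print("source counts:", summarize(SOURCE)["counts"])
    print("missing after import:", missing_after_import(SOURCE, DEST))
```

Once the counts match, delete both export files, since each one is a complete cleartext copy of the vault.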
Will Bitwarden clients always work with Vaultwarden?
Vaultwarden has tracked every major Bitwarden API change since 2018. The maintainer is responsive and typically implements new API endpoints within days. The track record is excellent.