DEV Community

Vikas Singhal
Vikas Singhal

Posted on

The Cheapest Way to Self-Host Vaultwarden in 2026

#security #opensource #devops #selfhosted

Last updated: April 2026

Vaultwarden is the most popular self-hosted password manager in 2026 - a lightweight, Rust-based alternative to Bitwarden's official server. It's compatible with all official Bitwarden clients (browser extensions, mobile apps, desktop apps, CLI), uses a fraction of the resources, and search interest has grown 83% year-over-year. Over 42,000 GitHub stars and actively maintained.

The catch with any self-hosted password manager: it has to be online 24/7, it has to be secure, and it has to be backed up. If your Vaultwarden instance goes down, you can't log into anything. If it gets compromised, everything is compromised. The hosting choice matters more here than for almost any other self-hosted app.

I've run Vaultwarden on multiple setups. Here's every option I found, ranked by actual monthly cost, with the trade-offs that matter for a password manager specifically.

TLDR: The cheapest managed option is InstaPods at $3/mo - one-click deploy with SSL, backups, and zero maintenance. The cheapest self-managed option is a $4-5/mo Hetzner VPS with Docker. Bitwarden's official cloud starts at $0 (free tier) or $10/year for Premium. The right answer depends on whether you want to own your data and how many users you have.

Vaultwarden vs Bitwarden: Why Self-Host?

Before the hosting comparison, the obvious question: why not just use Bitwarden Cloud?

Bitwarden Cloud pricing:

  • Free: 1 user, unlimited passwords, basic features
  • Premium: $10/year per user (TOTP, file attachments, vault health reports)
  • Families: $40/year for 6 users
  • Teams: $4/user/month
  • Enterprise: $6/user/month

For a single person, Bitwarden's free tier is hard to beat. But self-hosting Vaultwarden makes sense when:

  • You have a family/team - Vaultwarden gives you unlimited users and all premium features for free. A family of 6 saves $40/year. A team of 10 saves $480/year.
  • You want full data control - Your vault never touches Bitwarden's servers. Useful for compliance or paranoia.
  • You want premium features without paying - TOTP authenticator, file attachments, emergency access, vault health reports - all free in Vaultwarden.
  • You're already self-hosting other apps - Adding Vaultwarden to an existing server costs nothing extra.

Every Way to Host Vaultwarden, Ranked by Cost

Method Monthly Cost You Manage Setup Time Users
Add to existing server $0 extra Container ~10 min Unlimited
Oracle Cloud free tier $0 Everything ~1 hr Unlimited
InstaPods $3 Nothing ~30 sec Unlimited
PikaPods ~$2.50 Nothing ~1 min Unlimited
Hetzner VPS + Docker ~$4-5 Everything ~45 min Unlimited
Coolify on Hetzner VPS ~$5-8 VPS + OS ~15 min Unlimited
Elestio ~$17 Nothing ~3 min Unlimited
Cloudron on Hetzner VPS ~$21 VPS + OS ~40 min Unlimited
Bitwarden Cloud (free) $0 Nothing ~2 min 1
Bitwarden Cloud (families) $3.33 Nothing ~2 min 6

Let me walk through each one.

1. Hetzner VPS + Docker (~$4-5/mo)

The standard self-hosted approach. Rent a VPS, install Docker, run Vaultwarden.

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      DOMAIN: "https://vault.yourdomain.com"
      SIGNUPS_ALLOWED: "false"
      ADMIN_TOKEN: "your-secure-admin-token-here"
    volumes:
      - vw-data:/data
    ports:
      - "8080:80"
volumes:
  vw-data:
Enter fullscreen mode Exit fullscreen mode

Cost breakdown:

  • Hetzner CX22: EUR 3.99/mo (~$4.30) - 2 vCPU, 4 GB RAM, 40 GB storage
  • Or Hetzner CAX11 (ARM): EUR 3.29/mo (~$3.55) - 2 Ampere vCPU, 4 GB RAM

What you also need to set up:

  • Reverse proxy (Caddy recommended - automatic HTTPS)
  • SSL certificate (handled by Caddy, or Let's Encrypt + nginx)
  • Firewall rules (UFW - allow only 443 and SSH)
  • Automatic updates (Watchtower or cron job to pull new images)
  • Backups (critical - cron job to back up the /data volume to offsite storage)
  • Fail2ban or similar (Vaultwarden supports fail2ban log format)

Security considerations for a password manager:

  • Set SIGNUPS_ALLOWED=false after creating your account
  • Use a strong ADMIN_TOKEN (or disable the admin panel entirely with an empty value)
  • Enable 2FA on your Vaultwarden account immediately
  • Set up automated offsite backups (not just local snapshots)
  • Keep the VPS updated - unattended-upgrades for automatic security patches

Pros: Full control. Can run other apps on the same server. Cheapest paid option.
Cons: You're the sysadmin. A misconfigured reverse proxy or firewall exposes your password vault. The responsibility is real.

Best for: Experienced Linux admins who already manage servers and understand the security implications.

2. Oracle Cloud Free Tier ($0/mo)

Oracle offers an always-free ARM instance (4 OCPU, 24 GB RAM) that can run Vaultwarden easily. It's massively overpowered for this use case.

Cost: $0 if you can get an instance. Availability is limited - you'll likely hit "out of capacity" errors for days or weeks.

Catch: Oracle has reclaimed free-tier instances from some users without warning. Your password manager going down because Oracle decided to reclaim your VM is a worst-case scenario. Reports vary - some people have run free-tier instances for years, others lost theirs after months.

Best for: Testing Vaultwarden. Not recommended for your primary password vault unless you have reliable backups and a migration plan.

3. Coolify on Hetzner VPS (~$5-8/mo)

Install Coolify on a VPS and deploy Vaultwarden from a Docker Compose template.

Cost: VPS ~$4-8/mo depending on size. Coolify is free. Recommended: CX22 or higher since Coolify itself needs ~2 GB RAM.

Pros: Web dashboard for managing Vaultwarden. Automated SSL. Can host other apps alongside it.
Cons: Coolify adds resource overhead. You still manage the VPS itself. More moving parts = more potential failure points for a security-critical app.

Best for: People already running Coolify who want to add Vaultwarden to their stack.

4. InstaPods ($3/mo)

InstaPods has Vaultwarden as a one-click app. Click deploy, get a running instance with HTTPS in about 30 seconds. $3/mo on the Launch plan.

Full disclosure: I built InstaPods. Including it because it's genuinely one of the cheapest managed options. I'll be honest about the gaps.

Cost: $3/mo (Launch plan: 0.5 vCPU, 512 MB RAM, 5 GB storage). Vaultwarden is extremely lightweight - the $3 plan is plenty even for a family vault.

Pros: Fastest setup. SSL and custom domain included. Backups included. No server to manage. SSH access if you need to poke around.
Cons: New platform (launched 2026). Single region (EU - Nuremberg). Smaller community than established platforms.

Best for: People who want a managed Vaultwarden instance at the lowest price without touching a terminal.

5. PikaPods (~$2.50/mo)

PikaPods offers managed Vaultwarden hosting. Set your resource sliders, deploy, done.

Cost: ~$2.50/mo for Vaultwarden with default resources. PikaPods shares 30% of revenue with the Vaultwarden project.

Pros: Zero maintenance. Supports the Vaultwarden project financially. $5 welcome credit. Established platform with good track record.
Cons: Limited configuration compared to self-hosted. No SSH access.

Best for: Non-technical users who want the simplest managed path.

6. Elestio (~$17/mo)

Elestio deploys Vaultwarden on a dedicated VM with your choice of cloud provider.

Cost: ~$17/mo minimum on Hetzner. Higher on AWS, GCP, or Azure.

Pros: True zero-maintenance. Auto-updates, backups, security patches handled. Choose from 8 cloud providers.
Cons: $17/mo for a single app is steep when managed alternatives exist at $3/mo.

Best for: Teams with budget who want fully managed hosting on their preferred cloud.

7. Cloudron on Hetzner VPS (~$21/mo)

Install Cloudron on a VPS and deploy Vaultwarden from the app store.

Cost: VPS (~$5/mo) + Cloudron license (EUR 15/mo) = ~$21/mo.

Pros: Best admin dashboard of any self-hosted platform. SSO, automated backups, one-click updates.
Cons: The license fee makes this the most expensive self-hosted option. Only worth it if you're running 5-10 apps on the same Cloudron server.

Best for: Existing Cloudron users. Not worth the license for Vaultwarden alone.

8. Adding Vaultwarden to an Existing Server ($0 extra)

Already running a VPS or self-hosted platform for other apps? Adding Vaultwarden costs nothing extra. It's one of the lightest self-hosted apps out there - 50 MB RAM, minimal CPU.

Add a Vaultwarden service to your existing Docker Compose stack, point a subdomain at it, and you're done. This is how most people end up running Vaultwarden - it piggybacks on infrastructure they already have.

Best for: Anyone who already has a server running other self-hosted apps.

The Real Comparison

Here's what it comes down to:

If you just need a personal password manager:
Bitwarden Cloud's free tier is hard to beat. You get unlimited passwords, sync across all devices, and zero maintenance. The $10/year Premium plan adds TOTP and file attachments.

If you have a family or small team:
Self-hosted Vaultwarden saves money fast. PikaPods (~$2.50/mo) and InstaPods ($3/mo) are the cheapest managed options. Unlimited users, all premium features, your data on a server you control. A family of 6 on Vaultwarden ($3/mo = $36/year) saves $4/year vs Bitwarden Families ($40/year) - modest. But a team of 10 saves $480/year vs Bitwarden Teams ($4/user/month = $480/year), and the gap grows with every user you add.

If you want full control:
Hetzner VPS + Docker at ~$4-5/mo. You manage everything, including security - which matters more for a password manager than for most apps.

If security is your top priority:
Honestly? Bitwarden Cloud. Their infrastructure is audited, they have a dedicated security team, and they've been doing this for years. Self-hosting means you are the security team. If you're confident in your ability to keep a server patched, a firewall configured, and backups verified, self-host. If not, Bitwarden Cloud is the safer choice.

Vaultwarden Security Checklist

If you self-host, run through this list before sharing access with anyone:

  • [ ] SIGNUPS_ALLOWED=false after creating your account(s)
  • [ ] Strong ADMIN_TOKEN set (or admin panel disabled)
  • [ ] 2FA enabled on all Vaultwarden accounts
  • [ ] HTTPS enforced (never run a password manager over HTTP)
  • [ ] Firewall configured (only ports 443 and SSH open)
  • [ ] Automated offsite backups running and tested
  • [ ] OS auto-updates enabled (unattended-upgrades on Ubuntu)
  • [ ] Vaultwarden image auto-updates configured (Watchtower or cron)
  • [ ] Fail2ban configured for brute-force protection
  • [ ] Emergency access plan (what happens if the server dies and you can't log into anything?)

That last point is critical. Export your vault regularly and store the encrypted export somewhere safe that doesn't require Vaultwarden to access.

FAQ

How much RAM does Vaultwarden need?
Almost nothing. Vaultwarden uses about 50 MB of RAM in normal operation. Even the smallest VPS or managed plan runs it comfortably. This is one of the lightest self-hosted apps you can run - the $3/mo tier on any managed platform is more than enough.

Is Vaultwarden as secure as Bitwarden?
Vaultwarden implements the same client-server protocol as Bitwarden. Your vault is encrypted client-side before it ever reaches the server - even the server operator (you) can't read your passwords. The difference is infrastructure security: Bitwarden Cloud has a dedicated security team and regular audits. Self-hosted security depends entirely on you.

Can I use official Bitwarden apps with Vaultwarden?
Yes. All official Bitwarden clients work with Vaultwarden - browser extensions (Chrome, Firefox, Safari, Edge), mobile apps (iOS, Android), desktop apps (Windows, Mac, Linux), and the CLI. Just point the client to your Vaultwarden URL instead of vault.bitwarden.com.

How do I migrate from Bitwarden Cloud to Vaultwarden?
Export your vault from Bitwarden Cloud (Settings > Export Vault), then import the JSON file into Vaultwarden. All passwords, notes, cards, and identities transfer over. Attachments need to be re-uploaded manually.

How do I back up Vaultwarden?
Back up the /data directory (Docker volume). It contains the SQLite database with all vault data, attachments, and configuration. Use a cron job to copy this to offsite storage (S3, Backblaze B2, or another server) daily. On managed platforms like PikaPods and InstaPods, backups are handled automatically.

What happens if my Vaultwarden server goes down?
Bitwarden clients cache your vault locally. You can still access passwords offline on any device that has synced recently. But you can't sync new passwords, share items, or log in on a new device until the server is back. This is why uptime matters more for a password manager than most apps.

Should I use Vaultwarden or the official Bitwarden self-hosted server?
Vaultwarden if you want minimal resource usage, easy Docker setup, and all premium features for free. Official Bitwarden self-hosted server if you need enterprise features (SSO/SCIM, event logs, policy management) or want official support. The official server needs 4+ GB RAM and Docker Compose with multiple containers - it's heavier to run.

For a broader comparison of self-hosted platforms (not just for Vaultwarden), I wrote about Coolify vs Cloudron vs CapRover and a 6-platform comparison.

If you want to try the managed route, InstaPods has Vaultwarden as a one-click app - $3/mo, HTTPS included, deployed in 30 seconds.

What's your Vaultwarden setup? Running it on its own server or piggybacking on an existing stack? Drop it in the comments.

Top comments (0)