Self-Hosting Bitwarden in 2026: Step-by-Step Guide with Vaultwarden
Self-Hosting Bitwarden in 2026: Practical Guide
Bitwarden’s hosted service is excellent and only $1/month for Premium. But for users who want complete control over their password vault — no third-party involvement — self-hosting is the answer.
Vaultwarden is the practical way to do this. It’s a Rust implementation of the Bitwarden server, compatible with all official Bitwarden clients but dramatically lighter and easier to host than Bitwarden’s official server.
Here’s the complete 2026 guide.
TL;DR
- What: Run your own Bitwarden-compatible server using Vaultwarden
- Where: Hetzner / Linode / DigitalOcean VPS, or a home server
- Cost: $4-10/month for VPS hosting; free if home server
- Time: 30-90 minutes for first-time setup
- Backup strategy mandatory — losing your server = losing your passwords
- Use clients: Official Bitwarden apps (browser, iOS, Android, desktop) point to your server
Why self-host (and why not)
Reasons to self-host
- Complete data ownership — passwords never on any third-party server
- No subscription fees — pay only for hosting (~$5/mo VPS)
- Customization — modify or extend if technically capable
- Audit your own setup — open-source server code, your own infrastructure
- Independence from company changes — if Bitwarden’s policies change, your data is yours
Reasons NOT to self-host
- You become your own IT department. Server crashes = no password access until you fix it.
- Backups are critical. Lose your server data without backup = lose every password.
- Security responsibility is on you. Server misconfiguration could expose your vault.
- The $1/mo official Premium is excellent. Most users don’t get enough benefit from self-hosting to justify the time.
If you’re not comfortable with Linux administration, basic networking, and backup discipline: use Bitwarden’s hosted service. Self-hosting is for technical users.
Vaultwarden vs official Bitwarden server
The official Bitwarden server is written in .NET, uses MS SQL Server, and is heavy. It’s designed for enterprise deployment.
Vaultwarden (formerly “bitwarden_rs”) is:
– Written in Rust
– Uses SQLite or PostgreSQL
– Compatible with all official Bitwarden clients
– Dramatically lighter (runs on a Raspberry Pi)
– Open source, MIT licensed
– Actively maintained
For self-hosting: use Vaultwarden. Official Bitwarden server is for enterprise.
Architecture
[Browser / Mobile / Desktop] ↔ [Reverse Proxy (Caddy/Nginx)] ↔ [Vaultwarden] ↔ [SQLite DB]
You need:
1. A server (VPS or home server with port forwarding)
2. A domain name (or subdomain) pointing to your server
3. TLS certificate (Let’s Encrypt, automated)
4. Vaultwarden process (Docker container)
5. Reverse proxy (Caddy is easiest for TLS automation)
Step-by-step setup
Prerequisites
- Linux server with Docker installed (Ubuntu 22.04+ recommended)
- A domain name (any DNS provider; Cloudflare DNS is free and useful)
- ~30 minutes
Step 1: Get a server
VPS options:
– Hetzner Cloud: €4/mo (CPX11) — best value
– DigitalOcean: $6/mo (Basic droplet)
– Linode: $5/mo (Nanode)
– Vultr: $6/mo
Any of these work. Hetzner is cheapest and reliable.
Home server options:
– Raspberry Pi 4 (4GB) — works fine
– Old laptop running Linux
– NUC or small form factor PC
For home: requires port forwarding through your router (port 443) and a dynamic DNS service (DuckDNS, No-IP) or static IP.
Step 2: Set up DNS
Point a subdomain to your server IP.
Example: vault.yourdomain.com → 123.45.67.89
On Cloudflare DNS (or your provider):
– Create A record
– Name: vault
– Value: your server’s IP
– Proxy: typically off (grey cloud, “DNS only”) for direct connection
Step 3: Install Docker on your server
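sudo apt update
# In Ubuntu's own repositories the Compose v2 plugin is packaged as docker-compose-v2
# (docker-compose-plugin is the package name in Docker's apt repository)
sudo apt install docker.io docker-compose-v2
sudo systemctl enable docker
sudo usermod -aG docker $USER
# Log out and back in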
Step 4: Set up Vaultwarden + Caddy
Create a working directory:
mkdir ~/vaultwarden
cd ~/vaultwarden
Create docker-compose.yml:
services:
  caddy:
    image: caddy:latest
    container_name: caddy
    restart: always
    ports:
      - "443:443"
      - "80:80"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config
    environment:
      DOMAIN: "vault.yourdomain.com"
      EMAIL: "your-email@example.com"
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      WEBSOCKET_ENABLED: "true"
      SIGNUPS_ALLOWED: "true" # Disable after first signup
      ADMIN_TOKEN: "GENERATE_LONG_RANDOM_STRING"
      DOMAIN: "https://vault.yourdomain.com"
    volumes:
      - vw_data:/data
volumes:
  caddy_data:
  caddy_config:
  vw_data:
Create Caddyfile:
{$DOMAIN} {
    encode gzip
    # Current Vaultwarden releases serve WebSocket notifications on the main
    # HTTP port, so a separate upstream on port 3012 is no longer needed
    reverse_proxy vaultwarden:80
    tls {$EMAIL}
}
Generate a strong admin token:
openssl rand -base64 48
Replace GENERATE_LONG_RANDOM_STRING in docker-compose.yml with that value.
Step 5: Start Vaultwarden
docker compose up -d
Caddy automatically obtains a Let’s Encrypt TLS certificate.
Wait 1-2 minutes for everything to initialize.
Step 6: Create your first account
Visit https://vault.yourdomain.com in your browser.
Click “Create Account.”
Sign up with email and master password.
After your account is created, set SIGNUPS_ALLOWED: "false" in docker-compose.yml and restart:
docker compose up -d
This prevents anyone else from creating accounts on your server.
Step 7: Configure clients
In any official Bitwarden client (browser extension, iOS, Android, desktop):
- Open Settings → Self-hosted environment
- Enter your server URL: https://vault.yourdomain.com
- Save
- Log in with your account
All clients now communicate with your server. Familiar Bitwarden interface; your data on your server.
Backup strategy (critical)
Without backup: server fails = lose all passwords. Don’t skip this.
What to back up
# The Vaultwarden data directory contains everything
docker volume inspect vaultwarden_vw_data
# Backup the path it gives
Specifically:
– db.sqlite3 (or your PostgreSQL data)
– attachments/ directory (file attachments)
– sends/ directory (Bitwarden Sends)
– config.json
Backup methods
Method 1: Daily rsync to remote storage
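#!/bin/bash
# /usr/local/bin/backup-vaultwarden.sh (run as root: the volume path is root-owned)
set -euo pipefail
DATE=$(date +%Y%m%d)
DATA=/var/lib/docker/volumes/vaultwarden_vw_data/_data
# Take a consistent snapshot of the live database. sqlite3 runs on the host
# (sudo apt install sqlite3); the container image is not assumed to include it
sqlite3 "$DATA/db.sqlite3" ".backup '$DATA/backup.sqlite3'"
# Ship the data directory; backup.sqlite3 is the copy to restore from
rsync -avz "$DATA/" \
  "user@backup-server:/backups/vaultwarden/$DATE/"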
Add to crontab: 0 3 * * * /usr/local/bin/backup-vaultwarden.sh
Method 2: Encrypted backup to Backblaze B2 / S3
Use restic, borgbackup, or duplicity to encrypt and ship to cloud storage.
Method 3: Manual periodic export from Bitwarden client
Open desktop client → File → Export vault. Saves encrypted JSON locally. Manual but works as last-resort restore option.
Recommendation: All three. Daily automated rsync + weekly encrypted cloud backup + monthly manual export.
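A backup only counts once it has been opened and checked. The following is an added example, not part of Vaultwarden or the Bitwarden clients: it takes the same kind of consistent snapshot as the `.backup` command in Method 1 and then verifies that the copy opens, passes SQLite's integrity check, and contains data. The table names `users` and `ciphers` are an assumption about the Vaultwarden schema, and the database built at the bottom is a constructed stand-in.

```python
import sqlite3
import tempfile
from pathlib import Path

# Assumption: tables a Vaultwarden SQLite vault is expected to contain.
REQUIRED_TABLES = ("users", "ciphers")

def snapshot(live_db, dest):
    """Consistent copy of a live database via SQLite's online backup API."""
    src, dst = sqlite3.connect(live_db), sqlite3.connect(dest)
    try:
        src.backup(dst)
    finally:
        dst.close()
        src.close()

def verify_backup(path):
    """Open a backup read-only and report whether it looks restorable."""
    report = {"ok": False, "integrity": None, "rows": {}, "error": None}
    if not Path(path).is_file():
        report["error"] = "backup file missing"
        return report
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        report["integrity"] = con.execute("PRAGMA integrity_check").fetchone()[0]
        tables = {r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")}
        missing = [t for t in REQUIRED_TABLES if t not in tables]
        if missing:  # e.g. a zero-byte file opens fine but holds nothing
            report["error"] = "missing tables: " + ", ".join(missing)
            return report
        for t in REQUIRED_TABLES:
            report["rows"][t] = con.execute(
                f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
        report["ok"] = report["integrity"] == "ok"
    except sqlite3.DatabaseError as exc:  # truncated or overwritten file
        report["error"] = str(exc)
    finally:
        con.close()
    return report

if __name__ == "__main__":
    # Constructed stand-in for /data/db.sqlite3 so the example runs offline.
    tmp = Path(tempfile.mkdtemp())
    live = sqlite3.connect(tmp / "db.sqlite3")
    live.executescript(
        "CREATE TABLE users(uuid TEXT); CREATE TABLE ciphers(uuid TEXT);"
        "INSERT INTO users VALUES('u1'); INSERT INTO ciphers VALUES('c1');")
    live.close()
    snapshot(tmp / "db.sqlite3", tmp / "backup.sqlite3")
    print(verify_backup(tmp / "backup.sqlite3"))
```

Run it against the copy on the backup host rather than on the Vaultwarden server, and alert when `ok` is false or a row count drops to zero.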
Security hardening
1. Disable signups after initial setup
SIGNUPS_ALLOWED: "false"
2. Use a strong admin token
The admin token gives access to the admin panel at https://vault.yourdomain.com/admin. Use a strong random token.
3. Configure firewall
Only allow ports 22 (SSH), 80 (Caddy redirect), 443 (Caddy HTTPS).
sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443
sudo ufw enable
4. Disable root SSH
In /etc/ssh/sshd_config:
– PermitRootLogin no
– PasswordAuthentication no (key-only login)
5. Set up fail2ban
sudo apt install fail2ban
Protects against brute-force SSH attempts.
6. Enable Vaultwarden’s brute force protection
In docker-compose.yml:
SHOW_PASSWORD_HINT: "false"
ENABLE_DB_WAL: "true"
LOGIN_RATELIMIT_MAX_BURST: "10"
LOGIN_RATELIMIT_SECONDS: "60"
7. Use 2FA on your Vaultwarden account
After login: Settings → Two-step Login → Enable. Use your YubiKey (Premium feature, requires donation/license) or authenticator app.
8. Regularly update Vaultwarden
cd ~/vaultwarden
docker compose pull
docker compose up -d
Vaultwarden releases security updates regularly. Update monthly.
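The settings from Step 4 that are easiest to leave in their initial state can be checked mechanically. This is an added example, not part of Vaultwarden: it reads the output of `docker compose config --format json` and reports the values this guide says to change. The 32-character minimum for the admin token is an assumption of this check, and `AS_WRITTEN` is a constructed sample mirroring the Step 4 file.

```python
import json
import sys

PLACEHOLDER = "GENERATE_LONG_RANDOM_STRING"  # placeholder used in Step 4
MIN_TOKEN_LEN = 32  # assumption: shortest admin token this check accepts

def audit(compose_json, service="vaultwarden"):
    """Return a list of findings for the named service's environment."""
    svc = json.loads(compose_json).get("services", {}).get(service)
    if svc is None:
        return [f"service '{service}' not found"]
    env = {k: "" if v is None else str(v)
           for k, v in (svc.get("environment") or {}).items()}
    findings = []
    # Signups are open unless explicitly switched off.
    if env.get("SIGNUPS_ALLOWED", "true").lower() != "false":
        findings.append("SIGNUPS_ALLOWED is not false: registration is open")
    token = env.get("ADMIN_TOKEN", "")
    if token == PLACEHOLDER:
        findings.append("ADMIN_TOKEN is still the guide's placeholder")
    elif token and len(token) < MIN_TOKEN_LEN:
        findings.append(f"ADMIN_TOKEN is shorter than {MIN_TOKEN_LEN} characters")
    if not env.get("DOMAIN", "").startswith("https://"):
        findings.append("DOMAIN is not an https:// URL")
    if env.get("SHOW_PASSWORD_HINT", "").lower() != "false":
        findings.append("SHOW_PASSWORD_HINT is not set to false")
    return findings

# Constructed sample: the vaultwarden service exactly as written in Step 4.
AS_WRITTEN = json.dumps({"services": {"vaultwarden": {
    "image": "vaultwarden/server:latest",
    "environment": {
        "WEBSOCKET_ENABLED": "true",
        "SIGNUPS_ALLOWED": "true",
        "ADMIN_TOKEN": PLACEHOLDER,
        "DOMAIN": "https://vault.yourdomain.com",
    }}}})

if __name__ == "__main__":
    # Usage: docker compose config --format json | python3 audit.py
    text = AS_WRITTEN if sys.stdin.isatty() else sys.stdin.read()
    for finding in audit(text):
        print("FINDING:", finding)
```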
What if your server fails?
Scenario 1: VPS provider has an outage.
– You can’t access your vault temporarily
– Wait for provider to recover
– If extended outage: restore from backup on different provider
Scenario 2: Server hardware failure / data corruption.
– Restore from your backup to a new server
– Update DNS to point to new server
– All clients reconnect automatically
Scenario 3: You lose all backups.
– Use the manual export from Bitwarden client (you kept this, right?)
– Set up new server, import the exported file
– If you didn’t export: try recovery from another logged-in client
Always have multiple backup paths. This is the most important part of self-hosting.
Performance considerations
Vaultwarden is lightweight. A $4/mo VPS handles a single user easily. For a family of 5: same VPS is fine.
For 50+ users: consider Hetzner CPX21 ($7/mo) or similar.
For 500+ users: PostgreSQL backend, more substantial server.
For 99% of self-hosters: cheapest VPS works.
Mobile and browser experience
Once configured, the experience is identical to using Bitwarden’s hosted service:
- Browser extension auto-fills passwords
- Mobile app generates and saves
- Desktop app syncs
- All clients point to your server
The only “self-hosted” aspect is the server URL in settings. Everything else is identical.
Common mistakes
Mistake 1: Setting up without backups.
Server dies, vault dies. Always set up backups before adding passwords.
Mistake 2: Using weak admin token.
Anyone with the admin token can manage your server. Use a long random string.
Mistake 3: Leaving SIGNUPS_ALLOWED on.
If discovered, others can create accounts on your server.
Mistake 4: Not updating Vaultwarden.
Security vulnerabilities get patched. Update monthly.
Mistake 5: Hosting at home without a dynamic DNS / port forwarding strategy.
Your IP changes → clients can’t reach server. Use DuckDNS or similar.
Mistake 6: Not testing restore from backup.
Take a backup, intentionally corrupt your server, restore from backup, verify. Do this once before you rely on the backups.
Mistake 7: Confusing Vaultwarden with Bitwarden’s official server.
You’re running Vaultwarden. The clients you use are official Bitwarden clients. They’re compatible but distinct projects.
Should you self-host?
Yes if:
– You’re technically comfortable with Linux administration
– You want complete data ownership
– You’re disciplined about backups
– You enjoy the “self-hosted” aesthetic
No if:
– You’re not familiar with Linux/Docker
– You don’t have time to maintain infrastructure
– $1/mo Bitwarden Premium is fine for you
– You can’t commit to backup discipline
For most users: Bitwarden’s hosted service is the right answer. Self-hosting is a hobby/preference.
Disclosure
We have no affiliate relationship with Vaultwarden (it’s open source). We use Bitwarden’s hosted Premium service ourselves. See our affiliate disclosure.
Last updated 2026 Q2.