Self-Host Your Password Manager: Vaultwarden for Homelab

Replace Bitwarden's cloud with your own lightweight Vaultwarden server. Complete Docker setup guide for homelab password management.


If you’re running a homelab, you’ve probably thought about self-hosting your password manager. Cloud services are convenient, but they come with monthly fees, privacy concerns, and the nagging feeling that your data lives on someone else’s server. Enter Vaultwarden—a lightweight, self-hosted alternative to Bitwarden that’s perfect for homelab setups.

Why Vaultwarden?

Vaultwarden is an unofficial Bitwarden server implementation written in Rust. It’s fully compatible with official Bitwarden clients (browser extensions, mobile apps, desktop apps) while using a fraction of the resources.

| Service | RAM Usage | Container Size |
| --- | --- | --- |
| Vaultwarden | ~10-50 MB | ~50 MB |
| Official Bitwarden | ~500 MB+ | ~1 GB+ |

For a homelab running on a Raspberry Pi or a modest VPS, those resource savings are significant.

Key Features

  • Full Bitwarden compatibility — Use official apps and extensions
  • Web vault interface — Manage passwords from any browser
  • 2FA support — TOTP, WebAuthn, YubiKey, Duo
  • Secure sharing — Share passwords with family/team members
  • File attachments — Store sensitive documents
  • Emergency access — Designate trusted contacts
  • Live sync — WebSocket for real-time updates across devices

Prerequisites

Before you begin, you’ll need:

  • A Linux server (Ubuntu, Debian, etc.)
  • Docker and Docker Compose installed
  • A domain name (recommended for HTTPS)
  • Basic familiarity with the command line

Docker Compose Setup

Create a directory for your Vaultwarden installation:

mkdir ~/vaultwarden
cd ~/vaultwarden
mkdir vw-data

Create your docker-compose.yml file:

version: '3.8'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    ports:
      - "8080:80"
    volumes:
      - ./vw-data:/data/
    environment:
      TZ: "America/New_York"
      
      # Security settings
      ADMIN_TOKEN: ""  # Generate a secure token!
      SIGNUPS_ALLOWED: "true"  # Set to false after creating first account
      
      # Enable WebSocket for live sync
      WEBSOCKET_ENABLED: "true"
      
      # Optional: Email settings
      # SMTP_HOST: "smtp.example.com"
      # SMTP_FROM: "vaultwarden@example.com"  # placeholder address
      # SMTP_PORT: "587"
      # SMTP_SECURITY: "starttls"
      # SMTP_USERNAME: "your_username"
      # SMTP_PASSWORD: "your_password"

networks:
  default:
    name: vaultwarden-network

:::warning The ADMIN_TOKEN is critical for securing your admin panel. Don’t skip generating it! :::

Generating a Secure Admin Token

Never use a plain password. Generate an Argon2 hash:

# Install argon2
sudo apt install argon2 -y

# Generate the hash
echo -n 'YourSecureAdminPassword' | argon2 "$(openssl rand -base64 16)" -e -id -k 65536 -t 3 -p 4 | sed 's/\$/\$\$/g'

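Copy the entire output (starting with $$argon2id$$...) and paste it into your ADMIN_TOKEN environment variable. The sed step doubles every $ because Docker Compose would otherwise treat a single $ as the start of a variable reference.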

Starting Vaultwarden

docker compose up -d

Access the web interface at http://your-server-ip:8080. Create your account, then immediately disable signups:

# Edit docker-compose.yml
# Change: SIGNUPS_ALLOWED: "false"
docker compose down
docker compose up -d

Setting Up HTTPS with a Reverse Proxy

For production use, you need HTTPS. Here’s a quick Caddy setup:

vault.yourdomain.com {
    reverse_proxy vaultwarden:80
    encode gzip
}

Or with Nginx Proxy Manager, point your domain to http://vaultwarden:80 and request an SSL certificate.

:::note If using a reverse proxy, bind Vaultwarden to localhost only: 127.0.0.1:8080:80 in your docker-compose.yml. :::
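The three settings this guide asks you to change after first start (SIGNUPS_ALLOWED, ADMIN_TOKEN and the port binding) can be checked mechanically. The script below is an added example, not part of the original guide; `compose_value` and `audit_compose` are hypothetical helper names, and it assumes the map-style `KEY: "value"` environment layout used above.

```shell
#!/bin/sh
# Added example, not from the guide: compose_value and audit_compose are
# hypothetical helper names. Assumes the `KEY: "value"` layout shown above.

# compose_value FILE KEY -> first uncommented value of KEY, quotes/comment stripped
compose_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/^"\(.*\)"$/\1/'
}

# audit_compose FILE -> one finding per line; prints nothing for a hardened file
audit_compose() (
    signups=$(compose_value "$1" SIGNUPS_ALLOWED)
    [ "$signups" = "false" ] ||
        echo "SIGNUPS_ALLOWED is '${signups:-unset}': registration is still open"
    if grep -Eq '^[[:space:]]*ADMIN_TOKEN:' "$1"; then
        case $(compose_value "$1" ADMIN_TOKEN) in
            '')          echo "ADMIN_TOKEN is empty: no Argon2 hash has been set" ;;
            '$$argon2'*) ;;  # PHC string with every $ doubled for Compose
            '$argon2'*)  echo "ADMIN_TOKEN has single \$: Compose will interpolate it" ;;
            *)           echo "ADMIN_TOKEN is plain text: store the Argon2 hash instead" ;;
        esac
    fi
    # First host mapping onto container port 80, e.g. - "8080:80"
    port=$(sed -nE 's/^[[:space:]]*-[[:space:]]*"?(([0-9.]+:)?[0-9]+:80)"?[[:space:]]*$/\1/p' "$1" | head -n1)
    case $port in
        '' | 127.0.0.1:*) ;;
        *) echo "ports '$port' publishes HTTP on every interface: bind to 127.0.0.1" ;;
    esac
)

# Constructed sample: the guide's compose file as first deployed.
sample_compose() {
    cat <<'EOF'
services:
  vaultwarden:
    ports:
      - "8080:80"
    environment:
      ADMIN_TOKEN: ""  # Generate a secure token!
      SIGNUPS_ALLOWED: "true"  # Set to false after creating first account
EOF
}

# Audit the file named in $1; with no argument, audit the constructed sample.
f=${1:-$(mktemp)}
[ "$#" -gt 0 ] || sample_compose > "$f"
audit_compose "$f"
```

Run it as `sh audit.sh ~/vaultwarden/docker-compose.yml` after each edit; no output means all three checks pass.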

Client Configuration

Browser Extensions

  1. Install the Bitwarden extension from your browser’s store
  2. Open extension settings
  3. Set the server URL to your self-hosted instance: https://vault.yourdomain.com
  4. Log in with your created account

Mobile Apps

The official Bitwarden apps work perfectly:

  1. Download from App Store (iOS) or Play Store (Android)
  2. Go to Settings → Server
  3. Enter your self-hosted URL
  4. Log in normally

Desktop Apps

Download from bitwarden.com/download, then configure the self-hosted server in settings.

Backup Strategy

Your passwords are only as safe as your backups. The vw-data folder contains everything:

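#!/bin/bash
# Simple backup script
set -euo pipefail

BACKUP_DIR="/backups/vaultwarden"
DATE=$(date +%Y%m%d_%H%M%S)

mkdir -p "$BACKUP_DIR"
# Archiving a live SQLite database can catch it mid-write; for a guaranteed
# consistent copy, stop the container first or use sqlite3's .backup command.
tar -czf "$BACKUP_DIR/vaultwarden-$DATE.tar.gz" "$HOME/vaultwarden/vw-data/"

# Keep only last 30 days
find "$BACKUP_DIR" -name "*.tar.gz" -mtime +30 -delete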

Set up a cron job:

0 3 * * * /path/to/backup-script.sh

:::warning Never rely on a single backup location. Use 3-2-1: 3 copies, 2 different media types, 1 offsite. :::

Security Best Practices

  1. Disable signups immediately after creating your account
  2. Use a strong admin token — 32+ characters minimum
  3. Enable 2FA on your account (TOTP or hardware key)
  4. Use HTTPS exclusively — never expose HTTP to the internet
  5. Regular updates: docker compose pull && docker compose up -d
  6. Monitor logs — Check for suspicious login attempts
  7. Back up the encryption keys and database — The rsa_key*.der files are crucial
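For item 6, one way to turn the container log into a per-address summary of failed logins. This is an added example, not part of the original guide: `failed_logins` is a hypothetical helper name, the log lines are constructed, and the message format it matches is an assumption to confirm against your own `docker logs vaultwarden` output.

```shell
#!/bin/sh
# Added example, not from the guide. failed_logins is a hypothetical helper name.
# Assumed log format (verify against your own `docker logs vaultwarden` output):
#   ... Username or password is incorrect. Try again. IP: <addr>. Username: <email>.

# failed_logins [MIN] < log -> "ip failures distinct_usernames", busiest first,
# for every source address with at least MIN failed logins (default 5).
failed_logins() {
    awk -v min="${1:-5}" '
        /Username or password is incorrect/ &&
        match($0, /IP: [0-9A-Fa-f:.]+\. Username: /) {
            ip   = substr($0, RSTART + 4, RLENGTH - 16)   # between "IP: " and ". Username: "
            user = substr($0, RSTART + RLENGTH)
            sub(/\.[ \t\r]*$/, "", user)
            fails[ip]++
            # Many usernames from one address points to guessing, not a typo.
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min) print ip, fails[ip], users[ip]
        }' | sort -k2,2nr -k1,1
}

# Constructed sample log (documentation address ranges, made-up accounts).
sample_log() {
    cat <<'EOF'
[2024-05-01 03:12:01.114][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: alice@example.com.
[2024-05-01 03:12:02.530][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: bob@example.com.
[2024-05-01 03:12:03.871][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: carol@example.com.
[2024-05-01 03:12:05.002][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: alice@example.com.
[2024-05-01 08:40:17.345][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.23. Username: alice@example.com.
[2024-05-01 08:40:31.900][vaultwarden::api::identity][INFO] User alice@example.com logged in successfully. IP: 198.51.100.23
EOF
}

# Live use: docker logs vaultwarden 2>&1 | failed_logins 5
sample_log | failed_logins 3
```

Behind the reverse proxy, every entry shows the proxy's address unless the proxy passes the client address through to Vaultwarden.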

Why Homelab Enthusiasts Choose Vaultwarden

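| Feature | Vaultwarden | Bitwarden Cloud | KeepassXC |
| --- | --- | --- | --- |
| Self-hosted | | | |
| Mobile sync | | | Manual |
| Browser integration | | | Plugin |
| Resource usage | Minimal | N/A | Local only |
| Sharing | | | Manual |
| Cost | Free | $10/yr premium | Free |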

For homelabbers, the choice is clear: full control, minimal resources, zero cost, and compatibility with the ecosystem you already use.

Troubleshooting

Can’t Access the Web Interface

# Check if container is running
docker ps

# Check logs
docker logs vaultwarden

# Verify port binding
docker compose port vaultwarden 80

Clients Can’t Connect

  1. Verify your domain DNS is pointing to the correct IP
  2. Check firewall rules: sudo ufw status
  3. Ensure HTTPS certificate is valid
  4. Check browser console for mixed content errors

Forgot Admin Token

  1. Stop the container: docker compose down
  2. Edit docker-compose.yml
  3. Generate a new token and restart

What’s Next?

Once Vaultwarden is running, consider:

  • Setting up email — SMTP config for password resets and invitations
  • Family/team accounts — Create an organization for shared passwords
  • Emergency access — Designate a trusted contact
  • API access — Use the Bitwarden CLI for automation

Your passwords, your server, your rules. That’s the homelab way.

Anthony Lattanzio
