Vaultwarden Password Manager
Self-hosted Bitwarden-compatible password manager with automated encrypted backups. Lightweight alternative to official Bitwarden server.
Overview
Vaultwarden is a lightweight, unofficial Bitwarden server implementation written in Rust that provides complete compatibility with official Bitwarden clients while consuming dramatically fewer resources than the official server. Originally known as bitwarden_rs, Vaultwarden offers all premium Bitwarden features for free, including organizations, collections, emergency access, and two-factor authentication, making it an ideal choice for individuals and small teams seeking self-hosted password management. This Docker stack combines Vaultwarden with ttionya/vaultwarden-backup to create a comprehensive password management solution featuring automated encrypted backups. The backup service runs on a configurable cron schedule and can compress and encrypt backup files, ensuring your password vault data is protected against both hardware failures and security breaches. Together, these components deliver enterprise-grade password management capabilities with minimal resource overhead and robust data protection. This combination is perfect for privacy-conscious users, families, small businesses, and organizations that want full control over their password data without the recurring costs of hosted solutions. The stack provides the security and features of commercial password managers while maintaining complete data sovereignty and offering unlimited users and premium features at no cost.
Key Features
- Complete Bitwarden API compatibility with browser extensions and mobile apps
- WebSocket notifications for real-time vault synchronization across devices
- All Bitwarden premium features including organizations, collections, and emergency access
- Built-in admin panel for user management and server configuration
- Two-factor authentication support with TOTP, WebAuthn, and Duo
- Automated encrypted backups with configurable scheduling and compression
- Resource-efficient design requiring only 50MB RAM versus 2GB+ for official Bitwarden
- Encrypted backup storage with password protection and multiple destination support
Common Use Cases
- 1Family password sharing with secure vault access for household members
- 2Small business credential management with organizational collections
- 3Development team secure storage of API keys and deployment credentials
- 4Privacy-focused individuals avoiding cloud-based password services
- 5Homelab enthusiasts centralizing authentication for self-hosted services
- 6Organizations requiring air-gapped password management systems
- 7Teams needing unlimited users without subscription costs
Prerequisites
- Minimum 128MB RAM available for Vaultwarden container operation
- Ports 8080 and 3012 available for web interface and WebSocket connections
- Valid domain name and SSL certificate for production deployments
- Secure ADMIN_TOKEN generated using openssl or similar cryptographic tool
- Reverse proxy knowledge for HTTPS termination and domain routing
- Basic understanding of Bitwarden client configuration and import procedures
For development & testing. Review security settings, change default credentials, and test thoroughly before production use. See Terms
docker-compose.yml
docker-compose.yml
1services: 2 vaultwarden: 3 image: vaultwarden/server:latest4 container_name: vaultwarden5 restart: unless-stopped6 environment: 7 - DOMAIN=${DOMAIN:-http://localhost:8080}8 - SIGNUPS_ALLOWED=${SIGNUPS_ALLOWED:-true}9 - ADMIN_TOKEN=${ADMIN_TOKEN}10 - WEBSOCKET_ENABLED=true11 volumes: 12 - vaultwarden_data:/data13 ports: 14 - "${VAULTWARDEN_PORT:-8080}:80"15 - "${WEBSOCKET_PORT:-3012}:3012"1617 backup: 18 image: ttionya/vaultwarden-backup:latest19 container_name: vw-backup20 restart: unless-stopped21 environment: 22 - RCLONE_REMOTE_NAME=local23 - RCLONE_REMOTE_DIR=/backups24 - CRON=${BACKUP_CRON:-0 2 * * *}25 - ZIP_ENABLE=true26 - ZIP_PASSWORD=${BACKUP_PASSWORD}27 volumes: 28 - vaultwarden_data:/bitwarden/data:ro29 - ./backups:/backups3031volumes: 32 vaultwarden_data: .env Template
.env
1# Vaultwarden Configuration2VAULTWARDEN_PORT=80803WEBSOCKET_PORT=30124DOMAIN=http://localhost:80805SIGNUPS_ALLOWED=true67# Generate a secure token: openssl rand -base64 488ADMIN_TOKEN=your_secure_admin_token_here910# Backup Configuration11BACKUP_CRON=0 2 * * *12BACKUP_PASSWORD=your_backup_encryption_passwordUsage Notes
- 1Access Vaultwarden at http://localhost:8080
- 2Use official Bitwarden browser extensions and mobile apps
- 3Admin panel available at /admin (requires ADMIN_TOKEN)
- 4Backups run daily at 2 AM and are stored in ./backups
- 5For HTTPS, put behind a reverse proxy like Traefik or Caddy
- 6Generate secure ADMIN_TOKEN: openssl rand -base64 48
Individual Services(2 services)
Copy individual services to mix and match with your existing compose files.
vaultwarden
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
restart: unless-stopped
environment:
- DOMAIN=${DOMAIN:-http://localhost:8080}
- SIGNUPS_ALLOWED=${SIGNUPS_ALLOWED:-true}
- ADMIN_TOKEN=${ADMIN_TOKEN}
- WEBSOCKET_ENABLED=true
volumes:
- vaultwarden_data:/data
ports:
- ${VAULTWARDEN_PORT:-8080}:80
- ${WEBSOCKET_PORT:-3012}:3012
backup
backup:
image: ttionya/vaultwarden-backup:latest
container_name: vw-backup
restart: unless-stopped
environment:
- RCLONE_REMOTE_NAME=local
- RCLONE_REMOTE_DIR=/backups
- CRON=${BACKUP_CRON:-0 2 * * *}
- ZIP_ENABLE=true
- ZIP_PASSWORD=${BACKUP_PASSWORD}
volumes:
- vaultwarden_data:/bitwarden/data:ro
- ./backups:/backups
Quick Start
terminal
1# 1. Create the compose file2cat > docker-compose.yml << 'EOF'3services:4 vaultwarden:5 image: vaultwarden/server:latest6 container_name: vaultwarden7 restart: unless-stopped8 environment:9 - DOMAIN=${DOMAIN:-http://localhost:8080}10 - SIGNUPS_ALLOWED=${SIGNUPS_ALLOWED:-true}11 - ADMIN_TOKEN=${ADMIN_TOKEN}12 - WEBSOCKET_ENABLED=true13 volumes:14 - vaultwarden_data:/data15 ports:16 - "${VAULTWARDEN_PORT:-8080}:80"17 - "${WEBSOCKET_PORT:-3012}:3012"1819 backup:20 image: ttionya/vaultwarden-backup:latest21 container_name: vw-backup22 restart: unless-stopped23 environment:24 - RCLONE_REMOTE_NAME=local25 - RCLONE_REMOTE_DIR=/backups26 - CRON=${BACKUP_CRON:-0 2 * * *}27 - ZIP_ENABLE=true28 - ZIP_PASSWORD=${BACKUP_PASSWORD}29 volumes:30 - vaultwarden_data:/bitwarden/data:ro31 - ./backups:/backups3233volumes:34 vaultwarden_data:35EOF3637# 2. Create the .env file38cat > .env << 'EOF'39# Vaultwarden Configuration40VAULTWARDEN_PORT=808041WEBSOCKET_PORT=301242DOMAIN=http://localhost:808043SIGNUPS_ALLOWED=true4445# Generate a secure token: openssl rand -base64 4846ADMIN_TOKEN=your_secure_admin_token_here4748# Backup Configuration49BACKUP_CRON=0 2 * * *50BACKUP_PASSWORD=your_backup_encryption_password51EOF5253# 3. Start the services54docker compose up -d5556# 4. View logs57docker compose logs -fOne-Liner
Run this command to download and set up the recipe in one step:
terminal
1curl -fsSL https://docker.recipes/api/recipes/vaultwarden-password-stack/run | bashTroubleshooting
- WebSocket connection failed in browser: Ensure port 3012 is accessible and WEBSOCKET_ENABLED=true is set
- Admin panel shows 'Invalid admin token': Regenerate ADMIN_TOKEN with openssl rand -base64 48 and restart container
- Bitwarden clients can't connect: Verify DOMAIN environment variable matches your actual access URL including protocol
- Backup service not creating files: Check that backup container has write permissions to ./backups directory
- High memory usage on small VPS: Disable WebSocket notifications and reduce worker processes in admin panel
- Database locked errors: Stop containers gracefully with docker-compose down before maintenance operations
Community Notes
Loading...
Loading notes...
Download Recipe Kit
Get all files in a ready-to-deploy package
Includes docker-compose.yml, .env template, README, and license
Components
vaultwardenbackup
Tags
#passwords#bitwarden#security#vault#backup
Category
Security & NetworkingAd Space
Shortcuts: C CopyF FavoriteD Download