$docker.recipes

Vaultwarden Password Manager

intermediate

Self-hosted Bitwarden-compatible password manager with automated encrypted backups. Lightweight alternative to official Bitwarden server.

[i]Overview

Vaultwarden is a lightweight, unofficial Bitwarden server implementation written in Rust that provides complete compatibility with official Bitwarden clients while consuming dramatically fewer resources than the official server. Originally known as bitwarden_rs, Vaultwarden offers all premium Bitwarden features for free, including organizations, collections, emergency access, and two-factor authentication, making it an ideal choice for individuals and small teams seeking self-hosted password management. This Docker stack combines Vaultwarden with ttionya/vaultwarden-backup to create a comprehensive password management solution featuring automated encrypted backups. The backup service runs on a configurable cron schedule and can compress and encrypt backup files, ensuring your password vault data is protected against both hardware failures and security breaches. Together, these components deliver enterprise-grade password management capabilities with minimal resource overhead and robust data protection. This combination is perfect for privacy-conscious users, families, small businesses, and organizations that want full control over their password data without the recurring costs of hosted solutions. The stack provides the security and features of commercial password managers while maintaining complete data sovereignty and offering unlimited users and premium features at no cost.

[*]Key Features

  • [+]Complete Bitwarden API compatibility with browser extensions and mobile apps
  • [+]WebSocket notifications for real-time vault synchronization across devices
  • [+]All Bitwarden premium features including organizations, collections, and emergency access
  • [+]Built-in admin panel for user management and server configuration
  • [+]Two-factor authentication support with TOTP, WebAuthn, and Duo
  • [+]Automated encrypted backups with configurable scheduling and compression
  • [+]Resource-efficient design requiring only 50MB RAM versus 2GB+ for official Bitwarden
  • [+]Encrypted backup storage with password protection and multiple destination support

[#]Common Use Cases

  • [1]Family password sharing with secure vault access for household members
  • [2]Small business credential management with organizational collections
  • [3]Development team secure storage of API keys and deployment credentials
  • [4]Privacy-focused individuals avoiding cloud-based password services
  • [5]Homelab enthusiasts centralizing authentication for self-hosted services
  • [6]Organizations requiring air-gapped password management systems
  • [7]Teams needing unlimited users without subscription costs

[!]Prerequisites

  • [!]Minimum 128MB RAM available for Vaultwarden container operation
  • [!]Ports 8080 and 3012 available for web interface and WebSocket connections
  • [!]Valid domain name and SSL certificate for production deployments
  • [!]Secure ADMIN_TOKEN generated using openssl or similar cryptographic tool
  • [!]Reverse proxy knowledge for HTTPS termination and domain routing
  • [!]Basic understanding of Bitwarden client configuration and import procedures
[!]

WARNING: For development & testing. Review security settings, change default credentials, and test thoroughly before production use. See Terms

[$]docker-compose.yml

[docker-compose.yml]
1services: 
2  vaultwarden: 
3    image: vaultwarden/server:latest
4    container_name: vaultwarden
5    restart: unless-stopped
6    environment: 
7      - DOMAIN=${DOMAIN:-http://localhost:8080}
8      - SIGNUPS_ALLOWED=${SIGNUPS_ALLOWED:-true}
9      - ADMIN_TOKEN=${ADMIN_TOKEN}
10      - WEBSOCKET_ENABLED=true
11    volumes: 
12      - vaultwarden_data:/data
13    ports: 
14      - "${VAULTWARDEN_PORT:-8080}:80"
15      - "${WEBSOCKET_PORT:-3012}:3012"
16
17  backup: 
18    image: ttionya/vaultwarden-backup:latest
19    container_name: vw-backup
20    restart: unless-stopped
21    environment: 
22      - RCLONE_REMOTE_NAME=local
23      - RCLONE_REMOTE_DIR=/backups
24      - CRON=${BACKUP_CRON:-0 2 * * *}
25      - ZIP_ENABLE=true
26      - ZIP_PASSWORD=${BACKUP_PASSWORD}
27    volumes: 
28      - vaultwarden_data:/bitwarden/data:ro
29      - ./backups:/backups
30
31volumes: 
32  vaultwarden_data:

[$].env Template

[.env]
1# Vaultwarden Configuration
2VAULTWARDEN_PORT=8080
3WEBSOCKET_PORT=3012
4DOMAIN=http://localhost:8080
5SIGNUPS_ALLOWED=true
6
7# Generate a secure token: openssl rand -base64 48
8ADMIN_TOKEN=your_secure_admin_token_here
9
10# Backup Configuration
11BACKUP_CRON=0 2 * * *
12BACKUP_PASSWORD=your_backup_encryption_password

[i]Usage Notes

  1. [1]Access Vaultwarden at http://localhost:8080
  2. [2]Use official Bitwarden browser extensions and mobile apps
  3. [3]Admin panel available at /admin (requires ADMIN_TOKEN)
  4. [4]Backups run daily at 2 AM and are stored in ./backups
  5. [5]For HTTPS, put behind a reverse proxy like Traefik or Caddy
  6. [6]Generate secure ADMIN_TOKEN: openssl rand -base64 48

Individual Services(2 services)

Copy individual services to mix and match with your existing compose files.

vaultwarden
vaultwarden:
  image: vaultwarden/server:latest
  container_name: vaultwarden
  restart: unless-stopped
  environment:
    - DOMAIN=${DOMAIN:-http://localhost:8080}
    - SIGNUPS_ALLOWED=${SIGNUPS_ALLOWED:-true}
    - ADMIN_TOKEN=${ADMIN_TOKEN}
    - WEBSOCKET_ENABLED=true
  volumes:
    - vaultwarden_data:/data
  ports:
    - ${VAULTWARDEN_PORT:-8080}:80
    - ${WEBSOCKET_PORT:-3012}:3012
backup
backup:
  image: ttionya/vaultwarden-backup:latest
  container_name: vw-backup
  restart: unless-stopped
  environment:
    - RCLONE_REMOTE_NAME=local
    - RCLONE_REMOTE_DIR=/backups
    - CRON=${BACKUP_CRON:-0 2 * * *}
    - ZIP_ENABLE=true
    - ZIP_PASSWORD=${BACKUP_PASSWORD}
  volumes:
    - vaultwarden_data:/bitwarden/data:ro
    - ./backups:/backups

[>]Quick Start

[terminal]
1# 1. Create the compose file
2cat > docker-compose.yml << 'EOF'
3services:
4  vaultwarden:
5    image: vaultwarden/server:latest
6    container_name: vaultwarden
7    restart: unless-stopped
8    environment:
9      - DOMAIN=${DOMAIN:-http://localhost:8080}
10      - SIGNUPS_ALLOWED=${SIGNUPS_ALLOWED:-true}
11      - ADMIN_TOKEN=${ADMIN_TOKEN}
12      - WEBSOCKET_ENABLED=true
13    volumes:
14      - vaultwarden_data:/data
15    ports:
16      - "${VAULTWARDEN_PORT:-8080}:80"
17      - "${WEBSOCKET_PORT:-3012}:3012"
18
19  backup:
20    image: ttionya/vaultwarden-backup:latest
21    container_name: vw-backup
22    restart: unless-stopped
23    environment:
24      - RCLONE_REMOTE_NAME=local
25      - RCLONE_REMOTE_DIR=/backups
26      - CRON=${BACKUP_CRON:-0 2 * * *}
27      - ZIP_ENABLE=true
28      - ZIP_PASSWORD=${BACKUP_PASSWORD}
29    volumes:
30      - vaultwarden_data:/bitwarden/data:ro
31      - ./backups:/backups
32
33volumes:
34  vaultwarden_data:
35EOF
36
37# 2. Create the .env file
38cat > .env << 'EOF'
39# Vaultwarden Configuration
40VAULTWARDEN_PORT=8080
41WEBSOCKET_PORT=3012
42DOMAIN=http://localhost:8080
43SIGNUPS_ALLOWED=true
44
45# Generate a secure token: openssl rand -base64 48
46ADMIN_TOKEN=your_secure_admin_token_here
47
48# Backup Configuration
49BACKUP_CRON=0 2 * * *
50BACKUP_PASSWORD=your_backup_encryption_password
51EOF
52
53# 3. Start the services
54docker compose up -d
55
56# 4. View logs
57docker compose logs -f

[>]One-Liner

Run this command to download and set up the recipe in one step:

[terminal]
1curl -fsSL https://docker.recipes/api/recipes/vaultwarden-password-stack/run | bash

[?]Troubleshooting

  • [!]WebSocket connection failed in browser: Ensure port 3012 is accessible and WEBSOCKET_ENABLED=true is set
  • [!]Admin panel shows 'Invalid admin token': Regenerate ADMIN_TOKEN with openssl rand -base64 48 and restart container
  • [!]Bitwarden clients can't connect: Verify DOMAIN environment variable matches your actual access URL including protocol
  • [!]Backup service not creating files: Check that backup container has write permissions to ./backups directory
  • [!]High memory usage on small VPS: Disable WebSocket notifications and reduce worker processes in admin panel
  • [!]Database locked errors: Stop containers gracefully with docker-compose down before maintenance operations

Community Notes

Loading...
Loading notes...

## Download Recipe Kit

Get all files in a ready-to-deploy package

Includes docker-compose.yml, .env template, README, and license

## Components

vaultwardenbackup

## Tags

#passwords#bitwarden#security#vault#backup

## Category

Security & Networking

## Related