Your Most Sensitive Data on Hardware You Control
A password manager is where the master key to your digital life lives. When that service is hosted by a third party, a breach of their servers is a breach of every credential you have stored. Vaultwarden is an open-source, Bitwarden-compatible server written in Rust. It speaks the same API as the official Bitwarden server, so all the official Bitwarden clients — browser extensions, desktop apps, mobile apps — work with it without modification. And it runs in 10 MB of RAM instead of the 2 GB or more that the official Java-based server requires, making it perfect for a Pi.
10MB RAM
Write the Docker Compose File for Vaultwarden
Create a directory for Vaultwarden: mkdir -p ~/docker/vaultwarden. Inside it, create a docker-compose.yml that defines a single vaultwarden service using the vaultwarden/server image. Mount a named volume to /data inside the container — this is where Vaul
Configure Caddy as the HTTPS Reverse Proxy
Add a block to your Caddyfile for the vault subdomain — vault.home.example.com for a local CA setup, or vault.example.com if you have a public domain with port forwarding. The block contains a single reverse_proxy directive pointing to vaultwarden:80. Cad
Create Your Account and Lock Down Registration
Click Create Account on the Vaultwarden web interface. Use a strong master password — this is the one password you need to memorize, and it protects everything else. After your account is created and you have confirmed you can log in, go back to your dock
Enable Two-Factor Authentication
Log into your Vaultwarden web vault. Go to Account Settings and then Security. Enable TOTP-based two-factor authentication by scanning the QR code with an authenticator app. Store the recovery codes somewhere secure — print them or save them in a secondar
Connect the Official Bitwarden Clients
Install the Bitwarden browser extension or desktop app. Before logging in, click the gear or settings icon to change the server URL. Enter your Vaultwarden URL. Log in with the credentials you created. The client connects to your server, syncs your vault,
Set Up Nightly Backup of the SQLite Database
Vaultwarden's entire data store lives in a single SQLite file at /data/db.sqlite3 inside the container. In your restic backup script from the earlier slate, add the Vaultwarden data volume path to the backup job. For extra safety, also configure a pre-bac
Disable the admin panel token after completing initial setup. The admin panel at /admin gives full access to all user accounts and vault management without requiring the master password. If ADMIN_TOKEN is set, anyone who finds it has complete control of your vault server. Remove the ADMIN_TOKEN environment variable from your compose file and restart the container to disable admin panel access entirely.
What Comes Next
Managing one vault for one person is straightforward. Managing who gets access to fifteen different self-hosted services, with different roles and permissions per service, at scale across a household or small team, is a different problem entirely. That is where single sign-on comes in — one account, one login, every service connected.
