
Vaultwarden

Open source alternative to Bitwarden, 1Password, LastPass and Dashlane

Secure Bitwarden-compatible password management on your own server.

60.2K stars · Rust · AGPL-3.0 · Active recently
Contents
  1. Who Vaultwarden is for
  2. The problem it solves
  3. How it solves it
  4. Strengths and trade-offs
  5. Vaultwarden vs alternatives
  6. Install and self-host
  7. Tech stack
  8. FAQ
  9. Similar open-source tools
TL;DR

Vaultwarden is a lightweight self-hosted password manager server that implements the Bitwarden API, letting you use all official Bitwarden clients against your own infrastructure.

AGPL-3.0 · Rust · 60.2K stars · Active recently

Who Vaultwarden is for

Homelab administrators managing credentials for household members

Run Vaultwarden on a Raspberry Pi or home server to give every household member a shared password manager. You control the data, no monthly fees apply, and the official Bitwarden mobile apps work as expected for non-technical family members who already know the Bitwarden interface.

Skip if:

You want a managed service with automatic backups and uptime SLAs. Running Vaultwarden means you own the backup responsibility, and the vault is unreachable if your home server goes offline.

Small teams and startups sharing credentials without per-seat fees

Use Vaultwarden's Organizations feature to create shared Collections for team credentials without paying Bitwarden's per-seat Teams tier. Supports role-based access control, event logs for auditing, group policies, and admin password reset for teams of up to several dozen users.

Skip if:

You need enterprise SSO via SAML or OIDC with your identity provider fully supported and vendor-tested. Consider the official Bitwarden self-hosted or Bitwarden cloud for that requirement.

Privacy-focused individuals moving off cloud password managers

Migrate from Bitwarden cloud, LastPass, or 1Password to a self-hosted instance where credentials never leave your infrastructure. After importing your vault export, point any existing Bitwarden client app at your Vaultwarden server URL, preserving the same UX with no retraining or new apps.

Skip if:

You need vault access from devices you do not control when your home server is unreachable and you have not configured external access (VPN or public DNS). Cloud services remain more available than a typical home server without external access configured.

Compliance teams air-gapping credential storage on-premises

Deploy Vaultwarden on an internal network with no public internet access for environments where credentials must stay on-premises under internal security policy or regulatory requirements. Configure it with a local CA certificate for TLS and restrict access by VPN or network segment.

Skip if:

Your compliance mandate requires a vendor-backed SOC 2 Type II certification for the credential store itself. Vaultwarden is community-maintained and carries no formal compliance certifications.

The problem it solves

The official Bitwarden cloud service stores your passwords on Bitwarden's servers, which requires trusting a third party with your most sensitive credentials. For privacy-conscious users and organizations under compliance requirements, that is a non-starter. Bitwarden does offer a self-hosted option, but it runs as a suite of Docker containers with resource-intensive dependencies, demanding at least 2GB RAM and considerable infrastructure that puts it out of reach for home lab setups or small VPS instances.

The result is a gap: users who want Bitwarden's polished cross-platform client ecosystem but cannot justify the official self-hosted stack's overhead had no practical option. Small teams, homelab administrators, and privacy-focused individuals were left choosing between cloud dependency and an operationally demanding self-host.

How it solves it

Full Bitwarden client compatibility

Works with every official Bitwarden app: iOS, Android, browser extensions (Chrome, Firefox, Safari), and desktop clients. No custom clients required. Your team switches from Bitwarden cloud to Vaultwarden by changing the server URL in the existing app, with no reinstallation or retraining.

Single-container Docker deployment

Runs as one lightweight Docker container using SQLite by default, with no SQL Server, Redis, or multi-container orchestration required. A Raspberry Pi 3 with 512MB RAM can run Vaultwarden for a family or small team. Persistent data mounts to a single volume directory.

Organizations, sharing, and role-based access

Supports full Bitwarden Organizations features: shared collections, member roles (owner, admin, manager, user), group policies, event logs, admin password reset, and the Directory Connector for LDAP and Active Directory sync. Teams can share credentials with access controls without a paid Bitwarden plan.

Multi-factor authentication options

Supports TOTP authenticator apps, email OTP, FIDO2 WebAuthn hardware keys (including YubiKey), and Duo Security. All MFA methods are available on the self-hosted instance at no extra cost, regardless of the plan tiers that normally gate some MFA options on Bitwarden cloud.

Admin backend and bundled web vault

Includes a web-based admin panel for user management, server diagnostics, and instance configuration. Bundles a modified Bitwarden web vault client inside the container, so browser-based vault access works out of the box without a separate web client deployment.

Strengths and trade-offs

Strengths

  • Runs on minimal hardware: Where the official Bitwarden self-hosted stack requires multiple containers and at least 2GB RAM, Vaultwarden runs in a single container using under 100MB of RAM in steady state. It operates on a Raspberry Pi, a $5/month VPS, or any spare machine, making it the only practical Bitwarden-compatible option for low-resource deployments.
  • Uses official Bitwarden client apps: Unlike other self-hosted password managers that require their own clients or browser extensions, Vaultwarden uses the actual Bitwarden API. Users get the same polished mobile apps, browser extensions, and desktop clients that Bitwarden cloud users have, with no compromises on the client experience.
  • All premium features included at no per-user cost: The official Bitwarden cloud charges per-user for Organizations and premium features including hardware key MFA, file attachments, and emergency access. Self-hosting Vaultwarden makes every one of those features available to all users at no per-seat cost, as long as you operate the server yourself.
  • Active project with community maintainership: The project has regular releases, active issue tracking, and a maintainer who is independently employed by Bitwarden (contributions reviewed separately). Community support runs across Matrix, GitHub Discussions, and Discourse forums, with a detailed wiki covering configuration, proxies, and migration from other password managers.

Trade-offs

  • Not an official Bitwarden product: Vaultwarden is an independent reimplementation, not affiliated with or endorsed by Bitwarden, Inc. Security patches for the Bitwarden API may not land in Vaultwarden at the same pace as the official server. The project explicitly states it cannot guarantee protection against data loss, and administrators are responsible for monitoring updates and maintaining backups.
  • Requires HTTPS and a reverse proxy to function: Vaultwarden cannot run over plain HTTP for production use. The Web Crypto API used by Bitwarden clients requires a secure context (HTTPS). Setting up a reverse proxy (nginx, Caddy, or Traefik) and a valid TLS certificate is a prerequisite, which adds configuration steps beyond a simple Docker run for users new to self-hosting.
  • AGPL-3.0 restricts commercial redistribution: AGPL-3.0 requires that any modified version served as a network service must make its source code available to users. Teams that want to resell or wrap Vaultwarden in a commercial offering must comply with this. For personal and internal team use, this restriction has no practical impact.
  • Some enterprise features may differ from official Bitwarden: A small number of Bitwarden enterprise features, including certain SAML SSO configurations and some organization policy options, may lag or behave differently from the official server. The Vaultwarden wiki documents supported and unsupported features. Teams with specific enterprise SSO requirements should verify compatibility before migrating.
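
To illustrate the HTTPS and reverse proxy requirement listed above, here is an nginx configuration added as an example; it is not taken from this page or from the Vaultwarden project. It assumes the container is published on 127.0.0.1:8000 and served as vw.domain.tld, as in the Docker command in the install section, and the certificate paths are placeholders.

```nginx
# Added example. Belongs in nginx's http context (for instance a file under
# conf.d/). Hostname and upstream port follow the page's Docker command;
# certificate paths are placeholders to replace with your own.

# Pass WebSocket upgrades through so clients receive live sync notifications.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      "";
}

server {
    # Plain HTTP only redirects; the vault is never served without TLS.
    listen 80;
    server_name vw.domain.tld;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name vw.domain.tld;

    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;    # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers to refuse plain HTTP for this host on later visits.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Leave room for file attachments; the limit here is an assumed value.
    client_max_body_size 128M;

    location / {
        # The container listens on loopback only, so nginx is the sole
        # network-facing entry point.
        proxy_pass http://127.0.0.1:8000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

Because the container port is bound to 127.0.0.1, the unencrypted listener is not reachable from other hosts even if the firewall is misconfigured.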

Vaultwarden vs alternatives

Vaultwarden vs Bitwarden

Vaultwarden and official Bitwarden self-hosted both give you a Bitwarden-compatible password server, but they fit different operating models. Vaultwarden is AGPL-3.0, community-maintained, and designed for a single lightweight container; official Bitwarden is AGPL-3.0, first-party, and runs a larger multi-service stack.

| Decision point | Vaultwarden | Bitwarden self-hosted or cloud |
| --- | --- | --- |
| Resource needs | Single container, typically under 100MB RAM | Self-hosted stack needs 2GB+ RAM |
| Clients | Works with official Bitwarden clients through API compatibility | Official first-party compatibility |
| Cost | No per-seat fee beyond server costs | Cloud Teams and premium features are paid per user |
| Support model | Community support and self-managed backups | Vendor support, managed cloud, or official self-host docs |

Choose Vaultwarden when you want Bitwarden's client experience on a Raspberry Pi, home server, or small VPS without recurring user fees. Choose official Bitwarden when you need vendor-backed support, enterprise SSO, SCIM, formal audit evidence, or a managed cloud service where Bitwarden handles uptime, backups, and security patching.

Install and self-host

```bash
# Docker CLI
docker run --detach --name vaultwarden \
  --env DOMAIN="https://vw.domain.tld" \
  --volume /vw-data/:/data/ \
  --restart unless-stopped \
  --publish 127.0.0.1:8000:80 \
  vaultwarden/server:latest
```

```yaml
# Docker Compose (compose.yaml)
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      DOMAIN: "https://vw.domain.tld"
    volumes:
      - ./vw-data/:/data/
    ports:
      - 127.0.0.1:8000:80
```

What it's built on (tech stack detected from GitHub)

Languages: Rust, TypeScript
Databases: MySQL, PostgreSQL
Infrastructure: Docker

FAQ

Is Vaultwarden the same as Bitwarden?

No. Vaultwarden is an independent, community-built server that implements the Bitwarden API but is not made or endorsed by Bitwarden, Inc. It is compatible with all official Bitwarden clients. Think of it as a lightweight server that speaks Bitwarden's protocol, letting you self-host without running the full official server stack.

Can I migrate my existing Bitwarden vault to Vaultwarden?

Yes. Export your vault from Bitwarden as a JSON file and import it into your Vaultwarden instance via the web vault or any Bitwarden client. The data format is identical since Vaultwarden uses the Bitwarden API. The Vaultwarden wiki covers the migration steps in detail.

How much RAM and CPU does Vaultwarden require?

Vaultwarden is designed for low-resource environments and runs comfortably on a Raspberry Pi 3 with 512MB RAM or a small VPS. Idle memory usage is typically under 100MB. The official Bitwarden self-hosted stack, by contrast, requires at least 2GB RAM due to its multi-container architecture.

Is Vaultwarden secure?

Vaultwarden implements the same client-side AES-256 encryption as Bitwarden, so your vault data is encrypted before it leaves the client and the server cannot read your passwords. The main security responsibilities are keeping Vaultwarden updated promptly when releases ship, securing your server with a firewall, enforcing HTTPS, and running regular backups. The project cannot guarantee protection against data loss.

Does Vaultwarden support two-factor authentication?

Yes. Vaultwarden supports TOTP authenticator apps, email OTP, FIDO2 WebAuthn hardware keys (including YubiKey), and Duo Security. All MFA methods work on the self-hosted instance without any paid plan requirement, unlike Bitwarden cloud where some MFA options require a premium subscription.

Similar open-source tools

  • KeePass: Free open source password manager with encrypted local file (46 · TypeScript · GPL-3.0)
  • KeePassXC: Cross-platform open source password manager with browser plugin (27.5K · C++)
  • Passbolt: Open source team password manager with sharing and audit (6K · PHP · AGPL-3.0)
  • Psono: Self-hosted password manager for teams with enterprise SSO (100 · Python)
  • Keestash: Self-hosted team password manager with web-based access control (10 · PHP · AGPL-3.0)
  • Passwordcockpit: Self-hosted team password manager with role-based access (135 · Dockerfile · BSD-3-Clause)

Repository

  • Stars: 60.2K
  • Forks: 2.8K
  • License: AGPL-3.0
  • Latest: 1.36.0
  • Last commit: 34 days ago
  • Last verified: May 14, 2026
  • Repo: dani-garcia/vaultwarden

Additional details

  • Language: Rust
  • Open issues: 50
  • Contributors: 188
  • First release: 2018

Categories: Security & Monitoring, IT Management, Business & Productivity

Tags: Security, Authentication, Self Hosted, Privacy Tools, Cybersecurity