Vaultwarden
Lightweight, self-hosted Bitwarden-compatible password manager written in Rust. Uses 10x less RAM than the official server and works with all Bitwarden clients.
Self-hosted password management, honestly reviewed. No marketing fluff, just what you get when you stop trusting someone else with your master vault.
TL;DR
- What it is: An unofficial, open-source reimplementation of the Bitwarden server API, written in Rust — meaning you run it yourself and your passwords never touch anyone else’s cloud [README].
- Who it’s for: Privacy-conscious individuals, homelab enthusiasts, and small teams who want Bitwarden’s polished clients without paying Bitwarden’s subscription fees or trusting their servers [1][2].
- Cost savings: LastPass Premium runs $36/year. Bitwarden cloud starts at $10/year. Vaultwarden self-hosted costs $0 in software and ~$6/mo on a VPS — or essentially nothing on a Raspberry Pi you already own [3][4][5].
- Key strength: Full Bitwarden client compatibility (browser extensions, mobile apps, desktop clients work unchanged) in a single Docker container that runs on 128MB RAM [3][4].
- Key weakness: Unofficial project with community-only support. No relationship with Bitwarden, Inc. If something breaks between Bitwarden client updates and Vaultwarden’s server, you wait for a community fix [README][2].
What is Vaultwarden
Vaultwarden is not a fork of Bitwarden. It’s a ground-up reimplementation of the Bitwarden server API, written in Rust by an independent developer (dani-garcia) and a community of contributors. The official Bitwarden clients — the browser extensions, iOS app, Android app, and desktop app — speak to whatever server you point them at. Vaultwarden speaks the same protocol, so all those clients work with it unchanged [README][2].
The motivation was straightforward: Bitwarden’s official self-hosted server is a heavy piece of infrastructure. It requires 11 Docker containers, a minimum of 2GB RAM, 12GB storage, and runs on Microsoft SQL Server — which is a strange dependency for a personal password manager [3]. Vaultwarden collapses that to one container, 128MB RAM, and 200MB storage [3]. It’ll run comfortably on a Raspberry Pi, a Synology NAS, or whatever hardware you’ve got idle in a closet [1][5].
The project currently sits at 56,917 GitHub stars and 2,700+ forks — one of the most-starred self-hosted projects in existence. It has 78 releases and is actively maintained, with multiple community support channels (Matrix, GitHub Discussions, Discourse) [README]. The license is AGPL-3.0, which means the source is open but any modifications you distribute must also be open source.
One important caveat the README makes explicit: Vaultwarden is not affiliated with Bitwarden, Inc. Bugs go to the Vaultwarden issue tracker, not Bitwarden support. One of the active maintainers is employed by Bitwarden and is “allowed to contribute to the project,” but that’s where the official relationship ends [README].
Why people choose it
The reviews tell a consistent story: people migrate to Vaultwarden after a security incident or a pricing change at their current password manager.
The LastPass exodus. The 2022 LastPass breach — in which attackers stole encrypted vault data — is the event that pushed a lot of people to look at self-hosted alternatives [3][5]. TechAddressed’s tutorial [3] opens with it directly: “The recent data breach at LastPass, resulting in the theft of users’ encrypted password vaults, has highlighted the importance of taking control of your password security.” One XDA author migrated from LastPass to Vaultwarden overnight and describes the process as straightforward — export to CSV, import into Vaultwarden, redirect the browser extension [5]. The migration took under 15 minutes in the XDA review [1].
Full control over the attack surface. The central appeal isn’t just cost — it’s the security posture. When your vault lives on your server, you decide who can reach it, what network it’s on, and whether it’s exposed to the internet at all. The XDA author who wrote “Self-hosting Vaultwarden is the best decision I ever made” [1] specifically mentions implementing firewall hardening and network isolation on top of Vaultwarden — things you cannot do with any cloud password manager. Another author went the Tailscale route: the Vaultwarden server is only accessible via a private Tailscale network, so the vault is never exposed to the open internet at all [5].
Feature parity at zero cost. This is the practical kicker. Bitwarden’s official self-hosted server gates features behind paid licenses — hardware two-factor authentication (FIDO2, YubiKey), emergency access, and additional user accounts all require payment. Vaultwarden unlocks all of these in the community edition at no cost [3]. The comparison TechAddressed makes is blunt: Bitwarden charges for the features, Vaultwarden gives them to you for free.
Resource efficiency. Multiple reviewers mention running Vaultwarden on Raspberry Pi as a first-class use case, not an edge case [1][2][5]. 128MB RAM for a full-featured password manager is genuinely impressive. Rust’s memory safety guarantees also get called out specifically — the language was chosen because “the last thing you want in your password management system is a memory leak or other security concern” [3].
Features
From the README and the reviews, Vaultwarden implements nearly the full Bitwarden feature set:
Core vault:
- Personal vault with passwords, secure notes, credit cards, identities [README]
- Bitwarden Send — encrypted file/text sharing with expiry and access controls [README]
- File attachments per vault item [README]
- Website icon fetching [README]
- Personal API key for CLI/automation access [README]
- Password generation and strength checking [3][4]
- Auto-fill via browser extensions [3][5]
Organizations and sharing:
- Organizations with Collections, Password Sharing, Member Roles, Groups [README]
- Event Logs, Admin Password Reset, Directory Connector [README]
- Policies for organizational password rules [README]
Two-factor authentication:
- Authenticator app (TOTP) [README]
- Email OTP [README]
- FIDO2 WebAuthn — hardware keys like YubiKey and Titan [README][3]
- YubiKey OTP [README]
- Duo [README]
Admin and deployment:
- Vaultwarden Admin Backend — a web UI for managing users, invitations, and instance config [README]
- Modified web vault client bundled in the container [README]
- CLI access and API for automation and CI/CD pipeline integration [4]
- Single Docker container deployment [README][3]
What’s not there compared to official Bitwarden cloud:
- No Bitwarden-managed backup (you manage your own vw-data/ backups)
- No official support — community only [2][README]
- No compliance certifications (SOC 2, etc.) — relevant if you’re evaluating this for a business with audit requirements
Pricing: SaaS vs self-hosted math
LastPass (the migration target most reviewers came from):
- Free tier: heavily limited, single device
- Premium: $36/year ($3/mo)
- Families: $48/year for up to 6 users
Bitwarden cloud (the service Vaultwarden replaces):
- Free: unlimited passwords, basic 2FA, one device type
- Premium: $10/year ($0.83/mo) — adds TOTP, hardware 2FA, vault health reports
- Families: $40/year for up to 6 users
Vaultwarden self-hosted:
- Software: $0 (AGPL-3.0)
- Raspberry Pi (if you already have one): ~$0 incremental cost
- VPS (Hetzner/Contabo cheapest tier): ~$4–6/month
- Your own hardware with spare capacity: $0 incremental
Concrete math for a family of 4:
On Bitwarden Families cloud, 4 users with premium features = $40/year. On Vaultwarden running on a Raspberry Pi 4 you bought for other purposes, the marginal cost is $0 — and you get all the premium features (hardware 2FA, emergency access, file attachments) that Bitwarden gates behind its $10/year individual premium license [3].
If you’re paying for a dedicated VPS just for Vaultwarden: $5/mo × 12 = $60/year. That’s more than Bitwarden Premium ($10/year) but less than Bitwarden Families, and you’re not trusting Bitwarden’s servers. The VPS economics only make sense if you’re running other services on the same box — which most self-hosters do.
The real comparison isn’t Bitwarden cloud (which is already cheap) — it’s LastPass, 1Password, or Dashlane, which run $36–$60/year per user. For a business paying $5–8/user/month on a premium password manager, a single Vaultwarden instance replaces the entire bill [4].
Deployment reality check
The install path is a single Docker container, and every review agrees the core setup is fast. The XDA migration article [5] describes the entire process as “overly simplified.” The TechAddressed tutorial [3] walks through Docker Compose configuration in about a dozen lines of YAML.
What you actually need:
- Any Linux machine with Docker (a Raspberry Pi 4, NAS, VPS, or old laptop)
- A domain name and reverse proxy (Caddy or nginx) for HTTPS — required because browsers won’t allow the Web Crypto API over plain HTTP [README]
- Either a VPN (Tailscale, Wireguard) for private access, or proper HTTPS + a firewall for public access
- A backup strategy for the vw-data/ directory — Vaultwarden doesn’t do this for you
The HTTPS requirement is the main trip hazard. The README is explicit: “The web-vault requires a secure context for the Web Crypto API. That means it will only work via http://localhost:8000 or if you enable HTTPS.” For a local-network-only setup, you need either a self-signed cert (with browser trust issues) or a real domain with Let’s Encrypt pointed at an internal IP via a reverse proxy. This is the step that tends to confuse non-technical users [README][5].
Recommended setup path for non-technical users: Tailscale + Vaultwarden. Install Tailscale on the server and your devices, run Vaultwarden listening only on the Tailscale interface, get a Tailscale HTTPS certificate. No domain registrar, no Let’s Encrypt, no public exposure. The XDA author [5] took exactly this route and calls it a “simple Tailscale setup.”
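The checklist above (reverse proxy, HTTPS, a firewall stance, signups you control) is what most people get wrong on a public instance, so here is the whole arrangement in one place. This is an added example, not code from the article or from the Vaultwarden project: a small POSIX shell script that writes a docker-compose.yml and a Caddyfile in which Vaultwarden is reachable only through Caddy, Caddy terminates HTTPS with a Let’s Encrypt certificate, open registration is switched off, and the /admin page is served only to private and Tailscale address ranges. The hostname vault.example.com, the target directory, the allowed IP ranges and the check_stack sanity test are all assumptions; the environment variable names (DOMAIN, SIGNUPS_ALLOWED, INVITATIONS_ALLOWED, ADMIN_TOKEN, SHOW_PASSWORD_HINT) and the `vaultwarden hash` helper are real, and the script assumes a recent vaultwarden/server image that serves WebSocket notifications on its main port.

```shell
#!/usr/bin/env sh
# Added example, not code from the article or the Vaultwarden project.
# Generates docker-compose.yml and Caddyfile for the setup the checklist
# describes: Vaultwarden reachable only through Caddy, which terminates HTTPS
# with a Let's Encrypt certificate. Assumed: the hostname vault.example.com,
# the private ranges allowed to open /admin, and a recent vaultwarden/server
# image (WebSocket notifications on the main port, no separate port 3012).
set -eu

# write_stack DIR DOMAIN ADMIN_TOKEN_HASH
# DIR receives docker-compose.yml, Caddyfile, vw-data/ and caddy-data/.
write_stack() {
  dir="$1"; domain="$2"; admin_hash="$3"
  # Compose interpolates "$", so every "$" in the argon2 PHC string becomes "$$".
  escaped_hash=$(printf '%s' "$admin_hash" | sed 's/\$/$$/g')
  mkdir -p "$dir/vw-data" "$dir/caddy-data"
  cat > "$dir/docker-compose.yml" <<EOF
services:
  vaultwarden:
    image: vaultwarden/server:latest
    restart: unless-stopped
    environment:
      # Clients, Send links and WebAuthn all need the public origin.
      DOMAIN: "https://${domain}"
      # Public instance: nobody can register an account on their own.
      SIGNUPS_ALLOWED: "false"
      # Existing users may still invite people into an organization.
      INVITATIONS_ALLOWED: "true"
      # argon2 hash of the admin password; create it with
      #   docker run --rm -it vaultwarden/server /vaultwarden hash
      ADMIN_TOKEN: "${escaped_hash}"
      SHOW_PASSWORD_HINT: "false"
    volumes:
      - ./vw-data:/data
    # Nothing published to the host: only Caddy can reach the container.

  caddy:
    image: caddy:2
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - ./caddy-data:/data
EOF
  cat > "$dir/Caddyfile" <<EOF
${domain} {
    # Caddy requests and renews the certificate itself.
    encode gzip
    header Strict-Transport-Security "max-age=31536000"
    # /admin is reachable only from LAN and Tailscale (CGNAT) addresses.
    @admin path /admin*
    handle @admin {
        @outside not remote_ip 10.0.0.0/8 192.168.0.0/16 100.64.0.0/10
        respond @outside 403
        reverse_proxy vaultwarden:80
    }
    reverse_proxy vaultwarden:80
}
EOF
}

# check_stack DIR: succeeds only if the generated compose file keeps the
# properties that matter: an https DOMAIN, signups closed, and exactly one
# host-port block, which must sit under the caddy service, not vaultwarden.
check_stack() {
  f="$1/docker-compose.yml"
  grep -Fq 'DOMAIN: "https://' "$f" || { echo "DOMAIN is not https" >&2; return 1; }
  grep -Fq 'SIGNUPS_ALLOWED: "false"' "$f" || { echo "signups are open" >&2; return 1; }
  [ "$(grep -c '^    ports:$' "$f")" -eq 1 ] || { echo "unexpected ports block" >&2; return 1; }
  vw=$(grep -n '^  vaultwarden:$' "$f" | cut -d: -f1)
  caddy=$(grep -n '^  caddy:$' "$f" | cut -d: -f1)
  ports=$(grep -n '^    ports:$' "$f" | cut -d: -f1)
  [ "$vw" -lt "$caddy" ] && [ "$caddy" -lt "$ports" ]
}

# Usage: sh deploy.sh /srv/vaultwarden vault.example.com '<argon2 PHC string>'
# then:  cd /srv/vaultwarden && docker compose up -d
if [ "$#" -eq 3 ]; then
  write_stack "$1" "$2" "$3"
  check_stack "$1" && echo "stack written to $1"
fi
```

Let’s Encrypt issuance only works if the hostname resolves publicly and ports 80 and 443 reach this box; for the LAN-only or Tailscale layouts described above, the same compose file works with Caddy pointed at whatever certificate source you use there. The check_stack function is deliberately strict about the ports block: publishing Vaultwarden’s own port (for example to “test quickly”) bypasses the proxy, HTTPS and the /admin restriction in one move, so the script refuses a file that does that.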
Realistic time estimates:
- Technical user with Docker experience: 20–45 minutes to a working instance
- Non-technical user following a guide: 2–4 hours including domain/DNS setup
- Non-technical user using the Tailscale path: closer to 1–2 hours
Platform support: Raspberry Pi is genuinely first-class, not an afterthought [1][2][5]. DietPi (a Raspberry Pi OS variant) even includes Vaultwarden as an installable package via its built-in software installer — no command-line Docker needed [5]. Synology NAS deployments are also well-documented in the community [1][2].
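The backup item on the checklist is the one that bites later, because the SQLite database underneath vw-data/ is being written while the server runs and a plain copy of it can be corrupt. The following is an added example, not code from the article or from the Vaultwarden project: a POSIX shell routine that snapshots the database through SQLite’s online backup API, bundles it with the attachments, Sends, token-signing key and config, writes a SHA-256 manifest, prunes old archives and verifies what it produced. The directory layout it assumes is that of a default SQLite install (db.sqlite3, attachments/, sends/, rsa_key.pem, config.json); the destination path, the 14-archive retention default and the function names are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not code from the article or the Vaultwarden project.
# Takes a consistent backup of a Vaultwarden data directory (the vw-data/
# the checklist says you must back up yourself) and verifies the result.
# Assumed layout, matching a default SQLite install: db.sqlite3, attachments/,
# sends/, rsa_key.pem (plus rsa_key.pub.pem on older versions), config.json.
# icon_cache/ is left out because the server rebuilds it on demand.
set -eu

# backup_vault DATA_DIR DEST_DIR [KEEP]
# Writes DEST_DIR/vaultwarden-<utc stamp>.tar.gz and a .sha256 manifest,
# prunes to the newest KEEP archives (default 14) and prints the archive path.
backup_vault() {
  data="$1"; dest="$2"; keep="${3:-14}"
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  work=$(mktemp -d)
  mkdir -p "$dest"

  # The database changes while the server runs. SQLite's online backup API
  # yields a consistent snapshot; a raw cp during a write can be corrupt.
  if command -v sqlite3 >/dev/null 2>&1; then
    sqlite3 "$data/db.sqlite3" ".backup '$work/db.sqlite3'"
  else
    echo "warning: sqlite3 missing, copying db.sqlite3 raw; stop the container first" >&2
    cp "$data/db.sqlite3" "$work/db.sqlite3"
  fi

  # Attachments and Sends are written once per item; rsa_key.pem signs the
  # login tokens, so losing it logs every client out.
  for item in attachments sends rsa_key.pem rsa_key.pub.pem config.json; do
    if [ -e "$data/$item" ]; then cp -a "$data/$item" "$work/"; fi
  done

  name="vaultwarden-$stamp.tar.gz"
  tar -C "$work" -czf "$dest/$name" .
  # The manifest lets a restore detect a truncated or tampered archive.
  (cd "$dest" && sha256sum "$name" > "$name.sha256")
  rm -rf "$work"

  # Retention: archive names sort chronologically, so drop the oldest extras.
  count=$(ls "$dest"/vaultwarden-*.tar.gz | wc -l | tr -d ' ')
  if [ "$count" -gt "$keep" ]; then
    ls "$dest"/vaultwarden-*.tar.gz | sort | head -n "$((count - keep))" |
      while read -r old; do rm -f "$old" "$old.sha256"; done
  fi
  echo "$dest/$name"
}

# verify_backup ARCHIVE: checks the manifest, that the database and signing
# key are inside, and (when sqlite3 is available) that the database is sane.
verify_backup() {
  archive="$1"
  (cd "$(dirname "$archive")" && sha256sum -c --quiet "$(basename "$archive").sha256") || return 1
  listing=$(tar -tzf "$archive")
  printf '%s\n' "$listing" | grep -q '/db.sqlite3$' || return 1
  printf '%s\n' "$listing" | grep -q '/rsa_key.pem$' || return 1
  if command -v sqlite3 >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    tar -C "$tmp" -xzf "$archive" ./db.sqlite3
    result=$(sqlite3 "$tmp/db.sqlite3" 'PRAGMA integrity_check;')
    rm -rf "$tmp"
    [ "$result" = "ok" ] || return 1
  fi
}

# Usage (e.g. from cron): sh backup.sh /srv/vaultwarden/vw-data /backups/vaultwarden 14
if [ "$#" -ge 2 ]; then
  archive=$(backup_vault "$1" "$2" "${3:-14}")
  verify_backup "$archive" && echo "verified $archive"
fi
```

Run it from cron on the host, not inside the container, and copy the resulting archives somewhere off the machine: a backup that lives on the same drive as vw-data/ does not protect you from the failed-disk scenario the reviews warn about. The archive still contains the server-side secrets (rsa_key.pem and the hashed master-password material in the database), so treat it with the same care as the live directory; the vault items themselves remain client-encrypted.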
Pros and cons
Pros
- Full Bitwarden client compatibility. Every official Bitwarden app works with Vaultwarden unchanged — browser extensions, mobile, desktop. You’re not giving up the polished client to self-host [2][3][4].
- Absurdly lightweight. 128MB RAM, 200MB storage, single container. Runs on hardware you’d otherwise use as a doorstop [3][4].
- All premium features unlocked for free. Hardware 2FA (FIDO2, YubiKey), emergency access, organizations, event logs — gated behind paid plans in official Bitwarden, free in Vaultwarden [3].
- Written in Rust. Memory safety, null safety, thread safety enforced at compile time. For a tool protecting your credentials, this matters more than it does for a todo app [3].
- Your data never leaves your hardware. The vault is encrypted on the client before it is sent, so even someone who breaks into your server gets only ciphertext. And with a VPN-only setup, the server isn’t even reachable from the public internet [1][4][5].
- 56,917 GitHub stars. This isn’t an abandoned hobby project — it has more stars than most commercially-backed open-source tools and 78 releases [README].
- Fast migration. CSV/JSON import from LastPass, 1Password, Bitwarden, and others. Multiple reviewers completed their migration in under 15 minutes [1][5].
Cons
- Unofficial project, community-only support. No SLA, no support ticket, no phone call. If Bitwarden ships a client update that breaks compatibility with Vaultwarden’s server implementation, you wait for a community fix [README][2].
- HTTPS setup is a real barrier for non-technical users. The Web Crypto API requirement means you cannot just run it on a local IP and call it done — you need a domain, a reverse proxy, or a VPN. This is the most common stumbling block [README][5].
- You own the backups. Vaultwarden does nothing to protect you from a failed drive. Automating backups of vw-data/ is on you [2].
- No compliance certifications. If you’re a business that needs SOC 2, HIPAA, or similar for audit purposes, Vaultwarden won’t help you [4].
- AGPL-3.0 license. Copyleft. If you modify and distribute Vaultwarden as part of a product, you must open-source your modifications. For personal or internal business use this is irrelevant, but worth knowing [README].
- Not affiliated with Bitwarden. This cuts both ways — you get the premium features free, but you also get no relationship with the company whose clients you’re depending on [README][2].
Who should use this / who shouldn’t
Use Vaultwarden if:
- You’re paying for LastPass, 1Password, or Dashlane and you’re tired of the bill or spooked by data breaches.
- You already have home server hardware (Raspberry Pi, NAS, spare VPS) and want to get more out of it.
- You want hardware 2FA, emergency access, and organizational features without paying Bitwarden’s premium tier.
- You’re comfortable following a Docker Compose tutorial and setting up a reverse proxy, or you’re willing to learn.
- Data sovereignty matters to you — your vault physically cannot be subpoenaed from a cloud provider you don’t control.
Use official Bitwarden cloud instead if:
- You want professional support with an SLA.
- You need compliance certifications for an audit.
- The difference between $10/year and $0/year isn’t worth an afternoon of setup to you — Bitwarden’s cloud offering is already cheap and well-run.
- You’re evaluating this for an enterprise with strict IT policies.
Use a different manager entirely if:
- You’ve never touched a terminal and don’t want to — the HTTPS setup will block you.
- You need your passwords accessible 24/7 regardless of home server uptime.
Alternatives worth considering
- Bitwarden cloud — the official service Vaultwarden reimplements. Free tier is generous, Premium is $10/year, and it’s SOC 2 certified. If you want the Bitwarden UX without self-hosting complexity, just use this.
- Bitwarden self-hosted (official) — technically available, but requires 11 containers, 2GB RAM, and a commercial license for the premium features. Vaultwarden defeats it on every practical metric for individual and small-team use [3].
- 1Password — polished, business-friendly, Travel Mode, Secrets Automation for developers. $3–8/user/month. No self-host option.
- LastPass — what most migrants are fleeing. The 2022 breach is worth googling before reconsidering it [3][5].
- KeePassXC + Syncthing — the other self-hosted approach: encrypted local database file, synced across devices with Syncthing. No server to maintain, but no browser auto-fill without manual setup, and sync conflicts are possible. Good for the truly paranoid who don’t want a server process at all.
- Passbolt — open-source password manager built for teams with a proper user management interface. More setup complexity than Vaultwarden, better for organizations that need workflow features.
For individuals and families coming from a cloud password manager, the realistic choice is Vaultwarden versus just paying for Bitwarden cloud. The self-hosted route wins on features (premium unlocked free) and data control. The cloud route wins on maintenance burden and uptime reliability.
Bottom line
Vaultwarden is the rare self-hosted project where the practical argument is essentially airtight. You get every premium feature that Bitwarden charges for, in a single container that runs on 128MB RAM, compatible with every official Bitwarden client you already know. The project has 56,917 GitHub stars because it works exactly as advertised. The only honest trade-offs are: you own the backups, you own the uptime, and you own the HTTPS setup — which is the one step that requires some technical literacy to get right. For anyone who’s been burned by a cloud password manager breach, paying SaaS fees for features that exist in open source, or just philosophically uncomfortable with a company having a copy of every credential they own, the math and the case are clear. A Raspberry Pi that costs $35 one time replaces a recurring subscription that only ever goes up.
If the reverse proxy and domain setup is the blocker, that’s exactly what upready.dev deploys for clients. One-time fee, done, your passwords stay yours.
Sources
- [1] XDA Developers — “Self-hosting Vaultwarden is the best decision I ever made” https://www.xda-developers.com/self-hosting-vaultwarden-is-the-best-decision-i-ever-made/
- [2] WunderTech — “Vaultwarden vs. Bitwarden: Best Password Manager?” https://www.wundertech.net/vaultwarden-vs-bitwarden/
- [3] TechAddressed — “Easily Self Host Vaultwarden Using Docker Compose” https://www.techaddressed.com/tutorials/vaultwarden-docker-compose/
- [4] Geeky Gadgets — “Vaultwarden: Free Password Manager, Self Hosted & No Subscriptions” https://www.geeky-gadgets.com/vaultwarden-self-hosted-free-password-manager/
- [5] XDA Developers — “I migrated from LastPass to a self-hosted Vaultwarden overnight” https://www.xda-developers.com/migrate-from-lastpass-to-vaultwarden-overnight/
Primary sources:
- GitHub repository and README: https://github.com/dani-garcia/vaultwarden (56,917 stars, AGPL-3.0 license)
- Docker Hub: https://hub.docker.com/r/vaultwarden/server
- Community forums: https://vaultwarden.discourse.group/