Bitwarden is the gold-standard open-source password manager. Vaultwarden is an unofficial, lightweight Rust implementation of the Bitwarden server API — it runs on a fraction of the resources and is fully compatible with all official Bitwarden clients (browser extensions, iOS, Android, desktop apps).
Running it yourself means your vault never touches a cloud server. Combined with Tailscale for remote access, this setup gives you the convenience of a hosted service with complete data sovereignty.
Why Vaultwarden over self-hosted Bitwarden
Bitwarden’s official self-hosted server is a multi-container Docker stack that requires at least 2 GB RAM and a modern CPU. Vaultwarden is a single Rust binary that runs in 50 MB RAM and has been audited by the security community for years.
Vaultwarden was formerly named Bitwarden_RS. It is not officially affiliated with Bitwarden, Inc., but implements the same API spec. All official Bitwarden clients work with it — the connection URL is the only thing that changes.
Architecture
Task 1: Create the Vaultwarden container
| Field | Value |
|---|---|
| VMID | 111 |
| Hostname | vaultwarden |
| OS | Ubuntu 24.04 LXC (unprivileged) |
| IP | 10.0.0.79 (static) |
| Cores | 1 |
| RAM | 256 MB |
| Disk | 5 GB |
Vaultwarden is unusually lightweight. 256 MB RAM is genuinely sufficient for a single-household vault.
Task 2: Install Vaultwarden
Vaultwarden provides pre-built binaries for common architectures. This avoids needing Rust installed.
apt-get update && apt-get install -y curl unzip
# Check https://github.com/dani-garcia/vaultwarden/releases for latest version
# Replace 1.32.0 with the current release tag
mkdir -p /opt/vaultwarden/data
curl -sSL https://github.com/dani-garcia/vaultwarden/releases/download/1.32.0/vaultwarden-1.32.0-linux-x86_64.tar.gz -o /tmp/vaultwarden.tar.gz
tar xzf /tmp/vaultwarden.tar.gz -C /opt/vaultwarden/
# Download the web vault UI
curl -sSL https://github.com/dani-garcia/bw_web_builds/releases/download/v1.32.0/bw_web_v1.32.0.tar.gz -o /tmp/web-vault.tar.gz
tar xzf /tmp/web-vault.tar.gz -C /opt/vaultwarden/
useradd -r -s /bin/false vaultwarden
chown -R vaultwarden:vaultwarden /opt/vaultwarden
cat > /opt/vaultwarden/.env << 'EOF'
# Data directory
DATA_FOLDER=/opt/vaultwarden/data
# Web vault UI
WEB_VAULT_FOLDER=/opt/vaultwarden/web-vault
WEB_VAULT_ENABLED=true
# Listen on all interfaces, port 80
ROCKET_ADDRESS=0.0.0.0
ROCKET_PORT=80
# Enable signups only for initial setup — DISABLE AFTER CREATING YOUR ACCOUNT
SIGNUPS_ALLOWED=true
# Admin token (generate with: openssl rand -base64 48)
ADMIN_TOKEN=CHANGE_ME_USE_openssl_rand_base64_48
# Log level
LOG_LEVEL=warn
# Enable 2FA
AUTHENTICATOR_DISABLE_TIME_DRIFT=false
EOF
chown vaultwarden:vaultwarden /opt/vaultwarden/.env
chmod 600 /opt/vaultwarden/.env
Run openssl rand -base64 48 and replace CHANGE_ME_USE_openssl_rand_base64_48 in the .env file. This token protects the Vaultwarden admin panel — treat it like a password.
cat > /etc/systemd/system/vaultwarden.service << 'EOF'
[Unit]
Description=Vaultwarden Password Manager
After=network.target
[Service]
User=vaultwarden
Group=vaultwarden
WorkingDirectory=/opt/vaultwarden
EnvironmentFile=/opt/vaultwarden/.env
ExecStart=/opt/vaultwarden/vaultwarden
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
systemctl enable --now vaultwarden
systemctl status vaultwarden
journalctl -u vaultwarden -f
# Look for: Vaultwarden is running on http://0.0.0.0:80
Open http://10.0.0.79 in your browser. You should see the Bitwarden web vault login page.
Task 3: Create your account and disable signups
On the Vaultwarden login page, click Create Account. Fill in your email and a strong master password.
Vaultwarden does not have a password reset mechanism. If you forget your master password, your vault is permanently locked. Use a strong, memorable passphrase and store it somewhere offline (written on paper in a secure location).
Once your account is created, disable open registration so no one else can create accounts:
sed -i 's/SIGNUPS_ALLOWED=true/SIGNUPS_ALLOWED=false/' /opt/vaultwarden/.env
systemctl restart vaultwarden
Task 4: Configure Bitwarden clients
In the Bitwarden browser extension (Chrome/Firefox/Edge):
- Click the extension icon
- Click the settings gear icon in the top-left
- Under Self-hosted environment, set Server URL to:
http://10.0.0.79 - Click Save
You can now log in with the account you created.
On iOS/Android Bitwarden:
- Tap the region selector on the login screen
- Choose Self-hosted
- Set Server URL to your Tailscale IP for the container’s host, or the LAN IP if you’re on the same network
- Log in
For mobile access outside your LAN without port forwarding, install Tailscale on your phone. The Vaultwarden container’s host node (pvelab04) is a Tailscale node, so you can reach http://10.0.0.79 from anywhere your phone has Tailscale running — no public exposure needed.
Task 5: Set up automatic backups
The entire Vaultwarden state is in /opt/vaultwarden/data/. Back up this directory and you have everything.
cat > /opt/vaultwarden/backup.sh << 'EOF'
#!/bin/bash
BACKUP_DIR="/opt/vaultwarden/backups"
DATE=$(date +%Y%m%d_%H%M)
mkdir -p "$BACKUP_DIR"
# Stop Vaultwarden to ensure a clean SQLite backup
systemctl stop vaultwarden
tar czf "$BACKUP_DIR/vault_$DATE.tar.gz" -C /opt/vaultwarden data/
systemctl start vaultwarden
# Keep last 14 backups
find "$BACKUP_DIR" -name "vault_*.tar.gz" -mtime +14 -delete
echo "Backup complete: $BACKUP_DIR/vault_$DATE.tar.gz"
EOF
chmod +x /opt/vaultwarden/backup.sh
echo "0 3 * * * /opt/vaultwarden/backup.sh >> /var/log/vaultwarden-backup.log 2>&1" | crontab -
Enabling 2FA on your vault
Vaultwarden supports TOTP-based 2FA (Google Authenticator, Bitwarden Authenticator, Aegis, etc.). Enable it in the Bitwarden web vault:
- Log into
http://10.0.0.79 - Go to Account Settings → Security → Two-step Login
- Enable Authenticator App
- Scan the QR code with your TOTP app
After enabling 2FA, even if someone knows your master password, they cannot access your vault without the TOTP code.
# View logs
journalctl -u vaultwarden -f
# Restart after config change
systemctl restart vaultwarden
# Check data directory size
du -sh /opt/vaultwarden/data/
# List backups
ls -lh /opt/vaultwarden/backups/
Related posts:
- Proxmox LXC Networking: Bridges, VLANs, and Static IPs — assign a static IP to this container
- Proxmox Firewall Guide — isolate Vaultwarden at the CT level so only trusted IPs can reach it
- Proxmox Security Hardening — harden the host node running this container
- Tailscale Subnet Router: Remote Access to Your Entire Homelab — access your vault remotely without exposing it to the internet
- Proxmox Backup Server: Automated Container Backups — back up the vault data directory automatically
This post contains Amazon affiliate links (tag: buildahomelab-20). I earn a small commission on qualifying purchases at no extra cost to you.