Vaultwarden on Proxmox LXC: Self-Hosted Bitwarden-Compatible Password Manager

Deploy Vaultwarden (the lightweight Bitwarden-compatible server) in an unprivileged Proxmox LXC container with HTTPS, automatic backups, and mobile client access via Tailscale.

Bitwarden is the gold-standard open-source password manager. Vaultwarden is an unofficial, lightweight Rust implementation of the Bitwarden server API — it runs on a fraction of the resources and is fully compatible with all official Bitwarden clients (browser extensions, iOS, Android, desktop apps).

Running it yourself means your vault never touches a cloud server. Combined with Tailscale for remote access, this setup gives you the convenience of a hosted service with complete data sovereignty.


Why Vaultwarden over self-hosted Bitwarden

Bitwarden’s official self-hosted server is a multi-container Docker stack that requires at least 2 GB RAM and a modern CPU. Vaultwarden is a single Rust binary that runs in 50 MB RAM and has been audited by the security community for years.

Note

Vaultwarden was formerly named Bitwarden_RS. It is not officially affiliated with Bitwarden, Inc., but implements the same API spec. All official Bitwarden clients work with it — the connection URL is the only thing that changes.


Architecture

Bitwarden clientsBrowser · iOS · Androidvia TailscaleCT 111 · VaultwardenRust binary · port 8010.0.0.79SQLite / data dirvault DB + attachments/opt/vaultwarden/dataTailscaleremote access (no port forward)

Task 1: Create the Vaultwarden container

1Create CT 1115 min
Field Value
VMID 111
Hostname vaultwarden
OS Ubuntu 24.04 LXC (unprivileged)
IP 10.0.0.79 (static)
Cores 1
RAM 256 MB
Disk 5 GB

Vaultwarden is unusually lightweight. 256 MB RAM is genuinely sufficient for a single-household vault.


Task 2: Install Vaultwarden

Vaultwarden provides pre-built binaries for common architectures. This avoids needing Rust installed.

1Download the Vaultwarden binary5 min
Inside CT 111 — download Vaultwarden

apt-get update && apt-get install -y curl unzip

# Check https://github.com/dani-garcia/vaultwarden/releases for latest version
# Replace 1.32.0 with the current release tag
mkdir -p /opt/vaultwarden/data
curl -sSL https://github.com/dani-garcia/vaultwarden/releases/download/1.32.0/vaultwarden-1.32.0-linux-x86_64.tar.gz -o /tmp/vaultwarden.tar.gz
tar xzf /tmp/vaultwarden.tar.gz -C /opt/vaultwarden/

# Download the web vault UI
curl -sSL https://github.com/dani-garcia/bw_web_builds/releases/download/v1.32.0/bw_web_v1.32.0.tar.gz -o /tmp/web-vault.tar.gz
tar xzf /tmp/web-vault.tar.gz -C /opt/vaultwarden/
2Create the vaultwarden system user2 min
Inside CT 111 — create service user

useradd -r -s /bin/false vaultwarden
chown -R vaultwarden:vaultwarden /opt/vaultwarden
3Create the environment configuration5 min
Create /opt/vaultwarden/.env

cat > /opt/vaultwarden/.env << 'EOF'
# Data directory
DATA_FOLDER=/opt/vaultwarden/data

# Web vault UI
WEB_VAULT_FOLDER=/opt/vaultwarden/web-vault
WEB_VAULT_ENABLED=true

# Listen on all interfaces, port 80
ROCKET_ADDRESS=0.0.0.0
ROCKET_PORT=80

# Enable signups only for initial setup — DISABLE AFTER CREATING YOUR ACCOUNT
SIGNUPS_ALLOWED=true

# Admin token (generate with: openssl rand -base64 48)
ADMIN_TOKEN=CHANGE_ME_USE_openssl_rand_base64_48

# Log level
LOG_LEVEL=warn

# Enable 2FA
AUTHENTICATOR_DISABLE_TIME_DRIFT=false
EOF

chown vaultwarden:vaultwarden /opt/vaultwarden/.env
chmod 600 /opt/vaultwarden/.env
Generate a real admin token

Run openssl rand -base64 48 and replace CHANGE_ME_USE_openssl_rand_base64_48 in the .env file. This token protects the Vaultwarden admin panel — treat it like a password.

4Create the systemd service3 min
Create /etc/systemd/system/vaultwarden.service

cat > /etc/systemd/system/vaultwarden.service << 'EOF'
[Unit]
Description=Vaultwarden Password Manager
After=network.target

[Service]
User=vaultwarden
Group=vaultwarden
WorkingDirectory=/opt/vaultwarden
EnvironmentFile=/opt/vaultwarden/.env
ExecStart=/opt/vaultwarden/vaultwarden
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF

systemctl enable --now vaultwarden
5Verify Vaultwarden is running2 min
Check service status

systemctl status vaultwarden
journalctl -u vaultwarden -f
# Look for: Vaultwarden is running on http://0.0.0.0:80

Open http://10.0.0.79 in your browser. You should see the Bitwarden web vault login page.


Task 3: Create your account and disable signups

1Create your admin account3 min

On the Vaultwarden login page, click Create Account. Fill in your email and a strong master password.

Your master password cannot be recovered

Vaultwarden does not have a password reset mechanism. If you forget your master password, your vault is permanently locked. Use a strong, memorable passphrase and store it somewhere offline (written on paper in a secure location).

2Disable new account signups2 min

Once your account is created, disable open registration so no one else can create accounts:

Edit /opt/vaultwarden/.env

sed -i 's/SIGNUPS_ALLOWED=true/SIGNUPS_ALLOWED=false/' /opt/vaultwarden/.env
systemctl restart vaultwarden

Task 4: Configure Bitwarden clients

1Configure the browser extension2 min

In the Bitwarden browser extension (Chrome/Firefox/Edge):

  1. Click the extension icon
  2. Click the settings gear icon in the top-left
  3. Under Self-hosted environment, set Server URL to: http://10.0.0.79
  4. Click Save

You can now log in with the account you created.

2Configure mobile clients2 min

On iOS/Android Bitwarden:

  1. Tap the region selector on the login screen
  2. Choose Self-hosted
  3. Set Server URL to your Tailscale IP for the container’s host, or the LAN IP if you’re on the same network
  4. Log in
Tip

For mobile access outside your LAN without port forwarding, install Tailscale on your phone. The Vaultwarden container’s host node (pvelab04) is a Tailscale node, so you can reach http://10.0.0.79 from anywhere your phone has Tailscale running — no public exposure needed.


Task 5: Set up automatic backups

The entire Vaultwarden state is in /opt/vaultwarden/data/. Back up this directory and you have everything.

1Create a daily backup script5 min
Create /opt/vaultwarden/backup.sh

cat > /opt/vaultwarden/backup.sh << 'EOF'
#!/bin/bash
BACKUP_DIR="/opt/vaultwarden/backups"
DATE=$(date +%Y%m%d_%H%M)
mkdir -p "$BACKUP_DIR"

# Stop Vaultwarden to ensure a clean SQLite backup
systemctl stop vaultwarden
tar czf "$BACKUP_DIR/vault_$DATE.tar.gz" -C /opt/vaultwarden data/
systemctl start vaultwarden

# Keep last 14 backups
find "$BACKUP_DIR" -name "vault_*.tar.gz" -mtime +14 -delete
echo "Backup complete: $BACKUP_DIR/vault_$DATE.tar.gz"
EOF

chmod +x /opt/vaultwarden/backup.sh
Schedule daily 3AM backup

echo "0 3 * * * /opt/vaultwarden/backup.sh >> /var/log/vaultwarden-backup.log 2>&1" | crontab -

Enabling 2FA on your vault

Vaultwarden supports TOTP-based 2FA (Google Authenticator, Bitwarden Authenticator, Aegis, etc.). Enable it in the Bitwarden web vault:

  1. Log into http://10.0.0.79
  2. Go to Account Settings → Security → Two-step Login
  3. Enable Authenticator App
  4. Scan the QR code with your TOTP app

After enabling 2FA, even if someone knows your master password, they cannot access your vault without the TOTP code.


Service management reference

# View logs
journalctl -u vaultwarden -f

# Restart after config change
systemctl restart vaultwarden

# Check data directory size
du -sh /opt/vaultwarden/data/

# List backups
ls -lh /opt/vaultwarden/backups/

Related posts:

This post contains Amazon affiliate links (tag: buildahomelab-20). I earn a small commission on qualifying purchases at no extra cost to you.