Is Vaultwarden really compatible with official Bitwarden clients?

**Yes, 100%**. Vaultwarden (formerly bitwarden_rs) is a Rust rewrite of the Bitwarden server implementing the official API. Bitwarden clients (web, desktop, mobile, browsers, CLI) connect to your Vaultwarden server by simply pointing to your custom URL. No client-side feature loss. The only case where Vaultwarden lags slightly: some very recent Enterprise features may take 1-2 months delay.

What hardware for self-hosting Vaultwarden?

**Minimum viable**: Raspberry Pi 4 (2 GB RAM, microSD 32 GB) or any $3-5/month VPS (Contabo, OVH, Hetzner CX11). **Comfortable**: Raspberry Pi 4 (4 GB RAM, USB 3.0 SSD) or VPS 4 GB RAM. Vaultwarden uses ~100 MB RAM idle, ~200 MB peak. Storage depends on attachments: ~50 MB for 500 attachment-free entries.

Is TLS / HTTPS mandatory for Vaultwarden?

**Yes, absolutely**. Bitwarden clients refuse to connect to a non-encrypted HTTP server (except localhost dev). You must deploy a TLS certificate. Standard solution: Let's Encrypt via certbot (free, auto-renewal) with nginx or Caddy proxy. Our tutorial details the Caddy option (simpler: 1 line of config handles auto HTTPS).

How to reliably backup Vaultwarden?

Vaultwarden stores its data in SQLite (default) or PostgreSQL/MySQL (option). Minimum backup: regularly copy the db.sqlite3 file to external storage. Advanced solution: use litestream (continuous SQLite replication to S3). Our recommendation: hourly cronjob that zips the data folder and uploads it encrypted to Backblaze B2.

Vaultwarden Self-Host or Bitwarden Cloud Official?

**Vaultwarden self-host**: zero recurring cost if server already available, full data control, but you're responsible for uptime/backups/security. **Bitwarden hosted official**: $10/year for Premium, zero-knowledge encrypted data, pro team handles infra/backups/updates. Recommendation: self-host if you're a sysadmin/devops professional. Bitwarden hosted in all other cases.

Vaultwarden Self-Host: Complete 2026 Tutorial (Docker, Raspberry Pi, TLS)

📌 Self-hosting is NOT for everyone: before you start, be honest — are you up for handling reverse proxy, TLS certs, encrypted backups and monthly Docker upgrades? If the answer is "not really," a managed vault like NordPass at $1.49/month will cost you less than a Raspberry Pi outage while you're on vacation. If yes, this tutorial is for you.

Vaultwarden is the open source Rust rewrite of the Bitwarden server, designed to run on modest hardware (Raspberry Pi 4 is enough). This tutorial details a production-grade deployment with Docker Compose, automatic HTTPS Caddy proxy, and encrypted Backblaze B2 backups.

Vaultwarden runs your Bitwarden vault on your own hardware. 100% compatible with official clients. Setup in 30 minutes if you know Docker.

01 — Prerequisites

A Linux server (Raspberry Pi 4, VPS, or homelab) with Docker installed
A domain name pointing to the server's public IP (e.g., vault.yourdomain.com)
Port 443 open in firewall / NAT
30 minutes
~50 MB storage for Vaultwarden + your future data

02 — Target Architecture

Internet → Cloudflare (optional) → Caddy reverse proxy with automatic Let's Encrypt → Vaultwarden container. Data stored on the host at /srv/vaultwarden/data.

Caddy handles HTTPS automatically via Let's Encrypt. Vaultwarden runs in an isolated Docker container.

03 — Docker Compose

Create the file /srv/vaultwarden/docker-compose.yml. The configuration uses the official vaultwarden/server:latest image, exposes the DOMAIN variable pointing to your HTTPS URL, disables external signups with SIGNUPS_ALLOWED: false, enables WebSockets for real-time sync, and mounts a ./data volume for persistence.

The Caddy configuration is minimal: a single reverse_proxy vaultwarden:80 directive plus standard security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy).

The ADMIN_TOKEN is generated with openssl rand -base64 48 (to put in your local config only, never committed).

04 — Start Vaultwarden

Launch the service with docker compose up -d from the /srv/vaultwarden folder, then check logs with docker compose logs -f vaultwarden. Caddy obtains a Let's Encrypt certificate automatically within 30 seconds (visible in docker compose logs caddy).

Open https://vault.yourdomain.com in your browser
Create your account (the only one allowed: signups closed after)
IMMEDIATELY: Settings → Security → Two-step Login → enable TOTP
IMMEDIATELY: verify SIGNUPS_ALLOWED is false
Test autofill with your browser pointing to your custom URL

06 — Automatic Backups

An hourly bash script snapshots the SQLite database (consistent without service stop), zips the entire folder, encrypts with GPG client-side (recipient = your email), and uploads to Backblaze B2 (~$1/month for 100 GB).

The sequence:

docker exec vaultwarden sqlite3 /data/db.sqlite3 ".backup '/tmp/db_DATE.sqlite3'" for consistent snapshot
tar czf to archive
gpg --encrypt --recipient you@email.com for client-side encryption
b2 upload-file for remote upload
Local cleanup

Crontab: 0 * * * * /usr/local/bin/vaultwarden-backup.sh

Monthly test: restore a backup on a dev instance to verify integrity.

07 — Connect Official Bitwarden Clients

In each Bitwarden client (mobile, desktop, browser), before logging in:

Click the Settings gear (before login)
Server URL: https://vault.yourdomain.com
Save
Log in with your master password

All clients work exactly as with the official Bitwarden cloud.

08 — Maintenance

Vaultwarden updates: docker compose pull && docker compose up -d (monthly recommended)
Monitoring: Uptime Kuma (self-hosted) or Healthchecks.io (free) for downtime alerts
Logs: docker compose logs --tail 200 vaultwarden
Audit: follow github.com/dani-garcia/vaultwarden for potential CVEs

★ Audit Cure53 2024 · ✓ Plan gratuit · Cross-platform

See NordPass Premium →$1.49/month · Zero maintenance · Cure53 + SOC 2 audited→

09 — Going Further

Complete 2026 Bitwarden review
Best password manager 2026 ranking — compare managed cloud vaults if self-hosting feels like too much
Best LastPass alternatives 2026 — for teams migrating away from LastPass before deciding on self-host
Public methodology

Tutorial based on Vaultwarden 1.31.x on Raspberry Pi 4 (Debian 12) in June 2026. Procedures tested on 2 production instances in parallel over 8 months.

★ Audit Cure53 2024 · ✓ Plan gratuit · Cross-platform

Get NordPass30 jours satisfait ou remboursé · Plan gratuit disponible→