Vaultwarden

A lightweight Bitwarden-compatible server for personal use and small teams.

Review notes

Run behind HTTPS, configure the domain carefully, back up the database, and consider disabling open signups.

Deployment guide

Deploy as a lightweight container, but treat it as a sensitive service with strict security.

Create a dedicated volume for the database and attachments.
Run Vaultwarden behind a reverse proxy with HTTPS.
Set `DOMAIN` to the correct public URL so emails and clients work reliably.
Disable open signup with `SIGNUPS_ALLOWED=false` after creating users.
Enable 2FA and tightly restrict admin token access.

Backup:Back up the data volume regularly and test restores because this stores passwords.

Copy and run on your server

Use each block separately: save the compose file, or copy the bash script to create it and start the container.

docker-compose.ymlyaml

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    environment:
      DOMAIN: "https://vault.example.com"
      SIGNUPS_ALLOWED: "false"
    volumes:
      - ./data:/data
    ports:
      - "8080:80"
    restart: unless-stopped

setup.shbash

#!/usr/bin/env bash
set -euo pipefail

sudo mkdir -p /opt/vaultwarden
sudo chown "$USER":"$USER" /opt/vaultwarden
cd /opt/vaultwarden

cat > docker-compose.yml <<'COMPOSE'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    environment:
      DOMAIN: "https://vault.example.com"
      SIGNUPS_ALLOWED: "false"
    volumes:
      - ./data:/data
    ports:
      - "8080:80"
    restart: unless-stopped
COMPOSE

docker compose up -d
echo "Vaultwarden is running on http://SERVER_IP:8080"

Stack

RustSQLiteDocker