Most people pick a cloud password manager and stick with it because it works well enough, and they never think about it again. That’s a reasonable choice, but it means your encrypted credentials are sitting on someone else’s servers, subject to their pricing decisions, their security practices, and whatever happens to their business down the road. Self-hosting your password manager puts all of that back in your hands, and Vaultwarden makes it practical enough to run on modest hardware without a complicated setup.
Please stop storing passwords in your browser
Time’s up for your browser password manager.
Self-Hosted is generally better than the cloud
Managing your own hardware keeps it at home
The way people manage credentials has shifted a lot over the years, and most people land on a centralized cloud service like Bitwarden without thinking too hard about it. That works fine for most users. However, you don’t need to rely on a subscription service anymore. This is why many people are moving toward hosting their own setup instead. I would rather hold my own data than hand it to an external company.
I trust my own hardware more than I trust someone else’s, so I’m not comfortable using the standard cloud model. Otherwise, you’re just betting on the provider’s infrastructure security and financial stability. When you self-host, you just need to trust the open-source code and your own administrative skills. I find that trade-off worth it, but it’s not for everyone.
Hardware requirements tend to shape which software you end up picking. The official self-hosted Bitwarden server needs over a dozen containers and a heavy Microsoft SQL Server backend, which rules it out for a lot of people running modest hardware. That’s where Vaultwarden comes in.
It’s an unofficial version of the Bitwarden API that fits the entire stack into a single container. This is how people run their own servers with it, but I’d recommend this track more. You can run it on a Raspberry Pi or a cheap virtual private server without breaking a sweat.
That small footprint also means less maintenance and a smaller attack surface. This setup proves the whole point of self-hosting. You’re gaining real ownership of your infrastructure without needing expensive hardware to pull it off.
There’s also the question of who owns your data, which matters to a lot of people. In the standard Bitwarden cloud model, your encrypted data still sits on servers managed by the provider somewhere in the United States. When you self-host, none of that data leaves your local network unless you specifically want it to. For anyone who thinks carefully about where their data physically lives, that’s a meaningful difference.
Here’s how to get better safety
Your own password vault
Moving from a cloud password manager to a self-hosted setup has its downsides, but Vaultwarden makes it a lot easier than you’d expect. One of the best parts is that you don’t have to give up the applications you already use. To do it, you just need to make sure your hardware is ready for virtualization. Restart your machine and enter the BIOS, usually by tapping F2 or Delete, and enable Intel Virtualization Technology or VT-x. Once you’re back in Windows, open Task Manager, go to the Performance tab, and check that Virtualization says Enabled.
If you’ve run a virtual box before, you likely don’t need to redo the BIOS method.
Next, open PowerShell as an administrator and type wsl --install to add the Windows Subsystem for Linux. Restart when it finishes, then download Docker Desktop. If you’re not sure of which Windows you have, you likely have the AMD64 version. Either way, your PC will tell you if you downloaded the wrong one when you try to run it.
During installation, make sure the option to use WSL 2 is checked so everything runs the way it should. Once Docker is installed and the whale icon in your system tray says it is active, you’re ready to set up the server.
Create a folder at C:\Vaultwarden and inside it create a file called docker-compose.yml. Type in this code:
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
restart: unless-stopped
environment:
SIGNUPS_ALLOWED: "true"
volumes:
- ./vw-data:/data
caddy:
image: caddy:2
container_name: caddy
restart: unless-stopped
ports:
- 80:80
- 443:443
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile
- ./caddy_data:/data
- ./caddy_config:/configI have heard of many people having issues with Docker here, so it’s important to also make a Caddy file. Caddy handles the security side of things because Chrome and Firefox both require a secure HTTPS connection for the vault encryption to work properly.
Unfortunately, you’ll use HTTP for this, and it won’t work without this workaround. If you can do it without Caddy, then feel free not to use it.
In the Vaultwarden folder, create a second file called Caddyfile under .all and remove any file extension if it is written out. Inside it, add this block
localhost {
reverse_proxy vaultwarden:80
}In the command bar, type in cd C:\Vaultwarden. Then, docker compose up -d. Once it’s running, go to https://localhost in your browser. You’ll see a security warning since the certificate is local; click Advanced and proceed past it to reach the setup page and create your account.
Once you create it, you can start using it, and there’s even an extension you can download that it offers.
You are the new IT team
Adjust your way of thinking
In a self-hosted setup, you’re fully responsible for keeping your data available. Since there’s no support team or corporate recovery strategy to fall back on, losing your primary database without a backup means losing everything permanently. I think about this a lot, which is why I treat backups as the most important part of the whole setup.
The most reliable way to handle this is the same way professional IT teams do it: with the 3-2-1 strategy. You keep three total copies of your data on two different types of media, with one copy stored offsite. It sounds like a lot, but once it’s automated, you don’t think about it again.
You can’t just copy the database file while the server is running. Instead, you run the SQLite backup command directly inside the Docker container to get a clean, consistent snapshot without any downtime.
A complete backup needs to include the database file, cryptographic keys, configuration files, and your secure attachments directory. Missing any of those means the backup isn’t actually usable.
Self-hosting may be the right choice for you
Self-hosting a password manager isn’t the right move for everyone. You’re taking on the responsibility of backups, updates, and making sure your server stays available. If you’re not comfortable with that, a managed cloud service is still a reasonable option. However, if you’d rather own your infrastructure and not depend on a provider’s pricing or security record, Vaultwarden is one of the cleaner ways to do it. The hardware requirements are low, the setup is straightforward, and once it’s running, you get a fully functional password manager that doesn’t cost anything month to month.
- Developer
-
Daniel García
- Price model
-
Free, Open-source
Vaultwarden is a lightweight, self-hosted password manager compatible with Bitwarden clients, designed to run efficiently on low-resource servers.
