Setting up a Self-Hosted Password Manager: Vaultwarden on Ubuntu 24.04

Giteqa

Greetings, friends!

Are you familiar with that feeling of slight anxiety when you entrust all your critical passwords, access keys, and payment data to commercial cloud managers? In recent years, major security incidents have proven that centralized clouds are always the number one target for hackers. If you want to gain 100% control over your credentials, the best solution in 2026 is deploying your own encrypted password server.

In the self-hosted solution industry, the combination of official Bitwarden client applications and the lightweight server fork, Vaultwarden (written in Rust), has become the undisputed standard. It is fully compatible with all official browser extensions and mobile apps, yet consumes a negligible amount of resources. We have discussed its installation multiple times before and even shot a step-by-step video guide, which we duplicate here for your convenience.

In this guide, we will break down the architecture of secure password storage and set up your own protected server with automatic SSL certificate issuance step by step.

Key Takeaways: Why Choose Vaultwarden

  • Maximum Lightweightness: The official Bitwarden server requires a heavy MSSQL database and at least 2 GB of RAM. The alternative Vaultwarden is written in Rust, runs on SQLite/PostgreSQL, and consumes just 50–100 MB of RAM, running perfectly on any micro-server.

  • Uncompromising Security: All passwords are encrypted on your device's side (client-side) before being sent to the server. Even if an attacker gains physical access to your VPS database, without your master password, they will only see an array of random bytes.

  • HTTPS is a Strict Requirement: Modern browsers and Bitwarden applications utilize the Web Crypto API, which hardware-blocks the manager's functionality over an unencrypted HTTP connection.

  • Full Premium Functionality: The free Vaultwarden includes features that are only available under a paid subscription in the official cloud: time-based one-time password generation (TOTP), organizations for password sharing within a team, and secure file attachments.

Secure Password Access Architecture

For a reliable setup, you will need three components: a clean operating system (Ubuntu 24.04), a Docker container running the application itself, and a reverse proxy (such as Nginx or Caddy) responsible for traffic encryption and communication with the Let's Encrypt certificate authority.

Step-by-Step Password Server Deployment

For a successful installation, we will need Docker and the Docker Compose utility, which allows you to spin up an isolated stack using a single command. You can find all the commands used in the pinned comment under the video. The video itself is presented below:

The deployment process is demonstrated on Ubuntu 24.04.

Chronological Video Guide Steps:

  • [00:16] System Update: First, update your server package lists and upgrade existing packages to ensure maximum security.

  • [00:43] Prerequisites Installation: Install Docker and create a dedicated project directory to store your Vaultwarden configuration.

  • [02:04] Docker Compose Configuration: Create a docker-compose.yml file and paste the deployment configuration.

  • [02:20] Launching the Container: Start your Docker container in detached mode using the docker compose command.

  • [02:30] Initial Account Creation: Open your web browser, navigate to your server's IP address or domain name, and register your primary master account.

  • [04:10] Disabling Public Registrations: Modify your configuration file to change signup permissions from true to false, then restart the container to lock down the server.

Platform Comparison: Official Stack vs. Vaultwarden

CriterionOfficial Bitwarden StackVaultwarden (Rust Version)Infrastructure Impact
Resource ConsumptionVery high (from 2 GB RAM)Ultra-low (50–100 MB RAM)Vaultwarden saves money on server rentals.
DatabaseMicrosoft SQL ServerSQLite / PostgreSQL / MariaDBEasy backups by copying a single folder.
Premium FeaturesPaid subscription ($40+/year)Free out of the boxTOTP, sharing, and organizations are instantly available.
CompatibilityNative ecosystem100% compatible with clientsWorks flawlessly with all official apps and extensions.

Crucial Step: Securing the Perimeter

By default, your newly deployed Vaultwarden server is open to the entire internet. This means any random visitor who discovers your URL can register an account and consume your disk space.

To block this loophole, perform this critical procedure:

  1. Access your site via your domain name, click "Create Account", and register your main account with a strong master password [02:36].

  2. Return to the server terminal, open the configuration file using nano docker-compose.yml, and change the registration variable from open to closed [04:17]:

    YAML
    - SIGNUPS_ALLOWED=false
    
  3. Restart the container: docker compose down && docker compose up -d [04:17].

Now, the registration button on the home page is locked, preventing outsiders from creating accounts on your server. You can still manually invite colleagues or family members through the hidden admin panel at https://yourdomain.com/admin.

FAQ: Briefly About the Essentials

  • How do I connect a mobile app or browser extension to my server?

    Install the official Bitwarden client on your smartphone or browser. On the login screen (before entering credentials), click the gear icon (settings) in the top corner. In the "Server URL" field, change the region to Self-hosted and enter your domain URL: https://yourdomain.com. Save the settings and log in normally.

  • How do I back up the password database?

    Since Vaultwarden uses SQLite by default, all your data, encrypted attachments, and settings are physically stored in a single directory: ./vw-data. To create a backup, simply set up a simple cron job that archives this directory (e.g., using the tar utility) and uploads the archive to an isolated remote storage.

Conclusion

Deploying your own Vaultwarden server is the best way to permanently solve the privacy and sovereignty issue of your data. You eliminate dependency on third-party B2B platforms, remove corporate leak risks, and gain full premium business-class functionality completely free of charge.

Since Vaultwarden is written in Rust, it does not require colossal CPU computing power. The core requirements for stable operation and instant key synchronization across all devices are a 24/7 server uptime and a static IP address.


Article Author: Anatolie Cohaniuc