Bitwarden Self-Hosted Password Manager
Bitwarden is an open-source password management solution providing secure storage and synchronization of passwords, login credentials, and sensitive data across devices. With self-hosted deployment, organizations maintain complete control over their password infrastructure and user data. This guide covers Docker deployment, SSL configuration, admin panel setup, user management, and backup strategy.
Table of Contents
- Prerequisites
- System Requirements
- Docker Installation
- Bitwarden Deployment
- Nginx Configuration
- SSL Certificate Setup
- Admin Panel Configuration
- User Management
- Organization Setup
- Backup Strategy
- Conclusion
Prerequisites
Ensure you have:
- Ubuntu 20.04 LTS or later
- Root or sudo access
- A registered domain name
- Minimum 2GB RAM (4GB+ recommended)
- 15GB available disk space
- Basic Linux administration knowledge
Update system:
sudo apt update && sudo apt upgrade -y
System Requirements
Verify system specifications:
Check OS version:
cat /etc/os-release
uname -m
Check available resources:
free -h
df -h
Docker Installation
Install Docker and Docker Compose:
sudo apt install -y docker.io docker-compose
Add user to docker group:
sudo usermod -aG docker $USER
newgrp docker
Verify installation:
docker --version
docker-compose --version
Start Docker:
sudo systemctl start docker
sudo systemctl enable docker
Bitwarden Deployment
Create Bitwarden directory:
sudo mkdir -p /opt/bitwarden
sudo chown "$USER": /opt/bitwarden
cd /opt/bitwarden
Create docker-compose.yml:
nano docker-compose.yml
Add configuration:
version: '3'
services:
  bitwarden:
    # bitwardenrs/server is the former name of the community Vaultwarden image
    # (now published as vaultwarden/server)
    image: bitwardenrs/server:latest
    restart: always
    ports:
      # Loopback only: Nginx on the host owns ports 80/443 and terminates TLS
      - "127.0.0.1:8080:80"
    volumes:
      - /opt/bitwarden/data:/data
      - /opt/bitwarden/ssl:/ssl
    environment:
      DOMAIN: https://vault.example.com
      SIGNUPS_ALLOWED: "false"
      INVITATIONS_ORG_ALLOW: "true"
      SHOW_PASSWORD_HINT: "false"
      LOG_LEVEL: info
      LOG_FILE: /data/bitwarden.log
      EXTENDED_LOGGING: "true"
      DATABASE_URL: sqlite:///data/db.sqlite3
    labels:
      - "com.example.description=Bitwarden Password Manager"
Create data directory:
mkdir -p /opt/bitwarden/data
mkdir -p /opt/bitwarden/ssl
Start Bitwarden container:
docker-compose up -d
Verify container is running:
docker-compose ps
docker-compose logs -f bitwarden
Wait for initialization to complete.
Nginx Configuration
Install Nginx:
sudo apt install -y nginx
Create Nginx configuration:
sudo nano /etc/nginx/sites-available/bitwarden
Add configuration:
# Bitwarden container, published on loopback by docker-compose.yml
upstream bitwarden {
    server 127.0.0.1:8080;
}

# Redirect all plain HTTP to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name vault.example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name vault.example.com;

    ssl_certificate /etc/letsencrypt/live/vault.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vault.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    client_max_body_size 100M;

    location / {
        proxy_pass http://bitwarden;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }

    # WebSocket notifications need the Upgrade handshake passed through
    location /notifications/hub {
        proxy_pass http://bitwarden;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
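Enable site (nginx -t fails until the certificate files named in the configuration exist, so obtain the certificate under SSL Certificate Setup before running these commands):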
sudo ln -s /etc/nginx/sites-available/bitwarden /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl start nginx
sudo systemctl enable nginx
SSL Certificate Setup
Install Certbot:
sudo apt install -y certbot python3-certbot-nginx
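Obtain SSL certificate (the --standalone authenticator listens on port 80 itself, so Nginx must not be running while this command runs):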
sudo certbot certonly --standalone -d vault.example.com
Verify certificate:
sudo openssl x509 -in /etc/letsencrypt/live/vault.example.com/fullchain.pem -noout -dates
Set up auto-renewal:
sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer
Admin Panel Configuration
Access Bitwarden admin panel:
Navigate to https://vault.example.com/admin
The first time, you'll need to set a master password.
Configure admin settings:
- Settings → General
  - Organization invitations allowed
  - Allow signups (set to false for security)
  - Password hint display
- Settings → Mail
  - Configure email sender
  - SMTP server details
- Settings → Backup
  - Download backup configuration
User Management
Invite users to Bitwarden:
- Admin Panel → Users
- Click "Invite User"
- Enter email address
- User receives invitation via email
Accept invitation:
- Click invitation link in email
- Create master password
- Activate account
Create organization:
- Click "New Organization"
- Set organization name
- Invite users to organization
- Configure permissions
Configure user permissions:
- Go to Organization → Members
- Set access level for each user:
  - Owner
  - Admin
  - User
  - Manager
Organization Setup
Create collections:
- Organization → Collections
- Click "New Collection"
- Name collection (Teams, Finance, etc.)
- Assign users access
Add items to collection:
- Login as member
- Click "+" to create item
- Select collection
- Add credentials or secure notes
Configure collection permissions:
- Organization → Collections
- Set read/edit permissions per collection
- Manage user access levels
Backup Strategy
Create backup script:
sudo nano /usr/local/bin/bitwarden-backup.sh
Add:
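#!/bin/bash
set -euo pipefail
# The archive contains the whole vault data directory: create it owner-only
umask 077
BACKUP_DIR="/backups/bitwarden"
BITWARDEN_DIR="/opt/bitwarden"
DATE=$(date +%Y%m%d_%H%M%S)
mkdir -p "$BACKUP_DIR"
# Start Bitwarden again when the script exits, even if a step below fails
trap 'docker-compose -f "$BITWARDEN_DIR/docker-compose.yml" start' EXIT
# Stop Bitwarden so the SQLite database is not written to during the copy
docker-compose -f "$BITWARDEN_DIR/docker-compose.yml" stop
# Data backup
tar -czf "$BACKUP_DIR/bitwarden-data-$DATE.tar.gz" "$BITWARDEN_DIR/data"
# Keep only 30 days
find "$BACKUP_DIR" -type f -mtime +30 -delete
echo "Backup completed: $DATE"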
Make executable:
sudo chmod +x /usr/local/bin/bitwarden-backup.sh
Schedule daily backups:
sudo crontab -e
Add:
0 2 * * * /usr/local/bin/bitwarden-backup.sh >> /var/log/bitwarden-backup.log 2>&1
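A scheduled backup is only useful if the archive can be restored. The check below is an added example, not part of the original guide or of Bitwarden: verify_backup (a hypothetical helper name) confirms that an archive written by the backup script is private to its owner, reads cleanly to the end, and contains a SQLite database. It assumes the stat and tar versions shipped with Ubuntu.

```shell
#!/bin/bash
# Added example: sanity-check one archive written by bitwarden-backup.sh.
# verify_backup is a hypothetical helper, not a Bitwarden command.
# Return codes: 0 ok, 1 missing, 2 too open, 3 corrupt, 4 no database,
# 5 database file is not SQLite.

verify_backup() {
    local archive="$1" member magic mode

    [ -s "$archive" ] || { echo "FAIL: missing or empty: $archive"; return 1; }

    # The archive holds the whole data directory, so group and others
    # must have no access to it.
    mode=$(stat -c '%a' "$archive")
    case "$mode" in
        ?00) ;;
        *) echo "FAIL: mode $mode is too open (want 600)"; return 2 ;;
    esac

    # Listing forces gzip and tar to read to the end of the file,
    # which catches truncated or interrupted copies.
    tar -tzf "$archive" >/dev/null 2>&1 \
        || { echo "FAIL: corrupt archive"; return 3; }

    # tar strips the leading "/", so the database is stored as
    # opt/bitwarden/data/db.sqlite3; match on the trailing path.
    member=$(tar -tzf "$archive" | grep -E '(^|/)data/db\.sqlite3$' | head -n 1)
    [ -n "$member" ] || { echo "FAIL: db.sqlite3 not in archive"; return 4; }

    # Every SQLite database file begins with the text "SQLite format 3".
    magic=$(tar -xzOf "$archive" "$member" 2>/dev/null | head -c 15)
    [ "$magic" = "SQLite format 3" ] \
        || { echo "FAIL: $member is not a SQLite file"; return 5; }

    echo "OK: $archive ($member)"
}
```

Call it as verify_backup /backups/bitwarden/bitwarden-data-DATE.tar.gz after a backup run, where DATE stands for the timestamp in the archive name; a non-zero return code identifies which check failed.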
Update Bitwarden:
cd /opt/bitwarden
docker-compose pull
docker-compose down
docker-compose up -d
Monitor container health:
docker-compose logs -f bitwarden
docker stats $(docker-compose ps -q bitwarden)
Test password vault:
- Navigate to https://vault.example.com
- Create test account (if signups enabled)
- Add test password entry
- Verify sync across devices
Conclusion
Bitwarden is now fully deployed as a self-hosted password management solution. With Docker containerization, SSL encryption, and admin panel control, you have a secure password vault. Create organizations, manage user permissions, and enforce strong password policies. Regular backups ensure password recovery and data protection. Maintain security by keeping Bitwarden updated and monitoring access logs.


