Vaultwarden Installation: Lightweight Bitwarden
Vaultwarden is a lightweight, Rust-based implementation of the Bitwarden password manager server, offering significantly lower resource requirements than the official Bitwarden server. Perfect for small deployments and resource-constrained environments, Vaultwarden maintains full compatibility with Bitwarden clients. This guide covers Docker installation, Nginx configuration, SSL setup, admin panel, user management, and backup strategy.
Table of Contents
- Prerequisites
- System Requirements
- Docker Installation
- Vaultwarden Deployment
- Nginx Configuration
- SSL Certificate Setup
- Admin Panel Setup
- User Management
- Backup and Updates
- Troubleshooting
- Conclusion
Prerequisites
Ensure you have:
- Ubuntu 20.04 LTS or later
- Root or sudo access
- A registered domain name
- Minimum 1GB RAM (2GB+ recommended)
- 10GB available disk space
- Basic Linux administration knowledge
Update system:
sudo apt update && sudo apt upgrade -y
System Requirements
Verify system specifications:
Check OS version:
cat /etc/os-release
uname -m
Check available resources:
free -h
df -h
Docker Installation
Install Docker and Docker Compose:
sudo apt install -y docker.io docker-compose
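Add user to docker group (members can start containers that mount the host filesystem, which is equivalent to root access, so add only administrator accounts):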
sudo usermod -aG docker $USER
newgrp docker
Verify installation:
docker --version
docker-compose --version
Start Docker:
sudo systemctl start docker
sudo systemctl enable docker
Vaultwarden Deployment
Create Vaultwarden directory:
sudo mkdir -p /opt/vaultwarden
cd /opt/vaultwarden
Create docker-compose.yml:
sudo nano docker-compose.yml
Add configuration:
version: '3'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    restart: always
    ports:
      # Loopback only: Nginx owns host ports 80/443 and proxies to this port
      - "127.0.0.1:8080:80"
    volumes:
      - /opt/vaultwarden/data:/data
    environment:
      DOMAIN: https://vault.example.com
      SIGNUPS_ALLOWED: "false"
      INVITATIONS_ORG_ALLOW: "true"
      SHOW_PASSWORD_HINT: "false"
      LOG_LEVEL: info
      LOG_FILE: /data/vaultwarden.log
      EXTENDED_LOGGING: "true"
      EXTENDED_LOGGING_FILE: /data/vaultwarden-extended.log
      # SQLite takes a plain file path
      DATABASE_URL: /data/db.sqlite3
      # Compose does not run shell commands, so the token cannot be generated inline.
      # Put ADMIN_TOKEN=<output of: openssl rand -base64 32> in /opt/vaultwarden/.env (chmod 600).
      ADMIN_TOKEN: "${ADMIN_TOKEN}"
      ICON_CACHE_TTL: 2592000
      ICON_CACHE_NEGTTL: 259200
      ICON_DOWNLOAD_TIMEOUT: 10
      INCOMPLETE_2FA_TIME_LIMIT: 3
      # Boolean values must be quoted: Compose accepts only strings, numbers or null here
      INCOMPLETE_2FA_TIME_LIMIT_MS: "false"
      TRASH_AUTO_DELETE_DAYS: 30
      TRASH_AUTO_DELETE_MS: "false"
      DISABLE_ICON_DOWNLOAD: "false"
      ICON_BLACKLIST_REGEX: "^https?://127\\.0|^https?://10\\.|^https?://172\\.(1[6-9]|2[0-9]|3[01])\\.|^https?://192\\.168\\.|^https?://localhost"
      ALLOWED_IFRAME_ANCESTORS: ""
      RELOAD_TEMPLATES: "false"
      LOG_LEVEL_DB: "warning"
Create data directory:
sudo mkdir -p /opt/vaultwarden/data
Start Vaultwarden container:
docker-compose up -d
Verify container is running:
docker-compose ps
docker-compose logs -f vaultwarden
Wait for initialization to complete.
Nginx Configuration
Install Nginx:
sudo apt install -y nginx
Create Nginx configuration:
sudo nano /etc/nginx/sites-available/vaultwarden
Add configuration:
upstream vaultwarden {
    # Matches the loopback port published in docker-compose.yml
    server 127.0.0.1:8080;
}
# Redirect all plain HTTP requests to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name vault.example.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name vault.example.com;
    ssl_certificate /etc/letsencrypt/live/vault.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vault.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Upper bound for uploads such as file attachments
    client_max_body_size 100M;
    location / {
        proxy_pass http://vaultwarden;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }
    # WebSocket endpoint used for live sync notifications
    location /notifications/hub {
        proxy_pass http://vaultwarden;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    # Login endpoint
    location /identity/connect/token {
        proxy_pass http://vaultwarden;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
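Enable site. The HTTPS server block references certificate files that do not exist until the next section has been completed, so nginx -t fails on them until then; run it again once the certificate has been issued:
sudo ln -s /etc/nginx/sites-available/vaultwarden /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl start nginx
sudo systemctl enable nginx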
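A check to run against /opt/vaultwarden/docker-compose.yml before the proxy is exposed, added here as an example (not part of the original guide or of Vaultwarden). It flags a published port that is not bound to loopback, an ADMIN_TOKEN written as a shell substitution, open signups, and a non-HTTPS DOMAIN; the function name `vw_compose_lint` and the finding labels are hypothetical, and parsing is line-based.

```shell
#!/bin/sh
# Added example: vw_compose_lint is a hypothetical helper, not a Vaultwarden tool.
# Usage: vw_compose_lint [FILE]   (reads stdin when FILE is omitted)
# Prints one finding per line; exit status 0 = clean, 1 = findings.
vw_compose_lint() {
    awk -v q="'" '
        # Value after "KEY:", without quotes or trailing blanks.
        function val(line,   v) {
            v = line
            sub(/^[^:]*:[ \t]*/, "", v)
            sub(/[ \t\r]+$/, "", v)
            gsub("[\"" q "]", "", v)
            return v
        }
        function flag(msg) { print msg; n++ }
        /^[ \t]*#/      { next }                 # skip comment lines
        /^[ \t]*ports:/ { in_ports = 1; next }
        in_ports && /^[ \t]*-/ {                 # one published port mapping
            p = $0
            sub(/^[ \t]*-[ \t]*/, "", p)
            gsub("[\"" q "]", "", p)
            # Not bound to loopback: reachable without Nginx and TLS.
            if (p !~ /^127\.0\.0\.1:/) flag("PORT_NOT_LOOPBACK " p)
            next
        }
        { in_ports = 0 }
        # Compose does not run shell commands, so this is never a random token.
        /^[ \t]*ADMIN_TOKEN:/     { if (val($0) ~ /\$\(/) flag("ADMIN_TOKEN_SHELL_SUBSTITUTION") }
        /^[ \t]*SIGNUPS_ALLOWED:/ { if (val($0) != "false") flag("SIGNUPS_OPEN") }
        /^[ \t]*DOMAIN:/          { if (val($0) !~ /^https:\/\//) flag("DOMAIN_NOT_HTTPS") }
        END { exit (n > 0) }
    ' "${1:--}"
}

# Constructed sample (not from a real deployment).
vw_compose_lint <<'EOF' || true
ports:
  - "80:80"
environment:
  DOMAIN: https://vault.example.com
  SIGNUPS_ALLOWED: "false"
  ADMIN_TOKEN: $(openssl rand -base64 32)
EOF
```
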
SSL Certificate Setup
Install Certbot:
sudo apt install -y certbot python3-certbot-nginx
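Obtain SSL certificate (standalone mode binds port 80 itself, so the hooks stop Nginx while the certificate is issued and start it again afterwards; Certbot saves them and reuses them on renewal):
sudo certbot certonly --standalone --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" -d vault.example.com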
Verify certificate:
sudo openssl x509 -in /etc/letsencrypt/live/vault.example.com/fullchain.pem -noout -dates
Set up auto-renewal:
sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer
Admin Panel Setup
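Generate admin token (this is the value the container receives as ADMIN_TOKEN; anyone holding it has full control of the admin panel, so keep it out of shared notes and shell history):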
openssl rand -base64 32
Access admin panel:
Navigate to https://vault.example.com/admin
Log in with generated admin token.
Configure admin settings:
- Organization
  - Create organization
  - Set organization name
- Users
  - Invite users
  - Manage permissions
  - Enable/disable accounts
- Settings
  - Configure signups policy
  - Set password requirements
  - Configure 2FA
User Management
Invite users to Vaultwarden:
- Admin Panel → Users
- Click "Invite User"
- Enter email address
- Send invitation
Users accept invitation:
- Click invitation link
- Create master password
- Activate account
Create organization:
- Admin Panel → Organizations
- Click "New Organization"
- Set organization details
- Invite members
Configure collection sharing:
- Organization → Collections
- Create collection
- Add items to collection
- Share with team members
Backup and Updates
Create backup script:
sudo nano /usr/local/bin/vaultwarden-backup.sh
Add:
#!/bin/bash
set -euo pipefail
# Archives contain the whole vault database: create them owner-only
umask 077
BACKUP_DIR="/backups/vaultwarden"
VAULTWARDEN_DIR="/opt/vaultwarden"
DATE=$(date +%Y%m%d_%H%M%S)
mkdir -p "$BACKUP_DIR"
# Stop Vaultwarden so the SQLite files are not modified during the copy
docker-compose -f "$VAULTWARDEN_DIR/docker-compose.yml" stop
# Start Vaultwarden again on exit, even if the archive step fails
trap 'docker-compose -f "$VAULTWARDEN_DIR/docker-compose.yml" start' EXIT
# Data backup
tar -czf "$BACKUP_DIR/vaultwarden-data-$DATE.tar.gz" "$VAULTWARDEN_DIR/data"
# Keep only 30 days
find "$BACKUP_DIR" -type f -mtime +30 -delete
echo "Backup completed: $DATE"
Make executable:
sudo chmod +x /usr/local/bin/vaultwarden-backup.sh
Schedule daily backups:
sudo crontab -e
Add:
0 2 * * * /usr/local/bin/vaultwarden-backup.sh >> /var/log/vaultwarden-backup.log 2>&1
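One way to confirm that an archive written by the backup script can actually be restored, added here as an example (not part of the original guide or of Vaultwarden). It checks that the file is not accessible to group or others, that the gzip/tar stream reads end to end, and that it contains a data/db.sqlite3 beginning with the SQLite header; the function name `vw_backup_check` and the finding labels are hypothetical.

```shell
#!/bin/sh
# Added example: vw_backup_check is a hypothetical helper, not part of Vaultwarden.
# Usage: vw_backup_check ARCHIVE.tar.gz
# Prints one finding per line; returns 0 when the archive looks restorable, 1 otherwise.
vw_backup_check() {
    _a=$1; _bad=0
    [ -f "$_a" ] || { echo "ARCHIVE_MISSING"; return 1; }
    # 1. The archive holds the whole vault: no access for group or others.
    case $(ls -ld -- "$_a" | cut -c5-10) in
        ------) ;;
        *) echo "ARCHIVE_READABLE_BY_OTHERS"; _bad=1 ;;
    esac
    # 2. The gzip stream and tar structure must read end to end.
    if ! _list=$(tar -tzf "$_a" 2>/dev/null); then
        echo "ARCHIVE_CORRUPT"; return 1
    fi
    # 3. The database must be inside (absolute or relative archive layout).
    _db=$(printf '%s\n' "$_list" | grep -E '(^|/)data/db\.sqlite3$' | head -n 1)
    if [ -z "$_db" ]; then
        echo "DB_MISSING"; return 1
    fi
    # 4. The stored file must start with the SQLite header string.
    _magic=$(tar -xzOf "$_a" "$_db" 2>/dev/null | head -c 15)
    [ "$_magic" = "SQLite format 3" ] || { echo "DB_NOT_SQLITE"; _bad=1; }
    return "$_bad"
}

# Constructed demo: a stand-in data directory, not a real vault.
_t=$(mktemp -d)
mkdir -p "$_t/data"
printf 'SQLite format 3\000constructed sample' > "$_t/data/db.sqlite3"
( umask 077; tar -czf "$_t/good.tar.gz" -C "$_t" data )
vw_backup_check "$_t/good.tar.gz" && echo "backup OK"
rm -rf "$_t"
```
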
Update Vaultwarden:
cd /opt/vaultwarden
docker-compose pull
docker-compose down
docker-compose up -d
Monitor logs:
docker-compose logs -f vaultwarden
Troubleshooting
Check container status:
docker-compose ps
View container logs:
docker-compose logs vaultwarden
docker-compose logs -f vaultwarden
Restart container:
docker-compose restart vaultwarden
Test connectivity:
curl -s https://vault.example.com | head -20
Check Nginx configuration:
sudo nginx -t
sudo systemctl status nginx
Conclusion
Vaultwarden is now deployed as a lightweight, self-hosted password manager. With minimal resource consumption, Nginx reverse proxy, SSL encryption, and full Bitwarden compatibility, you have an efficient password vault solution. Create organizations, manage users, and maintain strong password policies. Regular backups ensure password recovery and data protection. Vaultwarden's low resource footprint makes it perfect for small teams and resource-constrained environments.


