SumGuy's Ramblings

Vaultwarden Organization Sharing: Password Management for Your Whole Household (or Team)

Everyone in Your House Needs Password Manager Access, Not Just You

You set up Vaultwarden. You migrated off LastPass (good call). Your passwords are encrypted, self-hosted, backed up. You’re feeling smug.

Then you get a call: “Hey, what’s the WiFi password? Also what’s that streaming service thing called? And do you have the insurance portal login?”

Password managers stop being a personal tool the moment you live with other people or work on a team. Vaultwarden’s organizations feature exists specifically for this — it’s how you share credentials without texting passwords or maintaining a shared “family passwords” text file on Google Drive (please stop doing that).

Vaultwarden vs Official Bitwarden Organizations

First, some context. Vaultwarden is an unofficial, compatible reimplementation of the Bitwarden server API. It runs on a fraction of the resources and unlocks features that Bitwarden officially charges for — including organizations with unlimited members.

With official Bitwarden cloud:

With Vaultwarden (self-hosted):

The trade-off: you’re responsible for uptime, backups, and updates. If your Vaultwarden instance goes down at 2 AM, that’s your problem to fix. Acceptable for a homelab; think twice before putting your whole company on it without redundancy.

Understanding the Data Model: Organizations, Collections, Items

Bitwarden’s sharing model has three layers:

Organization: The container for sharing. You create one, give it a name (e.g., “Household” or “Startup Team”), and invite members. An organization owns the shared vault.

Collections: Like folders inside the organization vault. You might have: “Home Services,” “Financial,” “Streaming,” “Work Shared.” Collections are what you grant permissions on.

Items: Individual credentials, secure notes, cards, or identities. Items live in collections.

Members get access to collections, not individual items. So “Jim can access the Streaming collection” — not “Jim can see Netflix but not Disney+.” If you need that granularity, make separate collections.

Setting Up an Organization

In Vaultwarden’s admin panel or through the Bitwarden app:

  1. In the Bitwarden app: go to your vault, tap the Organizations section, “New Organization”
  2. Give it a name. Set the billing plan to “Free” (Vaultwarden ignores billing limits)
  3. You’re the owner.

Or, if you’re feeling programmatic, point the Bitwarden CLI at your Vaultwarden instance:

# Point the CLI at your instance, then log in to get an access token
bw config server https://vault.yourdomain.com
bw login

# "bw create" only accepts item, attachment, folder and org-collection,
# so create the organization itself in the app, then confirm the CLI sees it
bw list organizations

Inviting Family Members

In the Bitwarden app, go to the organization → Members → Invite Member → enter their email.

They’ll receive an email invite. Two things have to happen before they get access:

  1. They accept the invite (click the link in the email)
  2. You confirm them in the Members panel (a second step that verifies you meant to invite them)

This two-step is intentional — it prevents someone accepting an invite you sent to a typo’d address from accessing your shared vault.

Roles available

Role      Can do
User      Access assigned collections, manage own items
Manager   Manage collections and items in assigned collections
Admin     Manage collections, members, and groups
Owner     Full control, billing (you)
Custom    Granular permission set

For household use: everyone else gets “User” access to the collections they need. No reason to give your partner Manager access unless they’re helping you admin the thing.

Creating and Assigning Collections

In the organization, go to Collections → New Collection. Create whatever groupings make sense:

When you create or move an item, assign it to a collection. Items NOT in a collection are invisible to regular members — they stay in your personal “organizational vault” visible only to admins.

Assign members to collections:

Family member who just needs to look things up but shouldn’t be editing? Read only. Trusted co-admin? Read/Write.

The bw CLI: For When You Don’t Want to Click Things

The official Bitwarden CLI works with Vaultwarden. Install it:

# Debian/Ubuntu
wget "https://vault.bitwarden.com/download/?app=cli&platform=linux" -O bw.zip
unzip bw.zip && chmod +x bw && sudo mv bw /usr/local/bin/

# Set server to your Vaultwarden instance
bw config server https://vault.yourdomain.com
bw login
bw unlock  # Get a session key
export BW_SESSION="your-session-key"

Search and retrieve:

# Find an item
bw list items --search "netflix" | jq '.[0].login.password'

# Get organization items
bw list items --organizationid "your-org-id" | jq '.[] | {name: .name, username: .login.username}'

# Sync vault
bw sync

Create shared items via CLI:

# Create an item in JSON, then add to org collection
cat <<EOF | bw encode | bw create item
{
  "type": 1,
  "name": "Netflix",
  "login": {
    "username": "family@email.com",
    "password": "hunter2",
    "uris": [{"uri": "https://netflix.com"}]
  },
  "organizationId": "your-org-id",
  "collectionIds": ["your-collection-id"]
}
EOF

Useful in scripts — rotate a shared service credential, push the new one to Vaultwarden programmatically.

TOTP in Vaultwarden

Vaultwarden supports storing TOTP (2FA) secrets alongside passwords. This is controversial — some argue you shouldn’t store TOTP and password in the same place (if the vault is compromised, attacker has both factors).

That’s a valid concern. My take: for non-critical services (streaming, etc.) the convenience is worth it. For banking, email, and anything sensitive — store TOTP separately in a dedicated 2FA app (Aegis on Android, Raivo on iOS).

To add TOTP: when editing an item, there’s an “Authenticator key (TOTP)” field. Paste the TOTP secret there. Vaultwarden generates the 6-digit codes in the app.
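The two sharing caveats above can be checked mechanically: organization items that sit in no collection (so regular members never see them) and logins that keep the TOTP secret next to the password. This is an added example, not code from the original post; the sample data, item names and collection IDs are constructed, and it assumes the item JSON shape shown in the CLI section plus the CLI's `login.totp` field.

```python
import json

# Constructed sample shaped like `bw list items --organizationid <id>` output.
# Every name, ID and secret below is made up for this example.
SAMPLE_ITEMS = json.loads("""
[
 {"type": 1, "name": "Netflix", "organizationId": "org-1",
  "collectionIds": ["col-streaming"],
  "login": {"username": "family@email.com", "password": "x",
            "totp": "JBSWY3DPEHPK3PXP"}},
 {"type": 1, "name": "Bank", "organizationId": "org-1",
  "collectionIds": ["col-financial"],
  "login": {"username": "me", "password": "x", "totp": "JBSWY3DPEHPK3PXP"}},
 {"type": 1, "name": "Old router", "organizationId": "org-1",
  "collectionIds": [],
  "login": {"username": "admin", "password": "x", "totp": null}},
 {"type": 2, "name": "WiFi note", "organizationId": "org-1",
  "collectionIds": ["col-home"]}
]
""")


def audit_items(items, sensitive_collections):
    """Return (unassigned, totp_with_password) as lists of item names.

    unassigned: org items in no collection, invisible to regular members.
    totp_with_password: logins in a sensitive collection that store the TOTP
    secret beside the password, so one vault holds both factors.
    """
    sensitive = set(sensitive_collections)
    unassigned, totp_with_password = [], []
    for item in items:
        collections = set(item.get("collectionIds") or [])
        if item.get("organizationId") and not collections:
            unassigned.append(item["name"])
        login = item.get("login") or {}  # notes, cards, identities have none
        if login.get("password") and login.get("totp") and collections & sensitive:
            totp_with_password.append(item["name"])
    return unassigned, totp_with_password


if __name__ == "__main__":
    orphans, both_factors = audit_items(SAMPLE_ITEMS, {"col-financial"})
    # Only names are printed; secrets never leave the parsed structure.
    print("Not in any collection:", orphans)
    print("Password and TOTP together:", both_factors)
```

To run it against a real vault, replace `SAMPLE_ITEMS` with the parsed output of `bw list items --organizationid "your-org-id"` and pass the IDs of the collections you treat as sensitive.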

Emergency Access

Vaultwarden supports Bitwarden’s Emergency Access feature. You can designate a trusted contact who can request access to your vault in an emergency. You set a wait period (14 days is standard) — if you don’t deny the request within that window, access is granted.

Enable it: Settings → Emergency Access → Add Emergency Contact → enter their email, set wait period, set access level (View or Takeover).

Useful for: making sure a spouse or trusted person can access everything if something happens to you. Slightly morbid to set up, genuinely important.

Admin Panel Tips

Vaultwarden has an admin panel at /admin (enable it by setting ADMIN_TOKEN env var):

environment:
  - ADMIN_TOKEN=your-secure-admin-token

Useful things in the admin panel:

Disable open registration immediately after onboarding everyone:

environment:
  - SIGNUPS_ALLOWED=false

Backup and Restore

Vaultwarden stores everything in a SQLite database (default) at /data/db.sqlite3. Back this up:

# Simple SQLite backup (.backup is safe to run while Vaultwarden is running)
sqlite3 /data/db.sqlite3 ".backup '/backup/vaultwarden-$(date +%Y%m%d).sqlite3'"

Or back up the entire /data directory, which includes attachments and the database.

Restore: stop Vaultwarden, replace db.sqlite3 with your backup, restart. That’s it.

Test your restores occasionally. A backup you’ve never restored is a backup you don’t have.
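One way to automate that restore test, as an added example that is not part of the original post: take the backup through SQLite's online-backup API, then reopen the copy read-only and check that it is intact and holds data. The table names `users` and `ciphers` and the sample database are assumptions made for this example; pass whichever tables you expect in your own db.sqlite3.

```python
import sqlite3


def online_backup(live_path, backup_path):
    """Copy a live SQLite database using the same online-backup API as .backup."""
    src, dst = sqlite3.connect(live_path), sqlite3.connect(backup_path)
    try:
        src.backup(dst)
    finally:
        src.close()
        dst.close()


def verify_backup(backup_path, required_tables):
    """Open a backup read-only; return a list of problems (empty means usable)."""
    problems = []
    try:
        conn = sqlite3.connect(f"file:{backup_path}?mode=ro", uri=True)
    except sqlite3.Error as exc:
        return [f"cannot open: {exc}"]
    try:
        status = conn.execute("PRAGMA integrity_check").fetchone()[0]
        if status != "ok":
            problems.append(f"integrity_check: {status}")
        present = {row[0] for row in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")}
        for table in required_tables:
            if table not in present:
                problems.append(f"missing table: {table}")
            elif conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0] == 0:
                problems.append(f"empty table: {table}")
    except sqlite3.DatabaseError as exc:
        # Truncated or non-SQLite files fail here, on the first real read.
        problems.append(f"unreadable: {exc}")
    finally:
        conn.close()
    return problems


def make_sample_db(path):
    """Constructed stand-in for db.sqlite3; table names are assumptions."""
    conn = sqlite3.connect(path)
    conn.executescript(
        "CREATE TABLE users (email TEXT);"
        "INSERT INTO users VALUES ('a@example.com');"
        "CREATE TABLE ciphers (name TEXT);"
        "INSERT INTO ciphers VALUES ('Netflix');")
    conn.close()
```

Run `verify_backup` from the backup job itself and fail the job if the list is not empty; it does not replace an occasional full restore into a scratch Vaultwarden instance.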

