Vaultwarden vs Bitwarden: Own Your Passwords Before Someone Else Does

Your Passwords Are Living in Someone Else’s House. Let’s Fix That.

Let’s set the scene. It’s 2022. You’ve been a loyal LastPass user for years. You trusted them with the keys to your entire digital life — banking passwords, email logins, the password to that forum you signed up for in 2009 and definitely don’t want anyone to find. Then you get an email. LastPass had a breach. Not just any breach — attackers got encrypted vault data, billing information, and a smattering of metadata that would make a threat actor very, very happy.

“But the vaults were encrypted!” the PR team reassured you. Sure. Encrypted with your master password. Which, if it was weak or reused anywhere, is now being cracked on a GPU farm somewhere. And did I mention LastPass was also storing password reminder hints in plain text? Like, your vault is locked behind AES-256, but there’s a sticky note on the front door that says “it’s your dog’s name + your birth year.”

This is why we self-host.

The Case for Self-Hosting Your Password Manager

Password managers are arguably the most sensitive piece of software you use. Every secret you have — every account, every service, every thing you’d be upset to lose — lives in there. Trusting that to a third-party cloud service is a legitimate risk. Not a paranoid-tin-foil-hat risk. An actual, documented, “this happened multiple times” risk.

When you self-host, you control:

Where the data lives (your server, your drive, your backup)
Who has access (just you, unless you set up sharing)
When updates happen (you decide, not a vendor’s release cycle)
What happens to your data if the company folds, pivots, or gets acquired

The tradeoff is you’re now the sysadmin. But honestly, if you’re reading a blog that lives under the tagline “the art of wasting time,” you’re probably fine with that.

Enter Bitwarden — The Good Guy of Password Managers

Bitwarden is open source, audited, and genuinely one of the best password managers available. The client apps are excellent — browser extensions, mobile apps, desktop clients, CLI — all of it is polished and cross-platform. The code is public, which means the security community can (and does) poke at it.

Bitwarden offers a hosted service if you want that, but critically, they also let you self-host. The official self-hosted option gives you the full stack running on your own hardware. That’s the real Bitwarden server, written by Bitwarden, doing exactly what the cloud version does — minus the monthly subscription fee.

There’s just one catch: the official self-hosted stack is… a lot.

Bitwarden Self-Hosted: The Real Thing, Heavy and Proud

The official Bitwarden self-hosted installation is not lightweight. It’s a Docker Compose stack with somewhere around 10+ containers, including its own MSSQL database (yes, Microsoft SQL Server — on your Linux home server, just sitting there), nginx, an admin portal, API services, identity services, and more.

This isn’t a criticism exactly — it’s the actual production architecture, so of course it has all the pieces. If you’re running a small business, deploying for a team, or need enterprise features like SSO integration, directory sync, or SCIM provisioning, this is your jam. The official stack supports all of that.

But if you’re a home user who just wants to stop using LastPass and store your own passwords safely? Running MSSQL for one person feels like arriving at a backyard BBQ in a catering van.

Minimum specs for Bitwarden official: 2GB RAM recommended, a couple of GB of disk just for the containers, and a server that can actually handle it. Possible on a VPS or a beefier home server, but it’s not something you’re spinning up on a Raspberry Pi Zero.

When to choose official Bitwarden self-hosted:

You need enterprise features (SSO, SCIM, policies)
You’re deploying for a team or organization
You want the exact same codebase as the cloud version
You have the resources (RAM, disk) to run the full stack

Vaultwarden: The Scrappy Rust Reimplementation That Runs on Anything

Here’s where it gets fun. A developer decided to reimplement the Bitwarden server API in Rust. Not the clients — those are still official Bitwarden clients, unchanged. Just the server side. The result is Vaultwarden (formerly known as bitwarden_rs), and it is an absolute unit of a small application.

We’re talking roughly 10MB of RAM at idle. A single Docker container. SQLite by default (with PostgreSQL/MySQL support if you want it). Full compatibility with all official Bitwarden clients — browser extensions, mobile apps, desktop clients, the CLI. Everything just works because it speaks the same API.

Vaultwarden isn’t an official Bitwarden project. It’s a community project, reverse-engineered from the API. That comes with a caveat: it may lag behind when Bitwarden pushes new features. But in practice, it’s kept up very well, and for the features most people actually use day-to-day, it’s completely solid.

What Vaultwarden supports:

Password storage and management (obviously)
Organizations and shared collections
TOTP/authenticator integration
Emergency access
Sends (encrypted file/text sharing)
Admin panel via web UI
Email notifications
Admin token authentication

What it doesn’t support (at least not without a Bitwarden Premium license workaround):

Some premium features like hardware key (FIDO2) support requires Bitwarden Premium on the client side, though Vaultwarden can override this for self-hosted users

For most self-hosters, Vaultwarden is the obvious choice. It’s the Nginx of the password manager world — lean, fast, does the job, and you can actually run it on the same VPS as three other services without everything falling over.

Setting Up Vaultwarden with Docker Compose

Here’s a working Compose setup to get you going:

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    volumes:
      - ./vaultwarden-data:/data
    environment:
      DOMAIN: "https://vault.yourdomain.com"
      SIGNUPS_ALLOWED: "false"        # disable after you create your account
      ADMIN_TOKEN: "your-very-secret-admin-token"
      SMTP_HOST: "smtp.yourmailprovider.com"
      SMTP_FROM: "vault@yourdomain.com"
      SMTP_PORT: "587"
      SMTP_SECURITY: "starttls"
      SMTP_USERNAME: "your-smtp-user"
      SMTP_PASSWORD: "your-smtp-password"
    ports:
      - "127.0.0.1:8080:80"

  # Pair with your reverse proxy of choice (Caddy, nginx, Traefik)

A few important notes on this config:

Set SIGNUPS_ALLOWED: "false" after you create your account. Leaving open signups on a public server means anyone who finds your URL can create a vault. You don’t want that.

The admin panel is at /admin with your ADMIN_TOKEN. From there you can manage users, invite people by email, view diagnostics, and override premium features for your users.

DOMAIN matters. Vaultwarden uses it to construct links in emails and for proper HTTPS validation. Get it right.

SSL Is Not Optional

This is non-negotiable. Bitwarden clients (including Vaultwarden-compatible ones) require HTTPS. The browser extension will flat-out refuse to connect to an HTTP server. This is a feature, not a bug — you’re storing passwords here.

If you’re exposing this to the internet: put it behind a reverse proxy with a real TLS cert. Caddy makes this trivially easy with automatic Let’s Encrypt. Nginx Proxy Manager has a UI if you prefer that. Traefik is there if you enjoy configuring things indefinitely.

If you’re keeping it local-only: use Tailscale or a VPN to reach it, and either set up a local CA or use split-horizon DNS with a real cert. The “just use HTTP locally” approach will get you nowhere with the official clients.

Backups: The Part Everyone Skips Until They’re Crying

Your self-hosted password manager is only as good as your backup strategy. If your server dies and you have no backup, you have lost access to everything.

Vaultwarden backup is simple because it’s just files. The /data directory contains everything:

db.sqlite3 — your entire password database
attachments/ — any file attachments
config.json — server configuration
rsa_key* — encryption keys (back these up too)

Automate this. Seriously. A simple cron job that copies /data to a different location (another drive, a cloud backup, a different machine) is enough. Run it daily at minimum.

# Simple daily backup example
0 2 * * * tar -czf /backup/vaultwarden-$(date +%Y%m%d).tar.gz /path/to/vaultwarden-data/

Official Bitwarden self-hosted has a ./bitwarden.sh backup command that dumps the MSSQL database and important files. Point those backups somewhere safe and test restoring from them at least once.

General rule: 3-2-1 backup strategy. Three copies, on two different media, with one off-site. For a home lab, “off-site” can mean Backblaze B2 or even a secondary VPS in a different region.

The Comparison You Came For

Feature	Vaultwarden	Bitwarden Official
RAM usage	~10MB idle	~2GB+ recommended
Containers	1	10+
Database	SQLite (default)	MSSQL
Client compatibility	Full Bitwarden clients	Full Bitwarden clients
Setup complexity	Low	Medium-High
Backup simplicity	Copy a folder	`bitwarden.sh backup`
Enterprise SSO/SCIM	No	Yes
Organization support	Yes	Yes
Emergency access	Yes	Yes
Sends	Yes	Yes
Official support	Community	Official
Cost	Free	Free (self-hosted)
Suitable for teams	Small teams, yes	Small to large teams
Suitable for home use	Perfect	Overkill, but works

So Which One Should You Run?

Run Vaultwarden if:

You’re a home user or a small family/friend group
You’re running on a VPS, Raspberry Pi, or shared home server
You want to be up and running in 20 minutes
You don’t need enterprise SSO or directory sync

Run official Bitwarden self-hosted if:

You’re deploying for an organization with IT requirements
You need SSO integration, SCIM, or compliance features
You have dedicated server resources and want the official stack
You want to stay on the exact same codebase as the cloud version

For the vast majority of people reading this, Vaultwarden is the answer. It’s fast to set up, light on resources, and handles everything you’ll actually use. The Bitwarden clients are polished and work identically — your browser extension doesn’t know or care whether it’s talking to official Bitwarden or Vaultwarden.

One More Thing About LastPass

The thing about the LastPass breach wasn’t just that it happened. It’s that it happened, and then they downplayed it, and then more details came out, and then they admitted it was worse than initially disclosed, and then security researchers found that their PBKDF2 iteration counts were embarrassingly low for many users, meaning vaults were crackable faster than they should be.

When you self-host, you control the security parameters. Vaultwarden uses solid defaults. You control who can create accounts. You control backups. If something goes wrong, it’s your screwup on your hardware — not a third party’s screwup affecting millions of users, with a PR timeline you have no visibility into.

That’s the whole point. Not paranoia. Ownership.

Go set up Vaultwarden this weekend. It’ll take less time than the average home lab rabbit hole, and you’ll sleep slightly better knowing your passwords aren’t living in someone else’s house.