Why Self-Host Your Password Manager?
Cloud-hosted password managers (1Password, LastPass, Dashlane) hold the encrypted vault for you. That's fine until they get breached — as LastPass demonstrated in 2022 — or until their pricing model changes. Self-hosting means your encrypted vault lives on hardware you control, and you choose the backup strategy.
Both Bitwarden and Vaultwarden use the same client apps (browser extensions, iOS/Android/desktop), the same API protocol, and end-to-end encryption. The server is the difference.
Bitwarden: The Official Server
Bitwarden's self-hosted server is the official, open-source implementation (AGPL-3.0). It consists of several microservices: API, Identity, Admin, Notifications, and a Postgres database. The full stack requires roughly 2 GB RAM minimum, making it suitable for a dedicated server or beefy home lab.
Pros
- Maintained by the Bitwarden company — guaranteed compatibility with all clients.
- Premium features (TOTP authenticator, file attachments, emergency access) available via a self-hosted license.
- Official support and security audits.
Cons
- Resource-heavy: multiple containers, Postgres, MSSQL (optional).
- More complex to update — migration scripts required between major versions.
# docker-compose.yml (simplified — official installer is recommended)
services:
  bitwarden:
    image: bitwarden/self-host:2026.x.x
    # ... full config at https://bitwarden.com/help/install-on-premise/
Vaultwarden: The Lightweight Alternative
Vaultwarden is a community-maintained, Rust-based reimplementation of the Bitwarden server API. It is compatible with all official Bitwarden clients and runs comfortably in under 100 MB RAM.
Pros
- Minimal resource footprint — runs on a Raspberry Pi Zero 2W.
- All premium features unlocked for free (TOTP, file attachments, emergency access, organizations).
- Simple single-container deployment with SQLite (or Postgres/MySQL).
- Active community and frequent releases.
Cons
- Not official — theoretically could fall behind the API after a client update.
- No formal security audit from the Bitwarden company (though the Rust codebase is well-reviewed by the community).
services:
  vaultwarden:
    image: vaultwarden/server:latest
    restart: unless-stopped
    environment:
      DOMAIN: "https://vault.yourdomain.com"
      SIGNUPS_ALLOWED: "false" # disable after registering your accounts
      WEBSOCKET_ENABLED: "true"
      # Protects the /admin panel: replace the placeholder with a long random value
      ADMIN_TOKEN: "your-secret-token-here"
    volumes:
      - ./vw-data:/data # vault database and attachments; this is what you back up
    ports:
      - "8080:80"
      - "3012:3012" # WebSocket notifications
Feature Comparison
Multi-Device Sync
Both solutions sync in real time via WebSocket notifications. Configuration on all devices is identical: point the "Server URL" field in the Bitwarden client to your self-hosted domain.
Browser extension: Settings → Server → Custom → https://vault.yourdomain.com
After that, logins and registrations work identically to the cloud version.
Backup Strategy
Since the vault is the most critical data you own, take a daily snapshot and keep an encrypted copy off-site:
# Vaultwarden SQLite backup (add to daily cron)
sqlite3 /path/to/vw-data/db.sqlite3 ".backup /backups/vault-$(date +%Y%m%d).sqlite3"
# Encrypt and upload to off-site storage
restic -r b2:mybucket:vault backup /backups/
For Bitwarden official, use the built-in backup mechanism in the admin portal.
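An added example, not from the original article or from either project: a Python version of the daily Vaultwarden snapshot above that uses the same SQLite online-backup API as `.backup` and then runs a restore check on the copy before it is handed to restic. The function names, the required table names `users` and `ciphers`, and the sample database are assumptions made for illustration.

```python
import os
import sqlite3
import tempfile
from contextlib import closing
from datetime import date
from pathlib import Path

# Assumption: tables a Vaultwarden SQLite vault is expected to contain.
REQUIRED_TABLES = ("users", "ciphers")

def _open(path):
    # mode=rw never creates an empty database at a mistyped path.
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=rw", uri=True)

def backup_and_verify(src_db, backup_dir, required=REQUIRED_TABLES):
    """Snapshot a live SQLite vault, then prove the copy opens and is intact."""
    dest = Path(backup_dir) / f"vault-{date.today():%Y%m%d}.sqlite3"
    dest.parent.mkdir(parents=True, exist_ok=True)
    with closing(_open(src_db)) as src:  # fails here if the source is missing
        # Create the copy owner-only before any vault data lands in it.
        os.close(os.open(dest, os.O_CREAT | os.O_WRONLY | os.O_TRUNC, 0o600))
        os.chmod(dest, 0o600)
        # Online-backup API (what the CLI's ".backup" uses): gives a consistent
        # snapshot while the server is writing, unlike a plain file copy.
        with closing(_open(dest)) as dst:
            src.backup(dst)
    # Restore check: reopen the copy and read it the way a restore would.
    with closing(_open(dest)) as check:
        status = check.execute("PRAGMA integrity_check").fetchone()[0]
        names = {r[0] for r in check.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")}
        missing = [t for t in required if t not in names]
        counts = {t: check.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
                  for t in required if t in names}
    if status != "ok" or missing:
        dest.unlink()  # never upload a backup that would not restore
        raise RuntimeError(f"backup rejected: integrity={status}, missing={missing}")
    return dest, counts

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample vault
        live = os.path.join(tmp, "db.sqlite3")
        with closing(sqlite3.connect(live)) as con:
            con.executescript("CREATE TABLE users(id); CREATE TABLE ciphers(id);")
        print(backup_and_verify(live, os.path.join(tmp, "backups")))
```

Comparing the returned row counts against the previous day's run gives a cheap signal that a backup was taken from an empty or freshly re-initialised data directory.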
Recommendation
For a home lab or small team (1–10 people): Vaultwarden. The resource savings are significant, the feature set exceeds what most individuals need, and the migration path to the official server remains straightforward if your needs grow.
For an organization with compliance requirements or large user counts: Bitwarden Official, with the self-hosted license.
The WEDC member library includes a complete Vaultwarden deployment configuration — Docker Compose, Caddy gateway config, backup scripts, and a restore-verification playbook — ready to deploy in under 30 minutes.