How to self-host Vaultwarden in 2026: Bitwarden alternative
Vaultwarden is a Rust reimplementation of the Bitwarden server — under 50 MB RAM, compatible with every official Bitwarden client. Free for unlimited users, including the premium features Bitwarden hides behind paid tiers. Three ways to self-host.
Dmytro Chervonyi
Co-founder & CMO, livemy.app

AI Summary
Vaultwarden is the Rust-based unofficial Bitwarden server with 46,000+ GitHub stars. Fully compatible with every official Bitwarden client (iOS, Android, browser extensions, desktop apps). Runs in under 50 MB of RAM — lighter than the official Bitwarden server, which depends on Microsoft SQL Server and needs multiple containers. Vaultwarden also unlocks the Bitwarden premium features (TOTP storage, file attachments, password history, advanced reports) for free. Self-hosting trade-off: you're responsible for the security of the server, the admin token, SMTP setup for email verification, and backups. This guide walks the three self-host paths — Docker Compose on a VPS, managed Docker host, livemy.app one-click — plus the five things that quietly break Vaultwarden in production (admin token entropy, SMTP failures, websocket sync, signup management, backups).
What Vaultwarden is and why people self-host it
Vaultwarden is a lightweight, open-source reimplementation of the Bitwarden server, written in Rust. 46,000+ GitHub stars in 2026. Compatible with every official Bitwarden client — the iOS and Android apps, browser extensions, desktop apps. From a user's perspective, it looks and behaves identically to Bitwarden; the difference is the server.
Three reasons people self-host Vaultwarden instead of using Bitwarden's hosted service or the official self-hosted server.
Lighter than official Bitwarden. Official Bitwarden self-host needs multiple containers including Microsoft SQL Server, eats 2–4 GB RAM, and is genuinely heavy to manage. Vaultwarden runs the whole stack in under 50 MB of RAM — fine on a Raspberry Pi, fine on a $5 VPS.
Premium features unlocked for free. Bitwarden hosted gates TOTP storage, file attachments, password history, advanced reports behind the Premium tier ($10/year individuals, $40/year family). Vaultwarden enables all of those by default at no cost.
Full data ownership. Your vault never leaves your server. Important for security-paranoid users, important for compliance, and important for anyone uneasy about cloud password managers in general.
The trade-off: you're now responsible for the server's security, the admin token, SMTP, and backups. The rest of this guide is how to do all that without leaking your passwords.
Three ways to self-host Vaultwarden
Path A: Docker Compose on your own VPS
The most common path. Spin up a $5–10/month VPS, install Docker, drop a docker-compose.yml that pulls vaultwarden/server:latest. Configure environment variables. Set up Caddy or nginx as a reverse proxy with a free SSL certificate.
Realistic time-to-first-deploy: 1–3 hours including SSL, SMTP, and the admin panel setup.
Path B: Managed Docker host (Coolify, Dokploy)
Vaultwarden is a clean one-click template on both Coolify and Dokploy. SSL and reverse proxy handled. You still configure ADMIN_TOKEN and SMTP yourself.
Path C: livemy.app one-click deploy
Pick the Vaultwarden template, point your domain, ship. livemy.app handles SSL, persistent volume for the vault database, daily backups.
The good. Three-minute deploy. $25/month flat ($20 Maker + $5 backups). Backups are non-negotiable for a password vault — lose the volume, lose every password.
From zero to Vaultwarden on livemy.app (about 3 minutes)
Step 1: Sign up at livemy.app, pick Maker
Go to livemy.app, click Start free, pick Maker ($20/month). Always-on is required — sync between your phone and laptop fails if the server is asleep.
Step 2: Deploy from the Vaultwarden template
In the dashboard: New project → Template → Vaultwarden. livemy.app pulls the latest vaultwarden/server image and mounts a persistent volume for the database.
Step 3: Generate and set the ADMIN_TOKEN
The admin token is the single most security-critical setting. Anyone with this token can read every user's encrypted vault.
Generate a 64-character hex string: openssl rand -hex 32 on any Mac/Linux machine. Or use the Argon2 hash variant for added protection: run docker run --rm -it vaultwarden/server /vaultwarden hash, type your desired admin password, copy the resulting Argon2 string.
Under Project Settings → Environment Variables on livemy.app:
ADMIN_TOKEN — your 64-char hex or Argon2 hash
DOMAIN — the full public URL with https:// (e.g., https://vault.yourdomain.com)
SIGNUPS_ALLOWED — set to false immediately; you'll invite yourself via the admin panel instead
Step 4: Configure SMTP
Vaultwarden needs SMTP for email verification, invitation emails, and password reset. Add:
SMTP_HOST, SMTP_PORT (typically 587), SMTP_SECURITY (set to starttls), SMTP_FROM, SMTP_USERNAME, SMTP_PASSWORD
Mailgun, Postmark, Resend, SendGrid, or even Gmail SMTP (with an app password) all work.
Step 5: Point your domain, redeploy with the final DOMAIN
Add custom domain, update DNS, wait for SSL. Update the DOMAIN environment variable to the final URL and redeploy. Vaultwarden uses DOMAIN to build links in invitation emails and the websocket sync URL.
Step 6: Invite yourself via the admin panel
Visit https://vault.yourdomain.com/admin, log in with the ADMIN_TOKEN. Click Users → Invite User, enter your email. Check inbox, follow the invitation link, set a strong master password.
Confirm SIGNUPS_ALLOWED is still false. Add a Bitwarden client (iOS app, browser extension), enter the custom server URL in settings, sign in.
Five things that quietly break self-hosted Vaultwarden
1. ADMIN_TOKEN too short or never rotated
Anything shorter than 64 characters is vulnerable to brute force given enough time. A 16-character token can be cracked in days against a leaked installation.
Fix. Use 64+ characters via openssl rand -hex 32 minimum. Better: the Argon2 hash variant. Rotate yearly.
2. SIGNUPS_ALLOWED left at the default true
If signups are allowed and someone finds your public Vaultwarden URL, they can create an account on your server. Not a vault compromise (they can't read your vault), but they're now using your storage and you're hosting an unknown user.
Fix. Set SIGNUPS_ALLOWED=false immediately. Invite users via the admin panel. Re-enable signups only when temporarily inviting a new family member, then disable again.
3. SMTP misconfigured — no email verification, no invites
Bitwarden clients refuse to register accounts that haven't verified their email. If SMTP isn't working, you (or your family member) can't complete the invitation flow.
Fix. Test SMTP from the admin panel's "Send Test Email" button. Check Docker logs for SMTP errors. Authentication errors = wrong username/password; connection errors = your VPS IP is blocked by the SMTP provider (common for self-hosted Gmail SMTP — use Mailgun or Postmark instead).
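The settings from Steps 3 and 4 and from items 1 to 3 above can be checked before every deploy. The script below is an added example, not code from this guide or from the Vaultwarden project; it assumes the variables live in a KEY=value env file (the name vaultwarden.env is hypothetical) and additionally flags SMTP_SECURITY=off, a value Vaultwarden accepts but the guide does not mention.

```shell
#!/bin/sh
# Added example, not from the guide or the Vaultwarden project: audit a
# KEY=value env file for the settings the guide flags (names are the guide's).

# get_var FILE NAME: print NAME's value (last assignment wins, quotes stripped).
get_var() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed "s/^[\"']//; s/[\"']\$//"
}

# audit_env FILE: print one finding per line; exit status 0 only when clean.
audit_env() {
  f=$1; n=0
  flag() { echo "$1"; n=$((n + 1)); }
  token=$(get_var "$f" ADMIN_TOKEN)
  case $token in
    '') ;;           # unset: Vaultwarden leaves the admin panel disabled
    '$argon2'*) ;;   # Argon2 string produced by `vaultwarden hash`
    *) [ "${#token}" -ge 64 ] || flag "ADMIN_TOKEN: plain token under 64 characters" ;;
  esac

  # Signups default to true, so an unset variable counts as open.
  [ "$(get_var "$f" SIGNUPS_ALLOWED)" = "false" ] ||
    flag "SIGNUPS_ALLOWED: not false, anyone who finds the URL can register"

  case $(get_var "$f" DOMAIN) in
    https://?*) ;;
    *) flag "DOMAIN: must be the full public URL starting with https://" ;;
  esac

  [ -n "$(get_var "$f" SMTP_HOST)" ] ||
    flag "SMTP_HOST: unset, invitation and verification mail cannot be sent"
  # "off" is a Vaultwarden value the guide does not mention (assumption here).
  [ "$(get_var "$f" SMTP_SECURITY)" != "off" ] ||
    flag "SMTP_SECURITY: off disables TLS for SMTP credentials"

  [ "$n" -eq 0 ]
}

# Constructed sample: a weak configuration of the kind the guide warns about.
sample_weak_env() {
  cat <<'EOF'
ADMIN_TOKEN=hunter2hunter2ab
DOMAIN=http://vault.example.com
SMTP_HOST=smtp.example.com
SMTP_SECURITY=starttls
EOF
}

if [ "$#" -gt 0 ]; then audit_env "$1"; fi   # usage: sh audit.sh vaultwarden.env
```

A non-zero exit status makes the script usable as a gate in a deploy pipeline; the constructed sample yields three findings (token length, open signups, non-HTTPS DOMAIN).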
4. Websocket sync needs HTTP/2 or websockets enabled on your reverse proxy
Vaultwarden uses websockets for real-time sync between clients (vault change on phone, immediately reflected on laptop). If your reverse proxy doesn't proxy websockets correctly, sync still works but slowly — every client polls instead of pushing.
Fix. livemy.app handles this automatically. On a manual Caddy or nginx setup, ensure proxy_set_header Upgrade $http_upgrade; and proxy_set_header Connection "upgrade"; are set, plus the WEBSOCKET_ENABLED=true environment variable on Vaultwarden.
5. No backups = total vault loss on disk failure
Vaultwarden's database holds every password, every TOTP code, every secure note. A failed disk and no backup means every credential is gone. Recovery requires resetting every password on every service.
Fix. Daily backups, non-negotiable. livemy.app's $5/month backups add-on covers the entire Vaultwarden volume automatically, 30-day retention, one-click restore. For manual setups, schedule a daily snapshot of the data/ directory to off-server storage (S3, B2, or just a different VPS).
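For the manual setup, a daily snapshot job can look like the following. This is an added example, not code from this guide or from the Vaultwarden project; it assumes the default SQLite store at data/db.sqlite3, that DEST_DIR is an off-server mount or is synced off-server afterwards, and the paths in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example, not from the guide or the Vaultwarden project.
# snapshot_vault DATA_DIR DEST_DIR [KEEP_DAYS]: archive the data/ directory,
# verify the archive, prune old archives, print the new archive's path.
snapshot_vault() (
  data=$1; dest=$2; keep=${3:-30}
  [ -d "$data" ] || { echo "no data directory: $data" >&2; exit 2; }
  umask 077                      # archives hold the whole vault: owner-only
  work=$(mktemp -d) || exit 2
  trap 'rm -rf "$work"' EXIT
  mkdir -p "$dest" "$work/data"
  cp -R "$data/." "$work/data/"

  # Vaultwarden's default store is SQLite (data/db.sqlite3). Copying a live
  # database can capture a half-written state, so prefer SQLite's own backup.
  db="$data/db.sqlite3"
  if [ -f "$db" ] && command -v sqlite3 >/dev/null 2>&1; then
    rm -f "$work/data/db.sqlite3" "$work/data/db.sqlite3-wal" "$work/data/db.sqlite3-shm"
    sqlite3 "$db" ".backup '$work/data/db.sqlite3'" || exit 3
  fi

  out="$dest/vaultwarden-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
  tar -czf "$out" -C "$work" data || exit 3
  tar -tzf "$out" >/dev/null || { rm -f "$out"; exit 3; }   # readable end to end?

  # Retention: drop archives older than KEEP_DAYS (30 by default).
  find "$dest" -name 'vaultwarden-*.tar.gz' -mtime +"$keep" -exec rm -f {} +
  echo "$out"
)

# usage (paths are assumptions): sh snapshot.sh /srv/vaultwarden/data /mnt/offsite
if [ "$#" -ge 2 ]; then snapshot_vault "$@"; fi
```

A backup only counts once a restore has been tried: extract an archive on a second machine and start Vaultwarden against it before relying on the schedule.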
Cost: Bitwarden hosted vs self-hosted Vaultwarden
Real numbers for a family of 4 with shared passwords.
Bitwarden Families: $40/year ($3.33/month) for 6 users with shared collections. Honestly cheap if you're fine using their hosting.
Bitwarden Premium individual: $10/year per person; for 4 people that's $40/year if you don't want the shared family vault.
Self-hosted Vaultwarden on a $5 VPS: $60/year for the server, free for unlimited users, all premium features unlocked.
Self-hosted on livemy.app: $300/year ($25/month with backups), unlimited users, all premium features.
For a family of 4, Bitwarden Families is actually cheaper than self-hosting if you trust their hosting. Self-hosting is the right move when: you want full data sovereignty, you have more than 6 users, you're a tinkerer who wanted a Vaultwarden anyway, or you're already self-hosting other things and Vaultwarden is one more container.
FAQ
Is Vaultwarden as secure as Bitwarden?
The encryption and client-side cryptography are identical — Vaultwarden uses the same protocol, so the same end-to-end encryption applies. Your vault is encrypted on your device before it ever touches the server. The server can't read your passwords even if compromised. Where Vaultwarden differs is the server-side code (different language, different maintainer); the Bitwarden security team has audited Vaultwarden multiple times and reported no protocol-level concerns.
Will Vaultwarden work with Bitwarden's official apps?
Yes — fully compatible with the iOS app, Android app, browser extensions (Chrome, Firefox, Safari, Edge), and desktop apps. You change one setting in each client (server URL pointing to your Vaultwarden instance) and everything else behaves identically.
Can I migrate from Bitwarden hosted to Vaultwarden?
Yes. Export your vault from Bitwarden as JSON, import into Vaultwarden. The format is identical. Plan for 15–30 minutes including reconnecting all your clients to the new server URL.
What about 2FA?
Vaultwarden supports TOTP, U2F/WebAuthn, Duo, and YubiKey — the full 2FA stack. Bitwarden hosted gates the premium 2FA methods (Duo, YubiKey) behind Premium tier; Vaultwarden enables all of them for free.
What's the cheapest way to self-host Vaultwarden?
A $5/month VPS (Hetzner, Vultr, DigitalOcean) running Docker Compose. Vaultwarden's 50 MB RAM footprint fits on the smallest tier of any VPS provider. Realistic total cost: $5/month server + $0 for SSL (Let's Encrypt) + $0–10/month for SMTP (Mailgun free tier covers small setups).
Will it auto-update?
On livemy.app, opt-in auto-update or pin to a specific version. Vaultwarden releases roughly monthly. For a password vault, you want updates promptly — security patches matter.
Self-host Vaultwarden — lightweight, full premium features
If you're paying for Bitwarden Premium or considering it for a larger team, Vaultwarden gives you the same client experience at a flat self-hosted cost with every premium feature unlocked. The cheapest path is a $5 VPS. The fastest path is livemy.app's Vaultwarden template — just budget the admin token + SMTP + backups setup.
→ Start free on livemy.app · Vaultwarden template, persistent volume, custom domain, SSL, backups, all on Maker at $20/month flat.
Migrating from Bitwarden hosted or 1Password? Email hello@livemy.app — we'll walk through the import. Replies inside one business day.

Dmytro Chervonyi, Co-founder & CMO, livemy.app
Co-founder & CMO at livemy.app. 12 years as a CMO scaling SaaS from $0 to $10M+ ARR across marketing, sales, and infra products and tools. Now building the missing step between AI-built code and a live URL — for non-developers who’d rather ship than learn DevOps.


