Aug 30, 2024

Vaultwarden: The Ultimate Guide to Self-Hosting

Vaultwarden, a lightweight self-hosted password manager compatible with Bitwarden clients, empowers users with complete data control, privacy, and customization. Designed to run efficiently on minimal resources, it’s an excellent choice for developers, sysadmins, and privacy-conscious users. This guide covers every essential step to deploy, configure, and manage Vaultwarden, from installation to leveraging its advanced features.

Installing Vaultwarden

📦 Docker/Docker Compose Setup

Using Docker is the most popular method to deploy Vaultwarden due to its simplicity and portability. Here's how to get started:

  1. Create a directory for your Vaultwarden deployment:

mkdir -p ~/vaultwarden && cd ~/vaultwarden

  2. Create a docker-compose.yml file with the following configuration:

version: "3.9"
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    ports:
      - "8080:80"
    volumes:
      - ./data:/data
    environment:
      WEBSOCKET_ENABLED: "true" # Enable WebSocket notifications

  3. Deploy the container:

docker-compose up -d

  4. Verify the container is running:

docker ps | grep vaultwarden

Your Vaultwarden instance should now be accessible via http://<your-server-ip>:8080.

🚀 Manual Installation

For users who prefer direct installation on Linux, follow these steps:

  1. Install Rust and other dependencies:

sudo apt update
sudo apt install -y build-essential libssl-dev pkg-config sqlite3
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source "$HOME/.cargo/env"

  2. Clone the Vaultwarden repository and build the binary. A database backend must be selected at build time; SQLite is used here:

git clone https://github.com/dani-garcia/vaultwarden.git
cd vaultwarden
cargo build --features sqlite --release

  3. Create a directory for Vaultwarden data and run the server. The data directory is set through the DATA_FOLDER environment variable:

mkdir -p ~/vaultwarden-data
DATA_FOLDER=~/vaultwarden-data ./target/release/vaultwarden

By default, Vaultwarden will start on port 80. Use a reverse proxy to secure and enable access on custom domains.

Configuring Nginx as a Reverse Proxy

🌐 Nginx Configuration

To serve Vaultwarden via Nginx, create a server block to route traffic to your instance:

  1. Create a new Nginx configuration file:

sudo nano /etc/nginx/sites-available/vaultwarden

  2. Add the following server block:

server {
    listen 80;
    server_name vaultwarden.example.com;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

  3. Enable the configuration and restart Nginx:

sudo ln -s /etc/nginx/sites-available/vaultwarden /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl restart nginx

🔒 SSL/TLS Setup

Secure your instance with Let's Encrypt:

  1. Install Certbot:

sudo apt install -y certbot python3-certbot-nginx

  2. Obtain and apply SSL certificates:

sudo certbot --nginx -d vaultwarden.example.com

  3. Automate certificate renewals:

sudo systemctl enable certbot.timer

Your Vaultwarden instance is now accessible securely via HTTPS.
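
After these steps the compose mapping "8080:80" still publishes the container's plain-HTTP port on every host interface, so the vault stays reachable without Nginx or TLS; writing the mapping as "127.0.0.1:8080:80" binds it to loopback only. The following added example (not from the original guide; the function names are hypothetical and the sample lines at the end are constructed) flags such mappings in a compose file and in `ss -ltn` output:

```bash
#!/bin/bash
# Added example, not from the original guide; function names are hypothetical.

# Static check: print each "ports:" entry of a compose file that is not bound
# to a loopback address (without a host IP, Docker publishes on all interfaces).
compose_exposed_ports() {
    awk -v sq="'" '
        /^[ \t]*ports:[ \t]*$/       { in_ports = 1; next }
        in_ports && /^[ \t]*(#.*)?$/ { next }            # blank or comment line
        in_ports && /^[ \t]*-/ {
            entry = $0
            sub(/^[ \t]*-[ \t]*/, "", entry)             # list dash
            sub(/[ \t]*#.*$/, "", entry)                 # trailing comment
            gsub(/"/, "", entry); gsub(sq, "", entry)    # quotes
            if (entry !~ /^(127\.0\.0\.1|\[::1\]):/) print entry
            next
        }
        { in_ports = 0 }
    ' "$1"
}

# Runtime check: reads `ss -ltn` output on stdin and prints the listeners on
# PORT that are bound to a wildcard address (0.0.0.0, * or [::]).
wildcard_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" && $4 ~ ("^(0\\.0\\.0\\.0|\\*|\\[::\\]):" port "$") { print $4 }
    '
}

# Constructed sample lines (not real output) showing what gets flagged.
printf '%s\n' \
    'LISTEN 0 4096 0.0.0.0:8080   0.0.0.0:*' \
    'LISTEN 0 511  127.0.0.1:8081 0.0.0.0:*' |
    wildcard_listeners 8080

# On a real host:
#   compose_exposed_ports ~/vaultwarden/docker-compose.yml
#   ss -ltn | wildcard_listeners 8080
```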

Logging and Debugging Vaultwarden

🗃️ Enabling Debug Logs

Enable debug-level logging to troubleshoot issues:

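  1. Add the following environment variable in your docker-compose.yml or systemd configuration. Vaultwarden takes its log level from LOG_LEVEL:

environment:
  LOG_LEVEL: "debug" # Vaultwarden's log-level setting

  2. Recreate the container to apply the change (docker-compose restart does not re-read docker-compose.yml):

docker-compose up -d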

📄 Viewing Logs

Access logs to monitor Vaultwarden:

  • For Docker deployments:

docker logs vaultwarden

  • For manual installations:

tail -f /path/to/log/file.log

🛠️ Troubleshooting Common Issues

Use logs to identify errors such as database connection problems or reverse proxy misconfigurations. For example:

  • Database errors may indicate permission issues. Ensure the data directory is writable:

sudo chown -R 1000:1000 ~/vaultwarden/data

Backup and Restore

🗂️ File-Based Backups

Back up Vaultwarden's data directory to preserve configurations and database:

  1. Create a compressed archive of the data directory:

tar -czvf vaultwarden-backup-$(date +%F).tar.gz ~/vaultwarden/data

🔄 Database Backups

Export the SQLite database for standalone backups:


sqlite3 ~/vaultwarden/data/db.sqlite3 ".backup 'vaultwarden-db-backup.sqlite3'"

📅 Automated Backup Scripts

Automate periodic backups with a cron job:

  1. Create a backup script:

nano ~/vaultwarden-backup.sh

  2. Add the following content:

#!/bin/bash
# Archive the Vaultwarden data directory into a dated tarball; stop on any error.
set -euo pipefail
tar -czvf "/opt/backups/vaultwarden-backup-$(date +%F).tar.gz" ~/vaultwarden/data

  3. Make the script executable and schedule it:

chmod +x ~/vaultwarden-backup.sh
crontab -e

Add this line to run the script daily:

0 2 * * * ~/vaultwarden-backup.sh
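
The script above archives db.sqlite3 while Vaultwarden may be writing to it, and the archive, which holds the entire vault, gets whatever permissions the default umask gives. The following added example (not from the original guide) snapshots the database with the `.backup` command shown earlier, verifies the copy, writes an owner-only archive and prunes old ones; `vw_backup`, `vw_snapshot_db`, the 14-archive default and the SQLite backend are assumptions.

```bash
#!/bin/bash
# Added example, not from the original guide. vw_backup and vw_snapshot_db are
# hypothetical names; assumes the SQLite backend (db.sqlite3) and the sqlite3 CLI.

# Copy the live database with SQLite's online backup, then verify the copy.
vw_snapshot_db() {
    sqlite3 "$1" ".backup '$2'" &&
        [ "$(sqlite3 "$2" 'PRAGMA integrity_check;')" = "ok" ]
}

# vw_backup DATA_DIR DEST_DIR [KEEP]: prints the archive path on success.
# The body runs in a subshell so the umask change does not leak to the caller.
vw_backup() (
    data_dir=$1; dest_dir=$2; keep=${3:-14}
    archive="$dest_dir/vaultwarden-backup-$(date +%F-%H%M%S).tar.gz"
    [ -d "$data_dir" ] || { echo "no such data directory: $data_dir" >&2; exit 1; }

    umask 077                      # archive holds the vault and RSA keys: owner-only
    mkdir -p "$dest_dir" && stage=$(mktemp -d) || exit 1

    # Stage a copy without the live DB and its WAL/SHM files, add the verified
    # snapshot in their place, then archive the staging directory.
    status=0
    {
        cp -Rp "$data_dir/." "$stage/" &&
        rm -f "$stage/db.sqlite3" "$stage/db.sqlite3-wal" "$stage/db.sqlite3-shm" &&
        { [ ! -f "$data_dir/db.sqlite3" ] ||
            vw_snapshot_db "$data_dir/db.sqlite3" "$stage/db.sqlite3"; } &&
        tar -C "$stage" -czf "$archive" .
    } || status=1
    rm -rf "$stage"
    [ "$status" -eq 0 ] || { rm -f "$archive"; exit 1; }

    # Retention: names embed the timestamp, so reverse name order is newest first.
    ls -1 "$dest_dir"/vaultwarden-backup-*.tar.gz | sort -r |
        tail -n +"$((keep + 1))" | while read -r old; do rm -f -- "$old"; done
    echo "$archive"
)

# Run as: vaultwarden-backup.sh ~/vaultwarden/data /opt/backups
if [ "$#" -ge 2 ]; then vw_backup "$@"; fi
```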

Updating and Upgrading Vaultwarden

⬆️ Updating Docker Images

Pull the latest Docker image and redeploy containers:


docker-compose pull

docker-compose up -d

🛠️ Manual Updates

For manual installations, pull the latest repository changes and rebuild:


cd vaultwarden
git pull
cargo build --features sqlite --release

Checking for Updates

Visit the Vaultwarden GitHub releases page to check for the latest updates.

Leveraging Vaultwarden’s Unique Features

🔧 Enabling APIs

Enable Vaultwarden’s API to interact programmatically:

  1. Add the following environment variable:

environment:
  ENABLE_API: "true"

  2. Test the API with a curl request:

curl -X GET http://localhost:8080/api/info

🌟 Advanced Configurations

Enable WebSocket notifications for real-time updates:


environment:
  WEBSOCKET_ENABLED: "true"

Recreate the container to apply the change, since docker-compose restart does not re-read docker-compose.yml:

docker-compose up -d

Wrapping Up

In this guide, we’ve covered the end-to-end process of deploying, configuring, and managing Vaultwarden, from installation to advanced configurations. By self-hosting Vaultwarden, you gain complete control and flexibility over your password management system. Start implementing these steps today to leverage Vaultwarden’s powerful features and secure your digital life.
