Vaultwarden, a lightweight self-hosted password manager compatible with Bitwarden clients, empowers users with complete data control, privacy, and customization. Designed to run efficiently on minimal resources, it's an excellent choice for developers, sysadmins, and privacy-conscious users. This guide covers every essential step to deploy, configure, and manage Vaultwarden, from installation to leveraging its advanced features.
Installing Vaultwarden
Docker/Docker Compose Setup
Using Docker is the most popular method to deploy Vaultwarden due to its simplicity and portability. Here's how to get started:
- Create a directory for your Vaultwarden deployment:
    mkdir -p ~/vaultwarden && cd ~/vaultwarden
- Create a docker-compose.yml file with the following configuration:
    version: "3.9"
    services:
      vaultwarden:
        image: vaultwarden/server:latest
        container_name: vaultwarden
        restart: unless-stopped
        ports:
          - "8080:80"
        volumes:
          - ./data:/data
        environment:
          WEBSOCKET_ENABLED: "true" # Enable WebSocket notifications
- Deploy the container:
    docker-compose up -d
- Verify the container is running:
    docker ps | grep vaultwarden
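Your Vaultwarden instance should now be accessible via http://<your-server-ip>:8080. This address is plain HTTP, so put it behind the reverse proxy and TLS setup described below before storing real credentials.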
Manual Installation
For users who prefer direct installation on Linux, follow these steps:
- Install Rust and other dependencies:
    sudo apt update
    sudo apt install -y build-essential libssl-dev pkg-config sqlite3
    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
    source "$HOME/.cargo/env"
- Clone the Vaultwarden repository and build the binary (a database backend feature must be selected at build time):
    git clone https://github.com/dani-garcia/vaultwarden.git
    cd vaultwarden
    cargo build --features sqlite --release
- Create a directory for Vaultwarden data and run the server, pointing it at that directory with the DATA_FOLDER environment variable:
    mkdir -p ~/vaultwarden-data
    DATA_FOLDER="$HOME/vaultwarden-data" ./target/release/vaultwarden
By default, Vaultwarden will start on port 80. Use a reverse proxy to terminate TLS and serve the instance on your own domain.
Configuring Nginx as a Reverse Proxy
Nginx Configuration
To serve Vaultwarden via Nginx, create a server block to route traffic to your instance:
- Create a new Nginx configuration file:
    sudo nano /etc/nginx/sites-available/vaultwarden
- Add the following server block:
    server {
        listen 80;
        server_name vaultwarden.example.com;
        location / {
            proxy_pass http://localhost:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
- Enable the configuration and restart Nginx:
    sudo ln -s /etc/nginx/sites-available/vaultwarden /etc/nginx/sites-enabled/
    sudo nginx -t
    sudo systemctl restart nginx
SSL/TLS Setup
Secure your instance with Let's Encrypt:
- Install Certbot:
    sudo apt install -y certbot python3-certbot-nginx
- Obtain and apply SSL certificates:
    sudo certbot --nginx -d vaultwarden.example.com
- Automate certificate renewals:
    sudo systemctl enable certbot.timer
Your Vaultwarden instance is now accessible securely via HTTPS.
Logging and Debugging Vaultwarden
Enabling Debug Logs
Enable debug-level logging to troubleshoot issues:
- Add the following environment variable in your docker-compose.yml or systemd configuration:
    environment:
      RUST_LOG: debug
- Restart the Vaultwarden service to apply changes:
    docker-compose restart
Viewing Logs
Access logs to monitor Vaultwarden:
- For Docker deployments:
    docker logs vaultwarden
- For manual installations:
    tail -f /path/to/log/file.log
Troubleshooting Common Issues
Use logs to identify errors such as database connection problems or reverse proxy misconfigurations. For example:
- Database errors may indicate permission issues. Ensure the data directory is writable:
    sudo chown -R 1000:1000 ~/vaultwarden/data
Backup and Restore
File-Based Backups
Back up Vaultwarden's data directory to preserve its configuration and database:
- Create a compressed archive of the data directory:
    tar -czvf vaultwarden-backup-$(date +%F).tar.gz ~/vaultwarden/data
Database Backups
Export the SQLite database for standalone backups:
    sqlite3 ~/vaultwarden/data/db.sqlite3 ".backup 'vaultwarden-db-backup.sqlite3'"
Automated Backup Scripts
Automate periodic backups with a cron job:
- Create a backup script:
    nano ~/vaultwarden-backup.sh
- Add the following content:
    #!/bin/bash
    tar -czvf /opt/backups/vaultwarden-backup-$(date +%F).tar.gz ~/vaultwarden/data
- Make the script executable and schedule it:
    chmod +x ~/vaultwarden-backup.sh
    crontab -e
  Add this line to run the script daily:
    0 2 * * * ~/vaultwarden-backup.sh
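Added example (not part of the original guide or the Vaultwarden project): a variant of the backup script that snapshots the database with the sqlite3 .backup command from the Database Backups section instead of archiving the live db.sqlite3 file, verifies the snapshot, and writes owner-only archives. The function name vw_backup, the two-argument calling convention and the 14-day retention default are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Usage (cron): vaultwarden-backup.sh ~/vaultwarden/data /opt/backups
set -eu

# vw_backup DATA_DIR BACKUP_DIR [KEEP_DAYS]   (hypothetical helper name)
# Prints the path of the archive it wrote. The body runs in a subshell,
# so the umask change and variables do not leak into the caller.
vw_backup() (
    data_dir=$1
    keep_days=${3:-14}             # assumed retention period
    [ -f "$data_dir/db.sqlite3" ] || { echo "no db.sqlite3 in $data_dir" >&2; exit 1; }

    umask 077                      # vault data: owner-only files and directories
    mkdir -p "$2"
    backup_dir=$(cd "$2" && pwd)   # absolute path, needed for tar -C below
    archive="$backup_dir/vaultwarden-backup-$(date +%F-%H%M%S).tar.gz"
    stage=$(mktemp -d "$backup_dir/.stage.XXXXXX")

    # Online snapshot via SQLite's backup command: consistent even while the
    # server is writing, unlike archiving the live db.sqlite3 file.
    sqlite3 "$data_dir/db.sqlite3" ".backup '$stage/db.sqlite3'" \
        || { rm -rf "$stage"; exit 1; }

    # Keep the snapshot only if it passes SQLite's own consistency check.
    check=$(sqlite3 "$stage/db.sqlite3" "PRAGMA integrity_check;")
    if [ "$check" != "ok" ]; then
        rm -rf "$stage"; echo "integrity_check failed: $check" >&2; exit 1
    fi

    # Archive the rest of the data directory (attachments, keys, config) but
    # not the live database files, then add the verified snapshot.
    tar -czf "$archive" --exclude='./db.sqlite3*' -C "$data_dir" . \
        -C "$stage" db.sqlite3 || { rm -rf "$stage"; exit 1; }
    rm -rf "$stage"

    # Retention: delete archives older than KEEP_DAYS days.
    find "$backup_dir" -type f -name 'vaultwarden-backup-*.tar.gz' \
        -mtime "+$keep_days" -exec rm -f {} +
    printf '%s\n' "$archive"
)

if [ "$#" -ge 2 ]; then vw_backup "$@"; fi
```

The archives contain the full vault database, so keep the backup directory off shared storage or encrypt the archives before copying them elsewhere.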
Updating and Upgrading Vaultwarden
Updating Docker Images
Pull the latest Docker image and redeploy containers:
    docker-compose pull
    docker-compose up -d
Manual Updates
For manual installations, pull the latest repository changes and rebuild:
    cd vaultwarden
    git pull
    cargo build --features sqlite --release
Checking for Updates
Visit the Vaultwarden GitHub releases page to check for the latest updates.
Leveraging Vaultwarden's Unique Features
Enabling APIs
Enable Vaultwarden's API to interact programmatically:
- Add the following environment variable:
    environment:
      ENABLE_API: "true"
- Test the API with a curl request:
    curl -X GET http://localhost:8080/api/info
Advanced Configurations
Enable WebSocket notifications for real-time updates:
    environment:
      WEBSOCKET_ENABLED: "true"
Restart the service to apply changes:
    docker-compose restart
Wrapping Up
In this guide, we've covered the end-to-end process of deploying, configuring, and managing Vaultwarden, from installation to advanced configurations. By self-hosting Vaultwarden, you gain complete control and flexibility over your password management system. Start implementing these steps today to leverage Vaultwarden's powerful features and secure your digital life.