Vaultwarden on Raspberry Pi, secure self hosted passwords
Introduction
If you’ve ever searched for a way to host your own password manager, you’ve probably run into Vaultwarden on Raspberry Pi. I went that route myself after yet another “data breach notification” email hit my inbox. You know the ones—“We take your privacy seriously,” right before they tell you someone ran off with your info.
So I grabbed a spare Raspberry Pi, fired up some Docker containers, and made my own setup using Vaultwarden. It runs on my network, stays updated, and doesn’t ask for a subscription. It stores my password database locally, uses HTTPS for secure access, and encrypts everything with strong ciphers like AES-256. I control the server, the database, and who gets in.
This guide shows you how to do the same thing—no fluff, just working parts. Whether you’re a first-timer or just tired of renting your privacy from cloud services, it’s all here.
Key Takeaways
- Vaultwarden gives you full control of your password vault
- Raspberry Pi offers a reliable and affordable hosting option
- Docker simplifies setup, updates, and recovery
- HTTPS, fail2ban, and backups keep your data safe
- With proper setup, this stack works just as well as commercial options
Why Vaultwarden?
Vaultwarden is a lightweight, self-hosted server that’s compatible with the official Bitwarden clients. It’s built using Rust, which makes it fast and low on system resources. That’s why it runs smoothly on small devices like the Raspberry Pi.
Bitwarden Inc. runs a great hosted service, but if you want full control of your data, Vaultwarden steps in as the self-hosted alternative. It skips all the extra features that eat up memory or require big servers. You still get secure storage, end-to-end encryption, and access across devices—without depending on the cloud.
Now, I know some of you are thinking, “But why not just use KeePass?” Sure, KeePassXC is great for local-only setups. But Vaultwarden works through your browser and syncs across devices automatically, just like Bitwarden cloud—except you host it yourself.
And here’s the kicker: you can run Vaultwarden using Docker, which means easier setup, cleaner updates, and fewer headaches. You mount your config and database in volumes, lock down access with HTTPS, and run it behind a reverse proxy like Nginx or Caddy.
So if you’re looking for a secure, private, low-maintenance password vault you can access anywhere, Vaultwarden on a Raspberry Pi hits that sweet spot between control and convenience.
Choosing the Right Raspberry Pi Model
Raspberry Pi boards come in different shapes and horsepower levels, and not all of them handle Vaultwarden the same way. This isn’t a game of raw power, but you do want enough memory and reliability to keep things smooth.
Pi 4 Model B is your best bet. With up to 8GB RAM, USB 3.0, and gigabit Ethernet, it runs Vaultwarden without breaking a sweat. If you’ve got a Pi 3B+, that’ll work too—just expect slower web UI loading and longer backup times. Skip the Zero W models unless you’re just trying to make your life harder.
You’ll also need solid storage. A 32GB Class 10 microSD card is the bare minimum, but if you’ve got a spare USB SSD, use it. You’ll get faster read/write speeds and better reliability. I used to run my setup off a card, but after a few corruptions, I made the switch.
Here’s a quick comparison:
| Pi Model | RAM | Network | USB Speed | Ideal For |
|---|---|---|---|---|
| Pi 4 (8GB) | 8GB | Gigabit | USB 3.0 | Best performance |
| Pi 4 (4GB) | 4GB | Gigabit | USB 3.0 | Very good |
| Pi 3B+ | 1GB | Fast Ethernet | USB 2.0 | Usable |
| Pi Zero W | 512MB | WiFi only | USB 2.0 | Not recommended |
Stick to what keeps your server reliable. Slowdowns and crashes aren’t fun when they’re locking you out of your password vault.
Prepping the OS
Before you install anything, your Raspberry Pi needs a clean, minimal operating system. I’d recommend Raspberry Pi OS Lite or DietPi. They skip the desktop junk and leave you with a lean system that’s perfect for servers.
Raspberry Pi Imager makes flashing easy. Select your OS, enter your WiFi and SSH settings if you want (under advanced options), and flash it to your microSD card or USB SSD. Once booted, do these basics:
sudo apt update && sudo apt upgrade -y
sudo raspi-config
In raspi-config, set your timezone, hostname, and enable SSH. You’ll manage the rest over your local network.
Next up—set a static IP. You don’t want your Pi changing addresses every time your router reboots. Here’s a simple example using dhcpcd.conf:
interface eth0
static ip_address=192.168.1.100/24
static routers=192.168.1.1
static domain_name_servers=1.1.1.1 8.8.8.8
Reboot when done. Now you can SSH in with:
ssh pi@192.168.1.100
You’re officially headless. Time to install Docker and move closer to Vaultwarden.
Installing Docker and Docker Compose
To run Vaultwarden smoothly on your Raspberry Pi, you’ll use Docker to handle the container and Docker Compose to manage the service. It’s cleaner, repeatable, and easier to back up or upgrade.
Start by installing Docker:
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
Then add your user to the Docker group so you’re not typing sudo every time:
sudo usermod -aG docker $USER
You’ll need to log out and back in for that to take effect.
Now install Docker Compose. The Python version works well on Pi OS:
sudo apt install python3-pip -y
pip3 install docker-compose
Verify it’s working:
docker --version
docker-compose --version
If both commands return a version, you’re good. Your system is now container-ready.
Set Docker to start on boot:
sudo systemctl enable docker
This way, your Vaultwarden container stays running even after a reboot.
Deploying Vaultwarden
With Docker and Docker Compose installed, it’s time to bring Vaultwarden to life. You’ll set up directories, write a configuration, and launch the container.
First, make a directory for Vaultwarden:
mkdir -p ~/vaultwarden/data
cd ~/vaultwarden
Now, create a docker-compose.yml file:
version: '3'
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
restart: unless-stopped
environment:
WEBSOCKET_ENABLED: "true"
SIGNUPS_ALLOWED: "false"
ADMIN_TOKEN: "set_a_long_random_admin_token"
volumes:
- ./data:/data
ports:
- "8080:80"
Key environment variables:
ADMIN_TOKEN: Required to access the admin panel.SIGNUPS_ALLOWED: Set to “false” to prevent random registrations.WEBSOCKET_ENABLED: Enables better syncing with browser extensions.
Once that’s saved, launch Vaultwarden:
docker-compose up -d
Check that it’s running:
docker ps
Visit http://<your-pi-ip>:8080 in your browser. You should see the Vaultwarden login page. The container is now live, storing its SQLite database in your ~/vaultwarden/data folder.
From here, you’ll want to secure it with HTTPS, set up a reverse proxy, and lock it down.
Web Access and HTTPS
Right now, your Vaultwarden instance runs over plain HTTP. That’s fine for testing, but if you plan to access it from other devices—or remotely—you’ll want to encrypt it with HTTPS.
Step 1: Reverse Proxy with Caddy or Nginx
Pick one:
Caddy (automatic HTTPS, simpler for Pi users):
docker run -d \
--name caddy \
-p 80:80 -p 443:443 \
-v $PWD/Caddyfile:/etc/caddy/Caddyfile \
-v caddy_data:/data \
-v caddy_config:/config \
caddy
Example Caddyfile:
yourdomain.duckdns.org {
reverse_proxy localhost:8080
}
Nginx (more control, manual TLS):
sudo apt install nginx -y
Sample reverse proxy config:
server {
listen 443 ssl;
server_name yourdomain.duckdns.org;
ssl_certificate /etc/letsencrypt/live/yourdomain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain/privkey.pem;
location / {
proxy_pass http://localhost:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
Step 2: Get a Free Certificate
Use Let’s Encrypt with Certbot:
sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx
It’ll prompt you to enter your domain, email, and set up SSL automatically.
Step 3: Port Forwarding
To access from outside your network:
- Forward ports 80 and 443 to your Pi’s IP in your router settings.
- Optional: use a Dynamic DNS service like DuckDNS.
Your server should now be reachable via https://yourdomain.duckdns.org.
Creating and Managing Your Account
Once Vaultwarden is running and protected by HTTPS, it’s time to get your admin credentials sorted and create your first user account.
Accessing the Admin Panel
To open the admin interface, go to:
https://yourdomain.duckdns.org/admin
You’ll need the ADMIN_TOKEN you set in the docker-compose.yml file. Without it, the page won’t even load. If you see a blank screen or a 403 error, double-check that the token was set and that the container was restarted after changing it.
If you forget the token, you’ll have to:
- Stop the container:
docker-compose down - Edit the token in
docker-compose.yml - Restart:
docker-compose up -d
Disabling Public Signups
In the admin panel, toggle “Allow Signups” to Off. This prevents strangers from registering accounts on your Vaultwarden instance. Only you (and whoever you add) will have access.
Creating Your Account
Head over to:
https://yourdomain.duckdns.org
Create a new user account using a strong, unique master password. This is the key to your entire vault. Don’t reuse an old password here.
Once you’re signed in, you can start adding login items, secure notes, and more.
Setting Security Defaults
From the admin panel:
- Enforce 2FA on accounts
- Set minimum password length
- Enable or disable email verification
- Control session timeout settings
These help reduce the chance of brute force attacks or account misuse.
Strengthening Security
Running your own password manager is great—but it’s only as strong as your setup. Vaultwarden on Raspberry Pi gives you control, and with that comes responsibility. Here’s how to lock things down properly.
Enable Two-Factor Authentication (2FA)
Once your account is created, go into Settings > Two-Step Login and set up TOTP (like Google Authenticator, Authy, or Aegis). This adds a second layer beyond your master password.
Make sure you save the recovery codes somewhere safe—offline.
Use a Strong Admin Token
That ADMIN_TOKEN you set earlier? Don’t make it something like admin123. Use a long, random string. Here’s an easy way to generate one:
openssl rand -hex 32
Put this new token into your docker-compose.yml, restart the container, and test it.
Limit Login Attempts
Vaultwarden supports brute-force protection. In the admin panel, you can:
- Set the number of allowed failed login attempts
- Define a lockout duration
- Whitelist trusted IPs if needed
This stops bots and bad actors from hammering your login page.
Run Vaultwarden in Rootless Mode
If you’re feeling extra careful, run the Vaultwarden container as a non-root user. It limits damage if the container gets compromised.
To do this:
- Create a dedicated Docker user
- Set correct volume permissions
- Adjust your
docker-compose.ymlto run as a non-root UID/GID
Enable a Firewall
If you haven’t already:
sudo apt install ufw -y
sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443
sudo ufw enable
UFW helps block unused ports and restrict access to the essentials.
Automating Backups
You’ve got Vaultwarden running and secure—great. But what happens if your Raspberry Pi dies, your SD card corrupts, or you just screw something up? Without a backup, all your passwords are gone.
Let’s avoid that.
Backup the Database File
Vaultwarden stores everything in an SQLite file located inside your mounted volume (./data). You only really need to back up this folder.
Create a backup folder:
mkdir -p ~/vaultwarden/backups
Now make a simple backup script:
#!/bin/bash
TIMESTAMP=$(date +"%Y%m%d-%H%M")
BACKUP_DIR=~/vaultwarden/backups
DATA_DIR=~/vaultwarden/data
tar -czf $BACKUP_DIR/vaultwarden-$TIMESTAMP.tar.gz -C $DATA_DIR .
Make it executable:
chmod +x ~/vaultwarden/backup.sh
Run it manually or on a schedule with cron:
crontab -e
Add this line to back up daily at 2am:
0 2 * * * /home/pi/vaultwarden/backup.sh
Use External or Remote Storage
Don’t just back up to the same Pi. That’s like hiding your spare key inside your locked car.
Options:
- USB drive mounted at
/mnt/usb - NAS device over SMB or NFS
- Remote server via
rsync
Example with USB:
sudo mount /dev/sda1 /mnt/usb
cp ~/vaultwarden/backups/*.tar.gz /mnt/usb/
Verify and Test Your Backups
Every once in a while, try restoring your backup to a separate test container. That’s the only way to know your backup actually works.
Secure Remote Access
If you want to access Vaultwarden outside your home—say, from work or your phone while traveling—you’ll need to do it right. Exposing your Raspberry Pi to the internet without protection is asking for trouble. Here’s how to do it safely.
Dynamic DNS (DDNS)
Most home internet setups have a changing public IP address. That’s where DuckDNS comes in. It gives you a free domain name that always points to your current IP.
Steps:
- Sign up at duckdns.org
- Choose a subdomain (like
mypivault.duckdns.org) - Set up a cron job or systemd timer on your Pi to update it regularly:
mkdir ~/duckdns
cd ~/duckdns
nano duck.sh
Paste:
echo url="https://www.duckdns.org/update?domains=yourdomain&token=your-token&ip=" | curl -k -o ~/duckdns/duck.log -K -
Then make it executable:
chmod 700 duck.sh
And schedule it:
crontab -e
*/5 * * * * ~/duckdns/duck.sh >/dev/null 2>&1
Router Port Forwarding
Login to your router and forward:
- Port 443 → 443 on your Pi (HTTPS)
- Optional: Port 80 → 80 on your Pi (for Let’s Encrypt renewals)
Make sure your Pi has a static IP so this doesn’t break later.
Use a VPN Instead (Recommended)
If you’re paranoid (like me), set up a VPN instead of exposing Vaultwarden directly.
Install PiVPN on the same Raspberry Pi:
curl -L https://install.pivpn.io | bash
Choose WireGuard or OpenVPN. Then connect through the VPN and access Vaultwarden as if you’re on your home network.
It’s more secure and doesn’t need open ports on your firewall—just one.
Keeping the System Healthy
Your Vaultwarden setup is only as good as its long-term stability. A flaky container or overloaded Pi can quickly turn into a lockout disaster. Here’s how to keep your system running clean and steady.
Check Container Status
Make sure Vaultwarden is running:
docker ps
If it’s not listed, check logs:
docker-compose logs vaultwarden
Look for errors like permission issues, database locks, or port conflicts. Most of the time, a quick restart helps:
docker-compose restart
Use Restart Policies
You don’t want to manually restart Vaultwarden after a reboot or crash. In your docker-compose.yml, you should already have:
restart: unless-stopped
That brings the container back up automatically unless you intentionally shut it down.
Enable System Monitoring
Install htop to keep an eye on memory and CPU usage:
sudo apt install htop -y
htop
If Vaultwarden starts using too much memory, you might have a memory leak or too many clients syncing at once.
For more detailed monitoring, try:
- Netdata for real-time system stats
- Prometheus + Grafana for dashboards (if you’re fancy)
Enable Email Alerts
Vaultwarden supports SMTP settings to notify you of failed logins or new devices. Set this up in the admin panel using your SMTP provider credentials (like Gmail, Mailgun, or your own SMTP relay).
Monitor SSL Expiry
Let’s Encrypt certs expire every 90 days. If you’re using Certbot with cron or systemd timers, test the renewal:
sudo certbot renew --dry-run
You don’t want to find out your cert expired the hard way.
Updating Vaultwarden Safely
Vaultwarden updates often include security patches, performance boosts, and new features. Since you’re running it in a Docker container, updates are fairly painless—but you still want to do them right.
Step 1: Pull the Latest Image
This downloads the newest version of Vaultwarden without touching your current container:
docker pull vaultwarden/server:latest
Step 2: Stop the Running Container
Bring the container down cleanly:
docker-compose down
This doesn’t delete any data. It just stops the service.
Step 3: Start with the Updated Image
Spin it back up using the updated image:
docker-compose up -d
You’re now running the latest version. Your data volume (./data) remains untouched.
Optional: Verify the Update
Log in to the admin page and check the version number at the bottom. You can compare it with the official release notes.
Step 4: Roll Back (If Needed)
If something breaks:
- Stop the container again
- Edit the
docker-compose.ymlto point to an older image tag (likevaultwarden/server:1.29.2) - Start it back up
That’s the nice part about containers: you don’t nuke your setup every time there’s a version bump.
Troubleshooting Vaultwarden
Even with a clean setup, things can go sideways. Here’s how to diagnose and fix common problems without pulling your hair out.
Container Doesn’t Start
Run:
docker-compose logs
Common errors:
- Port conflict: Something else is using port 80 or 443
- Volume permission issue: Fix it with
sudo chown -R $USER:$USER ./data - Syntax error in docker-compose.yml: YAML is picky—spaces, not tabs
Admin Page Is Inaccessible
- Double-check that
ADMIN_TOKENis set - Try accessing from a private browser window
- Restart the container:
docker-compose down
docker-compose up -d
Database Locked
Vaultwarden uses SQLite, which can get locked if two processes access it at once. Usually, it resolves on its own. If not:
- Make sure no backup is running
- Check for leftover
.db-walor.db-shmfiles - Restart the container
SSL Certificate Issues
If your site says “Not Secure”:
- Confirm your domain resolves to your Pi’s IP
- Check that port 443 is forwarded in your router
- Run a manual certbot renew:
sudo certbot renew --force-renewal
Can’t Log In After Restart
Your admin token or environment settings may have changed. Look in your docker-compose.yml, and make sure you didn’t accidentally erase the volumes directory. Your login data is stored in:
./data/db.sqlite3
If that’s gone, you’re restoring from backup.
Comparing Other Solutions
If you’re going through all this setup, you’ve probably looked at other password managers. Here’s how Vaultwarden on Raspberry Pi stacks up against the usual suspects.
Vaultwarden vs Bitwarden Cloud
| Feature | Vaultwarden (Self-hosted) | Bitwarden Cloud |
|---|---|---|
| Control | Full | Limited to account |
| Cost | Free | Subscription required |
| Data storage | Local | Hosted remotely |
| Setup complexity | Medium | None |
| Updates | Manual | Automatic |
Bitwarden Cloud is easier and managed for you—but you’re trusting a third party with your entire password database. Some folks are fine with that. Others prefer to keep things in their own hands.
Vaultwarden vs KeePassXC
| Feature | Vaultwarden | KeePassXC |
|---|---|---|
| Browser integration | Yes | Add-ons only |
| Syncing | Built-in (via browser) | Manual or with Syncthing |
| Web UI | Yes | No |
| Multi-user support | Yes | No |
KeePassXC is awesome if you’re just managing your own passwords on one or two devices. But if you want syncing, sharing, or browser-based access, Vaultwarden wins.
Why Use a Raspberry Pi?
You could run Vaultwarden on a full-blown PC or cloud server. But:
- Pi uses almost no power
- Costs less than $50
- Runs headless 24/7
- Easy to replace or rebuild
It’s just a good fit for this kind of quiet, persistent service.
Ongoing Maintenance Tips
Keeping your Vaultwarden on Raspberry Pi setup running smoothly isn’t a full-time job, but you should check in once in a while. Here’s what to keep on your radar.
Check for Image Updates Regularly
Every few weeks, run:
docker pull vaultwarden/server:latest
Follow it with a container restart. Even if nothing breaks, new features and security patches show up often.
System Updates
Keep the Raspberry Pi OS current:
sudo apt update && sudo apt upgrade -y
Set a monthly reminder. Old packages are how exploits sneak in.
Backup Schedule
Verify your backup script is:
- Running automatically (via cron)
- Producing files with today’s date
- Storing them somewhere safe (USB, cloud, NAS)
Do a test restore every few months just to make sure you’re not saving garbage.
Rotate Tokens and Passwords
- Change your
ADMIN_TOKENoccasionally - Rotate master passwords if you’ve reused one
- Replace recovery codes if you’ve printed them and lost them in a drawer somewhere
Prune Docker Images and Logs
Save disk space with:
docker image prune -a
docker volume prune
Log files can grow too. Clean them out or use logrotate for automation.
Final Thoughts
Running Vaultwarden on a Raspberry Pi is one of those setups that starts small and ends up being a core part of your home network. You’re not just storing passwords—you’re claiming control over them. No ads, no cloud sync surprises, no subscriptions.
It’s not hard, but it does take some patience. You learn Docker, deal with HTTPS certificates, maybe wrestle with a firewall. But what you get in return is a fast, secure, and private password manager that’s always there when you need it—and one you actually own.
It’s not for everyone. If you don’t want to patch your own software or read a log file now and then, Bitwarden’s hosted plan might make more sense. But if you like knowing where your data lives, how it’s protected, and who can touch it—this project’s a no-brainer.
FAQ
Q: Can I use Vaultwarden without Docker?
A: Yes, but Docker makes updates and isolation much easier, especially on Raspberry Pi. Without it, you’ll need to manage Rust builds and dependencies manually.
Q: Is Vaultwarden safe for sensitive data?
A: Yes, it uses strong encryption (AES-256, Argon2, HTTPS). Just be sure to keep it updated, use a strong master password, and enable 2FA.
Q: What happens if my Pi dies?
A: If you’ve been running backups of your data directory, you can restore everything on a new device quickly. No backup = starting over.
Q: Can I use Vaultwarden with the Bitwarden mobile app?
A: Yes, all official Bitwarden clients (web, desktop, mobile, browser) work with Vaultwarden. Just point them to your Pi’s domain/IP.
Q: Is this setup suitable for teams or businesses?
A: Technically yes, but for more than a few users, you’d want more power than a Pi and better reliability measures like RAID storage and offsite backups.
