Security & Privacy

Vaultwarden Docker Compose: The Ultimate Self-Hosting Guide

J
James Eriksson
··15 min read
Step-by-step guide to deploying Vaultwarden with Docker Compose. Learn to set up SSL, manage backups, and configure your private password vault. Deploy now!
TL;DR
  • Docker Compose provides a structured, code-based way to deploy and manage Vaultwarden.
  • A reverse proxy like Caddy is essential for handling SSL (HTTPS) and WebSocket synchronization.
  • Persistent data must be stored in Docker volumes to prevent data loss during updates.
  • Security hardening involves disabling public signups and restricting access to the admin panel.
  • Regular offsite backups of the SQLite database are critical for a reliable self-hosted setup.

Deploying Vaultwarden using Docker Compose is the most reliable way to maintain a secure, private password management system on your own infrastructure. This method allows you to define your entire environment in a single YAML file, ensuring that your database, application logic, and reverse proxy work in perfect harmony. By self-hosting, you regain control over your most sensitive credentials while maintaining the seamless synchronization features that make Bitwarden-compatible clients so popular among power users.

Why Deploy Vaultwarden with Docker Compose?

Using Docker Compose for your Vaultwarden deployment streamlines configuration, dependency management, and updates for complex, multi-container setups. Instead of running long, error-prone terminal commands every time you want to start or update your server, Compose allows you to store your configuration as code. This infrastructure-as-code approach means you can version-control your setup, move it to a new server in minutes, and ensure that all environment variables are consistently applied across restarts.

Beyond simple convenience, Docker Compose provides a structured way to manage the relationship between Vaultwarden and its supporting services. For example, a production-ready vault requires a reverse proxy like Caddy or Nginx to handle HTTPS encryption. By defining both Vaultwarden and Caddy in the same docker-compose.yml file, you can create an internal bridge network. This allows the containers to communicate securely without exposing the raw Vaultwarden port (usually 80 or 8080) to the public internet, which is a critical security best practice.

Furthermore, Compose simplifies the management of persistent data volumes. Since Docker containers are ephemeral by nature, any data stored inside them is lost when the container is deleted or updated. Docker Compose makes it easy to map specific directories on your host machine to the /data folder inside the Vaultwarden container. This ensures that your SQLite database, icon cache, and encrypted attachments remain safe and accessible even after you pull a newer version of the image. For users looking for a LastPass alternative, this level of control and reliability is paramount.

Finally, the Compose workflow is the industry standard for small-to-medium self-hosted deployments. It provides a clean "single source of truth" for your stack. If you ever need to troubleshoot why your SMTP settings aren't working or why WebSockets are failing, you only have one file to check. This readability makes it much easier for the community to provide support and for you to maintain the system over the long term without needing a degree in DevOps.

Prerequisites for a Successful Deployment

Before you begin the installation, you need to ensure your environment meets the necessary hardware and software requirements for a stable Vaultwarden instance. While Vaultwarden is written in Rust and is incredibly resource-efficient, it still requires a reliable Linux-based host. A virtual private server (VPS) with 1GB of RAM and 1 CPU core is more than enough to handle dozens of users, though you should ensure you have at least 10GB of free SSD storage to account for growing attachment libraries and database backups.

Software-wise, you must have Docker and Docker Compose installed on your host machine. Modern versions of Docker include the Compose plugin by default, accessible via the docker compose command (no hyphen). It is highly recommended to use a stable distribution like Ubuntu 22.04 LTS or Debian 12. You should also have a basic understanding of the Linux command line, specifically how to navigate directories, create files with editors like Nano or Vim, and manage file permissions. Security is a shared responsibility, so ensure your host's firewall is active and only allowing traffic on ports 22 (SSH), 80 (HTTP), and 443 (HTTPS).

A registered domain name is the final, non-negotiable prerequisite for a production setup. Vaultwarden, like the original Bitwarden, requires HTTPS to function correctly. Most modern browser extensions and mobile apps will refuse to connect to a password vault over an unencrypted HTTP connection or an IP address without a valid SSL certificate. You will need to create an 'A' record in your DNS provider's dashboard pointing your chosen subdomain (e.g., vault.example.com) to your server's public IP address. This allows your reverse proxy to automatically fetch and renew SSL certificates via Let's Encrypt.

If you find the technical overhead of managing your own VPS, Linux security updates, and DNS records to be daunting, you might consider a managed Vaultwarden solution. Professional hosting eliminates the burden of server maintenance while still giving you the privacy benefits of an isolated instance. However, if you are comfortable with the terminal, proceeding with the self-hosted route provides the ultimate level of technical freedom and cost savings.

Step-by-Step: Setting Up Your Docker Compose File

Setting up your docker-compose.yml file involves defining the Vaultwarden service, configuring its storage volumes, and mapping the necessary network ports. A standard file starts with the version declaration, followed by the services block. Inside this block, you specify the official vaultwarden/server:latest image. Using the latest tag is common for home labs, though pinning a specific version number is better for production environments to prevent unexpected breaking changes during automated updates.

Volumes are the most critical part of this configuration. You should map a local directory, such as ./vw-data, to /data inside the container. This /data folder houses the db.sqlite3 file, the attachments folder, and the config.json file. Without this mapping, your passwords would vanish every time you restarted the container. Additionally, you should set the restart: always or restart: unless-stopped policy. This ensures that if your server reboots due to a power outage or system update, the Vaultwarden service will automatically come back online without manual intervention.

Environment variables are used to customize Vaultwarden's behavior directly within the Compose file. Key variables include SIGNUPS_ALLOWED, which you should set to false after creating your initial account to prevent random strangers from using your server. You should also configure DOMAIN with your full URL (e.g., https://vault.yourdomain.com). This is essential for the server to generate correct links for invitation emails and password hints. For a self-hosted Bitwarden experience that matches the official cloud service, setting up these variables correctly is the difference between a broken install and a professional-grade tool.

Once your YAML file is ready, you initiate the deployment by running docker compose up -d. The -d flag runs the containers in detached mode, meaning they will continue to run in the background after you close your terminal session. You can monitor the progress by viewing the logs with docker compose logs -f. If everything is configured correctly, the logs will show the internal web server starting up on port 80. Note that while the container uses port 80 internally, you will likely keep it hidden behind a proxy rather than mapping it directly to your host's public port 80.

Configuring SSL and Networking for Security

Configuring a reverse proxy is the critical final step for securing your Vaultwarden instance and enabling HTTPS. A reverse proxy sits between the public internet and your Docker containers, acting as a gatekeeper that handles SSL termination. Caddy is the most popular choice for Vaultwarden users because it automatically manages SSL certificates via Let's Encrypt with zero configuration. Alternatively, Nginx Proxy Manager provides a user-friendly web interface for those who prefer not to edit configuration files manually.

The networking configuration must support WebSockets to ensure that real-time synchronization works across all your devices. When you change a password on your desktop, WebSockets allow the server to 'push' that update to your mobile phone immediately. Without proper WebSocket headers (like Upgrade and Connection), you will find yourself frequently needing to manually pull-to-refresh your vault. In a Docker Compose setup, you typically create a dedicated network (e.g., proxy-net) that both the Vaultwarden container and the reverse proxy container join, allowing them to communicate by service name instead of internal IP addresses.

Security hardening should also include limiting access to the /admin interface. Vaultwarden includes a powerful administrative portal where you can manage users and view server stats, but it is protected only by a token. You should generate a strong, random ADMIN_TOKEN and consider using your reverse proxy to restrict access to the /admin path to specific IP addresses or by adding an additional layer of basic authentication. This prevents brute-force attacks against your admin credentials even if a vulnerability is discovered in the software itself.

Finally, ensure that your Docker host is not leaking ports. By default, Docker may open ports in the system firewall via iptables. Always check that port 80 and 443 are handled by your proxy, and that the raw Vaultwarden port is only accessible via the internal Docker network. For users migrating due to LastPass pricing hikes, maintaining this level of security is vital to ensure that your move to a self-hosted solution doesn't result in a data breach caused by simple misconfiguration.

Managing Persistent Data and Backups

A robust strategy for managing persistent data and backups is what separates a hobbyist project from a production-ready password manager. Since Vaultwarden stores everything in a SQLite database by default, your backup procedure is relatively straightforward: you just need a consistent copy of that database file. However, simply copying the file while the server is running can lead to database corruption if a write operation is in progress. The safest way to backup is to use the SQLite .backup command or to briefly stop the container before copying the data directory.

Your backup routine should follow the 3-2-1 rule: three copies of your data, on two different media, with at least one copy offsite. You can automate this using a simple shell script and a cron job. The script should compress the /vw-data directory into a timestamped .tar.gz file and then use a tool like rclone to upload that archive to a secure cloud storage provider like AWS S3, Backblaze B2, or even a private Nextcloud instance. Encrypting these backups before they leave your server adds an extra layer of security, ensuring that even if your cloud storage is compromised, your encrypted vault remains unreadable.

Attachments and organization logos are stored as flat files in the attachments and icons subfolders. While these are less critical than the database itself, losing them can be a major inconvenience, especially if you store important documents or SSH keys as attachments in your vault. Ensure your backup script includes the entire data volume, not just the SQLite file. If you are using the PostgreSQL or MariaDB backends instead of SQLite, you will need to use pg_dump or mysqldump to export your data before archiving it.

Regularly testing your backups is just as important as creating them. Once a month, try to spin up a temporary Vaultwarden instance on a different machine using your latest backup file. If you can log in and see your passwords, your backup strategy is working. This peace of mind is invaluable. For many users, the realization that they are responsible for their own data recovery is the biggest hurdle to self-hosting, which is why many eventually opt for managed services where daily offsite backups are handled automatically by the provider.

Essential Vaultwarden Environment Variables

Fine-tuning your Vaultwarden instance requires a deep dive into the environment variables that control its most advanced features. The SIGNUPS_ALLOWED variable is the most important for security; setting it to false prevents unauthorized users from creating accounts on your instance. If you need to invite family members later, you can either temporarily set this to true or use the Admin Interface to send direct invitation emails, which bypasses the general registration restriction.

SMTP configuration is another essential area. Without SMTP, your server cannot send email confirmations, password hints, or emergency access notifications. You will need to provide variables like SMTP_HOST, SMTP_FROM, SMTP_PORT, and SMTP_PASSWORD. It is highly recommended to use a transactional email service like Postmark, SendGrid, or Mailgun rather than a personal Gmail account, as these services offer better deliverability and are less likely to flag your automated vault emails as spam.

For those who want to maximize privacy, the ICON_CACHE_TTL and DISABLE_ICON_DOWNLOAD variables are worth investigating. By default, Vaultwarden downloads website icons from a central service to make your vault look better. If you don't want your server making external requests to identify which services you use, you can disable this feature entirely. Furthermore, setting DOMAIN correctly ensures that all internal links generated by the server use the HTTPS protocol, which is required for the vault to work with the Bitwarden browser extension and mobile applications.

Lastly, consider the ADMIN_TOKEN. This variable enables the /admin panel. Instead of a simple password, it is best to use a long, randomly generated string. You can also use an Argon2 hashed version of a password for even greater security, preventing the plain-text token from being visible in your docker-compose.yml file or ps command output. Properly configuring these variables ensures that your instance is not only functional but also hardened against common attack vectors and privacy leaks.

Maintenance: Updating and Monitoring Your Container

Maintaining a Vaultwarden instance is a low-effort task, but it shouldn't be ignored entirely. Docker makes the update process remarkably simple compared to traditional software installations. To update to the latest version, you simply run docker compose pull to download the newest images and then docker compose up -d to recreate the containers with the new code. Docker is smart enough to only restart the services that have updated images, minimizing downtime to just a few seconds.

Monitoring your container's health and logs is vital for spotting issues before they become outages. The docker compose logs -f vaultwarden command allows you to watch the server's output in real-time. You should look for errors related to database locks or SMTP failures. If you want a more visual approach, tools like Portainer or Dozzle provide a web-based dashboard for managing containers and viewing logs. For professional setups, integrating Vaultwarden with a monitoring stack like Prometheus and Grafana can provide alerts if the server goes offline or if memory usage spikes unexpectedly.

Pruning old Docker images is a housecleaning task that prevents your server's disk from filling up over time. Every time you update Vaultwarden, the old image remains on your system as a "dangling" image. Running docker image prune occasionally will reclaim this lost space. Be careful not to run docker system prune -a unless you are sure you want to delete all unused images, including those for other services you might be running on the same host.

Finally, keep an eye on the Vaultwarden GitHub repository for security advisories and major release notes. While the project is very stable, breaking changes do occasionally occur, especially regarding database migrations or changes to the Bitwarden API. By spending just five minutes a month on these maintenance tasks, you ensure that your password manager remains a fast, secure, and reliable tool for your digital life. If this cycle of manual updates feels like a chore, exploring a managed hosting plan can provide a "set it and forget it" experience with automated patching.

Frequently Asked Questions

Is it safe to run Vaultwarden with Docker Compose?

Yes, it is highly secure when configured correctly. By using Docker Compose, you can isolate the Vaultwarden service within a private network and use a reverse proxy to handle encrypted HTTPS traffic. As long as you disable public signups and use a strong admin token, your self-hosted instance is as secure as most commercial alternatives, with the added benefit that you own the underlying data.

Do I need a separate reverse proxy container?

While Vaultwarden has a built-in web server, using a separate reverse proxy like Caddy or Nginx is strongly recommended. A reverse proxy simplifies SSL certificate management (HTTPS) and correctly handles WebSockets, which are required for real-time syncing between your devices. It also allows you to run multiple services on the same server using different subdomains.

How do I backup my Vaultwarden data?

The most important file to back up is db.sqlite3 located in your mapped data volume. You should also back up the attachments and config.json files. The safest method is to stop the container or use the SQLite backup API to create a consistent snapshot of the database, then archive the entire directory and move it to an offsite location.

Can I run Vaultwarden without a domain name?

Technically, you can run Vaultwarden using only an IP address, but it is not recommended. Most Bitwarden clients (mobile apps and browser extensions) require a secure HTTPS connection to function. Obtaining a valid SSL certificate is significantly easier and more automated if you use a domain name with a reverse proxy like Caddy.

How do I update Vaultwarden?

Updating is a simple two-step process with Docker Compose. First, run docker compose pull to fetch the latest version of the image from Docker Hub. Then, run docker compose up -d to restart the container using the new image. Your data will remain intact because it is stored in a persistent volume outside the container.

Conclusion

Deploying Vaultwarden via Docker Compose offers the perfect balance of simplicity, security, and control for anyone looking to take charge of their password management. By following the steps outlined in this guide--from setting up your YAML file to configuring a secure reverse proxy and establishing a backup routine--you can build a professional-grade vault that rivals any commercial service. Self-hosting is a journey toward digital sovereignty, ensuring that your most private information remains under your own lock and key. However, if you prefer to skip the technical setup and server maintenance, you can always transition to a managed Vaultwarden service to get all the benefits of this powerful tool with none of the operational overhead.

Ready to Secure Your Passwords?
Get a production-ready Vaultwarden instance in seconds without the terminal hassle.
Deploy Now

Ready to self-host your own apps?

One server. Multiple apps. No per-app fees.

Get started →
Vaultwarden Docker Compose Guide: Secure Self-Hosting