How to host your own Password Manager vault for free (or on a budget): Vaultwarden!

Let's be real, you have way too many passwords to remember. While services like LastPass or 1Password are great, why pay a subscription when you can get the ultimate in privacy and control by hosting your own?
We're going to set up Vaultwarden, a super lightweight, open-source, Bitwarden-compatible server that you can run locally in a virtual machine on your own PC, or on a cheap virtual private server (VPS). In the end it will cost you WAAAAY less (~ €3/mo for unlimited users) than up to €8.50 per user per month (LastPass).
Step 1: Get Your Server Ready
First things first. SSH into your server.
While not required (the system only auto-updates the packages a new install depends on), it's always a good idea to keep your server up to date. You can refer to this article on how to keep your systems updated automatically (the safe way).
For Debian/Ubuntu systems:
sudo apt update && sudo apt upgrade -y
For RHEL/CentOS/Rocky Linux systems:
sudo dnf update -y
Step 2: Get Docker Installed
We're going to use Docker because it keeps things clean and simple. The easiest way to get it on pretty much any Linux system is with their official script.
# This script handles setup for Debian and RHEL-based systems
curl -sSL https://get.docker.com/ | sh
# Now, let's start it up and make sure it runs on boot
sudo systemctl start docker
sudo systemctl enable docker
You'll also need the Docker Compose plugin, which lets us use simple config files.
For Debian/Ubuntu systems:
sudo apt-get install docker-compose-plugin -y
For RHEL/CentOS/Rocky Linux systems:
sudo dnf install docker-compose-plugin -y
Step 3: Install Vaultwarden
Okay, now for the fun part. Getting Vaultwarden itself up and running is surprisingly easy.
First, let's make a folder for it so our files aren't all over the place.
mkdir vaultwarden
cd vaultwarden
Now, we'll create a docker-compose.yml file. This is just a simple text file that tells Docker what to do.
nano docker-compose.yml
Paste this block of text in. It tells Docker to grab the latest Vaultwarden image, keep it running, save its data in a folder called vw-data, and open up a port for it.
version: '3'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    volumes:
      - ./vw-data:/data          # all vault data lives here; back this folder up
    ports:
      # Bound to loopback only: Nginx (Step 4) talks to it on 127.0.0.1:8080,
      # and nothing outside the server can reach the plain-HTTP port directly.
      # Without the 127.0.0.1 prefix Docker publishes the port on every interface.
      - '127.0.0.1:8080:80'
Save and close the file (Ctrl+X, then Y, then Enter).
Now, just tell Docker to fire it up!
sudo docker compose up -d
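As an added example (not part of the original post), here is a small shell helper that writes a hardened version of the compose file: the container's HTTP port is bound to loopback so only Nginx can reach it, DOMAIN is set so Vaultwarden builds correct links, and SIGNUPS_ALLOWED can be flipped off once your own account exists. The hostname vault.example.com and the file location are assumptions; DOMAIN, SIGNUPS_ALLOWED and ADMIN_TOKEN are real Vaultwarden environment variables.

```shell
#!/bin/sh
# Added example: write a hardened docker-compose.yml for Vaultwarden.
# Usage: sh vw-compose.sh write ./vaultwarden https://vault.example.com true
#        (create your account, then rerun with "false" and `docker compose up -d`)

write_compose() {
    # $1 = directory, $2 = public URL of the vault (assumed placeholder),
    # $3 = "true" while you create your own account, "false" afterwards
    dir="$1"; domain="$2"; signups="${3:-false}"
    cat > "$dir/docker-compose.yml" <<EOF
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      # Vaultwarden builds invite links and attachment URLs from this value
      DOMAIN: "$domain"
      # false = nobody can register a new account on your instance
      SIGNUPS_ALLOWED: "$signups"
      # The /admin panel stays disabled unless a token is set; add one only if needed
      # ADMIN_TOKEN: "REPLACE_ME_WITH_A_LONG_RANDOM_VALUE"
    volumes:
      - ./vw-data:/data
    ports:
      # Loopback only: Nginx proxies to 127.0.0.1:8080. Without the prefix,
      # Docker publishes the port on every interface, with its own iptables
      # rules that sit ahead of ufw, so the vault would answer plain HTTP
      # straight from the internet.
      - "127.0.0.1:8080:80"
EOF
}

# Returns 0 only when the file binds the port to loopback and signups are off
check_compose() {
    f="$1/docker-compose.yml"
    grep -q '"127.0.0.1:8080:80"' "$f" || return 1
    grep -q 'SIGNUPS_ALLOWED: "false"' "$f" || return 1
    return 0
}

case "${1:-}" in
    write)
        write_compose "${2:-.}" "${3:-https://vault.example.com}" "${4:-false}"
        if check_compose "${2:-.}"; then
            echo "docker-compose.yml written (locked down)"
        else
            echo "docker-compose.yml written (signups still open; rerun with false later)"
        fi
        ;;
esac
```

Run it with "true" for the first start, create your account through the web vault, then run it again with "false" and `sudo docker compose up -d` so the container picks up the new environment.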
Step 4: Don't Skip This! (Making it Secure)
Okay, this next part is super important. You absolutely cannot run a password manager over an unencrypted connection. That's just asking for trouble. We need to set it up with a proper domain name and an SSL certificate so everything is locked down with HTTPS.
A. Point Your Domain
Grab a domain if you don't have one. It's cheap and easy with any domain registration service. Then, hop into your DNS settings and create an 'A' record. Point a subdomain like vault.yourcoolname.com to your server's IP.
B. Install Nginx
We'll use Nginx as a reverse proxy. Think of it as a traffic cop that takes all the requests coming to your domain and securely forwards them to the Vaultwarden app running inside Docker.
For Debian/Ubuntu systems:
sudo apt install nginx -y
For RHEL/CentOS/Rocky Linux systems:
sudo dnf install nginx -y
C. Set up the Nginx Config
Let's create a config file for our vault site.
sudo nano /etc/nginx/sites-available/vaultwarden.conf
Paste this in, but make sure to change vault.yourdomain.com to whatever subdomain you're using.
server {
    listen 80;
    server_name vault.yourdomain.com;   # change this to your own subdomain

    location / {
        # hand every request to the Vaultwarden container published on localhost
        proxy_pass http://127.0.0.1:8080;
        # pass the original host, client IP and scheme through so Vaultwarden
        # logs real client addresses and builds correct links
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Now, we just need to enable that config.
sudo ln -s /etc/nginx/sites-available/vaultwarden.conf /etc/nginx/sites-enabled/
D. Get a Free SSL Certificate
We'll use Certbot to get a free SSL cert from Let's Encrypt. It's awesome.
For Debian/Ubuntu systems:
sudo apt install certbot python3-certbot-nginx -y
For RHEL/CentOS/Rocky Linux systems:
sudo dnf install certbot python3-certbot-nginx -y
Now run Certbot and let it do its magic. It'll automatically find your Nginx config and handle everything.
sudo certbot --nginx
Just follow the prompts, and you'll be all set. You can now go to https://vault.yourdomain.com and create your account.
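Before you put real passwords in, it's worth checking that the setup actually behaves the way Step 4 intends. The script below is an added example, not from the original post: it parses `ss` output to confirm that Vaultwarden's plain-HTTP port is only bound to loopback, runs the Nginx syntax check, and uses curl and openssl to confirm the HTTP-to-HTTPS redirect and the certificate dates. The hostname vault.example.com is a placeholder, and the live checks assume `ss`, `nginx`, `curl` and `openssl` are installed on the server.

```shell
#!/bin/sh
# Added example: post-install checks for the Nginx + Vaultwarden setup.
# Usage: sh vw-check.sh vault.example.com   (hostname is a placeholder)

# Reads `ss -H -ltn` output on stdin and prints every listening socket on
# PORT that is bound to something other than loopback. Returns 1 if any exist.
exposed_listeners() {
    port="$1"
    awk -v port="$port" '
        {
            # column 4 is "local-address:port"; the port follows the last colon
            n = split($4, parts, ":")
            p = parts[n]
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p == port && addr != "127.0.0.1" && addr != "[::1]") {
                print $4
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }'
}

live_checks() {
    host="$1"

    echo "== Vaultwarden port 8080 must not be reachable from outside =="
    if ss -H -ltn | exposed_listeners 8080; then
        echo "ok: 8080 is bound to loopback only"
    else
        echo "FAIL: 8080 is published on a non-loopback address above;"
        echo "      use '127.0.0.1:8080:80' in docker-compose.yml and restart"
    fi

    echo "== Nginx configuration syntax =="
    sudo nginx -t

    echo "== Plain HTTP must redirect to HTTPS =="
    # certbot --nginx adds the redirect; expect 301 and an https:// target
    curl -sS -o /dev/null -w 'HTTP %{http_code} -> %{redirect_url}\n' "http://$host/"

    echo "== HTTPS answers and the certificate is current =="
    curl -sS -o /dev/null -w 'HTTPS status %{http_code}\n' "https://$host/"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -dates
}

if [ -n "${1:-}" ]; then
    live_checks "$1"
fi
```

If the HTTP check still shows the default Nginx page on a RHEL-family host, bear in mind that its packaged nginx.conf includes /etc/nginx/conf.d/*.conf rather than /etc/nginx/sites-enabled/, so the server block needs to live there.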
If messing with Nginx configs on the command line isn't your cup of tea, you can try using one of our tools to make your life (a little bit) easier:
And that's it! Go create your account and start using your very own private, secure password manager.
Enjoy!


Comments
Feel like there's some Markdown that should not be there. :P
(also, the Cloudflare protection did not let me comment with the full command, goddamn)
EDIT:
Also missing a space there.
You do know LET uses nofollow, right? So SEO won't go up.
Good guide though
Yeah... I'm not the best of friends with Markdown syntax, and I use bbcode2markdown converters. Those always screw up the links.
I do not place links for SEO. I could easily say: Go on our site and see, in the footer, you have links to our tools. But I find it more practical to put a link.
Fixed. Haters will say AI screwed it up.
Depending on the use case, I would have put it behind anything like CF but since I hate centralized services, I would suggest something like pangolin, WG or headscale. Also, make sure you add nginx repos and pin them, so that with every apt upgrade you will get the latest version of nginx. Same with caddy should you decide to use it. And potentially something like email logs app.
Well... yeah, you could do a lot more once there. You could even install a modsecurity module for nginx if you want to make it just a little bit more secure.
I personally would go against 3rd party proxy services (like CF you mentioned) just because:
1) It will help with almost nothing in this situation
2) will add a 3rd party to process your transmitted data (yes, I know it's encrypted - but are you going to trust just this convention?!)
Me too but people here love CF for some reason.
Meh... People here like to get scammed with 22k via crypto also.
We should not do bad things tho'.
I've never been brave enough to self-host a pw manager. I used to swear by a local KeePass database, but dealing with multi-device sync is a pain, so now I use bw official. Email, 2FA and pw manager are the 3 things I felt more comfortable letting an experienced cloud provider handle.
So you have more trust in a 3rd party service (like lastpass) to host it for you? Livin' on a prayer.
Obviously not the freakin' LastPass with their multiple noob breaches over the years. Bitwarden is what I trust. FOSS, audited, generous free plan. I also segregate passwords in Bitwarden from TOTP 2FA in Ente Auth. Some people like to store TOTP 2FA in their pw manager for convenient autofill, but I like to segregate: worst case scenario, Bitwarden gets breached à la LastPass and they only get the passwords, not the 2FA.
Well... I guess it's a matter of personal preference. I would rather self-host on a private LAN (+ multiple encryption layers & wireguard/ovpn) than on a public service, even if that service is Bitwarden.
Yep all depends on threat model, technical ability and time spent. I would be a literal threat to myself if I'm to selfhost a pw manager lol. Plus don't have time to tinker anymore nowadays. If people got the ability and the time to setup and secure their own pw manager instances, sure more power to them but I'm too inexperienced and lazy.
Just a question that spawned in my mind from your reply:
If we (or other providers) were to offer a multi-layer encryption VPS ready to host Vaultwarden in a more secure (compared to default) way, would such a service be of interest to you?
PEN and PAPER is the best VAULT !
KeePassXC/KeePassDX + Syncthing all the way
Compared to LastPass, or whatever random cloud password manager out there, maybe. But since Bitwarden exists I just don't see using anything else. I really, really hold Bitwarden Inc. to a super high standard. They've got millions of users, years of experience handling abuse by the general internet, FOSS code audited yearly, thousands of stars on their GitHub repo watching every byte of their commits. If they fck up I guess my trust in cloud password managers would be destroyed forever and I'd just go back to local KeePass.
I would like to thank the municipality for making people and businesses sort their garbage, so dumpster diving for passwords is no longer a health risk.
Anyway, while I seem to shill for Bitwarden, I don't 100% depend on their cloud instance. Nowadays I prefer cloud offerings over self-hosted or local, but I don't 100% rely on them always being up and running; I still practice the 3-2-1 backup policy. If Bitwarden goes down, I get banned, I lose access to my account or whatever, I'll just import my backup copy. 1 copy is just 1 source of failure regardless of whether it's cloud, self-hosted, or local. All my important data always has 3 copies on 2 different media with 1 offsite to minimise fuckups.
I have Vaultwarden running on a €1/month, (1c1g), VPS and that seems to be more than enough resources for it to run on Debian.
I also only have it bound to a Wireguard tunnel, rather than exposing it directly to the internet, with SSH only accessible via a jump box, and I'd trust my setup far more than any of the commercial services.
The main risk I can see is the Provider, but I just assume that stealing my passwords isn't worth the harm it could do to their business, (because they're very well-established), so I'm not really worried about that happening.
The critical thing is to take regular backups and keep them in a secure location, (ideally encrypted and offline), because whilst I'm certain my provider won't ever steal my passwords, I'm not naive enough to believe they wouldn't accidentally delete the entire VPS with a node failure or whatever.
Well,
1) You can always set up extra OS encryption to avoid the provider peeping around
2) If you use Bitwarden client for browser/local PC app, you already have a backup. You just sign up with a new server and it will re-sync everything up. However, extra backup won't hurt, as history showed.
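Both of the last two comments come back to backups, and the client-side cache is not a substitute for a copy of the server data (organisations, attachments and sends only live on the server). As an added example, not from the post or from the Vaultwarden project, here is a backup script for the vw-data folder used in the compose file above. It snapshots the SQLite database consistently while the container keeps running, bundles the rest of the data folder, optionally encrypts the archive for a GPG key, and writes a checksum. The file names it picks up (db.sqlite3, attachments, sends, rsa_key.pem, rsa_key.pub.pem, config.json) are assumptions about the default data layout; the output path and GPG recipient are placeholders.

```shell
#!/bin/sh
# Added example: consistent, optionally encrypted backup of a Vaultwarden data dir.
# Usage: sh vw-backup.sh backup ./vw-data /var/backups/vaultwarden [gpg-recipient]

# Snapshot the live SQLite database. A plain cp of db.sqlite3 while Vaultwarden
# is running can capture a half-written page; sqlite3's .backup command takes a
# consistent copy without stopping the container.
snapshot_db() {
    src="$1"; dst="$2"
    if command -v sqlite3 >/dev/null 2>&1; then
        sqlite3 "$src" ".backup '$dst'"
    else
        # no sqlite3 on the host: fall back to a plain copy and say so
        echo "warning: sqlite3 not found, copying the database file directly" >&2
        cp "$src" "$dst"
    fi
}

# Write a checksum file next to the archive (sha256sum on Linux, shasum elsewhere)
write_checksum() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" > "$1.sha256"
    else
        shasum -a 256 "$1" > "$1.sha256"
    fi
}

# make_backup DATA_DIR OUT_DIR [GPG_RECIPIENT]; prints the path of the archive
make_backup() {
    data="$1"; out="$2"; recipient="${3:-}"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    work=$(mktemp -d)
    mkdir -p "$out"

    snapshot_db "$data/db.sqlite3" "$work/db.sqlite3"

    # The rest of /data is plain files (assumed layout): attachments and sends are
    # only stored server-side, the RSA key pair signs login tokens (restoring it
    # keeps existing sessions valid) and config.json holds admin-panel settings.
    for item in attachments sends rsa_key.pem rsa_key.pub.pem config.json; do
        if [ -e "$data/$item" ]; then
            cp -a "$data/$item" "$work/"
        fi
    done

    archive="$out/vaultwarden-$stamp.tar.gz"
    tar -C "$work" -czf "$archive" .
    rm -rf "$work"

    if [ -n "$recipient" ]; then
        # encrypt for the named GPG key and remove the plaintext archive
        gpg --batch --yes --encrypt --recipient "$recipient" "$archive"
        rm -f "$archive"
        archive="$archive.gpg"
    fi

    write_checksum "$archive"
    echo "$archive"
}

case "${1:-}" in
    backup) make_backup "$2" "$3" "${4:-}" ;;
esac
```

Run it from cron or a systemd timer, then copy the resulting archive somewhere the VPS cannot reach on its own (an offline disk or a second provider), which is the "secure location" the comment above is asking for. To restore, stop the container, unpack the archive into an empty vw-data folder and start it again.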
KeePassXC / KeePass2Android / Dropbox (free tier) works for me.
I am doing my own backups of the folder with .kdbx files, in addition to Dropbox backups.
Bear in mind that the login data, including passwords, is encrypted/decrypted in the client (desktop app or browser); the VW server never sees plaintext, so there's nothing for the provider to steal. Assuming strong master passwords, you could give public read-only access to your VW database with little risk.
The only risk of self hosting is that the provider 'could' install a back-doored version of the web vault for when you access the vault directly in the browser, but that requires some serious intent on their part.
100% agreed.
That's the way