TL;DR
Self-hosted Vaultwarden in 2026:
- Sizing: ~50 MB RAM, <5 GB disk. Runs on the smallest VPS available.
- Best provider: HostHatch IS entry tier (~$2/mo) — overkill for what Vaultwarden needs.
- Install: Docker container, 5 minutes. Pair with Caddy for auto-Let’s-Encrypt.
- Compatible with all Bitwarden clients (web, desktop, mobile, browser extensions).
Why self-host Vaultwarden
Bitwarden’s official hosted service is fine for most users, but self-hosting gives you:
- Your password vault is not on someone else’s server. Even with end-to-end encryption, the metadata (which sites you have credentials for, when you access them) is server-visible.
- No vendor lock-in / shutdown risk. Bitwarden could change pricing, terms, or get acquired.
- Premium features for free. Vaultwarden enables all paid Bitwarden features at no cost.
- Operate over Tor. A self-hosted vault can be onion-only, accessible only from your authenticated devices.
Step-by-step
1. Provision
The smallest available VPS is more than enough. HostHatch IS entry at $2/mo (annual prepay) is the recommended pick. BuyVM Luxembourg Slice at $2/mo also works.
Follow /guides/anonymous-vps-monero.
2. Install via Docker Compose
```yaml
# docker-compose.yml
services:
  vaultwarden:
    image: vaultwarden/server:latest
    restart: always
    environment:
      DOMAIN: "https://vault.yourdomain.com"
      SIGNUPS_ALLOWED: "false" # set to true initially, then false after creating your account
      ADMIN_TOKEN: "long-random-string-here"
    volumes:
      - ./vw-data:/data
    ports:
      - "127.0.0.1:8080:80"
  caddy:
    image: caddy:latest
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./caddy_data:/data
```
Create Caddyfile:
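```
vault.yourdomain.com {
    # Inside the Caddy container, localhost is the container itself;
    # reach Vaultwarden by its Compose service name instead.
    reverse_proxy vaultwarden:80
}
```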
Start:
```sh
docker compose up -d
```
3. First-time setup
- Visit `https://vault.yourdomain.com`.
- Create your account (with `SIGNUPS_ALLOWED=true`).
- Once registered, set `SIGNUPS_ALLOWED=false` and restart.
- Enable two-factor authentication: Settings → Two-step Login → Authenticator App.
- Generate a backup of your master encryption key.
4. Connect clients
All Bitwarden clients work with Vaultwarden — just point the server URL to your domain:
- Bitwarden browser extension: Settings → Self-hosted → Server URL → `https://vault.yourdomain.com`.
- Bitwarden mobile / desktop: same setting in the app.
- CLI: `bw config server https://vault.yourdomain.com`.
5. Hardening
- Disable signup after creating your account (`SIGNUPS_ALLOWED=false`).
- Enable 2FA for your account and admin panel.
- Restrict admin panel access by IP allowlist or via Tor onion.
- Backup: regular `tar` of `vw-data/` to a different offshore VPS.
- Disable web vault if you only use clients (`WEB_VAULT_ENABLED=false`).
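The settings in this list can be checked mechanically before each restart. The script below is an added example, not part of the original guide or of Vaultwarden: a line-based audit of the compose file from step 2. The function names, the 32-character token minimum, and the treatment of host port 8080 as Vaultwarden's port are assumptions taken from this guide's layout.

```python
import re

PLACEHOLDER = "long-random-string-here"  # placeholder token from this guide's compose file
MIN_TOKEN_LEN = 32                       # assumed minimum length, not a Vaultwarden rule

# Constructed sample: the vaultwarden service from this guide, left unedited.
SAMPLE = """\
services:
  vaultwarden:
    environment:
      DOMAIN: "https://vault.yourdomain.com"
      SIGNUPS_ALLOWED: "false"  # set to true initially, then false
      ADMIN_TOKEN: "long-random-string-here"
    ports:
      - "127.0.0.1:8080:80"
"""

def parse_compose(text):
    """Line-based read of this guide's compose layout (not a YAML parser)."""
    env, ports = {}, []
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).strip()  # drop trailing comments
        m = re.match(r"([A-Z][A-Z0-9_]*):\s*(.*)$", line)
        if m:  # upper-case keys are environment variables
            env[m.group(1)] = m.group(2).strip("\"'")
        m = re.match(r"-\s*[\"']?((?:[\d.]+:)?\d+:\d+)[\"']?$", line)
        if m:  # published port mapping such as 127.0.0.1:8080:80
            ports.append(m.group(1))
    return env, ports

def audit(text):
    """Return a list of findings for the hardening items in step 5."""
    env, ports = parse_compose(text)
    findings = []
    if env.get("SIGNUPS_ALLOWED", "true").lower() != "false":
        findings.append("SIGNUPS_ALLOWED is not false")
    token = env.get("ADMIN_TOKEN", "")
    if token and (token == PLACEHOLDER or len(token) < MIN_TOKEN_LEN):
        findings.append("ADMIN_TOKEN is the placeholder or too short")
    if not env.get("DOMAIN", "").startswith("https://"):
        findings.append("DOMAIN is not an https:// URL")
    for mapping in ports:
        parts = mapping.split(":")
        # host port 8080 is Vaultwarden in this guide; it must stay on loopback
        if parts[-2] == "8080" and parts[0] != "127.0.0.1":
            findings.append(f"port {mapping} is published beyond loopback")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FAIL:", finding)
```

To audit a real deployment, pass the contents of `docker-compose.yml` to `audit()`; an empty list means none of these checks failed.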
Tor-only deployment
For maximum privacy, run Vaultwarden as an onion-only service:
- Don’t expose ports 80/443 to clearnet.
- Configure Tor with `HiddenServicePort 80 127.0.0.1:8080`.
- Use the `.onion` URL in your Bitwarden client (works with Tor Browser; mobile clients need Orbot).
Trade-off: slower initial sync; no fast push notifications.
Cost
| Component | Cost |
|---|---|
| HostHatch IS entry | $2 / month |
| Domain (Njalla .com) | $1.25 / month |
| Total | ~$3 / month |
Compare to Bitwarden Premium ($10/year for individual) or Bitwarden Families ($40/year for 6 users). Self-hosting wins on long-term cost for families and on data sovereignty for everyone.