
Self-hosting a free password manager: Vaultwarden

Bitwarden is an open-source password manager that helps individuals and organizations securely store, manage, and share sensitive information such as passwords, passkeys, and credit card details—all within an encrypted vault. While Bitwarden offers a robust free tier, premium features like TOTP (time-based one-time password) generation for two-factor authentication (2FA) are reserved for paid plans.

Bitwarden also offers a self-hosting option that includes its core password management features for free. However, this option comes with some notable limitations:

  • Certain advanced features still require a paid subscription.
  • Hardware requirements are relatively high, typically needing an x64 CPU and at least 2 GB of RAM.
  • This can be a barrier for enthusiasts or hobbyists who want to host it on low-power devices or can’t run servers 24/7.

Enter Vaultwarden


Vaultwarden is a lightweight, community-maintained, and fully self-hosted alternative that is API-compatible with official Bitwarden clients. Originally known as “bitwarden_rs”, it was designed to be much more resource-efficient while supporting nearly all Bitwarden features—including many of the paid ones—for free.

Key advantages of Vaultwarden:

  • Low hardware requirements: Runs smoothly on devices like Raspberry Pi, Synology DiskStation, or other minimal setups.
  • Easy to deploy using Docker.
  • Fast, reliable, and regularly updated by the community.

Deploying Vaultwarden with Docker on Raspberry Pi


In this guide, I’ll show you how to install and configure Vaultwarden on a Raspberry Pi using Docker. We’ll also cover how to make it accessible over the internet using a Cloudflare Tunnel, so you can securely access your password vault from anywhere. I am going to assume that Docker is already installed and that you have a basic idea of Docker commands.

First, let’s create a Docker network and the needed directories.


sudo docker network create --subnet=10.5.0.0/16 net_localapps
sudo docker network list
# -p creates missing parent directories and does not fail if the directory already exists
sudo mkdir -p /var/log/vaultwarden
sudo mkdir -p /mnt/docker/vaultwarden/

Next, let’s add a logrotate config; this is completely optional. Add the following to /etc/logrotate.d/vaultwarden

/var/log/vaultwarden/*.log {
  # Run as root (default), since logs are owned by root
  daily
  size 5M
  compress
  rotate 4
  copytruncate
  missingok
  notifempty
  dateext
  dateformat -%Y-%m-%d-%s
}

Next, we need to generate a hash of your admin password. Vaultwarden’s admin panel token should be stored hashed, so that someone who can read your environment variables or config cannot easily recover or misuse it. Run the following command; it prints a hash that we will need in the next step.

sudo docker run --rm -it vaultwarden/server:latest /vaultwarden hash

It will prompt you to enter a password (your desired admin token):

Admin token (hidden input):
Re-enter admin token:
Hashed token:
$argon2id$v=19$m=19456,t=2,p=1$….

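Now, let’s use this hash to launch our Vaultwarden Docker container. Keep the single quotes around the ADMIN_TOKEN value: the hash contains $ characters, and single quotes stop the shell from expanding them.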

sudo docker run -d --name bitwarden --restart=always \
  -v /mnt/docker/vaultwarden/:/data/ \
  -v /var/log/vaultwarden:/data/logs/ \
  -e TZ=Asia/Kolkata \
  -e LOG_LEVEL=error \
  -e LOG_FILE=/data/logs/access.log \
  -e EXTENDED_LOGGING=true \
  -e ADMIN_TOKEN='<ADD_YOUR_ADMIN_TOKEN>' \
  --net net_localapps --ip 10.5.0.2 \
  -p 127.0.0.1:8082:80 -p 127.0.0.1:3012:3012 \
  vaultwarden/server:latest
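
A pre-flight check for the run command above, as an added example that is not part of the original post. The helper names classify_admin_token and non_loopback_bindings are hypothetical, the token and `docker port` lines are constructed samples, and the cost floor is an assumption taken from the sample hash output.

```shell
#!/bin/sh
# Added example, not from the original post; sample values are constructed.

# Print ok | weak | malformed | mangled | plaintext for an ADMIN_TOKEN value.
classify_admin_token() {
    token=$1
    case $token in
        '$argon2id$v=19$'*) ;;                     # PHC string, parsed below
        *=19=*,t=*,p=*) echo mangled; return 0 ;;  # "$..." parts expanded away
        *) echo plaintext; return 0 ;;             # not an Argon2id PHC string
    esac
    rest=${token#'$argon2id$v=19$'}                # m=..,t=..,p=..$salt$hash
    params=${rest%%'$'*}
    tail=${rest#*'$'}                              # salt$hash
    salt=${tail%%'$'*}
    hash=${tail#*'$'}
    m=${params#m=};   m=${m%%,*}
    t=${params#*,t=}; t=${t%%,*}
    p=${params#*,p=}
    for n in "$m" "$t" "$p"; do
        case $n in ''|*[!0-9]*) echo malformed; return 0 ;; esac
    done
    if [ -z "$salt" ] || [ -z "$hash" ] || [ "$salt" = "$tail" ]; then
        echo malformed; return 0
    fi
    # Assumed floor: the cost parameters shown in the post's sample output.
    if [ "$m" -lt 19456 ] || [ "$t" -lt 2 ] || [ "$p" -lt 1 ]; then
        echo weak; return 0
    fi
    echo ok
}

# Read `docker port <container>` output on stdin and print every published
# port whose host side is not a loopback address.
non_loopback_bindings() {
    while read -r cport arrow host; do
        [ -n "$host" ] || continue
        case $host in
            127.*|'[::1]:'*) ;;
            *) echo "$cport $arrow $host" ;;
        esac
    done
}

# Constructed inputs shaped like the hash output and the run command above.
SAMPLE='$argon2id$v=19$m=19456,t=2,p=1$c2FtcGxlc2FsdA$c2FtcGxlaGFzaA'
echo "admin token: $(classify_admin_token "$SAMPLE")"
printf '80/tcp -> 127.0.0.1:8082\n3012/tcp -> 0.0.0.0:3012\n' | non_loopback_bindings
```

On the Pi, feed the second check real data with `sudo docker port bitwarden | non_loopback_bindings`; it prints nothing when every published port is bound to loopback.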

I have given the container a fixed IP (10.5.0.2) on the net_localapps network; you may change it. Next, let’s configure a Cloudflare Tunnel to provide access from the internet.

Install cloudflared

sudo apt install wget
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb
sudo dpkg -i cloudflared-linux-arm64.deb

Authenticate Cloudflared

cloudflared tunnel login

Create the Tunnel

cloudflared tunnel create vaultwarden-tunnel

This will generate a tunnel ID (needed in the next step) and a credentials file (saved locally).

Create Tunnel Configuration

mkdir -p ~/.cloudflared
nano ~/.cloudflared/config.yml

Contents of ~/.cloudflared/config.yml:

tunnel: vaultwarden-tunnel
credentials-file: /home/pi/.cloudflared/<YOUR_TUNNEL_ID>.json

ingress:
  - hostname: vault.yourdomain.com
    service: http://10.5.0.2:80
  - service: http_status:404

Cloudflare will handle SSL certificates for your domain.

Happy secure password management!

Published by
Pradeep
