Vaultwarden Hosting on a VPS - Self-Hosted Bitwarden

Why self-host

Your passwords belong on your server.

Bitwarden Cloud is fine. LastPass was fine, until it wasn't. SaaS password managers are juicy targets because they store everyone's vault in one place - even if encrypted, the attacker has all the time in the world to crack what they took.

Vaultwarden runs your vault on a host nobody's enumerating. Same Bitwarden apps on every device. Same end-to-end encryption. But the database lives on a VPS only you know about.

E2E encrypted

Your master password never leaves your device. The server stores only the encrypted blob - same as upstream Bitwarden.

Bitwarden apps work

Official browser extensions, iOS, Android, desktop - all point at your VPS. Point your Bitwarden client at vault.you.com and go.

Tiny resource needs

The Rust binary uses single-digit megabytes. Pulsar Nano runs Vaultwarden + a reverse proxy with room to spare.

Premium for free

TOTP, attachments, organizations, emergency access - all unlocked by default in Vaultwarden.

Recommended plan

Vaultwarden barely registers on the box.

Even with attachments and a few users, you'll be at low single-digit RAM.

Best for Vaultwarden

Pulsar Nano

Personal vault, 1-5 users

$3/mo

1 vCPU
1 GB RAM
20 GB SAS SSD
Family-sized vault, easy

Order Nano

Pulsar Starter

Vaultwarden + other selfhosted stuff

$5/mo

1 vCPU
2 GB RAM
40 GB SAS SSD
Stack with Pi-hole, WireGuard, etc.

Order Starter

Pulsar Pro

Small team / org

$15/mo

4 vCPU
8 GB RAM
160 GB SAS SSD
20-50 users, organizations, attachments

Order Pro

What you'll need

From order to working vault: ~30 minutes.

Most of that is DNS propagation. The actual setup is one Docker command.

A Pulsar67 VPS (Pulsar Nano is fine for personal use)
Ubuntu 22.04 or Debian 12
Docker + docker-compose (one-line install on either distro)
The official Docker image: docker pull vaultwarden/server:latest
A domain name pointed at your VPS (Bitwarden mobile apps require HTTPS - no IP-only logins)
Caddy or nginx + Let's Encrypt cert (Caddy auto-renews; nginx needs certbot)
An SMTP relay (Postmark, AWS SES, or your own mail server) for email-based 2FA
A backup plan - Vaultwarden's whole database is a single SQLite file. Snapshot nightly, copy off-host weekly

Why Pulsar67

Where your passwords actually deserve to live.

Daily snapshots

Pulsar Pro+ includes daily snapshots. If your vault corrupts, roll back to last night.

Uptime that matters

99.9% SLA. Because the one time you need a password is the time you can't reach your vault.

We don't peek

Your data is encrypted client-side anyway, but we also don't scan, profile, or analyze it.

Engineers, not bots

If your reverse proxy is misbehaving, we'll actually look at the logs with you.

Field notes

Vaultwarden deployment notes

Concrete setup details for the first deploy, the firewall, and the first thing to check when something acts strange.

Ports

Expose only HTTPS on 443 through a reverse proxy. Keep the admin token private and do not expose it casually.

RAM

Nano is enough for personal and family vaults. Starter gives extra room for attachments and a reverse proxy stack.

Config

Use Docker Compose, mount /data persistently, enable regular SQLite backups, and store backups off-host.

First check

If mobile apps fail login, check HTTPS, websocket support, DOMAIN, and whether the reverse proxy preserves headers.

Vaultwarden hosting,
your password vault on your VPS.