Setting up the Vaultwarden Docker Container

In this tutorial, we will show you how to install and run the Vaultwarden Docker Container.

Vaultwarden is a third-party alternative to the official Bitwarden server written in Rust. It is a lightweight alternative to the more heavyweight official server. Being lightweight makes it an excellent choice for devices such as a Raspberry Pi or a low-memory VPS.

For those who do not know, Bitwarden is an open-source password manager that allows you to self-host instead of relying on its cloud servers.

The Vaultwarden server attempts to maintain compatibility with the core functionality of the Bitwarden server. The official Vaultwarden Wiki lists missing features.

In this guide we are using Docker to run Vaultwarden as it makes the whole setup process incredibly simple. Outside of installing Docker, you don’t have to worry about installing any other software to run this password manager server.

Before proceeding, Vaultwarden works best when you have a domain name for your server. This is because the clients need a signed certificate to work correctly.

While it is possible to use a self-signed certificate, doing so makes Bitwarden incredibly difficult to use, as you will have to add the certificate to every device you use.

Additionally, you must forward ports 80 and 443 and point your domain to your IP address so that Caddy can grab a signed certificate for your domain.

Running Vaultwarden using Docker

In the following sections, we will walk you through setting up and running Vaultwarden as a Docker container.

Installing the Docker Runtime

1. If you don’t already have the Docker runtime installed on your system, you can use the following command.

This simple one-liner will download and execute the install script from Docker. If you already have Docker installed, you can skip to step 4 of this guide.

curl -sSL https://get.docker.com | sh

2. After installing Docker, you will want to add your current user to the “docker” group.

You will need to use the usermod command to add your user to this group.

sudo usermod -aG docker $USER

3. Even though we have adjusted our user’s groups, we will need to log out or restart the system for the change to take effect.

If you are using a terminal session, you can use the following command to log out.

logout

Alternatively, you can restart your device by using the reboot command.

sudo reboot

Preparing your System for the Vaultwarden Docker Container

4. We need to use the mkdir command to create a folder to store the Vaultwarden Docker container’s Compose file.

By using the “-p” option, the command will create all missing directories within the path.

sudo mkdir -p /opt/stacks/vaultwarden

5. With the directory created, you will want to change into it by using the cd command.

cd /opt/stacks/vaultwarden

Writing a Docker Compose file for Vaultwarden

6. Using the following command, you can begin writing the Docker Compose file for Vaultwarden.

We use the nano text editor as it is relatively straightforward for most users to pick up and use.

sudo nano compose.yaml

7. Within this file you will want to enter the following lines. We have two separate blocks; the first one includes Caddy, which will operate as a reverse proxy and provide HTTPS.

  • <DOMAINNAME>: Replace this with the domain name you intend to use to interact with your Vaultwarden server.
  • <EMAIL>: As we use Caddy to automatically fetch a signed certificate, you must provide an email address. The cert provider uses this email to inform you of any issues.

version: '3'

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      DOMAIN: "https://<DOMAINNAME>"
    volumes:
      - ./vw-data:/data

  caddy:
    image: caddy:2
    container_name: caddy
    restart: always
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - ./caddy-config:/config
      - ./caddy-data:/data
    environment:
      DOMAIN: "https://<DOMAINNAME>"
      EMAIL: "<EMAIL>"
      LOG_FILE: "/data/access.log"

This second alternative block is the one you should use if you already have a reverse proxy that you want to use. The main change here is that we don’t include Caddy and expose port 80 from the container.

version: '3'

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      DOMAIN: "https://<DOMAINNAME>"
    volumes:
      - ./vw-data:/data
    ports:
      - 80:80

8. After filling out this file, save and quit by pressing CTRL + X, Y, and ENTER.

Writing a Caddyfile for Vaultwarden

9. If you choose to use the Caddy web server, you will need to write a simple Caddyfile.

To begin writing this file, run the command below within the terminal.

sudo nano Caddyfile

10. Within this file, type out the following lines. These lines are relatively simple and set up Caddy to proxy all requests to the Vaultwarden Docker container.

You don’t have to replace any text within this file, as it is automatically filled in from the Docker environment variables.

{$DOMAIN}:443 {
  log {
    level INFO
    output file {$LOG_FILE} {
      roll_size 10MB
      roll_keep 10
    }
  }

  # Use the ACME HTTP-01 challenge to get a cert for the configured domain.
  tls {$EMAIL}

  encode gzip

  reverse_proxy vaultwarden:80 {
       header_up X-Real-IP {remote_host}
  }
}

11. After writing your Caddyfile, save and quit by pressing CTRL + X, Y, and then ENTER.

Starting up the Password Manager Server

12. With the Compose and Caddyfile written, we can start the Vaultwarden Docker container by running the command below.

This may take a few minutes as it must download both the Vaultwarden and Caddy containers. During start up, Caddy will automatically attempt to fetch an SSL certificate for your domain name.

We use the “-d” option so that Docker will detach from the current terminal session.

docker compose up -d

Accessing the Vaultwarden Docker Container Web Interface

13. In your favorite web browser, you will want to go to the following address.

Ensure you replace “<DOMAINNAME>” with the domain you specified earlier in this guide. For example, if we set up our domain name as “vaultwarden.pimylifeup.com”, we would use that.

https://<DOMAINNAME>

14. When you first access Vaultwarden, you must create your own account.

To begin this process, click the “Create account” link.

15. On this next screen, you will want to fill out the information you want to use for your account.

Ensure that you use a secure password, as this is where you will store passwords for all of your other accounts. Do not use a password that you have used before.

After filling out your information, click the “Create account” button.

16. With your account created, you can log in and use your new Vaultwarden installation.

Start the login process by entering the email address you created the account with (1.), then click the “Continue” button (2.).

17. On the next screen, enter your account password (1.) and then click the “Log in with master password” button (2.).

18. Thanks to the Docker container, you should now successfully have Vaultwarden running on your device.

Now is an excellent time to start connecting with the various Bitwarden-compatible clients.

Disabling Sign Ups

19. Once you have created your account, you may want to disable sign-ups. By default, Vaultwarden will let anybody sign up for your installation.

You will want to use the command below to get Docker to turn off the Vaultwarden container.

docker compose down

20. Our next step is to begin modifying the Compose file. In particular, we need to add a new environment variable.

sudo nano compose.yaml

21. With your Compose file open, look for the “environment” section next to where Vaultwarden is defined. The block should look similar to what we have shown below.

    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:

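Underneath the “environment” header, add the following line. It sets the “SIGNUPS_ALLOWED” option to “false”. It is written in the same “KEY: value” form as the “DOMAIN” entry already in this section, because YAML does not allow list entries (“- KEY=value”) and mapping entries to be mixed under one key.

      SIGNUPS_ALLOWED: "false"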

22. After you have made this change, save and quit by pressing CTRL + X, Y, and then ENTER.

23. Start the Vaultwarden Docker container again by running the command below.

docker compose up -d
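
The check below is an added example, not part of the original guide or the Vaultwarden project. It flags a vaultwarden “environment” section that mixes the two YAML entry styles, a SIGNUPS_ALLOWED value that is not false, and a DOMAIN that is not an https:// URL. The function name, the sample file and the vault.example.test domain are made up for illustration, and the two-space indentation used in this guide is assumed.

```bash
#!/usr/bin/env bash
# Added example: line-based lint for the flat compose.yaml layout used in this guide.
# Assumption: two-space indentation as in the guide; this is not a general YAML parser.

check_vaultwarden_compose() {   # prints findings; returns 1 if there are any
  awk '
    function bad(msg) { print "FINDING: " msg; n++ }
    /^ *#/ || /^ *$/      { next }                                  # comments, blank lines
    /^  [^ #-][^ ]*: *$/  { svc = $1; sub(/:$/, "", svc); key = ""; next }   # service name
    /^    [^ #-][^ ]*:/   { key = $1; sub(/:.*/, "", key); next }            # key in service
    svc != "vaultwarden" || key != "environment" { next }
    {
      entry = $0; gsub(/^ +|"/, "", entry)                          # drop indent and quotes
      if (entry ~ /^- /) { list++; sub(/^- /, "", entry); sep = index(entry, "=") }
      else               { map++;  sep = index(entry, ":") }
      value = substr(entry, sep + 1); gsub(/^ +| +$/, "", value)
      env[substr(entry, 1, sep - 1)] = value
    }
    END {
      if (list && map) bad("environment mixes \"- KEY=value\" and \"KEY: value\" entries (invalid YAML)")
      if (tolower(env["SIGNUPS_ALLOWED"]) != "false") bad("SIGNUPS_ALLOWED is not false, registration is open")
      if (env["DOMAIN"] !~ /^https:\/\//) bad("DOMAIN is not an https:// URL")
      exit (n > 0)
    }
  ' "$1"
}

# Constructed sample: a list-style SIGNUPS_ALLOWED entry added below the mapping-style DOMAIN entry.
sample=$(mktemp)
cat > "$sample" <<'EOF'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    environment:
      DOMAIN: "https://vault.example.test"
      - SIGNUPS_ALLOWED=false
    volumes:
      - ./vw-data:/data
EOF
check_vaultwarden_compose "$sample" || echo "fix the findings above, then: docker compose up -d"
```

To check your own file, run check_vaultwarden_compose compose.yaml from /opt/stacks/vaultwarden before starting the container again.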

Updating the Vaultwarden Docker Container

One key advantage of using Docker to run Vaultwarden on your system is that it makes updating very simple.

This quick section will walk you through the simple steps of updating Vaultwarden.

1. First you must change into the directory where we wrote the Compose file earlier in this guide.

You can change to this directory by using the following command.

cd /opt/stacks/vaultwarden

2. Once we are in the right place, we can get Docker to pull the latest version of the Vaultwarden image.

If you use Caddy, this command will also download a new version of that container if one is available.

docker compose pull

3. If new versions of your images were downloaded, you can get Docker to start using them by using the command below.

Docker will check whether a new version of the Vaultwarden image is available and, if so, restart the container using it.

docker compose up -d

Conclusion

Hopefully, at this stage in the tutorial, you will have successfully started the Vaultwarden Docker container.

Vaultwarden is a lightweight alternative to the official server. It is great for those who are trying to run it on devices with little memory or a relatively weak CPU.

Please comment below if you have any questions about setting up this service using Docker.

If you found this guide helpful, we highly recommend checking out our many other Docker guides.
