How to Install Vaultwarden on Ubuntu 24.04 VPS for Self-Hosted Password Management

Trusting a third-party service with every password you own is a significant leap of faith. Cloud-based password managers are convenient, but they also mean your credentials sit on someone else's servers, subject to their security practices, data retention policies, and potential breaches. Self-hosting your own password manager puts you back in control, giving you full ownership of your data without sacrificing the convenience of browser extensions and mobile app sync.

Vaultwarden is a lightweight, Bitwarden-compatible server written in Rust that makes self-hosting a password manager surprisingly accessible. It runs comfortably on a low-resource VPS, supports all official Bitwarden clients, and delivers a fully featured experience at a fraction of the resource cost of the official Bitwarden server. In this guide, you will deploy Vaultwarden on an Ubuntu 24.04 VPS using Docker, secure it with Nginx and a free SSL certificate, and connect it to your browser and mobile apps.

Prerequisites

Before you begin, make sure you have the following in place:

  • An Ubuntu 24.04 VPS with at least 512 MB of RAM (1 GB recommended for comfort). A Ryzen VPS from ByteHosting works perfectly for this setup.
  • A registered domain name pointed to your VPS IP address via an A record.
  • Root or sudo access to the server.
  • Basic familiarity with the Linux command line, including navigating directories and editing files.
  • Docker and Docker Compose installed (covered in Step 2).
  • Ports 80 and 443 open in your server firewall.

What Is Vaultwarden

Vaultwarden (formerly known as bitwarden_rs) is an unofficial, community-maintained server implementation of the Bitwarden API. It is written in Rust, which gives it exceptional performance and a tiny memory footprint. Unlike the official Bitwarden server, which requires multiple Docker containers and significantly more resources, Vaultwarden runs as a single container and can operate comfortably on modest hardware.

Because it implements the full Bitwarden API, Vaultwarden is compatible with all official Bitwarden clients, including browser extensions for Chrome, Firefox, and Edge, as well as mobile apps for iOS and Android. Features such as organizations, collections, the web vault UI, TOTP generation, and secure notes are all supported. It is the go-to choice for privacy-conscious individuals and small teams who want a self-hosted password manager without the overhead of the official stack.

Step 1: Update Your Ubuntu 24.04 VPS

Start by refreshing your package list and applying any pending updates. This ensures your system has the latest security patches before you install new software.

sudo apt update && sudo apt upgrade -y

After the upgrade completes, install a few essential utilities that will be used throughout this guide:

sudo apt install -y curl wget ufw git

Now configure the firewall to allow SSH, HTTP, and HTTPS traffic:

sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

Confirm the firewall status with sudo ufw status and verify that the three rules are active before moving on.

Step 2: Install Docker and Docker Compose on Ubuntu 24.04

Vaultwarden is distributed and run as a Docker image, so Docker is a hard requirement. On Ubuntu 24.04, the steps below install it from Docker's official apt repository.

First, remove any older Docker packages that might conflict:

sudo apt remove -y docker docker-engine docker.io containerd runc

Add Docker's official GPG key and repository:

sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \
  sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg

echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] \
  https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Install Docker Engine and the Compose plugin:

sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Add your user to the Docker group so you can run Docker commands without sudo:

sudo usermod -aG docker $USER
newgrp docker

Verify the installation with:

docker --version
docker compose version

Step 3: Set Up the Vaultwarden Docker Container

Create a dedicated directory for the Vaultwarden project and navigate into it:

mkdir -p ~/vaultwarden && cd ~/vaultwarden

Create a Docker Compose file. This defines the Vaultwarden container, its environment variables, and persistent data storage:

version: '3.8'

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      DOMAIN: "https://vault.yourdomain.com"
      SIGNUPS_ALLOWED: "true"
      ADMIN_TOKEN: "your_secure_admin_token_here"
      WEBSOCKET_ENABLED: "true"
      LOG_LEVEL: "warn"
    volumes:
      - ./vw-data:/data
    ports:
      - "127.0.0.1:8080:80"
      - "127.0.0.1:3012:3012"

A few important notes on these settings:

  • Replace vault.yourdomain.com with your actual domain name.
  • Generate a strong ADMIN_TOKEN using openssl rand -base64 48 and paste the result into the compose file. This token protects the admin panel.
  • Setting SIGNUPS_ALLOWED to true lets anyone register. After you create your account, set it to false and restart the container to lock down registrations.
  • Port 3012 is used for WebSocket notifications, which enable real-time vault sync across devices.

Start the container:

docker compose up -d

Check that it is running with docker ps. You should see vaultwarden listed with status Up.

Step 4: Install and Configure Nginx as a Reverse Proxy

Vaultwarden listens locally on port 8080. Nginx will sit in front of it, accepting external HTTPS traffic and forwarding requests to the container. Install Nginx:

sudo apt install -y nginx

Create a new Nginx server block for Vaultwarden:

sudo nano /etc/nginx/sites-available/vaultwarden

Paste the following configuration, replacing vault.yourdomain.com with your domain:

server {
    listen 80;
    server_name vault.yourdomain.com;

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name vault.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/vault.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vault.yourdomain.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/vault.yourdomain.com/chain.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    client_max_body_size 525M;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /notifications/hub {
        proxy_pass http://127.0.0.1:3012;
        # WebSocket upgrades require HTTP/1.1 towards the upstream
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /notifications/hub/negotiate {
        proxy_pass http://127.0.0.1:8080;
    }
}

Enable the site and test the configuration:

sudo ln -s /etc/nginx/sites-available/vaultwarden /etc/nginx/sites-enabled/
sudo nginx -t

If the test passes, reload Nginx:

sudo systemctl reload nginx

Step 5: Secure Vaultwarden with a Free SSL Certificate Using Certbot

Bitwarden clients require HTTPS to connect to any server. Certbot from Let's Encrypt makes obtaining a trusted SSL certificate free and automatic. Install Certbot with the Nginx plugin:

sudo apt install -y certbot python3-certbot-nginx

Request a certificate for your domain:

sudo certbot --nginx -d vault.yourdomain.com

Certbot will prompt you for an email address and ask you to agree to the terms of service. It will then automatically obtain the certificate and update your Nginx configuration. When prompted about redirects, choose the option to redirect all HTTP traffic to HTTPS.

Verify automatic renewal is working:

sudo certbot renew --dry-run

Certbot installs a systemd timer that renews certificates automatically before they expire. You do not need to manage this manually.

Reload Nginx one more time to apply the final SSL configuration:

sudo systemctl reload nginx

Step 6: Create Your Vaultwarden Admin Account and First Login

Open your browser and navigate to https://vault.yourdomain.com. You should see the Vaultwarden web vault interface, which is visually identical to the hosted Bitwarden web app.

Click Create Account and fill in your email address, name, and a strong master password. This master password encrypts all your vault data locally before it is sent to the server. Choose carefully and store it somewhere safe because there is no way to recover it.

After registering, log in and explore the interface. You can start adding passwords, secure notes, identities, and credit card entries immediately.

Next, access the Vaultwarden admin panel at https://vault.yourdomain.com/admin. Enter the ADMIN_TOKEN you set in the Docker Compose file. From here you can manage users, configure SMTP for email invitations, review diagnostics, and adjust global settings.

Once your account is created, it is strongly recommended to disable new registrations. Edit the Docker Compose file and change SIGNUPS_ALLOWED to false, then restart the container:

cd ~/vaultwarden
docker compose down && docker compose up -d
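
The settings called out in Step 3 and here (closed signups, a real admin token, loopback-only port bindings) can be checked before each restart. The script below is an added example, not part of the original guide; the function names, the compose file path passed as an argument, and the 32-character minimum are assumptions.

```shell
#!/bin/sh
# Added example, not from the guide. Assumes the map-style "KEY: value"
# environment block shown in Step 3; the file path is passed as $1.

# Print the value of key $1 in compose file $2, with quotes stripped.
compose_value() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | tr -d "\"'" | head -n 1
}

# Print one finding per line; return 0 only when there are none.
audit_compose() {
    file=$1
    count=0

    signups=$(compose_value SIGNUPS_ALLOWED "$file")
    if [ "$signups" != "false" ]; then
        echo "SIGNUPS_ALLOWED is '${signups:-unset}': registration is open"
        count=$((count + 1))
    fi

    token=$(compose_value ADMIN_TOKEN "$file")
    if [ "$token" = "your_secure_admin_token_here" ]; then
        echo "ADMIN_TOKEN is still the placeholder from the guide"
        count=$((count + 1))
    elif [ -n "$token" ] && [ "${#token}" -lt 32 ]; then
        echo "ADMIN_TOKEN is only ${#token} characters long"
        count=$((count + 1))
    fi

    # Docker publishes ports through its own iptables rules, which the ufw
    # rules from Step 1 do not filter, so flag any mapping that is not
    # bound to 127.0.0.1.
    exposed=$(grep -E '^[[:space:]]*-[[:space:]]*["'\'']?([0-9.]+:)?[0-9]+:[0-9]+' "$file" \
        | grep -v '127\.0\.0\.1:' | tr -d ' "-')
    for mapping in $exposed; do
        echo "port mapping $mapping is not bound to 127.0.0.1"
        count=$((count + 1))
    done

    [ "$count" -eq 0 ]
}

if [ $# -gt 0 ]; then audit_compose "$1"; fi
```

A missing ADMIN_TOKEN is not reported, since removing it disables the admin panel.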

Connecting Browser Extensions and Mobile Apps

One of Vaultwarden's biggest strengths is full compatibility with the official Bitwarden clients. No special or unofficial apps are needed.

Client | Where to Get It | How to Point to Your Server
Chrome Extension | Chrome Web Store | Click the settings gear, set Server URL to your domain
Firefox Extension | Firefox Add-ons | Click the settings gear, set Server URL to your domain
iOS App | Apple App Store | Tap the region selector on the login screen, choose Self-hosted, enter your domain
Android App | Google Play Store | Tap the region selector on the login screen, choose Self-hosted, enter your domain
Desktop App | Bitwarden.com Downloads | Click the region selector on the login screen, choose Self-hosted, enter your domain

For each client, the self-hosted server URL is simply https://vault.yourdomain.com. After pointing the client to your server, log in with the same credentials you created in the web vault. Your vault will sync in real time across all connected devices thanks to the WebSocket configuration set up in Nginx.

Security Tips for Your Self-Hosted Vaultwarden Instance

Running your own password manager is empowering, but it also means you are responsible for keeping it secure. Follow these practices to protect your instance:

  • Disable signups after setup. Set SIGNUPS_ALLOWED to false as described above to prevent unauthorized account creation.
  • Use a strong admin token. Generate a long random token with openssl rand -base64 48 and never share it. Consider disabling the admin panel entirely in production by removing the ADMIN_TOKEN variable once initial configuration is complete.
  • Enable two-factor authentication. Vaultwarden supports TOTP-based 2FA. Enable it for your account through the web vault security settings.
  • Keep Docker images updated. Regularly pull the latest Vaultwarden image and recreate the container to get security patches: docker compose pull && docker compose up -d.
  • Back up your data directory. The ./vw-data folder contains your entire encrypted vault database. Set up automated backups to a remote location or object storage.
  • Restrict the admin panel by IP. If your server environment allows it, use Nginx to restrict access to /admin to specific IP addresses only.
  • Monitor logs. Use docker logs vaultwarden --follow to watch for unusual activity and failed login attempts.
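
For the log-monitoring tip, failed sign-ins can be summarised per source address instead of being read line by line. This is an added example, not part of the original guide: the function names are hypothetical, the sample lines are constructed, and the two message formats matched are assumed to be what Vaultwarden writes for a failed vault login and a rejected admin token.

```shell
#!/bin/sh
# Added example, not from the guide. Assumes Vaultwarden's failed-auth messages
# read "Username or password is incorrect. Try again. IP: <addr>. Username: ..."
# and "Invalid admin token. IP: <addr>".

# Read log text on stdin; print "COUNT KIND IP" for every source address with
# at least $1 failures (default 5), highest count first.
failed_auth_by_ip() {
    awk -v min="${1:-5}" '
        # Return the address that follows the FIRST occurrence of marker.
        # The username later in the line is client-supplied, so it must not
        # be able to move the match.
        function addr_after(line, marker,    i, rest) {
            i = index(line, marker)
            if (i == 0) return ""
            rest = substr(line, i + length(marker))
            if (!match(rest, /^[0-9a-fA-F:.]+/)) return ""
            rest = substr(rest, 1, RLENGTH)
            sub(/\.$/, "", rest)    # drop the sentence-ending dot
            return rest
        }
        {
            kind = "login"
            ip = addr_after($0, "Username or password is incorrect. Try again. IP: ")
            if (ip == "") { kind = "admin"; ip = addr_after($0, "Invalid admin token. IP: ") }
            if (ip != "") hits[kind " " ip]++
        }
        END { for (k in hits) if (hits[k] >= min) print hits[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample lines (documentation addresses, made-up timestamps).
sample_log() {
    cat <<'EOF'
[2025-01-10 09:14:01.120][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: alice@example.test.
[2025-01-10 09:14:03.480][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: alice@example.test.
[2025-01-10 09:14:05.902][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: a IP: 192.0.2.99. Username: b.
[2025-01-10 09:20:11.007][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 198.51.100.20
[2025-01-10 09:20:12.311][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 198.51.100.20
[2025-01-10 09:25:00.000][vaultwarden::api::core][WARN] Constructed unrelated warning line
EOF
}

# Live use: docker logs vaultwarden 2>&1 | failed_auth_by_ip 5
if [ "${1:-}" = "--demo" ]; then sample_log | failed_auth_by_ip 2; fi
```

The third sample line carries an address inside the username field; the summary still attributes it to the connecting address logged first.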

Conclusion

You now have a fully functional, self-hosted password manager running on your Ubuntu 24.04 VPS. Vaultwarden gives you the polished Bitwarden experience with complete data sovereignty, and the entire stack runs comfortably on minimal hardware. From Docker and Nginx to Certbot and browser extensions, every piece of the puzzle is in place for a production-ready deployment.

If you are looking for the right server to host your Vaultwarden instance, ByteHosting's Ryzen VPS plans are hosted in Frankfurt with NVMe storage and low latency across Europe. They offer excellent performance for lightweight workloads like this one. Browse the affordable VPS plans to find a tier that fits your needs, and keep an eye on the limited-time deals page for discounted options. Your passwords deserve a fast, reliable, and private home.
