Vaultwarden vs Bitwarden: Which Self-Hosted Password Manager Is Right for You?

Bitwarden is the most popular open source password manager. Vaultwarden is an unofficial, lightweight server implementation that's compatible with all Bitwarden clients. Both let you self-host your password vault — but they make very different trade-offs.

If you're deciding between them for self-hosting, this guide covers everything you need to know.

Quick Summary

Bitwarden is the official server, written in C#/.NET. It's feature-complete but resource-heavy and complex to self-host.

Vaultwarden (formerly bitwarden_rs) is a community-built Rust reimplementation that's lightweight, easy to deploy, and includes premium Bitwarden features for free.

Both use the same Bitwarden clients (browser extensions, mobile apps, desktop apps). Your vault data format is identical. The difference is entirely on the server side.

Feature Comparison

The headline: Vaultwarden gives you all Bitwarden Premium features (TOTP, attachments, emergency access, health reports) at zero cost, using a fraction of the resources.

Vaultwarden Setup

# docker-compose.yml
services:
  vaultwarden:
    image: vaultwarden/server:latest
    ports:
      - "8080:80"
    environment:
      DOMAIN: https://vault.yourdomain.com
      SIGNUPS_ALLOWED: false
      ADMIN_TOKEN: your-admin-token-here
      WEBSOCKET_ENABLED: true
    volumes:
      - ./vw-data:/data
    restart: unless-stopped

That's the entire deployment. One container, one volume, minimal configuration. Start it:

docker compose up -d

Generate a secure admin token:

openssl rand -hex 32

First-Time Setup

1. Visit https://vault.yourdomain.com
2. Create your account (set SIGNUPS_ALLOWED: true temporarily, or use the admin panel)
3. Disable signups after creating your account
4. Access the admin panel at /admin with your admin token
5. Configure email (SMTP) for password reset and 2FA notifications

Recommended Environment Variables

environment:
  DOMAIN: https://vault.yourdomain.com
  SIGNUPS_ALLOWED: false
  ADMIN_TOKEN: your-admin-token
  WEBSOCKET_ENABLED: true

  # Email (required for account recovery)
  SMTP_HOST: smtp.fastmail.com
  SMTP_PORT: 587
  SMTP_SECURITY: starttls
  SMTP_FROM: [email protected]
  SMTP_USERNAME: your-email
  SMTP_PASSWORD: your-app-password

  # Security
  LOGIN_RATELIMIT_MAX_BURST: 5
  LOGIN_RATELIMIT_SECONDS: 60
  ADMIN_RATELIMIT_MAX_BURST: 3
  ADMIN_RATELIMIT_SECONDS: 60

  # Disable features you don't need
  SENDS_ALLOWED: true
  EMERGENCY_ACCESS_ALLOWED: true
  ORG_CREATION_USERS: [email protected]

Official Bitwarden Setup

The official Bitwarden server uses a multi-container architecture:

# Official installation script
curl -Lso bitwarden.sh https://func.bitwarden.com/api/dl/?app=self-host&platform=linux
chmod 700 bitwarden.sh
./bitwarden.sh install
./bitwarden.sh start

This deploys approximately 10 Docker containers:

• Web vault
• API
• Identity
• Admin
• Icons
• Notifications
• Events
• MSSQL database
• Nginx reverse proxy
• Attachments

Resource Requirements

The resource difference is dramatic. Vaultwarden runs comfortably on a Raspberry Pi. Official Bitwarden needs a dedicated VPS with at least 4 GB RAM.

Security Considerations

This is the most important section. You're self-hosting your passwords — the keys to your entire digital life.

Vaultwarden Security

Pros:

• Written in Rust (memory-safe language, fewer buffer overflow vulnerabilities)
• Smaller attack surface (one binary, one container)
• Simpler architecture means fewer things that can go wrong
• Active security-conscious development

Cons:

• Community project — not backed by a security company
• No formal security audits (Bitwarden has had multiple)
• Single maintainer risk (though the project has multiple contributors)
• Not officially supported by Bitwarden Inc.

Official Bitwarden Security

Pros:

• Backed by a security company with full-time engineers
• Regular third-party security audits (SOC 2, annual penetration tests)
• Bug bounty program
• Enterprise security features (audit logs, SSO, directory sync)

Cons:

• Larger attack surface (more containers, more code)
• MSSQL adds another attack vector
• More complex infrastructure means more configuration to get right

The Practical Reality

For most self-hosters, Vaultwarden is secure enough. The vault encryption happens client-side — your master password never reaches the server. Even if the server were compromised, attackers would only get encrypted blobs that require your master password to decrypt.

The real security risks are:

1. Weak master password — same for both options
2. No 2FA on your vault — enable it regardless of which server you use
3. Unencrypted connections — always use HTTPS (both options require this)
4. Outdated software — keep your server updated

Migration Between Them

Bitwarden → Vaultwarden

Export from Bitwarden (Settings → Export Vault → .json format), import into Vaultwarden. All items, folders, and organizations transfer cleanly because they use the same data format.

Vaultwarden → Bitwarden

Same process in reverse. Export as .json, import into official Bitwarden. The client apps don't need to change — just point them to the new server URL.

Vaultwarden → Bitwarden Cloud

If you decide to stop self-hosting, export and import into vault.bitwarden.com. Your clients switch seamlessly.

When to Choose Vaultwarden

• Personal or family use — covers all features you need
• Limited server resources — runs on anything, including Raspberry Pi
• Simple deployment — one container, minimal maintenance
• Cost-sensitive — all premium features included for free
• Already self-hosting other services — fits into your existing Docker setup

When to Choose Official Bitwarden

• Business/team use — need directory sync, SSO, audit logging
• Compliance requirements — need SOC 2, formal security audits
• Enterprise features — SCIM provisioning, custom roles, policies
• Commercial support — need SLAs and a support team
• Large organization — 50+ users with complex access control

Backup Strategy

Vaultwarden

The entire vault is in a single directory:

#!/bin/bash
# Stop the container briefly for consistent backup
docker compose stop vaultwarden
tar czf "/backups/vaultwarden-$(date +%Y%m%d).tar.gz" ./vw-data
docker compose start vaultwarden

For zero-downtime backups (SQLite):

sqlite3 ./vw-data/db.sqlite3 ".backup '/backups/vw-db-$(date +%Y%m%d).sqlite3'"

Client-Side Backup

Regardless of which server you use, periodically export your vault from a client app. Store the encrypted export somewhere safe (separate from your server). This protects you even if your server is completely lost.

Reverse Proxy Configuration

Caddy

vault.yourdomain.com {
    reverse_proxy vaultwarden:80
}

Nginx

server {
    server_name vault.yourdomain.com;

    location / {
        proxy_pass http://vaultwarden:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /notifications/hub {
        proxy_pass http://vaultwarden:3012;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

The WebSocket endpoint (/notifications/hub) enables real-time sync between clients.

Verdict

For the vast majority of self-hosters — individuals and families — Vaultwarden is the better choice. It's dramatically easier to deploy, uses a fraction of the resources, and includes every feature most people need. The security model is sound because vault encryption is client-side regardless of the server implementation.

Choose official Bitwarden only if you need enterprise features (SSO, directory sync, audit logs) or if compliance requirements mandate formally audited software. For everyone else, Vaultwarden gives you a world-class password manager that runs on a Raspberry Pi.