Self-Host Bitwarden with Vaultwarden: UK Guide (2026)

Self-host Bitwarden via Vaultwarden on Raspberry Pi, Synology Docker, or Proxmox LXC. UK guide with reverse-proxy, Tailscale, and backup strategy.

By Rob · 4 June 2026 · 9 min read

Vaultwarden is the most popular self-hosting alternative to Bitwarden's official cloud (or to Bitwarden's own self-host server, which has heavier requirements). It implements the same API in Rust with a small memory footprint - a Raspberry Pi 4 handles a 3-person household comfortably. This guide walks through the UK-specific setup: hardware choices, Docker Compose, HTTPS via Caddy or NGINX Proxy Manager, Tailscale for private access without exposing your home to the public internet, and the backup strategy that prevents one bad SD card from losing all your passwords.

What hardware do you need for self-hosting Vaultwarden?

| | Raspberry Pi 4 (4GB+) | Synology Docker (existing NAS) | Proxmox LXC container |
|---|---|---|---|
| Tier | Most-common self-host platform | Lowest-friction if you have a Synology | Best for existing homelab |
| Hardware cost (UK) | £70-£90 (Pi 4 4GB) + £15 SD card + £8 power | £0 incremental (uses existing NAS) | £0 incremental (uses existing Proxmox host) |
| Power draw | ~5W idle, ~7W under load | Negligible incremental | Negligible incremental |
| Concurrent users | 5-10 (household scale) | 5-15 (depending on Synology model) | 10-50 (CPU + RAM allocation dependent) |
| Setup difficulty | Moderate (Pi OS install + Docker) | Easy (Container Manager + docker-compose) | Moderate (LXC create + Docker-in-LXC + reverse proxy) |
| Best for | First-time self-hosters; minimal-impact household-only setup | Synology owners with DSM 7.0+; family-scale setups with photo/video also on the NAS | Existing Proxmox/Proxmox VE homelab users; consolidation alongside other self-hosted services |

Step-by-step: Vaultwarden on a Raspberry Pi

  1. Install Raspberry Pi OS Lite (64-bit)

    Use Raspberry Pi Imager to flash Pi OS Lite 64-bit to a 32GB+ SD card. In Imager's settings panel, enable SSH + set username/password + configure WiFi (or use Ethernet for stability). The 64-bit OS is required - 32-bit ARM Docker compatibility for Vaultwarden has stability issues.

  2. Install Docker + Docker Compose

    After first boot, SSH in and run: `curl -fsSL https://get.docker.com | sh` then `sudo usermod -aG docker $USER` then `sudo apt install docker-compose-plugin -y`. Log out and back in for the docker group to take effect. Verify with `docker --version` + `docker compose version`.

  3. Create the Vaultwarden docker-compose.yml

    Create `/home/$USER/vaultwarden/docker-compose.yml` with the standard Vaultwarden image config: image vaultwarden/server:latest, restart unless-stopped, environment vars for ADMIN_TOKEN (a long random string), DOMAIN (your eventual https URL), SIGNUPS_ALLOWED=false (after initial admin signup), volume mounts for ./data:/data. The official Vaultwarden wiki at github.com/dani-garcia/vaultwarden/wiki has the canonical example.

  4. Start Vaultwarden

    `cd ~/vaultwarden && docker compose up -d`. Vaultwarden listens on port 80 by default (you'll change this once Caddy/NGINX is in front). Verify with `docker compose logs -f` - look for 'Rocket has launched' confirming the server is up.

  5. Install Caddy as the reverse proxy (HTTPS)

    Vaultwarden requires HTTPS for browser-extension and mobile-app connections to work. Caddy is the lowest-friction option - install via `sudo apt install caddy -y` and configure /etc/caddy/Caddyfile with your domain + reverse-proxy to vaultwarden:80. Caddy auto-provisions Let's Encrypt certificates on first request, no manual cert work. Alternative: NGINX Proxy Manager (web UI for managing reverse proxies + certs).

  6. Add Tailscale for private access (recommended)

    Rather than exposing your home IP to the public internet, install Tailscale on the Pi + each device that needs Vaultwarden access. The Pi becomes accessible at https://vaultwarden.your-tailnet.ts.net from any device on your Tailnet. No port forwarding, no DDNS, no public exposure. Family-friendly: install Tailscale on each family member's phone + laptop and they get vault access transparently.

  7. Configure backup strategy

    The single failure mode for self-hosted Vaultwarden is SD-card death losing all your passwords. Set up nightly backups: rclone to encrypted cloud storage (Backblaze B2 at ~£0.05/month for typical vault size, or Cloudflare R2 free tier), borgbackup to a second drive for local copy, or both. Test restore quarterly. The data lives in ./data/db.sqlite3 - small enough that even paranoid hourly backups are negligible cost.

Tailscale-only vs public internet exposure

Two valid approaches to making your self-hosted Vaultwarden reachable. Most UK households should choose Tailscale-only.

Tailscale-only (recommended):

  • Vaultwarden listens only on the Tailscale network interface
  • Each device that needs vault access has Tailscale installed (free for up to 100 devices on the personal plan)
  • No public IP exposure, no port forwarding on your router, no DDNS needed
  • Compromised credentials still require Tailscale access to reach the vault
  • Trade-off: each new device needs Tailscale installed before it can access the vault

Public internet exposure:

  • Vaultwarden reachable at a public DNS name (e.g. vault.yourdomain.com) via your home router's port-forwarded HTTPS
  • Anyone on the internet can attempt access; relies on Vaultwarden's authentication + 2FA being correctly configured
  • No Tailscale install needed on each device
  • Trade-off: real attack surface that needs ongoing patching attention

For a family password manager, Tailscale-only is the right answer. The 'each device needs Tailscale' burden is small (one-time install per phone/laptop). The 'public internet is hostile' reality is worth avoiding.
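
To confirm a Tailscale-only setup really is Tailscale-only, check what the Pi is actually listening on. The following is an added example, not part of the original guide: it parses the output of `ss -H -tln` and reports any watched port bound to something other than loopback or a Tailscale address. The watched port numbers and the sample output are assumptions constructed for illustration.

```python
import ipaddress

# Tailscale hands out node addresses from these two ranges.
TAILSCALE_NETS = [ipaddress.ip_network("100.64.0.0/10"),
                  ipaddress.ip_network("fd7a:115c:a1e0::/48")]

# Constructed sample of `ss -H -tln` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
LISTEN 0 4096 100.101.102.103:443 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 [::]:80 [::]:*
"""


def is_private_bind(addr):
    """True if the bind address is loopback or inside a Tailscale range."""
    if addr in ("*", "0.0.0.0", "::"):      # wildcard: every interface
        return False
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or any(ip in net for net in TAILSCALE_NETS)


def exposed_listeners(ss_output, ports):
    """Return (address, port) for watched ports reachable beyond loopback/Tailscale."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        # Column 4 is 'Local Address:Port'; IPv6 is bracketed, scope is '%iface'.
        addr, _, port = cols[3].rpartition(":")
        if not port.isdigit() or int(port) not in ports:
            continue
        addr = addr.split("%")[0].strip("[]")
        if not is_private_bind(addr):
            findings.append((addr, int(port)))
    return findings


if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_SS, {80, 443, 8080}):
        print(f"port {port} is bound to {addr}: reachable outside the tailnet")
```

On the Pi, feed it the real output of `ss -H -tln` and the ports your Vaultwarden container and reverse proxy use; an empty result means nothing is listening on the LAN or WAN interfaces.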

Backup strategy

Self-host = self-backup. Your vault lives in two places: data/db.sqlite3 (the actual vault) + data/attachments/ (any uploaded file attachments). Total size for a typical household: 10-50MB. Small enough that backup costs are negligible; large enough that losing them is catastrophic.

The 3-2-1 rule applied to Vaultwarden:

  • 3 copies: production data on the Pi, plus 2 backups
  • 2 different storage media: SD card (production) + cloud storage + local-USB-drive copy
  • 1 offsite: cloud copy lives outside your house (fire/theft protection)

Practical UK setup:

  • Nightly rclone to Backblaze B2 (encrypted) - ~£0.05/month for a typical vault
  • Weekly rsync to a USB drive plugged into the Pi
  • Monthly manual export of the unencrypted vault to a password-protected ZIP, stored on a secondary device

Test restore quarterly. Set a calendar reminder. The worst time to discover backup failures is when you need them.
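
The nightly backup and the restore test can share one script. The following is an added example, not part of the original guide or the Vaultwarden project: it snapshots db.sqlite3 through SQLite's online backup API (so the copy is consistent even while the server is running), archives it with everything else in the data directory, and then proves the archive restores to a database that passes an integrity check. The function names and archive naming are assumptions; write the archive to a directory outside data/.

```python
import sqlite3
import tarfile
import tempfile
from pathlib import Path


def backup_vault(data_dir: Path, out_dir: Path, stamp: str) -> Path:
    """Archive the data directory with a consistent snapshot of db.sqlite3."""
    live_db = data_dir / "db.sqlite3"
    if not live_db.is_file():          # connect() would silently create an empty DB
        raise FileNotFoundError(live_db)
    out_dir.mkdir(parents=True, exist_ok=True)
    archive = out_dir / f"vaultwarden-{stamp}.tar.gz"
    with tempfile.TemporaryDirectory() as tmp:
        snapshot = Path(tmp) / "db.sqlite3"
        src, dst = sqlite3.connect(live_db), sqlite3.connect(snapshot)
        try:
            src.backup(dst)            # SQLite online backup: safe while the server writes
        finally:
            src.close()
            dst.close()
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(snapshot, arcname="data/db.sqlite3")
            for item in sorted(data_dir.iterdir()):
                # Skip the live DB and its -wal/-shm side files; the snapshot replaces them.
                if not item.name.startswith("db.sqlite3"):
                    tar.add(item, arcname=f"data/{item.name}")
    return archive


def verify_restore(archive: Path) -> int:
    """Restore the DB from the archive into scratch space and check it.

    Returns the number of tables; raises if the copy is missing or damaged.
    """
    with tempfile.TemporaryDirectory() as tmp:
        restored = Path(tmp) / "db.sqlite3"
        with tarfile.open(archive) as tar:
            restored.write_bytes(tar.extractfile("data/db.sqlite3").read())
        db = sqlite3.connect(restored)
        try:
            if db.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
                raise RuntimeError(f"{archive}: integrity_check failed")
            query = "SELECT count(*) FROM sqlite_master WHERE type = 'table'"
            return db.execute(query).fetchone()[0]
        finally:
            db.close()
```

Run `verify_restore` on every archive before handing it to rclone or borgbackup, so a damaged backup is caught on the night it is made rather than at the quarterly restore test.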

When self-hosting is the wrong choice

Three categories of UK user should NOT self-host their password manager:

Users who don't want infrastructure responsibility. Self-hosting means you handle updates, backups, uptime, security patches. If any of these worry you, the £9/year for Bitwarden Premium is genuinely cheap insurance. Bitwarden's official cloud is well-secured + properly backed up + regularly audited.

Users worried about lock-in if they fail at hosting. Vaultwarden uses the standard Bitwarden export format, so migration TO Bitwarden cloud (or Proton Pass, 1Password) is straightforward. But the practical reality of recovery during a failure (your Pi died, your backup didn't restore, you're locked out) is high-stress. If high-stress recovery isn't acceptable, stay on Bitwarden cloud.

Users sharing the vault with non-technical family members. If your partner/parent/teenager needs to access the vault and you're not available to help them when something breaks, hosting your own infrastructure is the wrong call. Use Bitwarden cloud's family plan (£40/year for 6 users) instead.

If none of these apply - if you want infrastructure responsibility, you're comfortable with technical recovery, and your users can handle a brief Vaultwarden outage - self-hosting via Vaultwarden is genuinely a great choice.

Frequently asked questions

Q01. Is Vaultwarden compatible with official Bitwarden apps?
Yes. Vaultwarden implements the same API as Bitwarden's official server, so the official Bitwarden apps (browser extensions, mobile, desktop) connect to Vaultwarden without modification. Configure the official Bitwarden app to point at your Vaultwarden URL instead of vault.bitwarden.com - the rest of the experience is identical. Some premium-tier Bitwarden Enterprise features (SSO, directory connector, advanced compliance) aren't implemented in Vaultwarden, but the standard personal/family-use features all work.
Q02. Can I migrate my existing Bitwarden vault to Vaultwarden?
Yes. Export your vault from official Bitwarden using the encrypted .json export, then import into your Vaultwarden instance via the Bitwarden client app pointed at your Vaultwarden URL. The encrypted export preserves all data (logins, secure notes, identities, cards) + the folder structure. Test the migration with a non-critical account first; once confident, migrate the main vault. Decommission the official Bitwarden account only after 30+ days of successful Vaultwarden use.
Q03. What if my Raspberry Pi dies?
If you have working backups: restore data/db.sqlite3 + data/attachments/ to a new Pi (or any Docker host) and Vaultwarden picks up where it left off. The vault is portable. If you don't have working backups: you'll need to either find another vault export from a recent point in time, or rebuild your vault from scratch. The single failure mode self-hosting protects you from least is your own setup mistakes - hence the importance of testing the backup-restore quarterly.
Q04. Is Tailscale free?
Free for personal use up to 100 devices + 3 users (sufficient for any household). Tailscale Business + Enterprise tiers exist for company-scale deployments. The free tier handles a typical UK home Vaultwarden setup without limitation - you can install on every family member's phone/laptop + the Pi without hitting any paid threshold.
Q05. Self-hosted Vaultwarden vs Proton Pass - which?
Different products. Self-hosted Vaultwarden = maximum control + maximum responsibility. Proton Pass = polished consumer app + Swiss-based encrypted hosting + £4/month family plan. If you want infrastructure responsibility + the homelab-skills exercise, Vaultwarden. If you want a polished product with Swiss data sovereignty and don't want to maintain infrastructure, Proton Pass. Both are good answers to 'I don't want US-headquartered password managers'. See our UK password manager comparison.