EZ-Homelab/docs/service-docs/vaultwarden.md

Vaultwarden - Password Manager

Table of Contents

• Overview
• What is Vaultwarden?
• Why Use Vaultwarden?
• Configuration in AI-Homelab
• Official Resources
• Educational Resources
• Docker Configuration
• Setup
• Troubleshooting

Overview

Category: Password Management
Docker Image: vaultwarden/server
Default Stack: utilities.yml
Web UI: https://vaultwarden.${DOMAIN} or http://SERVER_IP:8343
Client Apps: Bitwarden apps (iOS, Android, desktop, browser extensions)
Ports: 8343

What is Vaultwarden?

Vaultwarden (formerly Bitwarden_RS) is an unofficial Bitwarden server implementation written in Rust. It's fully compatible with official Bitwarden clients but designed for self-hosting with much lower resource requirements. Store all your passwords, credit cards, secure notes, and identities encrypted on your own server.

Key Features

• Bitwarden Compatible: Use official apps
• End-to-End Encryption: Zero-knowledge
• Cross-Platform: Windows, Mac, Linux, iOS, Android
• Browser Extensions: Chrome, Firefox, Safari, Edge
• Password Generator: Strong password creation
• 2FA Support: TOTP, U2F, Duo
• Secure Notes: Encrypted notes storage
• File Attachments: Store encrypted files
• Collections: Organize passwords
• Organizations: Family/team sharing
• Low Resource: <100MB RAM
• Free & Open Source: No premium required

Why Use Vaultwarden?

1. Self-Hosted: Control your passwords
2. Free Premium Features: All features included
3. Privacy: Passwords never leave your server
4. Zero-Knowledge: Only you can decrypt
5. Lightweight: Runs on anything
6. Bitwarden Apps: Use official clients
7. Family Sharing: Free organizations
8. Open Source: Auditable security

Configuration in AI-Homelab

/opt/stacks/utilities/vaultwarden/data/
  db.sqlite3          # Password database (encrypted)
  attachments/        # File attachments
  sends/             # Bitwarden Send files
  config.json        # Configuration

Official Resources

• GitHub: https://github.com/dani-garcia/vaultwarden
• Wiki: https://github.com/dani-garcia/vaultwarden/wiki
• Bitwarden Apps: https://bitwarden.com/download/

Educational Resources

YouTube Videos

1. Techno Tim - Vaultwarden Setup

   • https://www.youtube.com/watch?v=yzjgD3hIPtE
   • Complete setup guide
   • Browser extension configuration
   • Organization setup

2. DB Tech - Bitwarden RS (Vaultwarden)

   • https://www.youtube.com/watch?v=2IceFM4BZqk
   • Docker deployment
   • App configuration
   • Security best practices

3. Wolfgang's Channel - Vaultwarden Security

   • https://www.youtube.com/watch?v=ViR021iiR5Y
   • Security hardening
   • 2FA setup
   • Backup strategies

Articles

1. Official Wiki: https://github.com/dani-garcia/vaultwarden/wiki
2. Comparison: https://github.com/dani-garcia/vaultwarden/wiki/Which-container-image-to-use

Docker Configuration

vaultwarden:
  image: vaultwarden/server:latest
  container_name: vaultwarden
  restart: unless-stopped
  networks:
    - traefik-network
  ports:
    - "8343:80"
  environment:
    - DOMAIN=https://vaultwarden.${DOMAIN}
    - SIGNUPS_ALLOWED=true  # Disable after creating accounts
    - INVITATIONS_ALLOWED=true
    - SHOW_PASSWORD_HINT=false
    - WEBSOCKET_ENABLED=true
    - SENDS_ALLOWED=true
    - EMERGENCY_ACCESS_ALLOWED=true
  volumes:
    - /opt/stacks/utilities/vaultwarden/data:/data
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.${DOMAIN}`)"
    - "traefik.http.routers.vaultwarden.entrypoints=websecure"
    - "traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt"
    - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"

Setup

1. Start Container:

   docker compose up -d vaultwarden
   

2. Access Web Vault: https://vaultwarden.yourdomain.com

3. Create Account:

   • Click "Create Account"
   • Email (for account identification)
   • Strong master password (REMEMBER THIS!)
   • Master password cannot be recovered!
   • Hint (optional, stored in server)

4. Disable Public Signups: After creating accounts, edit docker-compose.yml:

   - SIGNUPS_ALLOWED=false
   

   Then: docker compose up -d vaultwarden

5. Setup Browser Extension:

   • Install Bitwarden extension
   • Settings → Server URL → Custom
   • https://vaultwarden.yourdomain.com
   • Log in with your account

6. Setup Mobile Apps:

   • Download Bitwarden app
   • Before login, tap settings gear
   • Server URL → Custom
   • https://vaultwarden.yourdomain.com
   • Log in

7. Enable 2FA (Recommended):

   • Web Vault → Settings → Two-step Login
   • Authenticator App (Free) or
   • Duo, YubiKey, Email (all free in Vaultwarden)
   • Scan QR code with authenticator
   • Save recovery code!

Troubleshooting

Can't Connect from Apps

# Check domain is set
docker exec vaultwarden cat /data/config.json | grep domain

# Verify HTTPS working
curl -I https://vaultwarden.yourdomain.com

# Check logs
docker logs vaultwarden | tail -20

Forgot Master Password

There is NO recovery! Master password cannot be reset. Your vault is encrypted with your master password. Without it, the data cannot be decrypted.

Prevention:

• Write master password somewhere safe
• Use a memorable but strong passphrase
• Consider password hint (stored on server)
• Print recovery codes for 2FA

Websocket Issues

# Ensure websocket enabled
docker inspect vaultwarden | grep WEBSOCKET

# Should show: WEBSOCKET_ENABLED=true

Backup Vault

# Stop container
docker stop vaultwarden

# Backup data directory
tar -czf vaultwarden-backup-$(date +%Y%m%d).tar.gz \
  /opt/stacks/utilities/vaultwarden/data/

# Start container
docker start vaultwarden

# Or use Backrest (default) for automatic backups

Summary

Vaultwarden is your self-hosted password manager offering:

• Bitwarden-compatible server
• All premium features free
• End-to-end encryption
• Cross-platform apps
• Browser extensions
• Family/team organizations
• Secure note storage
• File attachments
• Very lightweight
• Free and open-source

Perfect for:

• Password management
• Family password sharing
• Self-hosted security
• Privacy-conscious users
• Replacing LastPass/1Password
• Secure note storage

Key Points:

• Compatible with Bitwarden clients
• Master password CANNOT be recovered
• Disable signups after creating accounts
• Enable 2FA for security
• Regular backups critical
• Set custom server URL in apps
• HTTPS required for full functionality

Remember:

• Master password = cannot recover
• Write it down somewhere safe
• Enable 2FA immediately
• Disable public signups
• Regular backups essential
• Use official Bitwarden apps
• HTTPS required for apps

Vaultwarden gives you control of your passwords!