In this tutorial, we'll learn how to Setup Vaultwarden on Ubuntu 24.04.
Securing our digital identities is more important than ever. Password managers like Bitwarden are popular for managing secrets, but many of us prefer self-hosting for privacy, control, and cost savings. That’s where Vaultwarden, a lightweight and community-maintained Bitwarden-compatible server, shines.
In this guide, we’ll walk step-by-step through setting up Vaultwarden on Ubuntu, using Docker for simplicity, HTTPS for secure access, and systemd for reliability. This setup is perfect for developers, IT professionals, and privacy-conscious individuals who want full control over their data.
Prerequisites
Before we begin, let’s ensure we have the following in place:
- A Ubuntu 24.04 dedicated server or KVM VPS.
- A basic programming knowledge.
- A domain name pointing to server IP
Setup Vaultwarden on Ubuntu 24.04
Step 1: Prepare the Ubuntu Server
Let’s begin with a fresh Ubuntu installation. This setup works well on Ubuntu 22.04 LTS or newer.
Update your system:
sudo apt update && sudo apt upgrade -y
Install essential packages:
sudo apt install curl gnupg lsb-release ca-certificates -y
Make sure your system is secure and has a static IP or DNS entry if you want external access.
Step 2: Install Docker and Docker Compose
Vaultwarden is best run inside a Docker container to simplify setup and maintenance.
Install Docker:
curl -fsSL https://get.docker.com | sh
Install Docker Compose plugin:
sudo apt install docker-compose-plugin -y
Enable and start Docker:
sudo systemctl enable docker
sudo systemctl start docker
To verify:
docker --version
docker compose version
Step 3: Create Vaultwarden Directory Structure
Now we’ll organize files for Vaultwarden deployment.
mkdir -p ~/vaultwarden/data
cd ~/vaultwarden
We’ll store persistent data and Docker configuration here.
Step 4: Create docker-compose.yml File
Let’s define the Vaultwarden service using Docker Compose.
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
restart: unless-stopped
environment:
WEBSOCKET_ENABLED: 'true'
SIGNUPS_ALLOWED: 'true'
volumes:
- ./data:/data
ports:
- '8080:80'
Save this as docker-compose.yml in your ~/vaultwarden folder.
- WEBSOCKET_ENABLED: Required for real-time sync.
- SIGNUPS_ALLOWED: We can enable or disable public signups for better security. Set to false if you don't want open registration initially.
Step 5: Start Vaultwarden
Now let’s bring up the service.
docker compose up -d
Vaultwarden is now running at http://<your-server-ip>:8080.
You can test it by visiting the URL in your browser. It should show a Bitwarden-compatible web interface.
Step 6: Secure Vaultwarden with HTTPS (Using Caddy)
We should never run a password manager over HTTP in production. Let’s use Caddy — a powerful web server with automatic HTTPS.
Install Caddy:
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy
Configure firewall:
ufw allow 80/tcp
ufw allow 443/tcp
ufw reload
Configure a Caddyfile:
sudo nano /etc/caddy/Caddyfile
Add:
vault.example.com {
reverse_proxy 127.0.0.1:8080
}
Replace vault.example.com with your actual domain, and make sure it points to your server’s IP in DNS.
Restart Caddy:
sudo systemctl restart caddy
Caddy will automatically fetch and renew SSL certificates via Let’s Encrypt.
Now Vaultwarden is live at: https://vault.example.com
Step 7: Setup Admin Token (Optional)
To manage users or change settings, we can define an admin token.
Edit your Docker Compose file and add:
environment:
ADMIN_TOKEN: "generate_a_secure_token_here"
To generate a secure token:
openssl rand -base64 32
Then restart Vaultwarden:
docker compose down
docker compose up -d
Now access the admin panel at https://vault.example.com/admin using the token.
Step 8: Enable Backups (Recommended)
Backups are essential for any critical application.
You can backup the ~/vaultwarden/data folder periodically using rsync or cron jobs:
rsync -av --delete ~/vaultwarden/data /path/to/your/backup/location
Or use remote backups (e.g., Nextcloud, S3, NAS) depending on your setup.
Step 9: Connect with Bitwarden Clients
Vaultwarden is fully compatible with official Bitwarden clients:
- Bitwarden Desktop
- Mobile apps
- Browser extensions
- CLI tools
When prompted for the server URL, enter your domain:
https://vault.example.com
You now have your own secure, private password manager syncing across all devices.
Final Thoughts
By setting up Vaultwarden on Ubuntu, we’ve created a lightweight, fully self-hosted password manager that respects our privacy, gives us complete control, and eliminates third-party risks. Using Docker and Caddy simplifies deployment while ensuring robust HTTPS support and maintainability.
