
Self-Hosted Bitwarden vs Trusting the Cloud: A Six-Month Report


Six months ago I moved off Bitwarden's cloud and onto a self-hosted instance running on a small VPS. The trigger was nothing dramatic. I had not been hacked. Bitwarden had not done anything wrong. I just kept thinking about the fact that the most sensitive vault of secrets I owned was sitting on infrastructure I did not control, and one day I decided to try it the other way.

Here is what happened.

Generated with Together AI's FLUX.1-schnell.

The setup, as actually installed

The official Bitwarden self-hosted install is a Docker stack that includes a SQL Server instance, an admin panel, an attachments server, and various microservices. It works, but it is heavy. On a 1GB-RAM VPS it is at the edge of usable.

What most people actually run is Vaultwarden, an unofficial reimplementation of the Bitwarden server in Rust. It is a single binary, uses SQLite by default, idles at 30MB of RAM, and speaks the Bitwarden API protocol so that the official Bitwarden clients (browser extension, mobile app, desktop) connect to it without modification.

Vaultwarden is not affiliated with Bitwarden. The Bitwarden company has been mostly tolerant of it (they have not sent a cease-and-desist), and the project has been around since 2018, so the relationship is stable enough that running it for personal use feels safe. For a business, you should pay Bitwarden directly.

My setup looks like this:

  • VPS: Hetzner CX22, 2 vCPU, 4GB RAM, Debian 12, around $5/month
  • Server: Vaultwarden in a Docker container, behind Caddy as a reverse proxy
  • TLS: Caddy handles Let's Encrypt automatically
  • Backups: A nightly cron job that snapshots the SQLite file plus the attachments directory and rsyncs them to my home server
  • Domain: A subdomain on a domain I already own, behind a Cloudflare proxy

The whole thing took about ninety minutes to stand up the first time, including the Caddyfile and the backup script.

What was easy

The migration. Bitwarden has a built-in JSON export. Vaultwarden imports the same format. I exported, imported, logged in on every device, and was done. No data loss, no friction.

Generated with Together AI's FLUX.1-schnell.

The browser extension. The official Bitwarden extension has a "self-hosted" option in its settings. You point it at your domain, sign in, and it works exactly like the cloud version. Same autofill, same UI, same everything.

The mobile apps. Same story. Add a self-hosted server URL in settings, log in, your vault appears.

The cost. Hetzner is $5/month. Bitwarden Premium is $10/year for the family plan, so I am genuinely losing money on the move if I count just the VPS. But I am running a bunch of other services on the same box, so amortized across those, password management is basically free.

What was painful

Email. Bitwarden uses email for password reset, account verification, and two-factor backup codes. That means your Vaultwarden instance needs SMTP credentials. I burned an afternoon trying to use my own mail server, gave up, and switched to AWS SES, which is the path most self-hosters end up on.

Backups, the hard kind. The easy kind is "rsync the SQLite file." The hard kind is "what happens if my house burns down." I now have offsite copies in two different cloud providers, encrypted with a key that is itself stored in three places. The backup design took longer than the install. This is not a Vaultwarden problem; it is a self-hosting problem.
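The nightly job from the setup list and the "hard kind" of backup above, written out as an added example; this is not the author's cron script. It assumes Vaultwarden's default data-directory layout (db.sqlite3, attachments/, sends/, rsa_key.pem, rsa_key.pub.pem, config.json) and uses the sqlite3 shell's .backup command for a consistent snapshot of the live database, falling back to a plain copy only when the sqlite3 CLI is absent. The function names backup_vault and verify_backup and the archive naming are my choices; the rsync to the home server and the offsite encryption are left to the caller, since they depend on your key handling.

```shell
#!/bin/sh
# Added example, not the author's cron script. Assumes Vaultwarden's default
# data-directory layout: db.sqlite3, attachments/, sends/, rsa_key.pem,
# rsa_key.pub.pem and config.json. icon_cache/ is a cache and is skipped.
set -eu

# backup_vault DATA_DIR DEST_DIR
# Writes DEST_DIR/vaultwarden-<utc timestamp>.tar and a .sha256 manifest,
# prints the archive path, and returns non-zero on any failure.
backup_vault() {
    data_dir=$1
    dest_dir=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    stage=$(mktemp -d)
    mkdir -p "$dest_dir"

    # Copying a live SQLite file can capture a half-written page. The sqlite3
    # shell's .backup command takes a consistent snapshot while the server runs.
    if command -v sqlite3 >/dev/null 2>&1; then
        sqlite3 "$data_dir/db.sqlite3" ".backup '$stage/db.sqlite3'"
    else
        # Fallback for hosts without the sqlite3 CLI: only safe if the
        # container is stopped first.
        cp "$data_dir/db.sqlite3" "$stage/db.sqlite3"
    fi

    # Attachments and Sends hold user data; the RSA key pair signs login
    # tokens, so a restore without it logs every client out.
    for item in attachments sends rsa_key.pem rsa_key.pub.pem config.json; do
        if [ -e "$data_dir/$item" ]; then
            cp -R "$data_dir/$item" "$stage/"
        fi
    done

    archive="$dest_dir/vaultwarden-$stamp.tar"
    tar -cf "$archive" -C "$stage" .
    # The manifest uses the bare file name so it still verifies after an rsync.
    (cd "$dest_dir" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256")
    rm -rf "$stage"
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE
# Checks the manifest and that the database is actually inside the archive.
verify_backup() {
    archive=$1
    (cd "$(dirname "$archive")" \
        && sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1) || return 1
    tar -tf "$archive" | grep -q '^\./db\.sqlite3$'
}
```

Run it from cron as `backup_vault /srv/vaultwarden/data /var/backups/vaultwarden`, feed the printed path into the rsync step, and run verify_backup on the copy at the far end. A backup that has never been verified or restored is the part of the "house burns down" design that usually gets skipped, and the manifest check catches a truncated or tampered transfer before you need it.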

The registration bootstrap. The first time you set up Vaultwarden, you have to register an admin account before you can disable open registration. There is a small window during which someone could create their own account on your instance if they happened to know the URL. I closed it within a minute, but the window exists. I disabled open registration in the env file before pointing my domain at the instance, which is the right way.
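The registration window above, turned into a preflight check, as an added example that is not part of the post or of Vaultwarden itself: a shell function that reads the .env file the container will receive and refuses a start while SIGNUPS_ALLOWED, ADMIN_TOKEN, DOMAIN or SMTP_HOST are unsafe or missing. The variable names are Vaultwarden's; the function names, the 32-character minimum for a plain admin token and the sample values are my choices.

```shell
#!/bin/sh
# Added example for this post, not Vaultwarden's own tooling. It reads the .env
# file that the compose stack passes to the container and reports each unsafe
# setting, so the instance is never exposed with registration open.

# env_value FILE KEY: value of the last KEY=VALUE line, surrounding quotes stripped
env_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 \
        | sed -e 's/^"//' -e 's/"$//' -e "s/^'//" -e "s/'$//"
}

# check_vaultwarden_env FILE: prints one line per finding, returns the count
check_vaultwarden_env() {
    file=$1
    problems=0

    # Vaultwarden accepts signups unless told otherwise, and anyone who reaches
    # the URL can register. Close them before the instance is reachable and
    # invite your own account from the admin panel, or enable signups only
    # while you register over a connection nobody else can reach.
    if [ "$(env_value "$file" SIGNUPS_ALLOWED)" != "false" ]; then
        echo "SIGNUPS_ALLOWED is not false (Vaultwarden defaults to open signups)"
        problems=$((problems + 1))
    fi

    # Without ADMIN_TOKEN the admin panel is off; with a short one it is a
    # guessing target. Accept an argon2 PHC hash or a long random value.
    token=$(env_value "$file" ADMIN_TOKEN)
    case "$token" in
        '$argon2'*) ;;
        *) if [ "${#token}" -lt 32 ]; then
               echo "ADMIN_TOKEN is missing or shorter than 32 characters"
               problems=$((problems + 1))
           fi ;;
    esac

    # The web vault needs a secure context, and DOMAIN is embedded in emails
    # and WebAuthn registrations, so it must be the public https URL.
    case "$(env_value "$file" DOMAIN)" in
        https://*) ;;
        *) echo "DOMAIN must be the public https:// URL"
           problems=$((problems + 1)) ;;
    esac

    # Account verification, password-hint mail and 2FA recovery all need SMTP.
    if [ -z "$(env_value "$file" SMTP_HOST)" ]; then
        echo "SMTP_HOST is unset; email-based flows will fail"
        problems=$((problems + 1))
    fi

    return "$problems"
}
```

Gate the compose command on it, for instance `check_vaultwarden_env .env && docker compose up -d`, so the container only ever comes up with registration closed. An untouched .env fails all four checks (signups open, no admin token, http domain, no SMTP), which is exactly the state the post describes racing to close.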

Push notifications. The official Bitwarden mobile app uses Bitwarden's push servers for instant sync. On a self-hosted setup, this does not work without a separate config. The vault still syncs, just on a delay, when you open the app. I have not bothered to fix this and it has been fine.

What surprised me

It has been more reliable than I expected. The VPS has had zero downtime in six months. Vaultwarden has not crashed once. The container restarts on reboot. There is genuinely nothing to do.

Performance is better than the cloud version. Sync is faster, autofill is faster, the admin panel loads instantly. The cloud Bitwarden is fine, but the self-hosted version is noticeably snappier because the round trip is to a server in the same general region as me, not to wherever Bitwarden's primary datacenter happens to be.

Should you do this?

Honestly, no, unless you really want to. Bitwarden's cloud is excellent. They have professional security, professional uptime, and professional incident response, which is more than I can offer on my own VPS. For most people, paying $10/year for the family plan is the correct answer.

The reason to self-host is not security or cost. It is control. You own the data, you own the server, and nobody can shut your account off. If that matters to you (because of a privacy stance, because of a homelab hobby, because of a regulatory requirement), Vaultwarden is the cleanest path I have found. If it does not matter, just pay Bitwarden.

I am six months in and I have not gone back. The setup was a weekend project, the maintenance has been zero, and the password vault is now sitting on a box I personally own and back up. That is the value I bought, and so far I have not regretted it.