Deployment of Vaultwarden as Self-Hosted in Cloud

Posted on December 15, 2025 • 4 minutes • 693 words

Table of contents

Vaultwarden: Password Manager
Admin Panel Access:
Reports
Conclusion

Vaultwarden: Password Manager

Vaultwarden is an unofficial Bitwarden compatible server, an project initiated by Daniel García. In that technical guideline, I’ll list the steps for deployment of it in a Cloud Service Provider’s Virtual Machine, Ubuntu OS.

Cover Image Credits: Notebook LLM

Creating the VM Which CSP you prefer, a simple VM is enough to run. A public IP will be needed to connect.
Installation of Docker Docker is a containarization platform which will run the Vaultwarden. After installing the Docker into the related OS:

sudo install -m 0755 -d /etc/apt/keyrings  
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc  
sudo chmod a+r /etc/apt/keyrings/docker.asc  
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null  
sudo apt-get update 
sudo snap install docker

Creating compose.yml file.

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      DOMAIN: "https://vaultwarden.mydomain.com"
      SIGNUPS_ALLOWED: "true"
    volumes:
      - ./vw-data:/data

  caddy:
    image: caddy:2
    container_name: caddy
    restart: always
    ports:
      - 80:80
      - 443:443
      - 443:443/udp
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - ./caddy-config:/config
      - ./caddy-data:/data
    environment:
      DOMAIN: "https://vaultwarden.mydomain.com"
      EMAIL: "email@mydomain.com"  # The email address to use for ACME registration.
      LOG_FILE: "/data/access.log"

After creatint the file, running deployment command in the same folder with compose.yml

docker compose up -d

If everything went well, vaultwarden.mydomain.com should serve the login page. Otherwise, it’s best to get an LLM’s support via sharing related logs.

Admin Panel Access:

vaultwarden.mydomain.com/admin address will be the portal of it. First, there needs to be a token generated as explained here.

After adding the argon2 generated token into the compose.yml, rebuild the containers:

docker compose down && docker compose up -d --build

After submitting the Password, that generated with the argon2 token, settings will be seen:

Some compose.yml settings can be overridden within that page.

SMTP Settings

A personal Gmail account can be used for that purpose. The point is that, within the Google, there is a need to generate an Application Password. In Security and sign-in page, search for App passwords and create a password for vaultwarden.

Host: smtp.gmail.com
Secure SMTP: starttls
From Address: email@gmail.com
Password: {16 character app password, different than regular Google Account password.}

After submitting those details, Save and Test SMTP via sending an email to an address.

Received test email:

Some Useful Admin Settings

In General Setttings:

Require email verification on signups If that is enabled, user need to verify its email via OTP before registering.
Email domain whitelist It will provide registering with only certain email domains.

In Email 2FA Settings: It’s possible to enforce and configure 2FA via email.

Browser Extension and Mobile Application Access

Vaultwarden is an unofficial Bitwarden compatiable server. That provides, using Bitwarden applications as Browser extension or mobile app to access self-hosted vaultwarden deployments.

Browser Add-on Access Steps

After installing the extension in any browser:

In accessing, Self-hosted should be selected:
Self-hosted domain should be submitted. e.g. https://vaultwarden.mydomain.com
After login with the credentials, it will sync the related items with browser extension:

Mobile Application

After downloading, logging in on “Self-hosted”
Using the same user credentials to access the item:

Reports

There are six different repots that can be accessed:

Exposed passwords
Reused passwords
Weak paswords
Unsecure websites
Inactive two-steplogin
Data breach

Conclusion

Shortly speaking, I think it’s a good idea to have a central vault for credentials and secrets for SMEs especially with limited budgets. That will be much more easier and effective than using local password vaults, e.g. KeePass. After the deployment, Vaultwarden can be configured to compete with enterprise-grade password managers. Especially built-in 2FA is really useful for end user experience from my perspective.

Domain name whitelisting and email 2FA enforcement for logins, browser extension and mobile application options provide enough mobility for professionals.

If there is a need for a cental password manager, Vaultwarden is a good alternative. It can be deployed into a current web server etc. There will be less than 100mb ran requirements for the container.

Of course, there are also more straightforward models with one-click-deployments with no need for infrastructure, server., e.g. in Repo Cloud.

I would like to thank specially to the initiator of Vaultwarden project Daniel García, and every contributor to the project for their contributions to the defense in cyberspace.