Most password managers ask you to trust a company with the one dataset that unlocks your entire digital life. Vaultwarden is the quiet exception: an open-source server you run yourself, compatible with the official Bitwarden apps and browser extensions, so your phone, laptop, and browser all sync against your machine instead of someone else’s cloud.
It is not a fork of Bitwarden and it is not a reimplementation of the apps. It is a standalone server written in Rust that speaks the same API the Bitwarden clients expect. That distinction is the entire reason it works at all — you keep Bitwarden’s polished clients and swap only the backend.
What Vaultwarden actually is
Vaultwarden (formerly bitwarden_rs) is an unofficial Bitwarden-compatible server. The project sits at roughly 63,500 GitHub stars as of July 2026 and the repository was last pushed on 2026-07-08, so it is actively maintained. The current stable release is 1.36.0, published 2026-05-03 (see the release notes).
The clients — the Bitwarden iOS/Android apps, the desktop app, and the browser extension — connect to whichever server URL you configure. Point them at vault.bitwarden.com and you are on Bitwarden’s hosted service. Point them at your Vaultwarden URL and the same app now talks to your server. Your vault entries, the autofill, the TOTP generator, the breach reports — all of it behaves identically from the user’s seat.
Why people run it
The appeal is not “free instead of paid,” though that is true. The appeal is tenancy and control. Bitwarden’s free tier caps you at two users and hides some features behind a family/organization plan. Vaultwarden has no such ceiling: you can create unlimited users and organizations on hardware you own. A household, a small team, or a club can share vaults without a per-seat bill.
It is also dramatically lighter than the official Bitwarden server, which is a collection of .NET microservices. Vaultwarden is a single small binary plus a database (SQLite by default, with optional MySQL/PostgreSQL). On a Raspberry Pi it idles at a fraction of the RAM the full Bitwarden stack would demand, which is why it dominates the self-hosting community’s password category.
The moving parts
A working install is three things:
- The server — a Docker container (the
vaultwarden/serverimage on Docker Hub) or a compiled binary. - A reverse proxy — Caddy or Nginx Proxy Manager in front of it, terminating HTTPS. You do not expose the raw container port; you expose a real domain over TLS.
- A database — SQLite ships default and is fine for most homes; larger setups point it at Postgres.
The clients reach the proxy over https://vault.yourdomain.com, the proxy forwards to the container, the container reads and writes the database. That is the whole topology. No external service is in the path.
Who should — and shouldn’t — do this
Self-hosting your password store is a different risk calculation than self-hosting a photo album. If your server is down, you can still open the Bitwarden app and read cached credentials offline, but syncing stops until it is back. If you have no off-site backup and the SD card in your Pi dies, the vault dies with it. The Vaultwarden documentation is explicit that backups are your responsibility.
So the honest framing: this is for people who already run a homelab or are comfortable with Docker, DNS, and TLS, and who would rather own the failure modes than hand them to a vendor. If “my password vault is unavailable because I broke a Docker Compose file at 1 a.m.” sounds like a nightmare, the hosted Bitwarden free tier is the more sensible default. You are trading convenience for sovereignty.
Security posture you inherit
Because Vaultwarden is the backend, the encryption model is Bitwarden’s: secrets are encrypted on the device before they ever leave it, and the server stores ciphertext it cannot read. That part is unchanged from hosted Bitwarden. What changes is operational security. Release 1.36.0 is almost entirely security fixes — SSO login CSRF, user/organization enumeration, an SSRF via the icon-fetch endpoint, and SSO existing-user binding (all detailed in the GitHub security advisories). The takeaway is not “it is unsafe” — it is that you are now the one who must apply those updates. A hosted provider patches for you; here, you watch the releases.
The trade-off in one line
Vaultwarden gives you a private, unlimited, Bitwarden-compatible password server on a $35 computer. In exchange you accept backup duty, update duty, and the occasional 1 a.m. troubleshooting session. For the right person, that is a bargain. For everyone else, it is exactly the kind of freedom you pay a vendor to take off your plate.