Vaultwarden

Unofficial Bitwarden-compatible server in Rust — run the full Bitwarden ecosystem on a Raspberry Pi using every official client you already have, without the multi-container overhead.

63.3Kstars
3Kforks
GNU AGPLv3
Rust

Vaultwarden is an unofficial, community-built implementation of the Bitwarden server API written in Rust. Every official Bitwarden client — web vault, browser extensions, iOS and Android apps, and desktop applications — connects to it without any modifications. The entire Bitwarden password management experience works as-is; only the server behind it is different, and that difference is the point.

The official Bitwarden self-hosted server is a multi-container system requiring separate services for API, identity, admin, notifications, and more. Vaultwarden compresses all of that into a single Rust binary. It runs on hardware as modest as a Raspberry Pi with SQLite as the database, making self-hosted password management genuinely accessible to individuals and small teams who would find the official server’s resource requirements prohibitive.

Feature coverage is nearly complete: personal vaults, organizations with shared collections, multi-factor authentication via TOTP, FIDO2/WebAuthn, YubiKey and Duo, Bitwarden Send for encrypted file and text sharing, emergency access, event logs, directory connector support, and a web-based admin panel. The small set of unimplemented features — Secrets Manager and SCIM provisioning — are explicitly excluded because they require separate licensing in the official implementation that falls outside what an AGPL-licensed reimplementation can cover.

Despite being unofficial, Vaultwarden has over 62,000 GitHub stars and is actively maintained with consistent releases that track the evolving Bitwarden client API. Pre-built Docker images cover AMD64, ARM64, and ARMv7 targets.

What You Get

  • Full Bitwarden client compatibility — web vault, browser extensions, iOS, Android, and desktop apps connect without any client modifications
  • Organizations with shared collections, password sharing, member roles, groups, event logs, and admin password reset
  • Multi-factor authentication via TOTP, email OTP, FIDO2/WebAuthn hardware keys, YubiKey, and Duo
  • Bitwarden Send for encrypted sharing of text or files with optional passwords, view limits, and expiry dates
  • Emergency access allowing designated trusted contacts to request vault access after a configurable waiting period
  • Web-based admin panel for user management, organization oversight, and server configuration without SSH access

Common Use Cases

  • Personal password manager on a home server or cheap VPS — full Bitwarden experience without a SaaS subscription
  • Family or small team credential sharing via organizations and collections without per-user SaaS pricing
  • Privacy-conscious individuals who want end-to-end encrypted vault data stored only on hardware they personally own
  • Homelabbers adding Vaultwarden to a self-hosted stack alongside services like Nextcloud or Gitea
  • Regulated-environment teams where password manager data must stay entirely on-premise by policy

Under The Hood

Architecture Vaultwarden follows a handler-centric architecture anchored in Rocket’s request pipeline. The API surface is divided into self-contained handler modules — accounts, ciphers, organizations, sends, two-factor, emergency access — each exporting its routes via a standardized function and mirroring Bitwarden’s own API layout closely enough for the official clients to connect without modification. Request authentication is enforced through Rocket’s typed request guard mechanism: access credentials are extracted, validated, and materialized into typed guard structs before handler code runs, making unauthorized code paths structurally impossible to express. Database connections are injected as typed pool connections into handler functions, and a centralized error type — generated by a declarative macro — unifies all external error variants under a single type with consistent HTTP response mapping. The initialization sequence assembles routes, runs Diesel migrations, and launches background task loops for push notification purging and SSO context cleanup.

Tech Stack The backend is Rust built on the Rocket 0.5 async web framework with tokio as the async runtime. Diesel provides the ORM layer with r2d2 connection pooling; three database backends — SQLite, MySQL, and PostgreSQL — are selected at compile time through Cargo feature flags, with SQLite available as a fully statically-linked build for zero-dependency deployments. Serialization uses serde with serde_json, JWT handling uses jsonwebtoken, and email dispatch uses lettre. WebAuthn and FIDO2 hardware key support is provided by webauthn-rs. Attachment and file storage is abstracted via OpenDAL, enabling local filesystem, S3-compatible, or Azure Blob backends. The admin panel uses Handlebars templates. Docker images cover AMD64, ARM64, and ARMv7 targets, and an optional MiMalloc custom allocator is available as a compile-time performance feature.

Code Quality The codebase reflects a strong type-safety ethos throughout. The centralized error module uses a macro to generate exhaustive error conversions, Display formatting, and HTTP status mapping for a dozen external error types in a single declarative declaration — eliminating an entire category of missing conversion bugs. Rocket’s request guard mechanism encodes access control at the type level, preventing unauthorized handler invocation structurally rather than by convention. The test suite combines unit tests embedded in source modules with a Playwright-based end-to-end suite in a separate directory. Comment density is moderate, with handler comments focused on documenting deliberate divergences from the undocumented Bitwarden API. The primary quality gap is that unit test coverage is thinner than you’d want for a security-critical password manager, leaning on Rust’s compile-time guarantees rather than explicit behavioral assertions for correctness.

What Makes It Unique Vaultwarden’s distinguishing achievement is compressing a multi-service, enterprise-grade server system into a single Rust binary while maintaining complete API compatibility with official Bitwarden clients — none of which were written to be compatible with anything other than Bitwarden’s own backend. The Bitwarden server API is undocumented and evolves primarily through client inspection, yet the project tracks it closely enough that client updates rarely break compatibility. This sustained reverse-engineering effort is the project’s technical core. The consequence — running a full-featured password manager on a Raspberry Pi with a single process under 50MB of RAM, using the clients already installed on every user’s device — is a meaningful outcome that requires no compromise on the client experience.

Self-Hosting

Vaultwarden is licensed under AGPL-3.0 (“Affero GPL”), a copyleft license with one practical distinction from permissive licenses: if you modify Vaultwarden and provide it as a network service to third parties, you must make your source changes available under the same terms. For the vast majority of self-hosters — running their own instance for personal use, family, or their own team — this obligation is never triggered. You can deploy it commercially for internal use, integrate it into your own infrastructure, and run it for your organisation without publishing anything. The copyleft clause only applies if you were to build a hosted service on top of modified Vaultwarden and offer it to external users.

Running Vaultwarden means you own your password data completely, which is the point — and the responsibility. You need a server, a reverse proxy with a valid TLS certificate (the Bitwarden clients require HTTPS and will refuse plaintext connections), and a reliable, tested backup strategy. That last part is non-negotiable: a password manager that loses its data or goes down without a recovery path is worse than no password manager at all. Vaultwarden’s SQLite database is a single file you can back up with any tool, but you have to actually do it, on a schedule, and verify the restores. The server receives regular updates and you are responsible for applying them — no one will notify you when a security patch ships. That said, the upgrade process is simpler than almost any comparable self-hosted service: stop the container, pull the new image, start it.

Compared to Bitwarden’s own cloud service at bitwarden.com — which offers free personal tiers, family plans, and team pricing — Vaultwarden self-hosters trade managed backups, guaranteed uptime, and official support for complete data sovereignty and zero per-seat cost. A small set of Bitwarden features are absent: Secrets Manager and SCIM directory provisioning are not implemented because they require separate licensing in the official codebase. For individuals, families, and small teams, that gap is rarely relevant. For larger organisations that need SCIM-based provisioning or Secrets Manager integration, the official Bitwarden self-hosted server or cloud subscription is the better fit. Vaultwarden’s sweet spot is anyone willing to trade a few hours of setup for permanent ownership of their credentials.

Join founders buildingwith open source

Opinionated takes, migration guides, cost-saving tips, and insights from the open source ecosystem.

Subscribe on Substack

No spam. Unsubscribe anytime.

Join 750+ subscribers
No spam. Unsubscribe anytime.

Search