
Vaultwarden Setup with Traefik Self hosted deployment

With high-profile breaches in cloud-based password managers, many are looking to self-host their password solutions. While Bitwarden is an extremely popular solution, Vaultwarden is an alternative implementation of the resource-heavy official Bitwarden server. Let’s look at a Vaultwarden setup with Traefik and see how you can easily set this up.

What is Vaultwarden?

Vaultwarden is an alternative implementation of the Bitwarden server API written in Rust. As an open-source project, Vaultwarden benefits from a robust community of developers and enthusiasts contributing to its ongoing development. Users can expect timely updates and improvements, ensuring the software remains up-to-date and secure. It

Overall, Vaultwarden is an excellent option for individuals and businesses seeking a self-hosted password manager that is both lightweight and feature-rich. With its wide range of features and benefits, Vaultwarden is a worthy alternative to the official Bitwarden server, especially for those prioritizing control and customization in their password management solution.

Lightweight Alternative to Official Bitwarden Server

Vaultwarden is a popular choice among individuals and businesses seeking a resource-efficient password manager for their self-hosted deployments. As a lightweight alternative to the official Bitwarden server, Vaultwarden provides a full implementation of the Bitwarden server API, written in Rust. This efficient design allows Vaultwarden to consume fewer resources while offering the same functionality as its official counterpart.

Vaultwarden features

It provides the following features of the Bitwarden API:

  • Organizations support

  • Attachments and Send

  • Vault API support

  • Serving the static files for Vault interface

  • Website icons API

  • Authenticator and U2F support

  • YubiKey and Duo support

  • Emergency Access

Read the full feature documentation here: GitHub – dani-garcia/vaultwarden: Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs

Effortless Vaultwarden setup with Docker Support

Vaultwarden offers seamless deployment through the vaultwarden Docker image, enabling users to quickly deploy and manage the password manager on any host system with Docker installed.

To get started with a self-hosted deployment, pull the Vaultwarden image from the upstream Docker repository with the docker command (prefixed with sudo where your setup requires it):

docker pull vaultwarden/server:latest

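If you already have the vaultwarden container image pulled, you can run the docker command below to start the container. Note that this publishes Vaultwarden over plain HTTP on port 80, so the web vault still needs HTTPS in front of it, as covered in the following sections: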

docker run -d --name vaultwarden -v /vw-data/:/data/ -p 80:80 vaultwarden/server:latest

You can verify the Vaultwarden container is running with the following:

docker ps

Secure Web Vault for Easy Access

The Web Vault is a vital component of Vaultwarden, providing users with a secure, user-friendly interface to access and manage their password vault. In self-hosted deployments, users can access the Web Vault through HTTPS connections, ensuring that their data remains protected in transit. For added convenience, Vaultwarden also works behind third-party reverse proxies, which streamline access management.

You can use a third-party reverse proxy like Caddy, Traefik, or another solution for ingress and generate self-signed certificates for secure communications.

To pull the Caddy image, run:

sudo docker pull caddy

These proxies terminate TLS and serve the Vault interface of the Vaultwarden container over HTTPS using their certificates.

If you aren’t accessing Vaultwarden Server over HTTPS, the web vault will show an error.

This error occurs because most modern web browsers disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like Cannot read property ‘importKey’. To solve this problem, you need to access the web vault via HTTPS or localhost.

Traefik with Vaultwarden Setup

If you want to use Traefik with Vaultwarden Server, you can do that easily with docker compose, using the following docker-compose.yml file. Replace the host in the Vaultwarden labels with your hostname.

version: '3.3'

services:
  traefik2:
    image: traefik:latest
    restart: always
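    command:
      # DEBUG logging is for troubleshooting; use INFO for normal operation
      - "--log.level=DEBUG"
      # Serves the Traefik API and dashboard without authentication on port 8080
      # (not published here, but reachable from other containers on this network)
      - "--api.insecure=true"
      - "--providers.docker=true"
      # Every container becomes routable unless it opts out; false requires traefik.enable=true
      - "--providers.docker.exposedbydefault=true"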
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
    ports:
      - 80:80
      - 443:443
    networks:
      traefik:
        ipv4_address: 172.19.0.10
    volumes:
      # Gives Traefik access to the Docker API on the host
      - /var/run/docker.sock:/var/run/docker.sock
    container_name: traefik

  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    networks:
      traefik:
        ipv4_address: 172.19.0.11
    environment:
      - LOG_LEVEL=debug
    labels:
      - "traefik.enable=true"
      # No certificate resolver is configured, so Traefik presents its default self-signed certificate
      - "traefik.http.routers.vaultwarden.tls=true"
      - "traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.example.com`)"
      - "traefik.http.routers.vaultwarden.entrypoints=websecure"
      - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
    volumes:
      - ./vaultwarden-data:/data

networks:
  traefik:
    driver: bridge
    name: traefik
    ipam:
      driver: default
      config:
        - subnet: 172.19.0.0/16
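
Before exposing this stack beyond a home lab, it helps to review the settings that are convenient for testing but weak for a password manager. The script below is an added example, not part of the original article or of the Traefik or Vaultwarden projects: it scans compose text for those settings and suggests the change. The sample is a constructed excerpt of the file above, the rule ids are made up for this example, and SIGNUPS_ALLOWED is Vaultwarden's environment variable for disabling registration.

```python
import re

# Constructed excerpt: only the lines of the compose file above that the rules inspect.
SAMPLE_COMPOSE = """\
services:
  traefik2:
    image: traefik:latest
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker.exposedbydefault=true"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
  vaultwarden:
    image: vaultwarden/server:latest
    environment:
      - LOG_LEVEL=debug
"""

# (rule id, regex marking the weak setting, suggested change); rule ids are made up here.
RULES = [
    ("api-insecure", r"--api\.insecure=true",
     "remove it: the Traefik API/dashboard is served without authentication"),
    ("expose-all", r"exposedbydefault=true",
     "set false so only containers labelled traefik.enable=true get routed"),
    ("sock-rw", r"docker\.sock:/var/run/docker\.sock[\"']?\s*$",
     "mount :ro and remember Docker API access is root-equivalent on the host"),
    ("unpinned-image", r"image:\s*\S+:latest", "pin a release tag you have tested"),
    ("debug-logging", r"log[._]level=debug", "use info once troubleshooting is done"),
]

def audit(compose_text):
    """Return (line_no, rule_id, fix) per weak setting; line 0 means a setting is missing."""
    findings = []
    for no, line in enumerate(compose_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # ignore commented-out settings
        for rule_id, pattern, fix in RULES:
            if re.search(pattern, line, re.IGNORECASE):
                findings.append((no, rule_id, fix))
    # Vaultwarden accepts new registrations unless SIGNUPS_ALLOWED=false is set.
    signups_off = r"^\s*-?\s*[\"']?SIGNUPS_ALLOWED\s*[=:]\s*[\"']?false"
    if not re.search(signups_off, compose_text, re.IGNORECASE | re.MULTILINE):
        findings.append((0, "open-signups", "set SIGNUPS_ALLOWED=false once your account exists"))
    return findings

if __name__ == "__main__":
    for no, rule_id, fix in audit(SAMPLE_COMPOSE):
        print(f"line {no or '-'}: {rule_id}: {fix}")
```

Run it against your own file with `audit(open("docker-compose.yml").read())`; an empty list means none of these settings were found.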

Accessing the web interface

Once you have provisioned the Docker container, you can browse to the IP of the host the container listens on. You will see the Vaultwarden Server login screen. Click the Create account link.

Account creation

Once you click the link, you will see the form to fill in your information to create your new account.

After logging in with the new account, you will arrive at your Vaultwarden dashboard where you can start storing passwords.

Persistent Data and Storage

Vaultwarden is designed to provide persistent data storage, ensuring that your password vault remains intact even in the event of a container failure or other issues. By leveraging Docker, Vaultwarden offers persistent storage options that can be easily configured using Docker commands.

Customizable Security Features

Vaultwarden boasts a range of security features, allowing users to customize their password manager to meet their unique requirements. These features include:

  • Support for YubiKey

  • Ability to disable user registration

  • Option to use self-signed certificates for secure connections

Flexible Integration with Third-Party Services

As a versatile password manager, Vaultwarden is compatible with various third-party services, enabling users to seamlessly integrate it with their existing workflows. The Bitwarden server API, which Vaultwarden is built upon, provides a solid foundation for API support and third-party integration.

Streamlined Configuration and Management with Docker Compose

Vaultwarden offers streamlined configuration and management through Docker Compose, a powerful tool that simplifies multi-container application deployment. With Docker Compose, users can define and configure their entire Vaultwarden environment using a single configuration file. This makes it easier to manage and update the Vaultwarden instance as needed.

To get started with Docker Compose, users can follow these steps:

  1. Install Docker Compose on the host system.

  2. Create a docker-compose.yml file containing the necessary configuration settings for Vaultwarden.

  3. Run the sudo docker-compose up -d command to deploy the Vaultwarden instance.

By leveraging Docker Compose, users can efficiently manage their Vaultwarden deployments while reducing the complexity of manual configuration.

Robust Browser Extension Support

Vaultwarden offers robust support for various web browsers, ensuring that users can access and manage their password vault across multiple devices and platforms. With dedicated browser extensions for popular browsers such as Google Chrome, Mozilla Firefox, and Microsoft Edge, Vaultwarden provides a seamless and consistent user experience.

Secure Password Generation and Autofill Features

A key password manager feature is generating unique and secure passwords for each account. Vaultwarden’s built-in password generator tool allows users to create strong, unique passwords with just a few clicks. Additionally, Vaultwarden’s autofill and auto-login features help streamline the process of logging into websites and applications, reducing the need to remember complex passwords.

Regular Updates and Active Community Support

As an open-source project, Vaultwarden benefits from an active community of developers and users who contribute to its ongoing development and support. Users can expect regular updates, bug fixes, and new features, ensuring that their password manager remains secure and up-to-date. Additionally, official support channels and community forums provide a valuable resource for users seeking assistance or looking to contribute to the project.

Vaultwarden Setup FAQs

1. What is Vaultwarden, and how does it differ from the official Bitwarden server?

Vaultwarden is a lightweight, open-source, self-hosted password manager that serves as an alternative to the official Bitwarden server. While it provides a nearly full implementation of the Bitwarden server API, Vaultwarden is designed to be more resource-efficient, making it ideal for limited hardware environments or users who prefer self-hosted deployments.

2. How do I install Vaultwarden?

Vaultwarden can be easily installed using Docker. Simply pull the Vaultwarden Docker image from the upstream repository using the sudo docker command: sudo docker pull vaultwarden/server:latest. You can also deploy Vaultwarden using Docker Compose for streamlined configuration and management.

3. Can I use Vaultwarden with my preferred web browser?

Vaultwarden supports various web browsers, including popular choices such as Google Chrome, Mozilla Firefox, and Microsoft Edge. Dedicated browser extensions are available to provide a seamless and consistent user experience across different platforms and devices.

4. Is Vaultwarden secure?

Vaultwarden is designed with security in mind, offering features such as support for YubiKey, self-signed certificates for secure connections, and the option to disable user registration. Additionally, the open-source nature of Vaultwarden means that it benefits from ongoing community contributions and updates, ensuring that the software remains secure and up-to-date.

5. How does Vaultwarden handle persistent data and storage?

Vaultwarden leverages Docker to provide persistent data storage, ensuring that your password vault remains intact even in the event of container failure or other issues. Users can configure persistent storage options for their Vaultwarden deployment using Docker commands.

6. Can I customize Vaultwarden to meet my unique requirements?

Yes, Vaultwarden offers a range of customizable security features, allowing users to tailor their password manager to their specific needs. These features include support for YubiKey, the ability to disable user registration, and the option to use self-signed certificates for secure connections.

7. Does Vaultwarden integrate with third-party services?

Vaultwarden is built upon the Bitwarden server API, which provides a solid foundation for API support and third-party integration. This compatibility allows users to seamlessly integrate Vaultwarden with various third-party services and their existing workflows.

8. What is the Web Vault, and how do I access it?

The Web Vault is a secure, user-friendly interface for accessing and managing your password vault within Vaultwarden. In self-hosted deployments, users can access the Web Vault through HTTPS connections, ensuring that their data remains protected. Vaultwarden also supports third-party reverse proxies for streamlined access management.

9. How do I generate unique and secure passwords with Vaultwarden?

Vaultwarden includes a built-in password generator tool that allows users to create strong, unique passwords with just a few clicks. Additionally, the software’s autofill and auto-login features help streamline the process of logging into websites and applications, reducing the need to remember complex passwords.

10. What kind of support is available for Vaultwarden users?

As an open-source project, Vaultwarden benefits from an active community of developers and users contributing to its ongoing development and support. Official support channels and community forums are available for users seeking assistance, troubleshooting advice, or looking to contribute to the project.

Wrapping up

If you want a lightweight and easy-to-spin-up self-hosted password solution, Vaultwarden is a great choice. With just a few lines in a Docker Compose file, you can have a fully functional Vaultwarden setup in no time.

It provides the flexibility, control, and customization that a self-hosted password manager offers without sacrificing the security and convenience that users have come to expect from the official Bitwarden server.


Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.


3 Comments

  1. Boy I wish it was this easy. I’ve been working on this for weeks. Have tried Nginx Proxy Manager, Caddy and now this. None of them work. I’m trying to keep it all in the local network for security reasons. And yet it seems like I have to open a port on my router in order to use https. I will not open a port on my router if I don’t have to.

    1. Hey Chris,

      Thank you for your comment! Hey, did the method shown in the blog not work for you? I was able to get this to work in my home lab. Are you getting a specific error in your environment?

      Brandon

  2. Holy Sh…. this Tutorial is so Bad! There is so much missing in this tutorial, no wonder this is not working once someone does the setup like described in this Tutorial!
