How to host your own private password manager using Vaultwarden

Disclaimer: This article is for educational purposes only. If you plan to use this in production, we suggest that you consult with a security expert to ensure that your setup is secure. Please use at your own risk.

Step 1: Create a VM on Azure

  • The first step is to create a virtual machine on which the Vaultwarden server will be hosted

  • This can be done with the Azure CLI as follows (use the Azure portal or PowerShell if you prefer):


az group create -n myvault-rg -l westeurope
az vm create -n myvaultvm01 \
    -g myvault-rg \
    --image ubuntults \
    --size Standard_Ds2_v2 \
    --ssh-key-values ~/.ssh/id_rsa.pub \
    --public-ip-address-dns-name myvault01

Step 2: Install Docker

ssh your-host-username@myvault01.westeurope.cloudapp.azure.net

# i. Install Docker
sudo apt update -y
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh


# ii. Install Docker Compose
sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose


# iii. Configure permissions - allow your user to run docker commands without sudo
# (the install script usually creates the docker group already, so only add it if missing)
getent group docker >/dev/null || sudo groupadd docker
sudo usermod -aG docker $USER
newgrp docker

Step 3: Set up your domain

  • If you have not yet done so, add an A record in your personal domain DNS settings

  • For example, on Namecheap you would add an A record for the host name you want to use

  • Set the record's value to the public IP address of your VM (an A record must point to an IP address; if you would rather point at the VM's Azure DNS name, use a CNAME record instead)

Step 4: Set up the reverse proxy server

  • It is recommended that you serve the Vaultwarden web client via a reverse proxy, so that TLS is terminated there and the server itself is never exposed directly

  • In this tutorial we will use Caddy (you can also use Nginx or any other appropriate tool)

  • Start by creating a config file called /etc/Caddyfile inside your VM


your-domain-or-subdomain.com {
  # Caddy obtains and renews a TLS certificate for this name automatically
  # (ports 80 and 443 on the VM must be reachable from the internet for that to work)
  encode gzip
  # Define which server should handle requests on different URL paths.
  # The upstreams are the Vaultwarden ports published on 127.0.0.1 in the next step
  reverse_proxy /notifications/hub/negotiate 127.0.0.1:8080
  reverse_proxy /notifications/hub 127.0.0.1:3012
  reverse_proxy 127.0.0.1:8080
}

  • Finally, edit the /etc/hosts file inside your VM and add the following line

# NB: replace the placeholder with the public IP address of your VM
<public-ip-of-your-vm>  your-domain-or-subdomain.com

Step 5: Start the Vaultwarden server

SERVICE_NAME=vaultwarden-server
DATA_VOLUME=/srv/vaultwarden

# Create the data directory (SQLite database, attachments and the server's RSA keys)
# and make it inaccessible to anyone but root
sudo mkdir -pv "$DATA_VOLUME"
sudo chmod go-rwx "$DATA_VOLUME"

# Publish both ports on 127.0.0.1 only, so the server is reachable solely through the reverse proxy
docker run -d --name "$SERVICE_NAME" \
    -v "$DATA_VOLUME":/data \
    -p 127.0.0.1:3012:3012 \
    -p 127.0.0.1:8080:80 \
    --restart on-failure \
    -e WEBSOCKET_ENABLED=true \
    vaultwarden/server:latest

Step 6: Start the reverse proxy


# Create a directory that will be mounted as a persistent volume for Caddy's data
# (the TLS certificates and keys it obtains), so they survive container restarts
sudo mkdir -p /etc/caddy
sudo chmod go-rwx /etc/caddy

# Run the reverse proxy container in daemon mode (-d)
# --network host : tells the container to use the host network, so it can reach the
#                  Vaultwarden ports bound to 127.0.0.1 and listen on 80/443 directly
# Finally we use -v to map host paths into the container: the Caddyfile, and the data
# directory (the official caddy:2 image keeps its state under /data)
docker run --network host -d --restart on-failure --name caddy \
    -v /etc/Caddyfile:/etc/caddy/Caddyfile \
    -v /etc/caddy:/data \
    caddy:2

  • That's it! If you navigate to your-domain-or-subdomain.com you should be presented with the Bitwarden login screen.
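Before pointing any client at the vault it is worth confirming that the setup above really keeps Vaultwarden behind the proxy. The script below is an added example, not part of the original article: it checks that ports 8080 and 3012 are bound to loopback only and that the data directory is private to root, using a constructed `ss` sample so it can be run anywhere (on the VM, feed it the real `ss -ltnH` output as shown in the last comment).

```shell
#!/usr/bin/env bash
# Post-setup exposure check (added example, not part of the original article).
# Vaultwarden's own ports (8080 and 3012, published in the "Start the Vaultwarden
# server" step) must be reachable only on loopback so that every client goes through
# Caddy's TLS listener; the data directory holds the SQLite database, attachments and
# the RSA signing keys and must stay private to root.

# check_listeners: reads "ss -ltnH" lines (State Recv-Q Send-Q Local:Port Peer:Port)
# from stdin, prints one line per backend port bound to a non-loopback address,
# and returns 1 if any was found, 0 otherwise.
check_listeners() {
  local bad=0 local_addr host port
  while read -r _ _ _ local_addr _; do
    [ -n "$local_addr" ] || continue
    port="${local_addr##*:}"
    host="${local_addr%:*}"
    case "$port" in
      8080|3012)
        case "$host" in
          127.0.0.1|'[::1]') ;;   # loopback, as the -p 127.0.0.1:... flags intend
          *) echo "EXPOSED: port $port is bound to $host"; bad=1 ;;
        esac ;;
    esac
  done
  return "$bad"
}

# check_data_dir: the chmod go-rwx from the setup must leave group/other with no bits.
check_data_dir() {
  local dir="${1:-/srv/vaultwarden}" mode
  [ -d "$dir" ] || { echo "MISSING: $dir"; return 1; }
  mode=$(stat -c '%a' "$dir")   # GNU stat, as on Ubuntu; e.g. 700
  case "$mode" in
    *00) return 0 ;;
    *)   echo "WEAK: $dir has mode $mode, expected 700"; return 1 ;;
  esac
}

# Constructed sample: what ss prints when Vaultwarden was started with "-p 8080:80"
# instead of "-p 127.0.0.1:8080:80", so the web vault listens on every interface.
SAMPLE_SS_OUTPUT='LISTEN 0 4096 127.0.0.1:3012 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 4096 *:443 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# On the VM, after the reverse proxy is up:
#   ss -ltnH | check_listeners && check_data_dir /srv/vaultwarden && echo OK
```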

Conclusion

  • In this article we looked at how you can set up a self-hosted password manager using Vaultwarden

  • This setup can be greatly simplified by using docker-compose as shown here.

  • We recommend that you go further to learn how to enhance the security of your system here and here

  • Thanks for reading!