Security Guide

    Self-Hosted Vaultwarden

    Deploy your own password manager with Vaultwarden on a RamNode VPS. Bitwarden-compatible, lightweight, and completely under your control.

    Ubuntu/Debian
    Vaultwarden + Docker
    ⏱️ 20-30 minutes

    Prerequisites & VPS Selection

    Personal Use

    • 1GB RAM (min)
    • 1 vCPU
    • 1-5 users

    Recommended

    • 2GB RAM
    • 2 vCPU
    • 5-20 users

    Enterprise

    • 4GB+ RAM
    • 4 vCPU
    • 20+ users

    2. Initial Server Setup

    Update system and configure firewall:

    Update System
    sudo apt update && sudo apt upgrade -y
    Configure Firewall
    sudo apt install ufw -y
    sudo ufw allow 22/tcp
    sudo ufw allow 80/tcp
    sudo ufw allow 443/tcp
    sudo ufw enable
    sudo ufw status

    ⚠️ Warning: Ensure SSH (port 22) is allowed before enabling UFW!

    3. Install Docker & Docker Compose

    Install Docker for container management:

    Install Docker
    sudo apt install apt-transport-https ca-certificates curl software-properties-common -y
    # On Debian, replace "ubuntu" with "debian" in the two download.docker.com URLs below
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
    sudo apt update
    sudo apt install docker-ce docker-ce-cli containerd.io -y
    Install Docker Compose & Setup User
    sudo apt install docker-compose-plugin -y
    # Members of the docker group have root-equivalent access to the host
    sudo usermod -aG docker $USER
    newgrp docker

    4. Install Nginx

    Install Nginx and Certbot
    sudo apt install nginx certbot python3-certbot-nginx -y
    sudo systemctl enable nginx
    sudo systemctl start nginx

    5. Deploy Vaultwarden with Docker

    Create Vaultwarden container:

    Create Directory and Docker Compose File
    mkdir -p ~/vaultwarden/data
    cd ~/vaultwarden
    nano docker-compose.yml
    Docker Compose Configuration
    version: '3'
    
    services:
      vaultwarden:
        image: vaultwarden/server:latest
        container_name: vaultwarden
        restart: always
        environment:
          - DOMAIN=https://vault.yourdomain.com
          - SIGNUPS_ALLOWED=true
          - INVITATIONS_ALLOWED=true
          - SHOW_PASSWORD_HINT=false
          - WEBSOCKET_ENABLED=true
        volumes:
          - ./data:/data
        ports:
          - "127.0.0.1:8080:80"
          - "127.0.0.1:3012:3012"

    ⚠️ Important: Replace vault.yourdomain.com with your actual domain!

    Start Vaultwarden
    docker compose up -d
    docker ps
    docker logs vaultwarden

    6. Configure Nginx Reverse Proxy

    Set up Nginx to proxy requests:

    Create Nginx Config
    # Save as /etc/nginx/sites-available/vaultwarden.
    # Only port 80 is defined at this point: a "listen 443 ssl" server block
    # without ssl_certificate directives fails "nginx -t". Certbot (next step)
    # adds the 443 listener and certificate paths to this block and can add
    # the HTTP-to-HTTPS redirect.
    server {
        listen 80;
        listen [::]:80;
        server_name vault.yourdomain.com;

        client_max_body_size 128M;

        location / {
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        location /notifications/hub {
            proxy_pass http://127.0.0.1:3012;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        location /notifications/hub/negotiate {
            proxy_pass http://127.0.0.1:8080;
        }
    }
    Enable Site
    sudo ln -s /etc/nginx/sites-available/vaultwarden /etc/nginx/sites-enabled/
    sudo nginx -t
    sudo systemctl reload nginx

    7. Obtain SSL Certificate

    Get SSL with Certbot
    sudo certbot --nginx -d vault.yourdomain.com

    ✅ Follow prompts to complete SSL setup. Certbot will auto-configure Nginx.

    8. Secure Your Installation

    Disable Signups (After Account Creation)

    Update Docker Compose
    cd ~/vaultwarden
    nano docker-compose.yml
    # Change SIGNUPS_ALLOWED=true to SIGNUPS_ALLOWED=false

    docker compose down
    docker compose up -d

    Enable Admin Panel (Optional)

    Generate Admin Token
    openssl rand -base64 48

    Add to docker-compose.yml environment:

    Add to Environment
    - ADMIN_TOKEN=your_generated_token_here
    Restart
    docker compose down
    docker compose up -d
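
    An added example (not part of the original guide): a shell function that audits the docker-compose.yml from this guide for the settings hardened above, namely open signups, the placeholder domain and admin token, a plaintext admin token, and ports published beyond 127.0.0.1. The function names are illustrative, and the Argon2 case assumes Vaultwarden's support for a hashed ADMIN_TOKEN.

```shell
#!/bin/bash
# Added example, not from the original guide: audit docker-compose.yml for
# the exposure-related settings configured in the steps above.

# Value of an "- KEY=value" environment entry (empty if the key is absent).
env_value() {
    sed -n "s/^[[:space:]]*-[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'\r"
}

warn() { echo "WARN: $*"; FINDINGS=$((FINDINGS + 1)); }

# Prints one WARN line per finding, counts them in FINDINGS, fails if any.
audit_compose() {
    file="$1"; FINDINGS=0

    # Vaultwarden accepts new registrations unless this is explicitly false.
    [ "$(env_value "$file" SIGNUPS_ALLOWED)" = "false" ] ||
        warn "SIGNUPS_ALLOWED is not false: registration is open"

    # DOMAIN must be the real HTTPS origin, not the guide's placeholder.
    domain=$(env_value "$file" DOMAIN)
    case "$domain" in
        ""|*yourdomain.com*) warn "DOMAIN is unset or still the placeholder" ;;
        https://*) ;;
        *) warn "DOMAIN is not an https:// URL: $domain" ;;
    esac

    # ADMIN_TOKEN enables the admin panel. Flag the guide's placeholder and
    # plaintext values (assumption: an Argon2 PHC string is used instead).
    token=$(env_value "$file" ADMIN_TOKEN)
    case "$token" in
        "" | '$argon2'* | '$$argon2'*) ;;
        your_generated_token_here) warn "ADMIN_TOKEN is still the placeholder" ;;
        *) warn "ADMIN_TOKEN is stored in plaintext" ;;
    esac

    # Published ports must bind to loopback so only Nginx reaches them;
    # Docker-published ports are not filtered by UFW rules.
    public=$(grep -E "^[[:space:]]*-[[:space:]]*[\"']?([0-9.]+:)?[0-9]+:[0-9]+[\"']?[[:space:]]*\$" "$file" |
        grep -v '127\.0\.0\.1:' | tr -d " \"'-" | tr '\n' ' ')
    [ -z "$public" ] || warn "ports not bound to 127.0.0.1: $public"

    [ "$FINDINGS" -eq 0 ]
}

# Audit the file named on the command line, if one was given.
[ $# -eq 0 ] || audit_compose "$1"
```

    Saved under a name of your choice and run with ~/vaultwarden/docker-compose.yml as its argument, it exits non-zero when anything is flagged, so it can gate a deploy or run from cron.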

    9. Set Up Automated Backups

    Create backup script for data protection:

    Create Backup Script
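    #!/bin/bash
    # Save as ~/backup-vaultwarden.sh
    umask 077   # archives contain the whole vault database: owner-only access
    BACKUP_DIR="$HOME/backups"   # cron sets HOME but not necessarily USER
    DATE=$(date +%Y%m%d_%H%M%S)
    mkdir -p "$BACKUP_DIR"

    # Stop Vaultwarden so the database is not written to during the copy
    cd "$HOME/vaultwarden" || exit 1
    docker compose down

    # Backup data
    tar -czf "$BACKUP_DIR/vaultwarden_backup_$DATE.tar.gz" ./data
    STATUS=$?

    # Start Vaultwarden again, even if the archive step failed
    docker compose up -d

    [ "$STATUS" -eq 0 ] || { echo "Backup FAILED" >&2; exit 1; }

    # Delete backups older than 7 days (only reached after a successful run)
    find "$BACKUP_DIR" -name "vaultwarden_backup_*.tar.gz" -mtime +7 -delete

    echo "Backup completed: vaultwarden_backup_$DATE.tar.gz"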
    Make Executable and Schedule
    chmod +x ~/backup-vaultwarden.sh
    crontab -e
    # Add: 0 2 * * * "$HOME/backup-vaultwarden.sh"
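
    An added example (not part of the original guide) for testing restoration of the archives written by the backup script above: it checks that an archive is intact, contains an extractable SQLite database, and is readable only by its owner. It assumes Vaultwarden's default SQLite backend (data/db.sqlite3) and GNU stat as shipped on Ubuntu/Debian; the function name is illustrative.

```shell
#!/bin/bash
# Added example, not from the original guide: verify that a backup archive
# produced by the backup script can actually be restored.

# Succeeds only if the archive is intact, holds a SQLite database, and is
# private to its owner. Prints the first failed check.
verify_backup() {
    archive="$1"

    # 1. The gzip stream and tar structure must be readable end to end.
    members=$(tar -tzf "$archive" 2>/dev/null) ||
        { echo "FAIL: corrupt or truncated archive"; return 1; }

    # 2. The database must be in the archive ("./data" prefix as created above).
    db=$(printf '%s\n' "$members" | grep -E '^(\./)?data/db\.sqlite3$' | head -n 1)
    [ -n "$db" ] || { echo "FAIL: data/db.sqlite3 missing"; return 1; }

    # 3. The member must extract and start with the SQLite file header.
    magic=$(tar -xzOf "$archive" "$db" 2>/dev/null | head -c 15)
    [ "$magic" = "SQLite format 3" ] ||
        { echo "FAIL: $db is not a SQLite database"; return 1; }

    # 4. The archive holds the whole vault: no group or world permissions.
    mode=$(stat -c '%a' "$archive")
    case "$mode" in
        *00) ;;
        *) echo "FAIL: mode $mode allows group or other access"; return 1 ;;
    esac

    echo "OK: $archive"
}

# Verify the archive named on the command line, if one was given.
[ $# -eq 0 ] || verify_backup "$1"
```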

    Troubleshooting

    Container Won't Start

    Check Logs
    docker logs vaultwarden

    Can't Access Web Interface

    • Check Nginx: sudo systemctl status nginx
    • Verify firewall: sudo ufw status
    • Confirm DNS points to server IP

    Security Best Practices

    • Use a strong master password
    • Enable 2FA in account settings
    • Back up regularly and test restoration
    • Keep software updated
    • Disable signups after account creation