
Vaultwarden

The password manager on your own server. A single container, compatible with every Bitwarden app for iOS, Android, browser and desktop — a concrete alternative to 1Password Business and LastPass Enterprise for SMBs.

Project profile

Vaultwarden

Unofficial Bitwarden-compatible server in Rust

As of: June 1, 2026

GitHub stars

62k

Forks

2.9k

Open issues

43

License

AGPL-3.0

Latest version

v1.36.0

Language

Rust

First release
February 17, 2018
Last commit
May 17, 2026

Third-party source · Wikidata (CC0)

Wikidata profile

Bitwarden

Q56319818

License

AGPL-3.0

Initial release

2016-08-10

What is Vaultwarden?

Vaultwarden is an unofficial server reimplementation of Bitwarden written in Rust by the Spanish developer Daniel García. It speaks the same dialect as the official Bitwarden server — every official Bitwarden app (iOS, Android, browser extension, desktop) connects to a Vaultwarden server without noticing the difference.

The crucial difference: the official Bitwarden server is an 11-container stack with Microsoft SQL Server, designed for enterprise setups. Vaultwarden is a single container, roughly 50 MB of RAM, with SQLite by default or MySQL/MariaDB or PostgreSQL as an option. For an SMB with 5–500 users, Vaultwarden is the pragmatic choice: same apps, a fraction of the effort.

Why an architecture firm uses Vaultwarden

A modern architecture firm runs 50–100 active building projects in parallel. Per project: the local building authority portal, the energy utility login, the client cloud folder, the German GAEB tender portal, a hazardous-materials database, energy-performance tooling. Multiply by twelve staff and eighty projects — and you are quickly managing 1,800+ logins.

A SaaS vault like 1Password or LastPass would solve the task, but it means: client addresses, project references and contact persons sit with a US vendor. Vaultwarden offers the same UX with full data sovereignty — every password in your own container, every app still officially supported.

Client case study

Architecture firm Hartmann + Voß

Twelve staff — two partners, six architects, two site managers, two paralegals. Eighty active building projects, each staff member has roughly 150 distinct logins. Two years ago they migrated from an Excel list of passwords (!) to Vaultwarden. Today: browser extension on every desktop, Bitwarden app on every phone.

Data sovereignty over client logins

Client cloud logins, GAEB portals, insurance logins are sensitive — they reveal contact persons and active projects. The vault database must live on a server you control, not at a SaaS provider in a third country.

Shared vault folders per project

Per project a collection (Bitwarden's term for a shared folder inside an organisation vault) with every relevant login: building authority, energy utility, client cloud. Only the architects assigned to that collection see it; everyone else does not.

Smartphone sync for site visits

Site managers spend a lot of time on site or at clients. They need the energy utility portal or building-authority logins on their phone — without a separate VPN, with Face-ID protection.

Secure password sharing

An external structural engineer needs one-time access to the GAEB portal. Vaultwarden Send issues the password with an expiry date, automatic deletion and an optional password lock.

TOTP generator in the same vault

More and more authority portals require 2FA. Having the TOTP generator in the same app as the password saves the back-and-forth between an authenticator app and the browser.

Self-hosted for GDPR reasons

Architects' data is personal data too (client addresses, connection diagrams, energy passes). A SaaS vault would mean processing in a third country; self-hosting is the clean answer.

What the staff actually use

Eight typical usage patterns from the firm's Vaultwarden everyday. Each replaces either a SaaS reflex or a poor practice (Excel list, sticky note, shared master password).

Personal vault per staff member

Every staff member has their own vault: own logins, own secure notes, own 2FA codes. Nobody but the person themselves sees the contents. On departure: delete the account, personal logins disappear, shared ones remain. Rotate the shared credentials the departed person could see; deleting the account does not undo what they may have copied.

Organisation vault (shared)

Authority portals, shared tools (GAEB software, professional insurance, tax-advisor portal) live in the organisation vault. All staff in the 'Architect' group see them, paralegals only see the paralegal-relevant ones.

Project folders with permissions

One collection per building project: 'Project 2026-053 — School refurbishment Hannover'. Contents: City of Hannover building authority login, utility login, school cloud login, GAEB tender login. Visible only to the three project architects + a partner.

TOTP codes for 2FA

Building authority login → Vaultwarden auto-fills password + TOTP code. No separate authenticator app, no SMS TANs, no USB tokens. Fast, secure, integrated.

Secure notes

Wi-Fi passwords for city offices, PIN codes for site locks, configuration notes for the GAEB software. Not every secret is a login — secure notes are encrypted and searchable.

SSH keys and API tokens

The two IT-affine architects keep SSH keys for the building-phase photo server and tokens for the drone-flight platform in the vault. Searchable, copyable, centralised. No more keys scattered across twelve laptops.

Password sharing via Vaultwarden Send

An external structural engineer needs the GAEB portal password for three days. Vaultwarden Send creates a link with an expiry date, max. three views and an optional sub-password. After three days the link is dead.

Browser extension + mobile

On every desktop: Bitwarden browser extension, configured against vault.architects.com. On every phone: Bitwarden app, same server. Auto-fill, Face-ID, offline mode — everything like the SaaS original.

Core capabilities of Vaultwarden

What Vaultwarden delivers technically — and which capabilities actually carry the architecture firm setup.

Bitwarden-compatible API

Vaultwarden speaks the official Bitwarden server API. Every official Bitwarden app (iOS, Android, Chrome/Firefox/Safari extension, desktop) connects to your own server URL and works identically.

Personal + organisation vaults

One personal vault per user, plus one or more organisation vaults with their own membership and fine-grained access rights per collection: Read, Edit, Manage. Collections (the shared folders) are structured however you like.

Integrated TOTP generator

2FA codes (time-based one-time passwords, RFC 6238) are generated from a seed stored in the vault entry. Auto-fill sets password + TOTP at the same time, so no separate authenticator app and no switching between apps. The caveat to weigh: password and TOTP seed then live in the same record, so whoever can read the vault holds both factors of that login; the vault's own master password and 2FA (ideally a hardware key) carry that weight.
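What the app does with the seed in a vault entry, as an added example (not Vaultwarden or Bitwarden code): an RFC 6238 TOTP generator on the Python standard library, a verifier with the usual one-step clock window that a portal would run on its side, and a parser for the otpauth://totp/ URI form that the Bitwarden apps accept in the TOTP field. The Bauamt entry URI is constructed; the base32 seed is the RFC 6238 reference secret, so the codes can be checked against the RFC's test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse


def totp(secret_b32: str, at: Optional[int] = None, digits: int = 6,
         step: int = 30, algo: str = "sha1") -> str:
    """RFC 6238 code from a base32 seed (what a vault entry stores).

    Whoever can read the seed can compute every future code: the seed *is*
    the second factor, which is why its storage matters as much as the password's.
    """
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))          # tolerate unpadded seeds
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                window: int = 1, **kw) -> bool:
    """Server-side check: accept the current step and `window` steps either side for clock drift."""
    step = kw.get("step", 30)
    now = time.time() if at is None else at
    for k in range(-window, window + 1):
        candidate = totp(secret_b32, at=int(now + k * step), **kw)
        if hmac.compare_digest(candidate, code):              # constant-time compare
            return True
    return False


def parse_otpauth(uri: str) -> dict:
    """Seed and parameters from otpauth://totp/<label>?secret=...&digits=...&period=...&algorithm=..."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"],
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }


def code_from_entry(uri: str, at: Optional[int] = None) -> str:
    """Code for a vault entry whose TOTP field holds a full otpauth URI."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at, p["digits"], p["period"], p["algorithm"])


# Constructed vault entry for the building-authority login (assumed name and seed).
BAUAMT_ENTRY = ("otpauth://totp/Bauamt%20Hannover:arch%40architects.com"
                "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Bauamt&digits=6&period=30")

if __name__ == "__main__":
    print(parse_otpauth(BAUAMT_ENTRY)["label"], code_from_entry(BAUAMT_ENTRY))
```

With the RFC reference seed, `totp(..., at=59, digits=8)` yields 94287082 and `at=1111111109` yields 07081804, matching RFC 6238 Appendix B.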

Self-hosted in a Rust container

One container, one volume, around 50 MB RAM. SQLite is enough for several hundred users; MySQL/MariaDB or PostgreSQL for larger setups. Updates via docker compose pull and up -d; backup by snapshotting the data directory. Take the SQLite file with the database's own backup command rather than a plain file copy while the server is running, otherwise the copy can be inconsistent.

Vaultwarden Send

Secure file and text dispatch with expiry date, view limit and optional password protection. Classic uses: one-off password handover to external partners, secure contract documents to clients.

AGPL-3.0 — real open source

AGPL-3.0: source code public, modifications to services must also be published. Unproblematic for SMB own use without modifications, guarantees long-term availability of the software.

Honest alternatives

If Vaultwarden is not a fit — what else?

Three alternatives — one official variant, one file-based solution and a SaaS heavyweight. Each with its own profile.

Official self-hosted

Bitwarden Self-Hosted

Bitwarden Inc., AGPL-3.0 (server)

  • + Official server implementation
  • + Identical features to SaaS
  • − 11 containers + Microsoft SQL Server
  • − Significantly higher RAM and maintenance load

File based

KeePassXC + Sync

KeePassXC team, GPL-3.0

  • + No server needed, .kdbx file
  • + Very lightweight, offline-capable
  • − Sync manual (Nextcloud, NAS)
  • − Conflict handling on parallel edits

SaaS

1Password Business

AgileBits, USA

  • + Excellent UX, best mobile apps
  • + Travel Mode, Watchtower audit
  • − US cloud, data transfer obligations
  • − From €8/user/month, cumulative

Rule of thumb: 5–500 users on a Linux server are up and running on Vaultwarden in 30 minutes. 1,000+ users on a Microsoft stack may consider the official Bitwarden server. Working without any server at all: KeePassXC + sync via a NAS. SaaS is the fastest answer when data sovereignty does not matter.

Pricing

AGPL-3.0. Real open source. One container.

License

AGPL-3.0 — strong-copyleft OSI open source. Own use without strings. Anyone modifying Vaultwarden and offering it as a service to third parties must also publish their modifications under AGPL. For SMB own operation without modifications: fully unproblematic.

Running costs

One container on the existing Docker host. RAM footprint around 50 MB, can run alongside other stacks. No per-user license, no cloud fees, no hidden costs.

Effort

Installation: 15 minutes (start container, set admin token, put behind Caddy). Initial setup for a 12-person architecture firm including training, browser extensions and migration from Excel/LastPass: 1–2 consulting days.

Important: Vaultwarden is NOT from the official Bitwarden team. It is an independent Rust reimplementation by Daniel García, tolerated benevolently by the Bitwarden team. The official Bitwarden apps remain fully compatible. For SMB setups, by far the most pragmatic choice compared to the official 11-container Bitwarden server.

Caddy reverse proxy for vault.architects.com

vault.architects.com {
  # Caddy obtains and renews the TLS certificate for this name automatically.
  reverse_proxy vaultwarden:80 {
    # Vaultwarden reads the client IP from X-Real-IP (its IP_HEADER default)
    # for login-failure logging and rate limiting; without it every login
    # appears to come from the proxy.
    header_up X-Real-IP {remote_host}
    header_up X-Forwarded-Proto {scheme}
  }
  # WebSocket upgrades (live sync of the apps) pass through reverse_proxy
  # without any extra configuration.

  header {
    Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    X-Frame-Options DENY
    X-Content-Type-Options nosniff
    Referrer-Policy strict-origin-when-cross-origin
    Permissions-Policy "interest-cohort=()"
  }

  encode gzip zstd
}
HTTPS endpoint with enforced security headers; Caddy issues the certificate and passes WebSocket upgrades through for real-time sync of the apps. Note that this also exposes /admin to the internet: restrict that path to the office network in Caddy, or leave ADMIN_TOKEN unset once the instance is configured, which disables the admin page. Source: own practice, public domain.

Vaultwarden setup as a Docker container

services:
  vaultwarden:
    image: vaultwarden/server:1.36.0   # pinned tag; upgrade deliberately, not via :latest
    container_name: vaultwarden
    restart: always
    environment:
      - DOMAIN=https://vault.architects.com   # public URL, must match the Caddy site name (links in mails, WebAuthn origin)
      - SIGNUPS_ALLOWED=false                  # nobody can self-register ...
      - INVITATIONS_ALLOWED=true               # ... accounts are created by invitation from the organisation only
      - WEB_VAULT_ENABLED=true
      - WEBSOCKET_ENABLED=true                 # live sync notifications to the apps
      - SMTP_HOST=mail.architects.com          # invitations, e-mail 2FA and new-device alerts go out via the firm's mail server
      - SMTP_FROM=vault@architects.com
      - SMTP_SECURITY=starttls
      # Store the argon2 PHC hash produced by `vaultwarden hash`, not the plaintext token;
      # the `$` characters in the hash must be doubled (`$$`) when written literally into
      # compose or .env files. Unset it to disable /admin once the instance is configured.
      - ADMIN_TOKEN=${VAULTWARDEN_ADMIN_TOKEN}
    volumes:
      - ./vw-data:/data   # db.sqlite3, rsa_key.pem, attachments/, sends/: this directory is the backup
    networks:
      - frontend          # same network as Caddy; no host port is published

networks:
  frontend:
    external: true
One container, a persistent SQLite database, behind a Caddy reverse proxy. Nothing more is needed for a full SMB setup with up to several hundred users. Source: own practice, AGPL-3.0.
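Backing up ./vw-data, as an added example (not Vaultwarden project code): the SQLite file is snapshotted through the database's online-backup API rather than copied, because a plain cp of a database the server is writing to can yield a torn copy and misses the write-ahead log; the RSA key, config.json, attachments/ and sends/ are added to the same archive, and a restore drill reopens the restored database. The file names are Vaultwarden's default data-directory layout; the demo directory, its two users and the attachment are constructed so the script runs offline.

```python
import os
import sqlite3
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Optional

# Default SQLite layout of Vaultwarden's /data volume (assumed unchanged).
DB_FILE = "db.sqlite3"
EXTRA_FILES = ("rsa_key.pem", "rsa_key.pub.pem", "config.json")
EXTRA_DIRS = ("attachments", "sends")


def snapshot_sqlite(src: Path, dst: Path) -> str:
    """Consistent copy of the live database via SQLite's backup API; returns integrity_check result."""
    live, copy = sqlite3.connect(src), sqlite3.connect(dst)
    try:
        live.backup(copy)                       # page-level, transactionally consistent
    finally:
        live.close(); copy.close()
    check = sqlite3.connect(dst)
    try:
        return check.execute("PRAGMA integrity_check").fetchone()[0]
    finally:
        check.close()


def backup_data_dir(data_dir: Path, out_dir: Path, now: Optional[float] = None) -> Path:
    """Write vaultwarden-<UTC stamp>.tar.gz with db snapshot, keys, config, attachments and sends."""
    data_dir, out_dir = Path(data_dir), Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    archive = out_dir / f"vaultwarden-{stamp}.tar.gz"
    with tempfile.TemporaryDirectory() as tmp:
        db_copy = Path(tmp) / DB_FILE
        result = snapshot_sqlite(data_dir / DB_FILE, db_copy)
        if result != "ok":
            raise RuntimeError(f"integrity_check on snapshot failed: {result}")
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(db_copy, arcname=DB_FILE)
            for name in EXTRA_FILES:
                if (data_dir / name).is_file():
                    tar.add(data_dir / name, arcname=name)
            for name in EXTRA_DIRS:
                if (data_dir / name).is_dir():
                    tar.add(data_dir / name, arcname=name)   # recursive
    os.chmod(archive, 0o600)   # rsa_key.pem signs login tokens: the archive is as sensitive as the vault
    return archive


def list_backup(archive: Path) -> list:
    with tarfile.open(archive, "r:gz") as tar:
        return sorted(tar.getnames())


def verify_restore(archive: Path, restore_dir: Path) -> int:
    """Restore drill: unpack and count users in the restored DB (an untested backup is not a backup)."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(restore_dir, filter="data")   # refuses path traversal, Python >= 3.12
        except TypeError:
            tar.extractall(restore_dir)
    con = sqlite3.connect(Path(restore_dir) / DB_FILE)
    try:
        return con.execute("SELECT count(*) FROM users").fetchone()[0]
    finally:
        con.close()


def make_demo_data_dir(root: Path) -> Path:
    """Constructed stand-in for ./vw-data (not a real Vaultwarden schema) so the example runs offline."""
    data = Path(root) / "vw-data"
    (data / "attachments" / "cipher-1").mkdir(parents=True)
    (data / "sends").mkdir()
    (data / "attachments" / "cipher-1" / "plan.pdf").write_bytes(b"%PDF-1.4 demo")
    (data / "rsa_key.pem").write_text("-----BEGIN RSA PRIVATE KEY-----\n(demo)\n-----END RSA PRIVATE KEY-----\n")
    (data / "config.json").write_text('{"domain": "https://vault.architects.com"}\n')
    con = sqlite3.connect(data / DB_FILE)
    con.execute("CREATE TABLE users (uuid TEXT PRIMARY KEY, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("u1", "a@architects.com"), ("u2", "b@architects.com")])
    con.commit(); con.close()
    return data


def demo_roundtrip() -> dict:
    """Backup of the constructed data dir followed by a restore drill."""
    with tempfile.TemporaryDirectory() as tmp:
        data = make_demo_data_dir(Path(tmp))
        archive = backup_data_dir(data, Path(tmp) / "backups", now=0)
        return {"archive": archive.name, "members": list_backup(archive),
                "users_restored": verify_restore(archive, Path(tmp) / "restore")}


if __name__ == "__main__":
    print(demo_roundtrip())
```

In production, point backup_data_dir at the host path of the ./vw-data volume and ship the archive off the Docker host; the 0600 mode and an encrypted destination matter because the archive contains the private key that signs every login session.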

Related topics

Vaultwarden is the first self-hosted app

Vaultwarden needs Docker as a platform and Caddy as the HTTPS layer in front. It is one of several apps that replace a cloud vault:

Ready for the next step?

Free intro call, no strings attached. In 30 minutes you'll know whether and how AI can help your business.
