Security

Install Vaultwarden in 60 Seconds

Vaultwarden is the lightweight, Rust-based Bitwarden-compatible password manager server. Self-host your own vault and sync it across every Bitwarden app and browser extension - without handing your passwords to a SaaS or wrestling with Docker and TLS yourself.

Install Vaultwarden $3/mo - $10 credit when you add a card

The usual way to self-host Vaultwarden

Provision a VPS, harden SSH, and keep Ubuntu patched - all before you have stored a single password. This is the box your entire password vault lives on, so getting the security baseline right is not optional.
Run the Rust server by hand: `docker run -d -v /vw-data:/data -p 8080:80 vaultwarden/server`, then remember that the `/vw-data` volume holds your SQLite db, RSA keys, and attachments. Lose that volume and you lose every credential.
Stand up nginx or Caddy as a reverse proxy and issue a Let's Encrypt cert - Bitwarden clients flat-out refuse to connect to a server without valid HTTPS, so a self-signed cert or plain HTTP gets you nowhere.
Generate a secure `ADMIN_TOKEN`, set `SIGNUPS_ALLOWED=false` so the public internet cannot register on your vault, and figure out the `DOMAIN` env var (WebAuthn and email links break if it is wrong).
Babysit updates forever: pull the new image, restart, and pray the data volume migration went clean - on the one server that, if it goes down, locks you out of every account you own.

That is a lot of careful, security-critical setup for what should be a 60-second job. We did all of it once, baked it into the image, and turned it into one command.

Or install it in one click

$ instapods pods create my-vaultwarden --app vaultwarden

-> Provisioning server...

-> Installing Vaultwarden...

-> Generating admin token + disabling public signups...

✓ Live at https://my-vaultwarden.instapods.app

What you get

Recommended plan for Vaultwarden

Launch Plan

$3/mo

1 vCPU
512 MB RAM
10 GB storage
HTTPS included
Custom domain support
SSH & web terminal access

Install Vaultwarden

Vaultwarden requirements

Resource requirements

Vaultwarden is written in Rust and is genuinely tiny - it idles around 10-20MB of RAM and barely touches CPU. The Launch plan is plenty for a personal or family vault and even a small team. We run it on the static preset behind nginx; the app itself listens on port 8080 inside the pod and we auto-wire HTTPS in front of it.

Config and the admin token

There are no env vars for you to fill in. On deploy we generate a strong `ADMIN_TOKEN`, write it to the pod's env file at /opt/vaultwarden/.env, and set `SIGNUPS_ALLOWED=false` so nobody can register on your vault from the open internet. Your token is shown right after install - visit /admin with it to invite yourself, then flip signups off again. The `DOMAIN` is set to your pod URL automatically so WebAuthn and email links just work.

Data persistence and custom domain

Your SQLite database, RSA keypair, and file attachments live on the pod's disk and survive restarts and updates - this is your data on your server, not a shared multi-tenant backend. Point any Bitwarden client (browser extension, desktop, iOS, Android) at your pod URL as the self-hosted server address. Add a custom domain like vault.yourdomain.com from the dashboard and we re-issue the cert for you.

Vaultwarden install FAQ

Is Vaultwarden the same as Bitwarden?

Vaultwarden is an independent, Rust-based server that implements the Bitwarden API, so every official Bitwarden client - the browser extensions, desktop apps, and iOS/Android apps - connects to it natively. You get the Bitwarden experience you know without running Bitwarden's heavier official self-hosted stack. It is lighter on resources, which is exactly why it runs comfortably on our $3 Launch plan.

How do I create my account if signups are disabled?

We disable public signups by default so nobody can register on your vault from the internet. After deploy we show you an auto-generated admin token. Open https://your-pod.instapods.app/admin, log in with that token, and either invite your own email under Users or temporarily enable signups in General Settings to create your account - then turn signups back off. From there you log in at the main URL and connect your Bitwarden apps.

Where is my password data stored and is it safe if a pod restarts?

Everything - the SQLite database, the RSA keypair, and any file attachments - lives on your pod's own disk and persists across restarts, updates, and reboots. Your vault is encrypted client-side before it ever reaches the server, so even we cannot read it. This is your data on your server, not a shared backend, and we never have your master password.

Do I need to set up HTTPS or a reverse proxy myself?

No. Bitwarden clients refuse to talk to a server without valid TLS, which is the usual stumbling block when self-hosting Vaultwarden by hand. We put nginx in front of the app, terminate HTTPS with a real certificate on your *.instapods.app subdomain, and renew it automatically. You get a working, client-ready URL the moment the deploy finishes.

Can I use my own domain like vault.mycompany.com?

Yes. Add a custom domain from the dashboard, point a CNAME at your pod, and we issue and renew the certificate for it. Because Vaultwarden's DOMAIN setting affects WebAuthn and email links, we update that environment value to match your custom domain automatically so two-factor and invite emails keep working correctly.