1VPS.com
Best VPS for Vaultwarden 2026: Self-Host Your Password Manager
REVIEW 10 min read fordnox

Best VPS for Vaultwarden 2026: Self-Host Your Password Manager

Find the best VPS for hosting Vaultwarden, the self-hosted Bitwarden alternative. Complete setup guide with Docker, SSL, and backup strategy.

Best VPS for Vaultwarden in 2026

Vaultwarden is a lightweight, self-hosted Bitwarden server. Store all your passwords on your own VPS — no monthly fees, full data ownership, works with all Bitwarden apps.

Why Self-Host Vaultwarden?

Factor Bitwarden Cloud Vaultwarden VPS
Cost $10+/mo (premium) ~$5/mo (VPS only)
Data Location Their servers Your server
Premium Features Paid Free
Customization Limited Full
Dependency Bitwarden Inc You

Vaultwarden includes all Bitwarden premium features (TOTP, attachments, organizations) for free.

VPS Requirements

Vaultwarden is incredibly lightweight:

Minimum:

Recommended:

For Organizations (10+ users):

It's one of the lightest self-hosted apps — runs happily alongside other services.

Best VPS for Vaultwarden

1. Hetzner CX11 (Best Value)

€3.79/mo | 1 vCPU, 2GB RAM, 20GB NVMe

Way more than needed. 2GB RAM leaves room for other services. German data centers for EU compliance.

2. Hostinger KVM1 (Best Budget)

$4.99/mo | 1 vCPU, 4GB RAM, 50GB NVMe

4GB RAM is overkill for just Vaultwarden, but great if you add more services later.

3. Oracle Cloud Free (Best Free)

$0/mo | 1 vCPU, 1GB RAM, 50GB

Yes, completely free. Oracle's Always Free tier runs Vaultwarden perfectly.

4. Vultr (Best Locations)

$6/mo | 1 vCPU, 1GB RAM, 25GB

32 locations worldwide. Put your passwords close to where you live.

Complete Setup Guide

Step 1: Create Your VPS

Using Hetzner as example:

  1. Sign up at Hetzner Cloud
  2. Create server → Ubuntu 22.04 → CX11
  3. Add SSH key
  4. Note the IP address

Step 2: DNS Setup

Point your domain:

A    vault.yourdomain.com → your-server-ip

Step 3: Initial Server Setup

ssh root@your-server-ip

# Update system
apt update && apt upgrade -y

# Install Docker
curl -fsSL https://get.docker.com | sh

# Create user for Vaultwarden
adduser vaultwarden
usermod -aG docker vaultwarden

# Setup firewall
ufw allow OpenSSH
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable

Step 4: Deploy Vaultwarden

su - vaultwarden
mkdir vaultwarden && cd vaultwarden

Create docker-compose.yml:

version: '3.8'

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      - DOMAIN=https://vault.yourdomain.com
      - SIGNUPS_ALLOWED=false
      - ADMIN_TOKEN=your-secure-admin-token
      - SMTP_HOST=smtp.gmail.com
      - SMTP_FROM=you@gmail.com
      - SMTP_PORT=587
      - SMTP_SECURITY=starttls
      - SMTP_USERNAME=you@gmail.com
      - SMTP_PASSWORD=your-app-password
    volumes:
      - ./data:/data
    ports:
      - 8080:80

  caddy:
    image: caddy:alpine
    container_name: caddy
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config

volumes:
  caddy_data:
  caddy_config:

Create Caddyfile:

vault.yourdomain.com {
    reverse_proxy vaultwarden:80
    
    encode gzip
    
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
    }
}

Step 5: Generate Secure Admin Token

# Generate random token
openssl rand -base64 48
# Example output: K7a8x9...long-string...

# Or use argon2 hash for better security
echo -n "your-admin-password" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4

Replace your-secure-admin-token in docker-compose.yml with the output.

Step 6: Launch

docker compose up -d

Wait 30 seconds for SSL provisioning.

Step 7: Create Your Account

  1. Open https://vault.yourdomain.com
  2. Click "Create Account"
  3. Register with your email and master password

Important: After creating your account, disable signups:

SIGNUPS_ALLOWED=false

Then: docker compose up -d

Step 8: Access Admin Panel

Go to: https://vault.yourdomain.com/admin

Enter your admin token. Here you can:

Connect Bitwarden Apps

Vaultwarden works with all official Bitwarden clients:

Browser Extension

  1. Install Bitwarden extension
  2. Click settings (gear icon)
  3. Set "Server URL" to https://vault.yourdomain.com
  4. Log in

Mobile App

  1. Install Bitwarden from App Store/Play Store
  2. Tap settings before logging in
  3. Enter self-hosted URL
  4. Log in

Desktop App

  1. Download from bitwarden.com
  2. Settings → Self-hosted environment
  3. Enter your URL
  4. Log in

Security Hardening

1. Disable Registration

After creating your account:

SIGNUPS_ALLOWED=false

Or use invitations:

INVITATIONS_ALLOWED=true
SIGNUPS_ALLOWED=false

2. Disable Admin Page (After Setup)

Remove or comment out ADMIN_TOKEN once configured:

# ADMIN_TOKEN=...

3. Enable 2FA

In Vaultwarden web vault:

  1. Settings → Two-step Login
  2. Enable TOTP authenticator
  3. Save recovery codes somewhere safe (not in Vaultwarden!)

4. Fail2Ban Integration

Protect against brute force:

# Install fail2ban
apt install fail2ban

# Create filter
cat > /etc/fail2ban/filter.d/vaultwarden.conf << 'EOF'
[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <HOST>\..*$
ignoreregex =
EOF

# Create jail
cat > /etc/fail2ban/jail.d/vaultwarden.local << 'EOF'
[vaultwarden]
enabled = true
port = 80,443
filter = vaultwarden
logpath = /home/vaultwarden/vaultwarden/data/vaultwarden.log
maxretry = 5
bantime = 1h
findtime = 15m
EOF

systemctl restart fail2ban

5. Use Tailscale (Optional)

For maximum security, access only via Tailscale:

# Install Tailscale
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

# Close public ports
ufw deny 80/tcp
ufw deny 443/tcp

Access via http://vps-tailscale-ip:8080 (no public exposure).

Backup Strategy

Password data is critical. Backup religiously.

Automated Backups

Create backup.sh:

#!/bin/bash
BACKUP_DIR="/home/vaultwarden/backups"
DATE=$(date +%Y%m%d_%H%M%S)

mkdir -p $BACKUP_DIR

# Stop Vaultwarden briefly for consistent backup
docker compose -f /home/vaultwarden/vaultwarden/docker-compose.yml stop vaultwarden

# Backup data directory
tar czf $BACKUP_DIR/vaultwarden_$DATE.tar.gz \
  /home/vaultwarden/vaultwarden/data

# Restart
docker compose -f /home/vaultwarden/vaultwarden/docker-compose.yml start vaultwarden

# Keep only last 30 backups
ls -t $BACKUP_DIR/vaultwarden_*.tar.gz | tail -n +31 | xargs -r rm

# Optional: Upload to remote storage
# rclone copy $BACKUP_DIR/vaultwarden_$DATE.tar.gz remote:vaultwarden-backup/

Schedule with cron:

crontab -e
# Add:
0 3 * * * /home/vaultwarden/backup.sh

Manual Export

In web vault:

  1. Tools → Export Vault
  2. Choose format (JSON recommended)
  3. Store securely offline

Important: Exports are unencrypted! Store in encrypted location.

Email Configuration

Password reset requires email. Options:

Gmail

SMTP_HOST=smtp.gmail.com
SMTP_FROM=you@gmail.com
SMTP_PORT=587
SMTP_SECURITY=starttls
SMTP_USERNAME=you@gmail.com
SMTP_PASSWORD=app-password  # Not your regular password!

Create app password at: myaccount.google.com/apppasswords

Resend

SMTP_HOST=smtp.resend.com
SMTP_FROM=noreply@yourdomain.com
SMTP_PORT=587
SMTP_SECURITY=starttls
SMTP_USERNAME=resend
SMTP_PASSWORD=re_xxxxx

Mailgun

SMTP_HOST=smtp.mailgun.org
SMTP_FROM=noreply@yourdomain.com
SMTP_PORT=587
SMTP_SECURITY=starttls
SMTP_USERNAME=postmaster@yourdomain.com
SMTP_PASSWORD=your-mailgun-password

Resource Usage

Typical Vaultwarden footprint:

Metric Value
RAM 30-80 MB
CPU <1% idle
Disk ~100 MB (data grows slowly)
Bandwidth Minimal

You can run many other services alongside Vaultwarden on the same VPS.

Updating Vaultwarden

Stay secure with regular updates:

cd /home/vaultwarden/vaultwarden

# Pull latest image
docker compose pull

# Restart with new image
docker compose up -d

# Clean old images
docker image prune -f

Or use Watchtower for automatic updates:

services:
  watchtower:
    image: containrrr/watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    command: --cleanup --schedule "0 0 4 * * *"

Updates daily at 4 AM.

Organizations & Sharing

Vaultwarden supports Bitwarden organizations:

  1. Admin panel → Organizations → Create
  2. Invite family/team members
  3. Create collections to organize shared passwords

Free features (unlike Bitwarden Cloud):

FAQ

Is Vaultwarden safe?

Yes. It's a well-maintained, audited project. Your data is encrypted with your master password before storage.

Can I migrate from Bitwarden Cloud?

Yes. Export from Bitwarden (JSON format), import into Vaultwarden.

What if my VPS goes down?

Your Bitwarden apps cache vault locally. You can't sync, but passwords work offline. Keep backups!

How often should I backup?

Daily minimum. Cron job recommended.

Vaultwarden vs Bitwarden self-hosted?

Vaultwarden is lighter (50MB vs 2GB+) and includes premium features free. Bitwarden official is heavier but fully supported.

Recommended Setup

Use Case VPS Monthly Cost
Personal Hetzner CX11 €3.79
Family Hostinger KVM1 $4.99
Small Team Hetzner CX21 €5.39

Start with Hetzner CX11 — €3.79/month for complete password sovereignty. Cheaper than Bitwarden premium, and you own the data.

~/best-vps-for-vaultwarden/get-started

Ready to get started?

Get the best VPS hosting deal today. Hostinger offers 4GB RAM VPS starting at just $4.99/mo.

Get Hostinger VPS — $4.99/mo

// up to 75% off + free domain included

// related topics

best vps for vaultwarden vaultwarden hosting self-hosted bitwarden password manager vps vaultwarden setup

fordnox

Expert VPS reviews and hosting guides. We test every provider we recommend.

// last updated: February 8, 2026. Disclosure: This article may contain affiliate links.