Build a Self-Hosted Password Vault Lab with Vaultwarden
A self-hosted Vaultwarden password vault with backups, recovery notes, and practical safeguards for family use.
Expected Outcome
A working self-hosted password vault that securely stores passwords and provides recovery options for family members.
Assumptions
- Basic knowledge of Docker and Docker Compose
- A server or a Raspberry Pi with Docker installed
- A domain name (optional but recommended for SSL)
Bill of Materials
- A server or Raspberry Pi
- Docker and Docker Compose installed
- A text editor (e.g., VSCode, Nano)
- SSL certificate (e.g., Let's Encrypt, if using a domain)
Build Steps
- Set Up Docker and Docker Compose
Ensure Docker and Docker Compose are installed on your server.
Changes system state: review before running
sudo apt update
sudo apt install docker.io
sudo systemctl start docker
sudo systemctl enable docker
sudo apt install docker-compose
- Create Vaultwarden Docker Compose File
Create a directory for Vaultwarden and a Docker Compose file to define the service.
Changes system state: review before running
mkdir -p ~/vaultwarden
cd ~/vaultwarden
nano docker-compose.yml
- Configure Docker Compose for Vaultwarden
Add the Vaultwarden service configuration to the docker-compose.yml file.
Changes system state: review before running
cat > docker-compose.yml <<'EOF'
version: "3.8"
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    volumes:
      - ./vw-data:/data
    ports:
      - "80:80"
    environment:
      WEBSOCKET_ENABLED: "true"
    restart: unless-stopped
EOF
- Start Vaultwarden Service
Run the Vaultwarden service using Docker Compose.
Changes system state: review before running
docker-compose up -d
- Access Vaultwarden Web Interface
Open a web browser and navigate to your server's IP address to access the Vaultwarden web interface.
Example pattern only. Adjust for your environment before running.
http://<your-server-ip>
- Set Up Backups
Create a backup strategy for your Vaultwarden data.
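Changes system state: review before running
mkdir -p ~/vaultwarden/backups
# Append to the existing crontab; piping a single line into "crontab -" would replace every other entry.
(crontab -l 2>/dev/null; echo '0 2 * * * docker exec vaultwarden zip -r /data/vaultwarden-backup.zip /data > ~/vaultwarden/backups/backup.log 2>&1') | crontab -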
- Implement Family-Safe Recovery Notes
Create a secure document for recovery notes that can be shared with family members.
Example pattern only. Adjust for your environment before running.
nano ~/vaultwarden/recovery_notes.txt
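For the Set Up Backups step, the following is an added example, not part of the original guide or of the Vaultwarden project: a host-side script that snapshots the database with SQLite's online backup API, so the copy is consistent while the server is running, then writes an owner-only archive into the backups directory and prunes old ones. It assumes the default SQLite backend with the database at vw-data/db.sqlite3 and that icon_cache can be regenerated; the function name backup_vault and the vw-*.tar.gz naming are hypothetical.

```python
import os
import sqlite3
import sys
import tarfile
import tempfile
import time
from pathlib import Path

DB_NAME = "db.sqlite3"  # assumption: default SQLite backend file name in the data dir
# The live DB and its WAL/SHM files are replaced by a snapshot; icon_cache is
# treated as regenerable (assumption) and left out.
SKIP = {DB_NAME, DB_NAME + "-wal", DB_NAME + "-shm", "icon_cache"}


def backup_vault(data_dir, backup_dir, keep=7):
    """Snapshot the DB, archive it with the rest of data_dir (keys, attachments,
    config), then prune so only the newest `keep` archives remain."""
    data_dir, backup_dir = Path(data_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    os.chmod(backup_dir, 0o700)  # archives hold the encrypted vault and server keys
    with tempfile.TemporaryDirectory() as tmp:
        snap = Path(tmp) / DB_NAME
        src = sqlite3.connect(f"file:{data_dir / DB_NAME}?mode=ro", uri=True)  # fails if DB is missing
        dst = sqlite3.connect(snap)
        try:
            src.backup(dst)  # consistent copy even if the server is writing
            ok = dst.execute("PRAGMA integrity_check").fetchone()[0]
        finally:
            src.close()
            dst.close()
        if ok != "ok":
            raise RuntimeError(f"snapshot failed integrity_check: {ok}")
        out = backup_dir / f"vw-{time.strftime('%Y%m%d-%H%M%S')}.tar.gz"
        fd = os.open(out, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh, tarfile.open(fileobj=fh, mode="w:gz") as tar:
            tar.add(snap, arcname=DB_NAME)
            for item in sorted(data_dir.iterdir()):
                if item.name not in SKIP:
                    tar.add(item, arcname=item.name)
    for old in sorted(backup_dir.glob("vw-*.tar.gz"))[:-keep]:
        old.unlink()  # timestamped names sort oldest first
    return out


if __name__ == "__main__":
    print(backup_vault(sys.argv[1], sys.argv[2]))
```

Run it from cron as a user that can read vw-data, passing the data directory and the backups directory as the two arguments. Restoring from an archive on a scratch host is the only check that the backup is actually usable.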
Validation
- Verify that the Vaultwarden web interface is accessible.
- Check that backups are being created as scheduled.
Troubleshooting
- If a step fails, capture the exact command, exit code, and log line before retrying or changing the design.
- Use `docker compose ps` and `docker compose logs <service>` to separate image, environment, port, and volume problems.
Cleanup or Rollback
- Keep a copy of working configuration, compose files, scripts, and service credentials before removing containers, packages, or data directories.
- Stop test containers with `docker compose down` only after confirming which volumes contain persistent data.
- Rollback by redeploying the previous compose file or image tag and restoring the saved environment file.
Next Improvements
- Explore advanced Vaultwarden configurations.
- Set up SSL for secure access.
- Consider integrating with a family cloud stack.