Andre Franca

How to self-host Vaultwarden with Podman on a VPS

Published: September 27, 2022
Tagged: #self-hosting #security #privacy #password-manager

I would say that one of the most important things in our digital life is to have good passwords, then to have a proper way to secure and manage those passwords. Thankfully, we have different solutions.

Today I’m going to show you how to self-host Vaultwarden with Podman[1].

Vaultwarden is described by its creator as an

alternative implementation of the Bitwarden server API written in Rust and compatible with upstream Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.


If you’re setting up locally, let’s say on a Raspberry Pi, I wouldn’t mess with port forwarding, unless you know what you’re doing.

I’d instead look for a tool like Tailscale (which is great, free and will allow you to access your passwords even when you’re not at home).


Install Podman

# Ubuntu 20.10 and newer
sudo apt -y update
sudo apt -y install podman

For other distros, or if you’d like to install from source, see the podman documentation.

Install Caddy

# Ubuntu 20.10 and newer
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf '<caddy-gpg-key-url>' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf '<caddy-apt-source-list-url>' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt -y update
sudo apt -y install caddy

For other distros, or if you’d like to install from source, see the caddy documentation.

Enabling firewall ports

I like to use UFW to manage my firewall rules. If you’re running newer versions of Ubuntu, it should be pre-installed. Otherwise, you may search for it in your package manager. Feel free to use any firewall to manage your rules if you feel like it.

Before enabling UFW, make sure to allow ssh access, so you don’t get kicked out of your server.

sudo ufw allow <your-ssh-port>/tcp
sudo ufw allow 80,443/tcp
sudo ufw enable

Install Vaultwarden

By default, rootless podman containers won’t start at boot or keep running after the user logs out. To allow the container to keep running in the background:

sudo loginctl enable-linger <your-username>

Now, we need to create a volume to mount into our container, so our data persists when the container is restarted or recreated.

podman volume create vaultwarden

Let’s create a podman container for Vaultwarden[3]:

podman run --detach --name vaultwarden --volume vaultwarden:/data/ \
  --restart always --memory 256m \
  --publish 8080:80 --publish 3012:3012 \
  --env WEBSOCKET_ENABLED=true <vaultwarden-image>

By now, you should have your container up and running. You can verify that by running podman ps.

CONTAINER ID  IMAGE                                COMMAND            CREATED      STATUS             PORTS                                         NAMES
15e928a3d92e  /          2 weeks ago  Up 43 seconds ago>80/tcp,>3012/tcp  vaultwarden
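
The run command above publishes 8080 and 3012 without a host address, so both listen on every interface, although only Caddy on localhost needs to reach them. The check below is an added example, not part of the original post: it reads `ss -H -ltn` output and reports those two ports when they are bound outside loopback. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report Vaultwarden backend
# ports that listen on a non-loopback address.
# Input on stdin: output of `ss -H -ltn` (State Recv-Q Send-Q Local Peer).

BACKEND_PORTS="8080 3012"   # host ports published by the podman run command

# Prints "port address" for every backend listener bound outside loopback.
exposed_backends() {
    awk -v ports="$BACKEND_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
        sock = $4
        port = sock; sub(/^.*:/, "", port)            # text after the last colon
        addr = substr(sock, 1, length(sock) - length(port) - 1)
        sub(/%.*$/, "", addr)                         # drop scope such as %lo
        gsub(/\[/, "", addr); gsub(/\]/, "", addr)    # drop IPv6 brackets
        if (!(port in want)) next
        if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
        print port, addr
    }'
}

# Constructed sample: 8080 on all interfaces, 3012 on loopback only.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0      4096         0.0.0.0:8080       0.0.0.0:*
LISTEN 0      4096       127.0.0.1:3012       0.0.0.0:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096               *:443              *:*
EOF
}

sample_ss_output | exposed_backends
# On the server itself: ss -H -ltn | exposed_backends
```

If a port is reported, recreating the container with `--publish 127.0.0.1:8080:80 --publish 127.0.0.1:3012:3012` keeps the backend reachable only through the reverse proxy.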

Set up Caddy as Reverse Proxy

Open the file /etc/caddy/Caddyfile

sudo nano /etc/caddy/Caddyfile

Comment out all existing lines or just delete them, then add the following lines:

your-domain.tld {
        reverse_proxy localhost:8080
        reverse_proxy /notifications/hub localhost:3012
        reverse_proxy /notifications/hub/negotiate localhost:8080

        tls <your-email> {
                protocols tls1.3
        }
        header {
                # enable HSTS
                Strict-Transport-Security max-age=31536000;
        }
        encode gzip
}

Make sure to edit the first line with your own domain.tld, and the sixth line with the email you’d like to use when generating your SSL certificate.

Caddy will take care of the certificate automatically for you.

Reload the caddy service:

sudo systemctl reload caddy

Now you should be able to access your Vaultwarden container in your browser by accessing https://your-domain.tld.

Initial Setup

Additional Steps

Configure systemd

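Navigate to the ~/.config/systemd/user folder. The directory is literally named user, because that is where systemd looks for per-user unit files; do not substitute your username.

cd ~/.config/systemd/user

If the folder does not exist, just create it:

mkdir -p ~/.config/systemd/user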

Now, you have to create a systemd unit file that can be used to control the container. Luckily podman can help us by issuing the following command:

# Generate systemd unit file
podman generate systemd --files --name vaultwarden

# Enabling our file to start at boot
systemctl --user enable container-vaultwarden.service

The “--user” is a flag, and you should not replace it with your real user.

Reboot your server, then run podman ps to confirm that the container started without any problems.


The updating process basically consists of pulling a new image, removing the old one, then recreating our container.

# Check if there's any update for your container image
podman pull <vaultwarden-image>

# If there is an update, stop and delete your current container
podman stop vaultwarden && podman rm vaultwarden

# Now we can recreate our Vaultwarden container
podman run --detach --name vaultwarden --volume vaultwarden:/data/ \
  --restart always --memory 256m \
  --publish 8080:80 --publish 3012:3012 \
  --env WEBSOCKET_ENABLED=true <vaultwarden-image>

# Check if it's up and running
podman ps

Feel free to automate this process if you would like to.

Official Documentation

The official Wiki page provides lots of useful information and specific additional configurations you may be interested in like:

Using Vaultwarden

The Vaultwarden container we just created is compatible with upstream Bitwarden clients.

Remember to edit the settings of the application before login. You must point to your custom Server URL.

If you need additional help, check out the Bitwarden Help Center.

Additional Tip

If you want to learn about password manager[4] alternatives, for instance local-based password managers, the page below is great:

  1. Why Podman instead of Docker?

    I have run into trouble running docker on low-end hardware (like a Raspberry Pi), while Podman works seamlessly.

    In terms of capabilities, as of today I haven’t found any missing features on my use cases. 

  2. You can try to get a certificate using other methods like

  3. Flags explained:

    detach - daemonizes the container to run in the background;
    name - defines a name for the container;
    volume - uses the persisted volume vaultwarden created in the step before;
    restart - this flag ensures that our container will try to stay up in case something goes wrong;
    memory - limits the total amount of memory used by the container (you can definitely change this value as needed or even ignore this flag);
    publish - defines which host ports will be exposed to the container ports respectively;
    env WEBSOCKET_ENABLED=true - this environment variable enables the websocket server for our container.

  4. Password managers basically allow you to securely store and manage passwords and other credentials.

    A cloud-based password manager allows you to sync all your passwords on a cloud server for easy accessibility and safety against device loss, as I’m going to demonstrate in this post.

    A local-based password manager allows you to manage an encrypted password database locally. 
