Gradually switching to self-hosting helped me discover numerous useful tools. I now use a Paperless-ngx alongside a local LLM on one of my systems, while my old laptop, with merely 4GB DDR3 RAM, runs eight Docker containers. I also have a few Raspberry Pi and Radxa boards, running a few more tools. Recently, I've dedicated one of my Raspberry Pi Zero 2W, a $15 single-board computer, as a password manager hosting device. It's helpful because it made me ditch LastPass, offers features that are seldom found in paid tools, and works without any data sharing or online interaction.

There are countless benefits of running Vaultwarden on my Raspberry Pi Zero 2W. The best one is that I have an isolated device doing one thing, and it does a great job. It sips negligible power, can run off a power bank, and ensures that I have my password vault access 24/7.

Raspberry Pi is fit for Vaultwarden

Sufficient resources to work

When you add a self-hosted tool to your home server ecosystem, resource consumption is a major factor. Tools like Paperless-ngx or NextCloud require powerful hardware to deliver the best experience across multiple devices with concurrent users.

Vaultwarden is different: you simply store passwords in a database and access them via a web UI whenever you want to log in to a service. Since Vaultwarden only stores password and username combinations, it shows a slight resource spike only when accessing the UI, using its password generator, or similar tools. So, it's perfect to host on a Raspberry Pi Zero 2W with 512MB of RAM, since the tool only needs 20–50MB to run.

However, your Raspberry Pi OS selection makes a lot of difference when you want to host a password manager or any other tool on a Pi Zero 2W. I went with DietPi because the OS barely uses 70 MB of memory when nothing else is running and offers a simple way to deploy tools via its software interface.

You can download the appropriate DietPi version for your SBC from the official website or use the Raspberry Pi Imager. The tool can download and flash the latest edition of DietPi on your SD card. After a brief initial setup, you can use the DietPi_software utility to download and install Vaultwarden.

There’s nothing much to share about the installation because it's direct and easy via DietPi’s tool, and you don’t need to deal with the complexity of setting up a SQL server. The tool packages and sets up everything for you. I have a habit of running the ss -tulpn command after installing something to double-check the port it's running on.

Vaultwarden uses port 8001 on my DietPi, but it may be a different port on your system. So, it's wise to double-check.

Accessing Vaultwarden web UI

Bringing all passwords under one roof

After installing and hosting Vaultwarden on port 8001, you must create an account and then enter the passwords. Vaultwarden needs you to enter an email and set up a master password that's essential to unlock your vault. Since it's the only password you must remember at all times, I created something strong yet memorable.

Vaultwarden suggests using the Bitwarden extension to access your password via Chrome or any other web browser. I skipped it on the first setup and used Vaultwarden’s import section to add all passwords from multiple CSV files. I like the fact that Vaultwarden supports multiple file types, which makes it easy for users.

I also get multiple tools inside the web interface to run checks on my passwords. It can find weak passwords, highlight the ones that appeared in a breach, and do a few more checks.

The password generator is another useful feature that offers a little more control than what you get with a browser’s password suggestion tool. It can suggest strong passwords based on the preferred length, usernames, and passphrases, too. I can also set up multi-factor authentication and use the built-in tool to share files.

Browser extension and remote access

Tailscale solves it

Launching the web UI to find the password and then pasting it into the website is tedious. I prefer using the official browser extension because it reduces the need to launch the Vaultwarden web UI until I need to make some account or password-related changes.

Vaultwarden is a fork of Bitwarden and uses the same browser extension to work. All I need to do is select the self-hosted option, enter the Pi's IP address, and log in with the master password. My vault contents became accessible inside Chrome and work similarly to the native password manager or a tool like LastPass.

The extension automatically suggests turning off Chrome’s autofill for a better experience. Most of the built-in tools are available in the extension, including the password generator features. The vault automatically locks after five minutes of inactivity, which is a good security measure. I can adjust the time interval along with numerous other security mechanisms.

The last piece of the puzzle is remote access, but Tailscale makes it a cakewalk. After adding my Pi to the Tailscale network, I can access the Vaultwarden web UI on my phone and laptop, even when I am outside the home network. I didn't apply any reverse proxy to get Vaultwarden working on the Pi. Running it in Docker requires an HTTPS connection, but my Tailscale method works nicely for now.

Skip password manager subscriptions

Vaultwarden works like a charm on the Raspberry Pi, stores my passwords locally, and I don't need to deal with a complex network setup for it. I used DietPi’s backup tool to continuously back up the system to a USB SSD, keeping an extra copy of my password vault. For power interruptions, I have a 700VA inverter that provides backup electricity to some specific outlets in my home. I keep my router, SBCs, and lightweight Docker systems connected to one of those outlets.

So, I don't lose access to the Vaultwarden server unless my ISP is down when I'm outside my home network. You can use a power bank or UPS instead of an inverter, and it'll work equally well because the Pi and the router need a few Watts at most.