Setting up complex passwords filled with cryptic characters is one of the best ways to keep hackers off your tail. After all, a string of 15+ oddly arranged alphanumeric characters and symbols is a lot more effective at thwarting brute force and dictionary attacks than awful, easy-to-guess passkeys. The downside is that you’ll have a hard time recalling your wacky passwords, especially if you have different login credentials for all your accounts.

Dedicated password managers like 1Password and Dashlane provide a solid compromise by storing your credentials, API tokens, and encryption keys, thereby sparing your brain cells the trouble of remembering complex passwords. Unfortunately, cloud-based password managers are riddled with privacy and security flaws, which is where self-hosted tools shine.

While Bitwarden and a couple of other utilities can be deployed on local hardware, I’m really impressed with the feature-laden Vaultwarden, to the point where I consider it an essential part of my self-hosted application stack.

Why should you bother hosting Vaultwarden?

It’s a private password manager that runs on local hardware...

The lack of privacy on cloud-based services remains a major issue for most security enthusiasts, but the situation is especially critical in the case of password managers. Database breaches are quite common in the tech space. If your password repository gets leaked, hackers can not only use your breached credentials to access the accounts associated with them, but also leverage them in credential-stuffing attacks to brute force their way into your accounts on other apps and services. Then there’s the fact that your password repositories can technically be accessed by the firms that own the cloud, which is a nightmare when you’re as security-conscious as I am.

Since Vaultwarden is completely self-hosted, you can take extra precautions to ensure hackers won’t target your password repo. Isolating the more vulnerable devices and services in your home lab is quite helpful, and so is creating hardened firewall rules for the machine hosting your Vaultwarden instance. Get rid of port forwarding and stop exposing services to the Internet, and you’ll have extremely low chances of getting your credentials stolen from Vaultwarden.

... And barely occupies any computing resources

If you’ve been a part of the self-hosted ecosystem for a while, you’d know Vaultwarden is far from the only option at your disposal. Bitwarden is a solid alternative that offers a couple of extra features, and Vaultwarden technically borrows several facilities from the former. However, Vaultwarden is extremely lightweight, and you can deploy it on practically any device in your home lab, regardless of its computing prowess. As someone who recently ran it alongside dozens of other lightweight containers on a mere Intel N100 system, I can confirm that Vaultwarden works well even on low-spec servers.

Proxmox users have the easiest setup process for Vaultwarden

No need to bother with self-signed certificates

Creating SSL certificates and using them to access a website over HTTPS can add an extra layer of security for your containerized services. However, the self-hosting ecosystem has a couple of tools that won’t work unless you rely on an HTTPS connection. Bitwarden and Vaultwarden are two such utilities, and while you could utilize the Caddy + Let’s Encrypt combo to access them over the HTTPS protocol, the extra legwork makes self-hosting them an uphill battle for complete beginners.

But thanks to the Proxmox VE-Helper Scripts repository, you can deploy a Vaultwarden container in a couple of minutes. That’s because the script for Vaultwarden automatically creates a self-signed certificate for your LXC container, so you don’t have to spend hours editing multiple configuration files for your Vaultwarden server.

Assuming you’ve got a Proxmox rig, you can simply navigate to the Shell tab of your primary node and run the command bash -c "$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/vaultwarden.sh)" inside the terminal UI. I went with the Default options for the container, and my Proxmox workstation had no issues downloading the dependencies and whipping out the Vaultwarden LXC.
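A more cautious way to run the same installer on the Proxmox host, as an added example that is not part of the original article or the community-scripts project: save the script to a file, read it, record its SHA-256, and execute only a copy whose hash matches the one you reviewed. The function names, the /root/vaultwarden.sh path and the REVIEWED_SHA256 variable are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: fetch, review, pin, then run the Vaultwarden helper script
# instead of piping curl straight into bash as root.

SCRIPT_URL="https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/vaultwarden.sh"

# Print only the hex SHA-256 digest of a file.
file_sha256() {
    sha256sum "$1" | awk '{print $1}'
}

# Download URL ($1) to a local file ($2). -f makes curl fail on HTTP errors
# rather than saving an error page; --proto refuses any non-HTTPS redirect.
fetch_script() {
    curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# Succeed only if the file ($1) still has the hash ($2) recorded at review time.
# Returns 2 when the file is missing, 1 on a mismatch.
verify_script() {
    [ -f "$1" ] || return 2
    [ "$(file_sha256 "$1")" = "$2" ]
}

# Typical flow. REVIEWED_SHA256 is a hypothetical variable: set it to the
# digest printed by file_sha256 once you have read the script.
#   fetch_script "$SCRIPT_URL" /root/vaultwarden.sh
#   less /root/vaultwarden.sh
#   file_sha256 /root/vaultwarden.sh
#   verify_script /root/vaultwarden.sh "$REVIEWED_SHA256" && bash /root/vaultwarden.sh
```

Reading the file also shows whether it downloads further code at run time, which a hash of the top-level script does not cover.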

Importing passwords is just as simple

The convenient browser extension is just the cherry on top

Once you’ve got the Vaultwarden LXC up and running, you can access its web UI using the URL generated at the bottom of the terminal interface. After signing up with your Email, Username, and a (strong) Password, you’re free to create a Vault, which is Vaultwarden’s way of referring to your credential repo.

Since I use different sets of passwords to access my online profiles and self-hosted app accounts, I was worried that I’d have to manually feed all my credentials into Vaultwarden. Thankfully, importing the password set is an absolute breeze. All I had to do was download the password list as a .CSV file and import it to Vaultwarden – a process that can be completed in well under 15 minutes.

I also wanted to give a shoutout to Bitwarden's browser extension. Vaultwarden doesn’t have its own browser-based plugin, but it pairs exceedingly well with the one designed for Bitwarden. Thanks to this extension, I can save (and access) my login credentials with the press of a button instead of opening the Vaultwarden web UI.

Make credential management a cakewalk with Vaultwarden

Besides usernames, email addresses, and passwords, Vaultwarden can store IDs, addresses, and other sensitive data. Heck, it can even generate random strings as passwords, and I often use this feature to add an extra layer of security against brute-force attacks.

Speaking of security, Fail2Ban is my favorite companion utility for Vaultwarden. Once configured, the app can be used to prevent access to Vaultwarden (or other self-hosted services, for that matter) after a set number of incorrect login attempts. And if you’re willing to dive even deeper into the self-hosted rabbit hole, you’ll find a plethora of firewall distros and IPS/IDS services that help your Vaultwarden container remain impenetrable to unauthorized users.
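The counting behind that lockout, as an added example that is not from the original article or from Fail2Ban itself: it flags any IP address that reaches a set number of failed logins inside a time window. The log line format, the MAXRETRY and FINDTIME values and the sample entries are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: the counting Fail2Ban does, run over constructed log lines.
# Assumption: failed logins are logged as
#   "... Username or password is incorrect. Try again. IP: <addr>. Username: <user>."
# Check the wording against your own Vaultwarden log before relying on it.

MAXRETRY=3     # failed attempts that trigger a ban (hypothetical jail value)
FINDTIME=600   # seconds within which those attempts must occur (hypothetical)

# Constructed sample log; IPs come from the reserved documentation ranges.
sample_log() {
cat <<'EOF'
[2025-01-10 09:00:01.120][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: alice@example.com.
[2025-01-10 09:00:20.481][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: alice@example.com.
[2025-01-10 09:01:05.902][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: admin@example.com.
[2025-01-10 09:02:00.010][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.23. Username: bob@example.com.
[2025-01-10 09:30:00.334][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.23. Username: bob@example.com.
[2025-01-10 09:31:12.000][constructed::info][INFO] unrelated line mentioning IP: 192.0.2.50
[2025-01-10 10:15:00.775][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.23. Username: bob@example.com.
[2025-01-10 10:16:40.118][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.0.2.50. Username: carol@example.com.
EOF
}

# Read a log on stdin; print each IP with MAXRETRY failures inside FINDTIME.
ips_to_ban() {
    awk -v max="$MAXRETRY" -v win="$FINDTIME" '
    /Username or password is incorrect\. Try again\. IP: / {
        # Seconds since midnight from HH:MM:SS (the sample stays within one day).
        split(substr($2, 1, 8), t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]
        ip = $0
        sub(/.*Try again\. IP: /, "", ip)
        sub(/\. Username:.*/, "", ip)
        n[ip]++
        ts[ip, n[ip]] = now
        # Ban when the max-th most recent failure is still inside the window.
        if (n[ip] >= max && now - ts[ip, n[ip] - max + 1] <= win && !seen[ip]++)
            print ip
    }'
}

sample_log | ips_to_ban   # prints 203.0.113.7
```

The address 198.51.100.23 also fails three times but over more than an hour, so the window decides whether slow guessing is caught; widening FINDTIME trades that against locking out a user who mistypes a few times in one day.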