Gibdos Talks FOSS

Vaultwarden

An unofficial reimplementation of the Bitwarden server. It securely stores your passwords, 2FA TOTP and passkeys. It can also act as your SSH agent, generate custom secure passwords and warn you if you use an insecure password or the same password more than once.

My folder structure

compose.yml

services:
    vaultwarden:
      container_name: vaultwarden
      volumes:
        - ./data:/data/
      environment:
        - ADMIN_TOKEN=${VAULTWARDEN_ADMIN_TOKEN}
      ports:
        - '8001:80'
      image: 'vaultwarden/server:latest'
      restart: unless-stopped

Caddyfile Entry

vault.yourdomain.com {
  reverse_proxy XXX.XXX.XXX.XXX:8001 {
   header_up X-Real-IP {remote_host}
  }
  encode zstd gzip
  import security_headers
}

.env
To create a secure access token for the Vaultwarden Admin Panel (https://vault.yourdomain.com/admin), run the following commands on your VPS:

# Install argon2 to generate the secure token
sudo apt install argon2

# Create the token (Use an actual complicated password for MySecretPassword)
echo -n "MySecretPassword" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4

# Copy the resulting token (starting with $argon2) with CTRL+SHIFT+C

# create the .env file and open it with nano
sudo nano /opt/docker/vaultwarden/.env

# Write the following into the file
VAULTWARDEN_ADMIN_TOKEN=''

# Paste your copied token in between the ''
# With the MySecretPassword example, it will end up like this
VAULTWARDEN_ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$RWptWUtkdS82OEIvVnZDazFWK3hYcmZNR2pSNDNqV3lTOTR2UDF0Znh1az0$yUMVIw13Z+gJWQmlGAeU+w1MbM8owG7FvF+1ZtlZE9Q'

# Save your file with CTRL+O and close nano with CTRL+X

To log into the admin panel, you will use your MySecretPassword and not the generated argon2 token.

Disable Admin Panel
Once you've made your desired changes in the Vaultwarden Admin Panel, I recommend disabling it by commenting out the following two lines in your compose.yml with the # symbol:

      #environment:
        #- ADMIN_TOKEN=${VAULTWARDEN_ADMIN_TOKEN}

You will also need to remove it from your /opt/docker/vaultwarden/data/config.json file by deleting the line starting with

"admin_token": "$argon2...",

and restarting your Vaultwarden container. If you want to re-enable it, just remove the # from your compose.yml.
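The two places described above can be checked with a short script. This is an added example, not part of the original guide or the Vaultwarden project; the function names are hypothetical and the sample files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: confirm the Vaultwarden admin panel is really disabled.
# Function names and the sample files are constructed for this demo.

# Succeeds if compose.yml still passes ADMIN_TOKEN on an uncommented line
# (list form "- ADMIN_TOKEN=..." or map form "ADMIN_TOKEN: ...").
compose_sets_admin_token() {
    grep -Eq "^[[:space:]]*(-[[:space:]]*)?[\"']?ADMIN_TOKEN[[:space:]]*[=:]" "$1"
}

# Succeeds if config.json exists and still stores an admin_token entry.
config_has_admin_token() {
    [ -f "$1" ] && grep -Eq '"admin_token"[[:space:]]*:' "$1"
}

# Prints "enabled" or "disabled"; returns 0 only when both sources are clean.
admin_panel_state() {
    state=disabled
    if compose_sets_admin_token "$1"; then
        echo "compose.yml: ADMIN_TOKEN is still set" >&2
        state=enabled
    fi
    if config_has_admin_token "$2"; then
        echo "config.json: admin_token is still stored" >&2
        state=enabled
    fi
    echo "$state"
    [ "$state" = disabled ]
}

# --- Demo on constructed files (not a real deployment) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'services:' '    vaultwarden:' '      environment:' \
    '        - ADMIN_TOKEN=${VAULTWARDEN_ADMIN_TOKEN}' > "$demo_dir/on.yml"
printf '%s\n' 'services:' '    vaultwarden:' '      #environment:' \
    '        #- ADMIN_TOKEN=${VAULTWARDEN_ADMIN_TOKEN}' > "$demo_dir/off.yml"
printf '%s\n' '{' '  "admin_token": "$argon2id$CONSTRUCTED-PLACEHOLDER",' \
    '  "signups_allowed": false' '}' > "$demo_dir/on.json"
printf '%s\n' '{' '  "signups_allowed": false' '}' > "$demo_dir/off.json"

admin_panel_state "$demo_dir/on.yml"  "$demo_dir/on.json"  || true  # both set
admin_panel_state "$demo_dir/off.yml" "$demo_dir/on.json"  || true  # config.json forgotten
admin_panel_state "$demo_dir/off.yml" "$demo_dir/off.json"          # fully disabled
```

Against a real deployment, call admin_panel_state with your compose.yml and /opt/docker/vaultwarden/data/config.json; a non-zero exit status means the token is still configured in at least one of them.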

Additional Resources
Official GitHub
Official Documentation