Embark on the ultimate journey of data sovereignty by taking full control of your digital secrets. This comprehensive guide will walk you through setting up your own private password manager using the official Bitwarden Server, containerized with Docker. Discover how to leverage Docker to simplify the deployment, ensuring a secure, open-source vault right on your own hardware. Perfect for tech enthusiasts and those seeking robust security, this tutorial details every step, from prerequisites to ongoing maintenance, empowering you to manage your credentials with unparalleled confidence.
Unlock Unrivaled Password Security with Self-Hosted Bitwarden
Bitwarden stands out as a premier open-source password manager, offering both convenience and robust security. While their cloud solution is excellent, the true power for the privacy-conscious lies in self-hosting your vault. This gives you absolute control over your sensitive data, aligning perfectly with the principles of data sovereignty.
When considering self-hosting, you’ll encounter two primary options: Vaultwarden (an unofficial, resource-light Rust implementation ideal for small setups like a Raspberry Pi) and the official Bitwarden Server. This guide focuses on the latter, designed for scenarios requiring greater scalability and comprehensive features, though it demands more resources.
Essential Prerequisites for Your Bitwarden Server
Before diving into the installation, ensure your home lab setup or VPS meets these crucial requirements:
- Compatible Hardware: A 64-bit machine or VPS with a minimum of 2GB RAM (4GB recommended). The official Bitwarden Server does not support ARM architectures, meaning devices like the Raspberry Pi are incompatible for this specific deployment.
- Domain Name: Ownership of a domain name is essential. Bitwarden requires a signed SSL certificate for secure operation, which is most easily obtained via Let’s Encrypt and tied to your domain.
- Remote Access: To access your vault securely from anywhere, you’ll need a method for remote access. This can be achieved through port forwarding or, more securely, by utilizing services like Cloudflare Tunnel or Pangolin.
- SMTP Server: An SMTP configuration is mandatory for user verification and other essential email communications. You can use a third-party provider like Mailgun or Sendgrid, or leverage Gmail’s SMTP relay.
Setting Up the Official Bitwarden Server with Docker
This section guides you through the process of deploying the Bitwarden Server using Docker. We’ll start by preparing your system, ensuring a secure and efficient installation environment.
Preparing Your System
The first step is to install the latest version of Docker on your system. Docker simplifies the entire setup, managing all the necessary containers.
If Docker is already installed, you can skip to the next step. Otherwise, follow a guide to install Docker on your Linux distribution. With Docker in place, ensure your system’s package list cache is updated. If you’re using a Debian-based system (like Ubuntu Server, a highly recommended choice for this setup), execute:
sudo apt update
Next, confirm that `curl` is installed. We’ll use this utility to download the official Bitwarden server installation script.
sudo apt install curl -y
Creating a Dedicated Bitwarden User
For enhanced security, it’s best practice to run the Bitwarden server under a dedicated, unprivileged user.
Create a new user specifically for Bitwarden:
sudo useradd -m -s /bin/bash bitwarden
Assign a strong, unique password to this new `bitwarden` user. This password should be long and complex for maximum security.
sudo passwd bitwarden
Add the `bitwarden` user to the `docker` group. This grants the user the necessary permissions to interact with the Docker daemon.
sudo usermod -aG docker bitwarden
Setting Up the Bitwarden Server Directory
A dedicated directory will house the Bitwarden server’s scripts and Docker configuration.
Create the directory `/opt/bitwarden`:
sudo mkdir /opt/bitwarden
Set restrictive permissions on this new directory. Using `chmod 700` ensures that only the directory’s owner (which we’ll change next) has read, write, and execute permissions, preventing unauthorized access.
sudo chmod 700 /opt/bitwarden
Change the ownership of the `/opt/bitwarden` directory to the `bitwarden` user.
sudo chown bitwarden:bitwarden /opt/bitwarden
Retrieving Your Bitwarden Host ID and Key
The official Bitwarden Docker installation requires a unique installation ID and key.
- Navigate to the official Bitwarden hosts page. Provide your email address to generate and retrieve both your installation ID and key. Ensure you have these values before proceeding.
Preparing the Bitwarden Docker Install Script
The remaining steps are best executed as the `bitwarden` user to maintain proper permissions.
Switch to the `bitwarden` user:
su - bitwarden
Change your current directory to the newly created Bitwarden installation directory:
cd /opt/bitwarden
Download the official Bitwarden installation script using `curl`:
curl -Lso bitwarden.sh "https://go.bitwarden.com/bw-sh.sh"
Apply restrictive permissions to the downloaded script, allowing only the `bitwarden` user to execute it:
chmod 700 bitwarden.sh
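As an added check that is not part of this tutorial or of the Bitwarden project: a small POSIX shell audit that confirms the installation directory and the downloaded script still carry the mode 700 and ownership applied in the two sections above. It assumes GNU coreutils `stat` (as on Debian/Ubuntu) and demonstrates on a constructed temporary directory.

```shell
#!/bin/sh
# Added example (not from the tutorial or Bitwarden): audit that a path has the
# restrictive permissions the setup above applies to /opt/bitwarden and
# bitwarden.sh. Assumes GNU coreutils `stat` (Debian/Ubuntu).

# audit_private_path PATH OWNER
#   returns 0 when PATH is mode 700 and owned by OWNER,
#   1 when mode or owner deviate (details on stderr), 2 if PATH is missing.
audit_private_path() {
  path=$1 owner=$2
  actual=$(stat -c '%a %U' "$path" 2>/dev/null) || {
    echo "$path: not found" >&2
    return 2
  }
  mode=${actual% *}
  who=${actual#* }
  rc=0
  [ "$mode" = 700 ] || { echo "$path: mode $mode, expected 700" >&2; rc=1; }
  [ "$who" = "$owner" ] || { echo "$path: owner $who, expected $owner" >&2; rc=1; }
  return $rc
}

# audit_install_dir DIR OWNER: check the directory and the installer script inside it.
audit_install_dir() {
  status=0
  audit_private_path "$1" "$2" || status=1
  audit_private_path "$1/bitwarden.sh" "$2" || status=1
  return $status
}

# Demo on a constructed temporary directory (real use: audit_install_dir /opt/bitwarden bitwarden).
demo_dir=$(mktemp -d)
: > "$demo_dir/bitwarden.sh"
chmod 700 "$demo_dir" "$demo_dir/bitwarden.sh"
if audit_install_dir "$demo_dir" "$(id -un)"; then
  echo "ok: $demo_dir is locked down"
fi
chmod 755 "$demo_dir/bitwarden.sh"   # loosen the script to show a finding
audit_install_dir "$demo_dir" "$(id -un)" || echo "finding reported above"
rm -rf "$demo_dir"
```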
Installing the Bitwarden Server with the Official Docker Install Script
With all preparations complete, you can now run the installer. Remember, your domain must be pointing to your server’s IP, and ports 80/443 must be accessible (via port forwarding or a tunnel).
Initiate the installation process:
./bitwarden.sh install
Follow the prompts during the installation:
- Enter the domain name for your Bitwarden Instance: Provide the domain you wish to use (e.g., `vault.yourdomain.com`).
- Do you want to use Let’s Encrypt to generate a free SSL Certificate (y/n): Type `y`. A valid SSL certificate is crucial for Bitwarden to function correctly.
- Enter your email address: Required by Let’s Encrypt for certificate generation.
- Enter the database name for your Bitwarden instance: This is the name for the Docker database container (e.g., `vault`).
- Enter your installation id: Input the ID obtained earlier from the Bitwarden hosts page.
- Enter your installation key: Input the key obtained earlier from the Bitwarden hosts page.
- Enter your region (US/EU): Select `US` or `EU` based on your preference or if you plan to connect to a paid subscription.
Configuring Your Email Settings
SMTP configuration is vital for user verification and account recovery.
Open the `global.override.env` file located in `./bwdata/env/` for editing. This file allows you to customize various Bitwarden settings.
nano ./bwdata/env/global.override.env
Locate the SMTP configuration section and update it with your chosen SMTP provider’s details. SMTP is a must-have for the proper functioning of your private password manager, enabling crucial features like email verification.
globalSettings__mail__replyToEmail=
globalSettings__mail__smtp__host=
globalSettings__mail__smtp__port=
globalSettings__mail__smtp__ssl=
globalSettings__mail__smtp__username=
globalSettings__mail__smtp__password=
For example, if using Mailgun:
globalSettings__mail__replyToEmail=no-reply@yourdomain.com
globalSettings__mail__smtp__host=smtp.mailgun.org
globalSettings__mail__smtp__port=587
globalSettings__mail__smtp__ssl=false
globalSettings__mail__smtp__username=your_mailgun_smtp_username
globalSettings__mail__smtp__password=your_mailgun_smtp_password
(Optional) To access the Bitwarden admin panel, specify the email addresses that should have access. Separate multiple emails with a comma.
Find the setting:
adminSettings__admins=
And update it, for example:
adminSettings__admins=admin@yourdomain.com,anotheruser@yourdomain.com
Save your changes and exit the editor by pressing `CTRL + X`, then `Y`, and `ENTER`.
Starting Your Bitwarden Server with Docker
Now, let’s bring your Bitwarden Docker containers to life.
Start the Bitwarden server using the `bitwarden.sh` script. Be aware that the initial startup can take some time as it downloads all necessary Docker images.
./bitwarden.sh start
Accessing Your New Bitwarden Server
Your secure private password manager is now ready for use!
Open your web browser and navigate to the domain name you configured for your Bitwarden instance.
On the login screen, click “Create account” to set up your master vault.
Enter your desired email address (1.) and an optional account name. Then, click “Continue” (2.).
Create a strong, memorable master password (1.) that is at least 12 characters long. This password is the key to your vault and cannot be recovered if lost. Click “Create account” (2.).
To log in, enter your email address (1.) and click “Continue” (2.).
Finally, enter your master password (1.) and click “Log in with master password” (2.).
Congratulations! You have successfully deployed your own Bitwarden server using Docker, taking a significant step towards full data sovereignty. You can now begin securely storing your passwords and linking your Bitwarden applications.
Disabling User Registration
For a single-user or small-group setup, it’s crucial to disable public user registration.
Re-open the `global.override.env` file:
nano ./bwdata/env/global.override.env
Locate the following option:
globalSettings__disableUserRegistration=false
Change `false` to `true`:
globalSettings__disableUserRegistration=true
Save and exit the file (`CTRL + X`, `Y`, `ENTER`). For the change to take effect, restart the Bitwarden Docker stack:
./bitwarden.sh restart
./bitwarden.sh restart
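Editing `global.override.env` from a script rather than in nano, as an added example that is not part of this tutorial or of Bitwarden’s own tooling. It covers both the SMTP settings from the email section and the registration switch from this one, assumes the one-`KEY=value`-per-line layout shown above, and runs against a constructed copy of the template rather than the live file.

```shell
#!/bin/sh
# Added example (not from the tutorial or Bitwarden): edit bwdata/env/global.override.env
# from a script instead of nano. Keys are one KEY=value per line, as in the template
# above. Uses awk via ENVIRON so values with '/', '&' or '\' are copied literally.

# set_env_key FILE KEY VALUE: replace the line for KEY, or append it if absent.
set_env_key() {
  if grep -q "^$2=" "$1"; then
    K=$2 V=$3 awk 'index($0, ENVIRON["K"] "=") == 1 { print ENVIRON["K"] "=" ENVIRON["V"]; next } { print }' \
      "$1" > "$1.tmp" \
      && cat "$1.tmp" > "$1" && rm -f "$1.tmp"   # write back in place to keep the file's owner/mode
  else
    printf '%s=%s\n' "$2" "$3" >> "$1"
  fi
}

# get_env_key FILE KEY: print the value of KEY (empty if unset or blank).
get_env_key() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_smtp_config FILE: 0 when every SMTP key has a value, 1 if any is still blank.
check_smtp_config() {
  missing=0
  for k in globalSettings__mail__replyToEmail globalSettings__mail__smtp__host \
           globalSettings__mail__smtp__port globalSettings__mail__smtp__ssl \
           globalSettings__mail__smtp__username globalSettings__mail__smtp__password; do
    [ -n "$(get_env_key "$1" "$k")" ] || { echo "blank: $k" >&2; missing=1; }
  done
  return $missing
}

# Demo on a constructed copy of the template (real file: ./bwdata/env/global.override.env).
demo=$(mktemp)
printf '%s\n' 'globalSettings__mail__replyToEmail=' 'globalSettings__mail__smtp__host=' \
  'globalSettings__mail__smtp__port=' 'globalSettings__mail__smtp__ssl=' \
  'globalSettings__mail__smtp__username=' 'globalSettings__mail__smtp__password=' \
  'globalSettings__disableUserRegistration=false' > "$demo"
check_smtp_config "$demo" || echo "template not yet configured"
set_env_key "$demo" globalSettings__mail__replyToEmail no-reply@yourdomain.com
set_env_key "$demo" globalSettings__mail__smtp__host smtp.mailgun.org
set_env_key "$demo" globalSettings__mail__smtp__port 587
set_env_key "$demo" globalSettings__mail__smtp__ssl false
set_env_key "$demo" globalSettings__mail__smtp__username your_mailgun_smtp_username
set_env_key "$demo" globalSettings__mail__smtp__password 'p/a&ss\word'   # placeholder secret
set_env_key "$demo" globalSettings__disableUserRegistration true
check_smtp_config "$demo" && echo "SMTP configured; registration disabled=$(get_env_key "$demo" globalSettings__disableUserRegistration)"
rm -f "$demo"
```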
Updating Your Bitwarden Server Docker Container
Regular updates are crucial for security and new features. The `bitwarden.sh` script makes this process straightforward.
Switch back to the `bitwarden` user:
su - bitwarden
Navigate to the Bitwarden installation directory:
cd /opt/bitwarden
First, update the `bitwarden.sh` script itself:
./bitwarden.sh self-update
Finally, update the Bitwarden Server Docker stack. This process may take some time, and your server will be briefly inaccessible.
./bitwarden.sh update
Conclusion
You’ve successfully self-hosted your very own Bitwarden Server using Docker! This achievement puts you firmly in control of your password data, reinforcing your digital security and promoting true data sovereignty. While the process involves several steps, the long-term benefits of managing your private password manager on your own terms are immense.
Should you encounter any challenges, feel free to leave a comment below. If you found this tutorial valuable, explore our other Docker projects to expand your home lab setup capabilities!
FAQ
Question 1: Why should I self-host Bitwarden instead of using their cloud service?
Answer 1: Self-hosting Bitwarden provides unparalleled control over your sensitive data. It ensures **data sovereignty**, meaning your passwords are stored on hardware you own and manage, rather than on a third-party server. This can significantly enhance your privacy and security posture, giving you peace of mind that your **private password manager** is truly yours.
Question 2: What's the main difference between the official Bitwarden Server and Vaultwarden?
Answer 2: The official Bitwarden Server is designed for larger deployments and offers full feature parity with Bitwarden's cloud service, but it's more resource-intensive. Vaultwarden, on the other hand, is a lightweight, alternative implementation written in Rust, perfect for resource-constrained environments like a Raspberry Pi or smaller **home lab setup**. While it supports core Bitwarden features, it might not include every single niche feature available in the official server.
Question 3: What's a secure alternative to direct port forwarding for remote access to my self-hosted Bitwarden instance?
Answer 3: For enhanced security and simplicity, consider using a reverse proxy like Nginx Proxy Manager or a tunneling service like Cloudflare Tunnel. These solutions allow you to expose your Bitwarden server securely to the internet without directly opening ports on your router. A reverse proxy also makes it easier to manage multiple self-hosted services on a single domain using subdomains, and can integrate with Let's Encrypt for automatic SSL certificate renewal.