Reading time: ~10 minutes
Audience: Privacy-conscious users choosing a self-hosted password manager
Why Self-Host a Password Manager?
Cloud password managers (1Password, LastPass, Dashlane) store your credentials on their servers. Self-hosting provides:
| Benefit | Description |
|---|---|
| Data sovereignty | Your vault stays on your hardware |
| Zero subscription | No monthly fees |
| Auditability | You control the code and updates |
| No vendor lock-in | Export to standard formats anytime |
| No third-party breach exposure | Vendor breaches (LastPass 2022) cannot leak your vault; in exchange, your own server's patching, TLS and backups become your responsibility |
The Options
1. Vaultwarden (Unofficial Bitwarden)
A lightweight Rust implementation of the Bitwarden server API. The official Bitwarden clients (browser extensions, desktop and mobile apps, CLI) work against it unmodified.
| Aspect | Details |
|---|---|
| License | AGPL v3 |
| Language | Rust |
| Resource use | ~10MB RAM, negligible CPU |
| Deployment | Docker (single container) |
| API compatibility | Near-complete; the official clients work unmodified, a few enterprise-only endpoints are unimplemented |
| Cost | $0 |
| Organizations | Supported (unlimited users) |
| 2FA | TOTP, WebAuthn/FIDO2, email |
| Attachments | Supported (local storage) |
| Send | Supported (encrypted file sharing) |
| Emergency access | Supported |
Missing vs. official Bitwarden: SSO integration, SCIM directory sync, and the enterprise admin console. Vaultwarden does ship its own small /admin page (gated by ADMIN_TOKEN) for user management and server settings.
2. Official Bitwarden (Self-Hosted)
The official .NET-based server stack. Fully featured but resource-heavy.
| Aspect | Details |
|---|---|
| License | AGPL v3 (enterprise modules under the separate Bitwarden License) |
| Language | .NET/C# |
| Resource use | 2GB+ RAM, 2+ CPU cores |
| Deployment | Docker Compose (8+ containers) |
| API compatibility | 100% (native) |
| Cost | $0 (free tier); paid per-user plans unlock the enterprise features below |
| Organizations | Free tier limited to 2 members; larger organizations on paid tiers |
| 2FA | TOTP, WebAuthn/FIDO2, Duo, email, YubiKey OTP |
| SSO | SAML 2.0, OpenID Connect (paid) |
| SCIM | Directory sync (paid) |
| Admin portal | Full user/org management |
| Events | Audit logs (paid) |
3. KeePassXC (Desktop + Sync)
An offline password manager with optional sync via your own cloud (Nextcloud, Syncthing, etc.).
| Aspect | Details |
|---|---|
| License | GPL v2 or GPL v3 |
| Language | C++ |
| Resource use | ~50MB RAM (desktop app) |
| Deployment | Native app (no server) |
| Sync | Via Nextcloud, Syncthing, rsync, etc. |
| Cost | $0 |
| Database | Encrypted .kdbx file (AES-256, Argon2) |
| 2FA | TOTP generation for sites (built-in); database unlock can additionally require a YubiKey/OnlyKey challenge-response |
| Passkeys | Supported (FIDO2) |
| Auto-type | Global hotkey auto-fill |
| Browser | Extension available (KeePassXC-Browser) |
| Mobile | KeePassDX (Android), Strongbox (iOS) |
| Sharing | Via shared database file |
| Organizations | Manual (shared databases) |
Comparison Matrix
| Feature | Vaultwarden | Bitwarden (Official) | KeePassXC |
|---|---|---|---|
| Server required | Yes (Docker) | Yes (Docker) | No |
| RAM | ~10MB (server) | 2GB+ (server) | No server; ~50MB desktop app |
| Mobile sync | Automatic | Automatic | Manual/cloud sync |
| Browser extension | ✅ | ✅ | ✅ |
| Auto-fill | ✅ | ✅ | ✅ (auto-type) |
| TOTP | ✅ | ✅ | ✅ |
| Hardware-key vault 2FA | ✅ WebAuthn/FIDO2 | ✅ WebAuthn/FIDO2 | ✅ YubiKey challenge-response (HMAC-SHA1, not FIDO2) |
| Passkeys | ✅ | ✅ | ✅ |
| File attachments | ✅ | ✅ | ✅ |
| Secure sharing | ✅ (Send) | ✅ (Send) | ❌ (manual) |
| Organization sharing | ✅ | ✅ | ❌ (manual) |
| Emergency access | ✅ | ✅ | ❌ |
| SSO | ❌ | ✅ (paid) | ❌ |
| Audit logs | ❌ | ✅ (paid) | ❌ |
| Self-hosting complexity | Low | High | None |
| Offline use | Cached vault readable; server needed to edit or sync | Cached vault readable; server needed to edit or sync | ✅ fully offline |
| Export | JSON, CSV | JSON, CSV | XML, CSV, HTML |
| Encryption | AES-256-CBC + HMAC-SHA256; PBKDF2-SHA256 or Argon2id KDF | AES-256-CBC + HMAC-SHA256; PBKDF2-SHA256 or Argon2id KDF | AES-256 / ChaCha20 / Twofish; Argon2 or AES-KDF |
Deployment Guides
Vaultwarden Docker Compose
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    environment:
      # Public URL the clients will use (example hostname). It must be https://:
      # Bitwarden clients refuse to run the vault crypto over plain http, and
      # WebAuthn, invitation e-mails and Send links are all built from DOMAIN.
      - DOMAIN=https://vault.example.com
      # Leave true only until you have created your own account, then set false.
      - SIGNUPS_ALLOWED=true
      # Argon2 hash printed by `vaultwarden hash`, not the plaintext secret;
      # escape every `$` as `$$` inside a compose file.
      - ADMIN_TOKEN=***
    volumes:
      - vw-data:/data
    ports:
      # Bind to localhost only and terminate TLS in a reverse proxy in front.
      # Vaultwarden 1.29+ serves WebSocket notifications on this same port, so
      # the old WEBSOCKET_ENABLED flag and the 3012 mapping are no longer needed.
      - "127.0.0.1:8080:80"
    restart: unless-stopped
volumes:
  vw-data:
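The settings above are safe for first boot but not for leaving in place. The following script is an added example (not part of Vaultwarden) that reads a compose `environment:` list or a .env file and flags the hardening steps a first deployment usually misses: DOMAIN unset or not https, signups still open, a plaintext ADMIN_TOKEN, and the obsolete WEBSOCKET_ENABLED flag. The two sample configurations at the bottom are constructed; the hostname and Argon2 hash in them are placeholders.

```python
"""Flag Vaultwarden environment settings that are unsafe to leave in place.

Added example; not part of Vaultwarden. It checks the variable names
Vaultwarden documents (DOMAIN, SIGNUPS_ALLOWED, ADMIN_TOKEN, WEBSOCKET_ENABLED)
against the hardening rules a first deployment usually misses. The sample
configurations at the bottom are constructed for the example.
"""
import re

# `vaultwarden hash` prints the ADMIN_TOKEN as a PHC-format Argon2 string.
ARGON2_PHC = re.compile(r"^\$argon2(id|i|d)\$v=\d+\$")

TRUTHY = {"1", "true", "yes", "on"}


def parse_env_lines(lines):
    """Read KEY=VALUE pairs from a .env file or from the `- KEY=VALUE` items of a
    compose `environment:` list. Comments and blank lines are skipped, and the
    compose escape `$$` is folded back to a literal `$`."""
    env = {}
    for raw in lines:
        line = raw.strip().lstrip("-").strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip('"').strip("'").replace("$$", "$")
    return env


def audit_vaultwarden_env(env):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []

    domain = env.get("DOMAIN", "")
    if not domain:
        findings.append("DOMAIN unset: set the public https:// URL; WebAuthn, "
                        "invitation e-mails and Send links are derived from it")
    elif not domain.lower().startswith("https://"):
        findings.append(f"DOMAIN={domain}: must be https://; Bitwarden clients refuse "
                        "to run the vault over plain http")

    # SIGNUPS_ALLOWED defaults to true, so an absent key is also a finding.
    if env.get("SIGNUPS_ALLOWED", "true").lower() in TRUTHY:
        findings.append("SIGNUPS_ALLOWED=true: anyone who can reach the server may "
                        "register; set false once your own account exists")

    token = env.get("ADMIN_TOKEN")
    if token and not ARGON2_PHC.match(token):
        findings.append("ADMIN_TOKEN is stored in plaintext: use the Argon2 hash "
                        "printed by `vaultwarden hash` (escape `$` as `$$` in compose)")

    if "WEBSOCKET_ENABLED" in env:
        findings.append("WEBSOCKET_ENABLED is obsolete on Vaultwarden 1.29+; notifications "
                        "are served on the main port, so drop it and the 3012 mapping")
    return findings


# Constructed sample: a typical first-boot compose `environment:` block.
FIRST_BOOT = """
- WEBSOCKET_ENABLED=true
- SIGNUPS_ALLOWED=true
- ADMIN_TOKEN=hunter2
""".splitlines()

# Constructed sample: the same service hardened (placeholder hostname and hash).
HARDENED = """
- DOMAIN=https://vault.example.com
- SIGNUPS_ALLOWED=false
- ADMIN_TOKEN=$$argon2id$$v=19$$m=65540,t=3,p=4$$c2FsdA$$aGFzaA
""".splitlines()


if __name__ == "__main__":
    for label, sample in (("first boot", FIRST_BOOT), ("hardened", HARDENED)):
        findings = audit_vaultwarden_env(parse_env_lines(sample))
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run it against the `environment:` lines of your own compose file; the first-boot sample yields four findings and the hardened one none. The `$$` handling matters: a hash pasted without doubling the dollar signs is silently mangled by compose interpolation and the admin page simply stops accepting the token.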
Official Bitwarden Docker Compose
# Use the official Bitwarden installer. It needs an installation id and key,
# which you request at https://bitwarden.com/host/ before running it.
curl -Lso bitwarden.sh https://go.btwrdn.co/bw-sh
chmod +x bitwarden.sh
./bitwarden.sh install   # prompts for domain, Let's Encrypt, installation id/key
./bitwarden.sh start
Requires 2GB+ RAM, generates 8+ containers
KeePassXC Setup
# Linux (Ubuntu/Debian)
sudo apt install keepassxc
# macOS
brew install --cask keepassxc
# Windows
# Download from https://keepassxc.org/download/
# Sync via Nextcloud
# Place .kdbx in ~/Nextcloud/Passwords/
# Open from that path on all devices
Security Comparison
Encryption
| Manager | Algorithm | Key Derivation | Default KDF cost |
|---|---|---|---|
| Vaultwarden | AES-256-CBC + HMAC-SHA256 | PBKDF2-SHA256 (default) or Argon2id, chosen in the client | 600,000 iterations; the KDF runs client-side and the server only stores the parameters |
| Bitwarden | AES-256-CBC + HMAC-SHA256 | PBKDF2-SHA256 (default) or Argon2id | 600,000 iterations for new accounts; older accounts may still carry lower counts, raise them in account settings |
| KeePassXC | AES-256 / ChaCha20 / Twofish | Argon2d/Argon2id (KDBX4) or AES-KDF | Tunable: time, memory and parallelism |
Threat Model
| Threat | Vaultwarden | Bitwarden | KeePassXC |
|---|---|---|---|
| Server breach | Attacker gets vault ciphertext only; safe as long as the master password resists offline guessing. Caveat: the web vault's JavaScript is served by your server, so a compromised server can push a tampered web vault to browser users; the extensions and apps are not affected | Same | N/A (no server) |
| Client compromise | Malware on an unlocked client reads the decrypted vault from memory; a keylogger captures the master password | Same | Same |
| Cloud provider breach | No third party involved; your server's patching, TLS and backups are the risk | Same | The synced .kdbx is exposed to the sync provider, but encrypted; same offline-guessing caveat |
| Developer backdoor | Open source (auditable); pin image digests and review updates | Open source (auditable) | Open source (auditable) |
| Weak master password | Brute-forceable offline; the KDF only slows each guess, it cannot rescue a short password | Same | Same |
| Memory-safety bugs | Rust server (memory-safe) | Managed .NET runtime | C++ desktop app; no language-level guarantees |
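The "server breach" and "weak master password" rows come down to one question: how expensive is each offline guess against a stolen vault, and how many guesses does the password space hold? The following is an added example (not code from Bitwarden or Vaultwarden) that reproduces the Bitwarden-style derivation the encryption table describes, PBKDF2-HMAC-SHA256 over the master password salted with the lower-cased e-mail at 600,000 iterations, followed by the login hash and the HKDF split into encryption and MAC keys, then times it to estimate how long a full search of three constructed password spaces would take. The timing loop, the keyspace sizes and the 1000x GPU factor are assumptions for illustration, not benchmarks.

```python
"""Bitwarden-style master-key derivation with an offline-guessing cost estimate.

Added example; not code from Bitwarden or Vaultwarden. The derivation follows
the scheme the Bitwarden clients document (PBKDF2-HMAC-SHA256 over the master
password, salted with the lower-cased e-mail, 600,000 iterations by default,
then HKDF-expanded into encryption and MAC keys). The timing loop, the keyspace
sizes and the GPU speed-up factor are constructed assumptions for illustration.
"""
import base64
import hashlib
import hmac
import time

DEFAULT_ITERATIONS = 600_000  # current client default; older accounts may use fewer


def derive_master_key(password, email, iterations=DEFAULT_ITERATIONS):
    """32-byte master key = PBKDF2-SHA256(password, salt=normalised e-mail, iterations)."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def master_password_hash(master_key, password):
    """Login credential sent to the server: one more PBKDF2 round keyed the other
    way round (master key as password, password as salt), base64-encoded."""
    h = hashlib.pbkdf2_hmac("sha256", master_key, password.encode("utf-8"), 1, dklen=32)
    return base64.b64encode(h).decode("ascii")


def stretch_key(master_key):
    """HKDF-Expand (SHA-256, single block) of the master key into a 32-byte
    encryption key and a 32-byte MAC key; these unwrap the vault's symmetric key."""
    def expand(info):
        return hmac.new(master_key, info + b"\x01", hashlib.sha256).digest()
    return expand(b"enc"), expand(b"mac")


def guesses_per_second(iterations=DEFAULT_ITERATIONS, samples=3):
    """Single-core PBKDF2 throughput on this machine. Treat it as a floor: an
    attacker with a GPU rig gets orders of magnitude more."""
    start = time.perf_counter()
    for i in range(samples):
        derive_master_key(f"candidate-{i}", "victim@example.com", iterations)
    return samples / (time.perf_counter() - start)


def years_to_exhaust(keyspace, rate):
    """Worst-case time to try every candidate; the expected time is half of this."""
    return keyspace / rate / (365.0 * 24 * 3600)


# Constructed keyspaces, from a weak 8-character password to a long passphrase.
KEYSPACES = {
    "8 chars, a-z0-9": 36 ** 8,
    "4 diceware words": 7776 ** 4,
    "6 diceware words": 7776 ** 6,
}


def brute_force_report(rate, gpu_speedup=1000.0):
    """Years to exhaust each keyspace at the measured CPU rate and at an assumed
    GPU cluster `gpu_speedup` times faster (assumption, not a benchmark)."""
    return {
        name: (years_to_exhaust(n, rate), years_to_exhaust(n, rate * gpu_speedup))
        for name, n in KEYSPACES.items()
    }


if __name__ == "__main__":
    key = derive_master_key("correct horse battery staple", "Alice@Example.com")
    print("auth hash:", master_password_hash(key, "correct horse battery staple"))
    rate = guesses_per_second()
    print(f"{rate:.1f} guesses/s at {DEFAULT_ITERATIONS:,} iterations on one core")
    for name, (cpu_years, gpu_years) in brute_force_report(rate).items():
        print(f"{name:18s} cpu: {cpu_years:.3g} y   gpu x1000: {gpu_years:.3g} y")
```

The point the numbers make: at a few guesses per second per core, an 8-character alphanumeric password falls to a modest GPU rig in months, while four diceware words already take centuries and six are out of reach, regardless of which of the three managers holds the ciphertext. Raising the iteration count or switching to Argon2id multiplies the attacker's cost by a constant; choosing a longer passphrase multiplies it exponentially.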
When to Choose Vaultwarden
- Best for: Homelabbers wanting full Bitwarden compatibility at minimal resource cost
- Ideal if: You have Docker running and want browser/mobile sync
- Strength: ~10MB RAM, nearly all client-facing Bitwarden features, zero cost
- Tradeoff: No SSO, no enterprise admin portal
When to Choose Official Bitwarden
- Best for: Teams needing SSO, SCIM, or audit logs
- Ideal if: You’re a business or need enterprise features
- Strength: Official support, full feature set
- Tradeoff: 2GB+ RAM, complex deployment, paid features
When to Choose KeePassXC
- Best for: Users who want an offline-only vault under their sole control
- Ideal if: You don’t want any server at all
- Strength: No server, minimal attack surface, offline by default
- Tradeoff: Manual sync, no emergency access, no built-in sharing
Conclusion
Summary
For homelabbers, Vaultwarden is the sweet spot. It offers the full Bitwarden client experience (browser extensions, mobile apps, auto-fill, TOTP, passkeys) at a tiny fraction of the official server's memory footprint. KeePassXC is the choice for offline-only users, and the official Bitwarden server only makes sense when you need its enterprise features.
Next Steps
- Deploy Vaultwarden via Docker Compose (see config above)
- Install the official Bitwarden apps on all devices, choose Self-hosted on the login screen and enter your Vaultwarden URL (it must be HTTPS)
- Enable 2FA (WebAuthn/FIDO2 preferred)
- Set up backups of the /data volume (database, attachments, Sends, config.json and the RSA key pair that signs client sessions)
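Backing up /data needs one precaution: Vaultwarden's default backend is the SQLite file db.sqlite3, which the server writes while it runs, so a plain cp or rsync can capture a half-written page. The following is an added example, not a Vaultwarden tool, that takes a consistent snapshot through SQLite's online backup API, copies the other state Vaultwarden keeps under /data, packs everything into a timestamped archive and then verifies it by restoring into a scratch directory. The sample data directory it builds at the bottom is constructed so the script runs offline; in production the source is /data inside the container or its host mount, and the destination should be a different disk or host.

```python
"""Consistent backup of a Vaultwarden /data volume.

Added example, not a Vaultwarden tool. Uses SQLite's online backup API for
db.sqlite3 and copies the rest of the state Vaultwarden keeps under /data
(attachments, Sends, config.json and the RSA key pair that signs client
tokens). The sample data directory at the bottom is constructed so the script
runs offline; real paths are /data inside the container or the host mount.
"""
import pathlib
import shutil
import sqlite3
import tarfile
import tempfile
import time

DB_NAME = "db.sqlite3"
# Everything else worth keeping; icon_cache is omitted because it regenerates on demand.
EXTRA = ["attachments", "sends", "config.json", "rsa_key.pem", "rsa_key.pub.pem"]


def backup_vaultwarden(data_dir, dest_dir):
    """Write dest_dir/vw-<timestamp>.tar.gz and return its path."""
    data_dir, dest_dir = pathlib.Path(data_dir), pathlib.Path(dest_dir)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    staging = dest_dir / f"vw-{stamp}"
    staging.mkdir(parents=True)

    # Online backup: a consistent snapshot even while Vaultwarden is writing.
    src = sqlite3.connect(f"file:{data_dir / DB_NAME}?mode=ro", uri=True)
    dst = sqlite3.connect(staging / DB_NAME)
    src.backup(dst)
    dst.close()
    src.close()

    for name in EXTRA:
        path = data_dir / name
        if path.is_dir():
            shutil.copytree(path, staging / name)
        elif path.is_file():
            shutil.copy2(path, staging / name)

    archive = dest_dir / f"vw-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(staging, arcname=staging.name)
    shutil.rmtree(staging)
    archive.chmod(0o600)  # holds the token-signing key and the vault ciphertext
    return archive


def verify_backup(archive):
    """Restore into a scratch directory and check that the database passes
    PRAGMA integrity_check and that the signing key came along."""
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(archive) as tar:
            tar.extractall(tmp)
        roots = [p for p in pathlib.Path(tmp).iterdir() if p.is_dir()]
        if len(roots) != 1 or not (roots[0] / "rsa_key.pem").is_file():
            return False
        con = sqlite3.connect(f"file:{roots[0] / DB_NAME}?mode=ro", uri=True)
        try:
            return con.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
        finally:
            con.close()


def make_sample_data_dir():
    """Constructed stand-in for /data: a toy SQLite table plus dummy key and
    attachment files. Not real Vaultwarden data or schema."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="vw-example-")) / "data"
    (root / "attachments" / "cipher-1").mkdir(parents=True)
    (root / "attachments" / "cipher-1" / "blob").write_bytes(b"\x00" * 64)
    (root / "rsa_key.pem").write_text("-----BEGIN PRIVATE KEY-----\nDUMMY\n-----END PRIVATE KEY-----\n")
    con = sqlite3.connect(root / DB_NAME)
    con.execute("CREATE TABLE users (uuid TEXT PRIMARY KEY, email TEXT)")
    con.execute("INSERT INTO users VALUES ('u-1', 'alice@example.com')")
    con.commit()
    con.close()
    return root


if __name__ == "__main__":
    data = make_sample_data_dir()
    archive = backup_vaultwarden(data, data.parent / "backups")
    print(archive, "verified" if verify_backup(archive) else "CORRUPT")
```

The archive contains everything needed to stand the server up again, including rsa_key.pem, so treat it with the same care as the vault itself: restrict permissions (the script sets 0600), encrypt it before it leaves the host, and run the verify step on every backup rather than discovering a torn database on restore day.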
- Which password manager secures your vault? Vaultwarden, KeePassXC, or something else?
- Subscribe for homelab security and privacy guides.