
Deploy Your Own Bitwarden Password Management Server

Published: 2021-02-17
bitwarden 1password docker deploy lastpass openssl letsencrypt

Many people are not comfortable storing their passwords with a hosted service such as LastPass. Even though the provider states that vaults are encrypted and the server never sees user passwords, some still feel uneasy. In that case you can deploy bitwarden_rs, an open-source, Bitwarden-compatible server, and run your own password management backend.

Prerequisites: a VPS and a domain name whose DNS record already resolves to the server's IP address.

Install Docker

1. Run the official installation script. It is fetched over HTTPS and piped straight into a root shell, so download it first and read it if that concerns you.

wget -qO- https://get.docker.com | bash

2. Verify the installation

docker version

3. Start Docker

systemctl start docker

4. Check that Docker is running (the status line should show active (running) in green)

systemctl status docker

5. Enable Docker to start on boot

systemctl enable docker

Install Bitwarden

1. Pull the bitwarden_rs image

docker pull bitwardenrs/server:latest

2. Run the container. The stop/rm lines only matter when a container named bitwarden already exists and fail harmlessly otherwise; the data directory is created under /root, so run this as root or adjust the -v path. This first run serves plain HTTP only, which is enough to confirm the container starts, but the Bitwarden web vault and clients require HTTPS, so a real deployment needs the TLS setup in the next section.

cd ~
mkdir bw-data
docker stop bitwarden
docker rm bitwarden
docker run -d --name bitwarden -v /root/bw-data/:/data/ -p 80:80 -p 443:443 bitwardenrs/server:latest

3. Open firewall ports 80 and 443 (firewalld commands shown; on Debian/Ubuntu with ufw the equivalent is ufw allow 80/tcp and ufw allow 443/tcp)

firewall-cmd --permanent --zone=public --add-port=80/tcp
firewall-cmd --permanent --zone=public --add-port=443/tcp
firewall-cmd --reload

Run with Custom Parameters

This section re-runs the container with custom parameters: HTTPS support, a locked-down registration policy and an admin token for the management page.

1. Pull the bitwarden_rs image

docker pull bitwardenrs/server:latest

2. Generate an admin token for the user management page (/admin). Keep it secret: whoever holds it can create, invite and delete users.

openssl rand -base64 48

3. Obtain a TLS certificate with acme.sh. This is just one method; any other ACME client or an existing certificate works as well.

3.1 Download and run the acme.sh installer

curl https://get.acme.sh | sh

3.2 Issue a certificate. Standalone mode starts its own listener on port 80, so the port must be free: stop the container from the previous section first (docker stop bitwarden). Newer acme.sh releases default to the ZeroSSL CA; add --server letsencrypt if you want a Let's Encrypt certificate.

apt install socat # Debian-family example; standalone mode needs socat
acme.sh --issue -d yourdomain.com --standalone

3.3 Install the certificate and key into the directory you will mount into the container. The file names must match the paths ROCKET_TLS refers to in the next step. Adding --reloadcmd "docker restart bitwarden" makes the cron job that acme.sh installs restart the container after each renewal, so it does not keep serving the expired certificate.

acme.sh --installcert -d yourdomain.com \
--key-file /path/to/yourdomain.com.key \
--fullchain-file /path/to/fullchain.cer

4. Run the bitwarden_rs container

docker stop bitwarden
docker rm bitwarden
docker run -d --name bitwarden \
-e SIGNUPS_ALLOWED=false \
-e INVITATIONS_ALLOWED=false \
-e ADMIN_TOKEN={ADMIN_TOKEN} \
-e ROCKET_TLS='{certs="/ssl/fullchain.pem",key="/ssl/privkey.pem"}' \
-e DOMAIN=https://margrop.net \
-e DATA_FOLDER=/data/ \
-p 443:80 \
-v /root/bw-ssl:/ssl/ \
-v /root/bw-data:/data/ \
bitwardenrs/server:latest
docker logs --tail=100 bitwarden

Replace {ADMIN_TOKEN} with the value from step 2 and set DOMAIN to the name on your certificate. With ROCKET_TLS set, the server's internal port 80 speaks HTTPS, which is why host port 443 is mapped to container port 80 and port 80 is no longer published. The certificate and key must exist on the host as /root/bw-ssl/fullchain.pem and /root/bw-ssl/privkey.pem (the paths ROCKET_TLS sees under /ssl/), otherwise the container exits at start-up; the docker logs line is there to catch exactly that. The command carries no --restart policy, so the container will not come back after a reboot unless you add one (for example --restart unless-stopped).

Parameter meanings:

SIGNUPS_ALLOWED: whether open registration is allowed
INVITATIONS_ALLOWED: whether organization invitations may create new accounts
ADMIN_TOKEN: token for the user management page (/admin), which can delete users and invite new ones
ROCKET_TLS: certificate and key paths as seen inside the container; requires a matching -v /path/to/host/ssl/:/path/to/container/ssl/ volume, the first path being the certificate location on the host and the second the location inside the container
DOMAIN: the public URL of the server
LOG_FILE, LOG_LEVEL, EXTENDED_LOGGING: log file path and log level
DATA_FOLDER: data directory inside the container (default /data); besides this directory, the attachment, icon cache and database locations can be set separately
DATABASE_URL: database path
ATTACHMENT_FOLDER: attachments path
ICON_CACHE_FOLDER: icon cache path

The above are the settings I personally find necessary. For the remaining parameters, refer to the official Wiki.

Complete example with the author's own values (substitute your domain, certificate paths and token; a token that has been published, like the one below, must never be reused):

docker run -d --name bitwarden \
-e SIGNUPS_ALLOWED=false \
-e INVITATIONS_ALLOWED=false \
-e ADMIN_TOKEN=bTVsf7Hj99HPxECRPOL9U70bP0Iy5lXmbbJVP2tvwDszB8CClv+MD3TT6mSJTa4L \
-e ROCKET_TLS='{certs="/ssl/bw.withdewhua.space/fullchain.cer",key="/ssl/bw.withdewhua.space/bw.withdewhua.space.key"}' \
-e DOMAIN=https://bw.withdewhua.space \
-e LOG_FILE=/data/bitwarden.warn.log \
-e LOG_LEVEL=warn \
-e EXTENDED_LOGGING=true \
-p 443:80 \
-v /bw-data/:/data/ \
-v /usr/local/nginx/conf/ssl/:/ssl/ \
bitwardenrs/server:latest
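As an added example (the editor's own helper script, not code from the original post or from the bitwarden_rs project), the following POSIX shell functions run the checks that catch the usual start-up failures of the command above before it is executed: a too-short ADMIN_TOKEN, a DOMAIN that is not https:// while ROCKET_TLS is set, and ROCKET_TLS paths that do not exist under the host directory mounted at /ssl/. The 32-character minimum, the --restart policy and all function names are assumptions.

```sh
#!/bin/sh
# Added example (not part of the original post or of bitwarden_rs): pre-flight
# checks for the "Run with Custom Parameters" docker run line. Function names,
# the 32-character token minimum and the --restart policy are assumptions.
set -eu

# Same token generation the post uses (openssl rand -base64 48), with a
# /dev/urandom fallback for hosts without openssl.
gen_admin_token() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 48 | tr -d '\n'
    else
        head -c 48 /dev/urandom | base64 | tr -d '\n'
    fi
}

# /admin is protected only by this token, so refuse short ones.
check_admin_token() {
    [ "${#1}" -ge 32 ]
}

# DOMAIN is embedded in invitation links and attachment URLs; with ROCKET_TLS
# set it must be an https:// URL, or clients are sent to a port that only
# speaks TLS over plain http.
check_domain() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "DOMAIN must start with https:// (got: $1)" >&2; return 1 ;;
    esac
}

# ROCKET_TLS names files as the *container* sees them under /ssl/. The
# container exits at start-up if the host directory mounted there does not
# contain them, so map each container path back to the host and check it.
# Usage: check_tls_files HOST_SSL_DIR CONTAINER_CERT_PATH CONTAINER_KEY_PATH
check_tls_files() {
    host_dir="${1%/}"
    for p in "$2" "$3"; do
        case "$p" in
            /ssl/*) f="$host_dir/${p#/ssl/}" ;;
            *) echo "ROCKET_TLS path $p is not under the /ssl/ mount" >&2; return 1 ;;
        esac
        [ -r "$f" ] || { echo "not readable on host: $f" >&2; return 1; }
    done
}

# Assemble the docker run line from validated inputs and print it. The
# --restart policy is an addition to the post's command so the vault comes
# back after a reboot. Nothing is printed if any check fails.
# Usage: build_run_cmd DOMAIN ADMIN_TOKEN HOST_SSL_DIR HOST_DATA_DIR CERT KEY
build_run_cmd() {
    check_domain "$1" && check_admin_token "$2" && check_tls_files "$3" "$5" "$6" || return 1
    printf 'docker run -d --name bitwarden --restart unless-stopped'
    printf ' -e SIGNUPS_ALLOWED=false -e INVITATIONS_ALLOWED=false'
    printf ' -e ADMIN_TOKEN=%s' "$2"
    printf " -e ROCKET_TLS='{certs=\"%s\",key=\"%s\"}'" "$5" "$6"
    printf ' -e DOMAIN=%s -p 443:80 -v %s:/ssl/ -v %s:/data/ bitwardenrs/server:latest\n' "$1" "$3" "$4"
}
```

Source the file and call build_run_cmd with your domain, a fresh token from gen_admin_token, the host certificate and data directories and the two container-side paths; it prints the docker run line only when every check passes, so the error you get is the missing file or bad URL rather than a container that dies silently.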

Container Management Commands

$name is the name defined in docker run

Start a container

docker start $name

Stop a container

docker stop $name

Remove a container

docker rm $name

List all containers, including stopped ones, with their sizes

docker ps -as

Upgrade the Bitwarden Image

1. Pull the image again. Note that bitwarden_rs was renamed Vaultwarden in 2021 and new releases are published only as vaultwarden/server; the bitwardenrs/server tag no longer receives updates, so switch the image name in this and the following commands when you upgrade.

docker pull bitwardenrs/server:latest

2. Stop and remove the old container

docker stop bitwarden
docker rm bitwarden

3. Re-run the docker run command from above. The data directory on the host is kept, so the vaults survive the upgrade; back it up first all the same.

4. View image files

docker image ls

5. Delete the old image. $ID is the IMAGE ID of the superseded (now untagged) image listed in step 4.

docker image rm $ID
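The five upgrade steps above as one script, as an added example that is not part of the original post or of the bitwarden_rs project: it takes a backup of the data directory while the container is stopped (the only moment the SQLite database and its journal files are guaranteed consistent) and removes the old image only if the pull actually replaced it. The image and container names, the directory defaults and the function names are the editor's assumptions.

```sh
#!/bin/sh
# Added example (not part of the original post or of bitwarden_rs): the
# upgrade procedure with a consistent backup inserted between stop and rm.
# Defaults below are assumptions; override them via environment variables.
set -eu

IMAGE="${IMAGE:-bitwardenrs/server:latest}"
CONTAINER="${CONTAINER:-bitwarden}"
DATA_DIR="${DATA_DIR:-/root/bw-data}"
BACKUP_DIR="${BACKUP_DIR:-/root/bw-backups}"

# Archive DATA_DIR (db.sqlite3, attachments, icon cache) into a timestamped
# tarball and print its path. Call this only after "docker stop", so the
# database and its -wal/-shm journal files are quiescent.
# Usage: backup_bw_data DATA_DIR BACKUP_DIR
backup_bw_data() {
    src="${1%/}"
    dst="${2%/}"
    [ -f "$src/db.sqlite3" ] || { echo "no db.sqlite3 in $src" >&2; return 1; }
    mkdir -p "$dst"
    out="$dst/bw-data-$(date -u +%Y%m%dT%H%M%SZ).tar"
    tar -cf "$out" -C "$(dirname "$src")" "$(basename "$src")"
    chmod 600 "$out"   # the archive holds every user's encrypted vault
    echo "$out"
}

# Return 0 if the archive actually contains the database.
# Usage: verify_backup ARCHIVE
verify_backup() {
    tar -tf "$1" | grep -q '/db.sqlite3$'
}

# Steps 1-5 of the upgrade section. RUN_CMD must be the same docker run line
# that created the container (the one from "Run with Custom Parameters").
# Usage: upgrade_bitwarden "docker run -d --name bitwarden ... bitwardenrs/server:latest"
upgrade_bitwarden() {
    run_cmd="$1"
    old_image=$(docker image inspect --format '{{.Id}}' "$IMAGE")
    docker pull "$IMAGE"                                    # step 1
    docker stop "$CONTAINER"                                # step 2 (stop)
    archive=$(backup_bw_data "$DATA_DIR" "$BACKUP_DIR")
    verify_backup "$archive"                                # abort before rm if the backup is bad
    docker rm "$CONTAINER"                                  # step 2 (remove)
    sh -c "$run_cmd"                                        # step 3
    new_image=$(docker image inspect --format '{{.Id}}' "$IMAGE")   # step 4
    [ "$old_image" = "$new_image" ] || docker image rm "$old_image"  # step 5
}
```

Because the backup is verified before docker rm runs, a full disk or an unreadable data directory stops the upgrade while the old container is still there to be started again with docker start.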

Client Usage Instructions

Open the browser extension, click the settings (gear) button in the top-right corner, enter your server's URL (https://yourdomain.com) as the server URL, save, and log in as usual.

If you already use the official Bitwarden service, export your vault there and import it into your own server.

This Docker image has low hardware requirements; 512 MB of RAM is sufficient. All the features you need are available, from basic password storage to file attachments. Even the built-in TOTP authenticator and the password exposure reports, which are paid features on the official plan, are directly usable here. If you don't trust your passwords on someone else's server, you can set up your own, or even host it on your NAS at home.

Reference Articles

https://www.jianshu.com/p/e432752a659d
https://hub.docker.com/r/bitwardenrs/server
https://github.com/dani-garcia/bitwarden_rs/wiki
https://host.bitwarden.in/deploying-and-using-of-bitwarden_rs/configuration