If you have more than a couple of online accounts, you have a password problem—whether you feel it or not. Most people end up reusing passwords, storing them in notes, or relying on memory. That’s how accounts get compromised.
Bitwarden is a modern password manager that solves this cleanly: it stores your passwords (and other secrets) in an encrypted vault, syncs across devices, and lets you auto‑fill logins safely. ✅
In this guide, you’ll deploy a self-hosted Bitwarden password manager behind HTTPS and keep it maintainable with clean updates and reliable backups. 🛡️
In this post, I’ll cover:
- What Bitwarden is and why it matters 🧠
- Key benefits (security + convenience) 🚀
- A detailed, repeatable self‑hosting setup using Bitwarden Lite in Docker on OpenMediaVault (OMV) 🧰
- How to run a self-hosted Bitwarden password manager behind Nginx Proxy Manager (HTTPS + domain) 🌍🔒
- How to update and back up your vault safely ♻️🗄️
Target setup used in this guide:
- Domain: vault.example.com
- Nginx Proxy Manager: 10.0.0.10
- OMV (Docker host): 10.0.0.20
What Is Bitwarden? 🧩
Bitwarden is a password manager that stores:
- Passwords and usernames 🔑
- Secure notes 📝
- Credit card details 💳
- Passkeys / authenticator items (depending on client/platform) 🔐
Everything in your vault is protected with end‑to‑end encryption, meaning the server never sees your secrets in plaintext. Your master password (and related cryptographic keys) remains the gatekeeper.
Bitwarden works via:
- Web vault (browser access) 🌐
- Browser extensions 🧩
- Desktop apps 💻
- Mobile apps 📱
Why You Need a Password Manager (Even If You Think You Don’t) ⚠️
Here’s the reality:
- Password reuse makes a single breach cascade into many. Domino effect. 🧱
- Weak passwords are still common because humans optimize for memory, not entropy. 🧠
- Phishing is easier when you manually type passwords—auto‑fill helps you notice fake domains. 🎣
- Two‑factor authentication helps, but it’s not a substitute for strong, unique passwords. 🔒
A good password manager removes the tradeoff between strong security and day‑to‑day convenience.
Bitwarden Benefits (Why People Love It) 🚀
1) Strong security without daily friction 🔐
- Generate unique, high‑entropy passwords per site 🎲
- Auto‑fill logins so you don’t type passwords constantly ⌨️
- Share secrets securely with family/team (depending on your plan) 👥
2) Cross‑platform by design 🌍
- Same vault on phone, laptop, browser, desktop
- Works across Windows/macOS/Linux/iOS/Android
3) Self‑hosting option 🏠
If you’re into homelab or just like owning your data:
- Run Bitwarden server on your own infrastructure
- Keep control over uptime, updates, and backups
4) Transparent and practical 🔎
Bitwarden is widely used, well documented, and designed for real-world usage—not just theory.
Self‑Hosting Approach Used Here: Bitwarden Lite 🧠➡️🐳
This tutorial builds a self-hosted Bitwarden password manager using Bitwarden Lite, which is great for personal/homelab setups because it can run as a single container.
In this guide we’ll use:
- Bitwarden Lite (one container)
- SQLite database stored inside the mounted Bitwarden data volume (simple and reliable for personal use)
- Nginx Proxy Manager on a separate machine to provide:
  - HTTPS (Let’s Encrypt) 🔒
  - Domain routing (vault.example.com) 🌍
Part 1 — Installation (Docker on OMV + Domain + HTTPS) 🛠️
1) Prerequisites ✅
Before you start:
- Docker Engine installed on OMV (10.0.0.20) 🐳
- Docker Compose available (docker compose ...) 🧩
- Nginx Proxy Manager running on 10.0.0.10 🌐
- DNS record for vault.example.com pointing to your public IP (where ports 80/443 forward to NPM) 📌
- Router port-forwarding:
  - TCP 80 → 10.0.0.10
  - TCP 443 → 10.0.0.10
Quick checks on OMV:
docker --version
docker compose version
2) Get Bitwarden Installation ID + Key 🧾🔑
Bitwarden self‑hosting requires:
- Installation ID
- Installation Key
Generate them from Bitwarden’s official hosting portal:
https://bitwarden.com/host/
Keep these values private.
3) Create the project folder on OMV 📁
On OMV (10.0.0.20):
sudo mkdir -p /srv/docker/bitwarden-lite/bwdata
cd /srv/docker/bitwarden-lite
bwdata/ will hold your persistent vault data, including the SQLite database file.
4) Create settings.env (secure config) 🧷
sudo nano /srv/docker/bitwarden-lite/settings.env
Paste this:
# Required Settings
BW_DOMAIN=vault.example.com
# Database (single-container simplest)
BW_DB_PROVIDER=sqlite
# If not set, Bitwarden will create /etc/bitwarden/vault.db automatically
# BW_DB_FILE=/etc/bitwarden/vault.db
# Required: generate these at https://bitwarden.com/host/
BW_INSTALLATION_ID=PASTE_YOUR_ID
BW_INSTALLATION_KEY=PASTE_YOUR_KEY
Lock down the file permissions:
sudo chmod 600 /srv/docker/bitwarden-lite/settings.env
5) Create docker-compose.yml 🐳
Because NPM is on a different machine, Bitwarden must be reachable over the LAN. We’ll expose a LAN-only port on OMV.
sudo nano /srv/docker/bitwarden-lite/docker-compose.yml
Paste:
version: "3.8"
services:
  bitwarden:
    image: ghcr.io/bitwarden/lite
    container_name: bitwarden
    restart: unless-stopped
    env_file:
      - settings.env
    volumes:
      - ./bwdata:/etc/bitwarden
    ports:
      # Bind explicitly to OMV LAN IP so it listens only there
      - "10.0.0.20:8085:8080"
Why bind to 10.0.0.20?
- It prevents accidental exposure on other interfaces.
- It makes the intent explicit: LAN access only.
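To check that reasoning against a list of Compose port mappings, the sketch below classifies the host side of each short-syntax entry and flags anything that listens beyond the intended LAN address. It is an added example, not part of the original guide or of Bitwarden's tooling; the function names and the sample list are assumptions made for illustration, and Compose's long port syntax is not handled.

```python
import ipaddress


def host_binding(port_spec):
    """Classify the host side of a Compose short-syntax port mapping."""
    spec = port_spec.split("/", 1)[0]      # drop a "/tcp" or "/udp" suffix
    parts = spec.rsplit(":", 2)            # [host_ip:]host_port:container_port
    if len(parts) < 3:
        # "8085:8080" or "8080": no host IP, so Docker listens on every interface
        return "all-interfaces"
    ip = ipaddress.ip_address(parts[0].strip("[]"))   # IPv6 may be bracketed
    if ip.is_unspecified:                  # 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:
        return "loopback"
    return str(ip)


def audit_ports(port_specs, allowed_ip):
    """Return (spec, binding) pairs that listen anywhere except allowed_ip or loopback."""
    findings = []
    for spec in port_specs:
        binding = host_binding(spec)
        if binding not in (allowed_ip, "loopback"):
            findings.append((spec, binding))
    return findings


if __name__ == "__main__":
    # Constructed sample: the mapping from this guide plus two looser variants.
    sample = ["10.0.0.20:8085:8080", "8085:8080", "0.0.0.0:8085:8080/tcp"]
    for spec, binding in audit_ports(sample, "10.0.0.20"):
        print(f"{spec!r} listens on {binding}")
```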
6) Start Bitwarden Lite ▶️
cd /srv/docker/bitwarden-lite
sudo docker compose up -d
sudo docker ps --format 'table {{.Names}}\t{{.Status}}\t{{.Ports}}'
Sanity check from any LAN machine:
curl -I http://10.0.0.20:8085
If something fails, check logs:
sudo docker logs --tail 200 bitwarden
7) Nginx Proxy Manager: add the domain vault.example.com 🌍🔒
On NPM (10.0.0.10):
Hosts → Proxy Hosts → Add Proxy Host
Details
- Domain Names: vault.example.com
- Scheme: http
- Forward Hostname / IP: 10.0.0.20
- Forward Port: 8085
- Enable:
  - Websockets Support ✅
  - Block Common Exploits ✅ (recommended)
SSL
- Request a new Let’s Encrypt certificate
- Enable:
  - Force SSL ✅
  - (Optional) HTTP/2 Support
After that, your vault should be reachable at:
https://vault.example.com
8) Optional hardening: allow only NPM to access port 8085 🧱
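If you don’t want other LAN devices to access Bitwarden directly (recommended), only allow 10.0.0.10.
One caveat: with Docker's default iptables integration, traffic to a published port is NATed and forwarded to the container, so it does not pass through the host's INPUT chain. Rules that filter INPUT, including the UFW rules in Option A, do not by themselves restrict the container's published port. Option B therefore places the rule in the DOCKER-USER chain, which Docker evaluates for forwarded container traffic.
Option A — UFW (if installed)
sudo ufw allow from 10.0.0.10 to any port 8085 proto tcp
sudo ufw deny 8085/tcp
sudo ufw status verbose
Option B — iptables (common on many Linux systems)
# Drop new connections to published port 8085 unless they come from NPM (matches the pre-NAT port)
sudo iptables -I DOCKER-USER -p tcp -m conntrack --ctorigdstport 8085 --ctdir ORIGINAL ! -s 10.0.0.10 -j DROP
sudo iptables -L DOCKER-USER -n -v
Note: iptables rules may not persist across reboots unless you make them persistent.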
Part 2 — Updating Bitwarden Lite ♻️
Updating is simple and predictable:
cd /srv/docker/bitwarden-lite
sudo docker compose down
sudo docker compose pull
sudo docker compose up -d
After update, confirm it’s healthy:
sudo docker ps --format 'table {{.Names}}\t{{.Status}}\t{{.Ports}}'
sudo docker logs --tail 100 bitwarden
Part 3 — Backups (Do This. Seriously.) 🗄️
With SQLite, your entire vault database and server data live inside:
/srv/docker/bitwarden-lite/bwdata
That means backups are straightforward—but consistency matters.
1) Simple safe backup (stop → archive → start) ✅
cd /srv/docker/bitwarden-lite
sudo docker compose down
sudo tar -czf /srv/docker/bitwarden-lite-bwdata-$(date +%F).tar.gz bwdata
sudo docker compose up -d
2) Verify your backup file 🧪
ls -lah /srv/docker/bitwarden-lite-bwdata-*.tar.gz
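Listing the file only shows that an archive exists. The script below, an added example that is not part of the original guide, opens the archive, pulls out the SQLite database and runs SQLite's own integrity check on a temporary copy. It assumes the default database location from settings.env, which lands in the archive as bwdata/vault.db; the function names are illustrative.

```python
import os
import sqlite3
import sys
import tarfile
import tempfile
import zlib

DB_MEMBER = "bwdata/vault.db"  # assumed: default SQLite path inside the bwdata volume

def check_sqlite(path):
    """Run SQLite's consistency check on an extracted copy of the vault."""
    con = sqlite3.connect(path)
    try:
        rows = con.execute("PRAGMA integrity_check").fetchall()
        tables = con.execute(
            "SELECT count(*) FROM sqlite_master WHERE type='table'").fetchone()[0]
    except sqlite3.DatabaseError as exc:
        return [f"vault.db is not a usable SQLite database: {exc}"]
    finally:
        con.close()
    problems = [f"integrity_check: {r[0]}" for r in rows if r[0] != "ok"]
    if tables == 0:
        # A zero-byte file passes integrity_check, so require a schema as well.
        problems.append("vault.db contains no tables")
    return problems

def verify_backup(archive_path, db_member=DB_MEMBER):
    """Return a list of problems; an empty list means the backup looks restorable."""
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                member = tar.getmember(db_member)
            except KeyError:
                return [f"{db_member} not found in archive"]
            src = tar.extractfile(member)
            if src is None:
                return [f"{db_member} is not a regular file"]
            with tempfile.TemporaryDirectory() as tmp:
                db_copy = os.path.join(tmp, "vault.db")
                with open(db_copy, "wb") as dst:
                    dst.write(src.read())  # decompression errors surface here
                return check_sqlite(db_copy)
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        return [f"archive unreadable: {exc}"]

if __name__ == "__main__":
    print(verify_backup(sys.argv[1]) or "backup OK")
```

Run it with the archive path as the only argument; the check works on a temporary copy and never touches the live bwdata directory.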
3) Restore procedure (when you really need it) 🧯
- Stop the container:
cd /srv/docker/bitwarden-lite
sudo docker compose down
- Move the current data aside (safety net):
sudo mv bwdata bwdata.broken.$(date +%F-%H%M)
- Restore from backup:
sudo mkdir -p bwdata
sudo tar -xzf /srv/docker/bitwarden-lite-bwdata-YYYY-MM-DD.tar.gz -C /srv/docker/bitwarden-lite
- Start again:
sudo docker compose up -d
Quick FAQ 🔎
“Should I use Vaultwarden instead?” 🤔
Vaultwarden is a popular, lightweight, community implementation compatible with Bitwarden clients.
- ✅ Often uses fewer resources
- ✅ Works with official Bitwarden mobile apps and browser extensions
- ⚠️ Not official; compatibility can break after updates
If your priority is maximum simplicity + low resource usage, Vaultwarden is attractive. If your priority is an official support path, stick with Bitwarden (Lite/Standard).
“Is SQLite OK?” 🗃️
For personal use and small homelab setups, SQLite is usually fine. If you expect heavier usage (many users, heavy concurrent operations), consider a dedicated database (MariaDB/PostgreSQL).
Final Notes ✅
- Use HTTPS (you already are via NPM) 🔒
- Treat this as a production service: a self-hosted Bitwarden password manager is only as safe as your patching and backups 🛡️
- Protect your settings.env and back up bwdata regularly 🗄️
- Keep your OS and Docker updated ♻️

