Vaultwarden is an open-source, Rust-based implementation of Bitwarden's server API that provides full compatibility with official Bitwarden clients while consuming only 10MB of RAM compared to 4GB required by the official self-hosted version, making it ideal for resource-constrained environments like Raspberry Pi; it supports all Bitwarden features including personal vaults, organizations, MFA, and emergency access, with a simple two-command installation process and AGPL-3.0 licensing that prevents commercial repackaging.
Deep Dive
Vaultwarden: the Rust Bitwarden that fits in 10MB
Most people who self-host Bitwarden aren't actually running Bitwarden.
They're running an unofficial rewrite that someone named Daniel started in his spare time 8 years ago. It's called Vaultwarden. It's a from-scratch Rust implementation of Bitwarden's server API, so every official Bitwarden client, from the browser extension to the command-line tool, works against it without modification. It boots in a Docker container that idles at around 10 MB of memory. The official Bitwarden self-host stack wants 4 GB of RAM and a stack of containers to do the same job.
Vaultwarden runs comfortably on a Raspberry Pi sitting next to your router. That's the gap and that's why home labbers and small teams quietly switched years ago.
Walk through the README and the framing gets really clear. Right at the top, the author says this is for self-hosted deployment where running the official resource-heavy service might not be ideal. That's the polite way of saying the real Bitwarden server is over-engineered for one person.
Scroll down and you hit the feature list and it covers nearly the entire Bitwarden surface area.
The personal vault works one-to-one with upstream, plus Send for encrypted file sharing and attachments.
Organizations come with the collections and policies you'd expect. Multi-factor auth handles the usual hardware keys, and there's emergency access if you go silent. An admin backend sits behind a token you generate yourself. Then come install instructions that are literally two commands long. The whole thing fits on one page.
Here's the thing about every other option in this space. Bitwarden cloud is free and fine, but in the last year the company tightened the screws on the free tier.
Premium quietly became a $1.65 a month upsell. That's hard to ignore once you have shared logins at home. 1Password and Dashlane have never been free at all. LastPass had a breach in 2022 that's still costing customers vaults years later.
Self-hosting the official Bitwarden stack means Microsoft SQL Server plus a stack of containers handling identity and notifications.
Vaultwarden replaces all of that with one small binary that does the same job.
Four numbers tell the story.
Adoption past the official server says people moved. Fork activity proves they're actually hacking on it, not just bookmarking. The contributor count is small enough you can name the regulars.
And the license choice locked out anyone trying to commercialize a fork.
Okay, so what's actually inside? The personal vault is one-to-one with Bitwarden, covering everything from logins to payment card fields without losing any custom field flexibility. Send is in there, too, which handles encrypted file and text sharing with self-destructing links and optional password protection.
Attachments work, and there's a personal access key that lets command line scripts hit your vault directly.
Organizations are the big one for small teams.
You get collections and groups out of the box. Member roles can be scoped tightly. Event logs cover audits, and directory sync picks up new hires.
Policies enforce things like password complexity or required two-factor across the whole organization.
On the security side, multi-factor through Vaultwarden covers a few different modes.
The authenticator app and email codes work out of the box, while hardware keys go through FIDO2 WebAuthn, and the enterprise Duo integration is wired in for bigger teams.
Emergency access lets a designated person request your vault if you go silent for too long.
The admin back-end is a separate token-protected page where you create users and set quotas.
SMTP configuration lives there, too, plus a live view of pending invitations.
The web vault shipped inside the container is a modified build of Bitwarden's official one kept in lockstep with each upstream release.
Every part of this came from a community patching against a moving target because the upstream API changes constantly.
Under the hood, it's pure Rust on the Rocket web framework. Storage is pluggable. You can point it at SQLite for a single-box install or wire it up to Postgres if you already run one, with MySQL supported as a third option for hosted environments.
Diesel handles the ORM layer underneath all of that. The whole binary cross compiles cleanly to ARM, which is why the Raspberry Pi crowd loves it.
Container images ship on GHCR alongside Docker Hub and Quay. So, wherever you pull from, you get the same artifact.
The licensing matters more than it looks. AGPL is the copyleft variant that triggers on network use, not just on redistribution.
If you fork this and ship it as a hosted product, you have to release your changes back to the world.
That's why no commercial company has bothered to repackage it as their own.
The install is genuinely two commands long. Pull the container, run it with a data volume, and your domain mapped in.
That's the whole thing. No 20-question wizard. No half-megabyte config file like the upstream installer writes out.
Just one shell line, and you're up.
Version 1.36 just shipped on May 3rd.
Five security fixes landed with GHSA advisories attached. The most consequential being an SSO login CSRF bug and an SSRF through the favicon endpoint.
The big user facing addition is item archiving, which Bitwarden added on the official side back in March, and Vaultwarden caught up to in the same release cycle.
There's also a fix for hostname and IP resolution for people behind weird network setups, and the bundled web vault jumped to 2026.4.1 to match what upstream is shipping.
There are real tradeoffs. It's unofficial, so when something breaks, you're filing an issue against the open source repo, not paying for a vendor support contract. Backups land on you. The vault sits on whatever box you're running it on, and if that storage corrupts before you notice, those passwords are gone in a way no support call brings them back.
The honest verdict is this. If you already self-host anything else at home, the password manager belongs on the same box you're already babysitting.
The seat-based pricing math stops working the moment your household or your tiny team grows past a couple of people. That's the moment it earns its keep.
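One way to handle the backup burden described above, as an added example that is not from the video or the Vaultwarden project: snapshot the SQLite database with SQLite's online backup API, run an integrity check on the copy, and only then rotate older snapshots, so a corrupted source never displaces a good backup. It assumes the SQLite backend with the database file named `db.sqlite3`; the function name, the snapshot naming scheme and the `ciphers` sample table are constructed for illustration.

```python
import sqlite3
import tempfile
from pathlib import Path


def backup_vault_db(src: Path, dest_dir: Path, keep: int = 7) -> Path:
    """Snapshot a live SQLite file, verify it, then rotate old snapshots."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    existing = sorted(dest_dir.glob("db-*.sqlite3"))
    seq = int(existing[-1].stem.split("-")[1]) + 1 if existing else 1
    tmp = dest_dir / "incoming.partial"
    tmp.unlink(missing_ok=True)

    # The online backup API copies a consistent snapshot even while the
    # server is writing; a plain file copy of a live database may not.
    source = sqlite3.connect(f"{src.resolve().as_uri()}?mode=ro", uri=True)
    target = sqlite3.connect(tmp)
    try:
        source.backup(target)
        verdict = target.execute("PRAGMA integrity_check").fetchone()[0]
    except sqlite3.DatabaseError as exc:
        verdict = f"unreadable: {exc}"
    finally:
        target.close()
        source.close()

    if verdict != "ok":
        # Corrupt source: keep every older snapshot and publish nothing.
        tmp.unlink(missing_ok=True)
        raise RuntimeError(f"backup rejected, integrity_check: {verdict}")

    final = dest_dir / f"db-{seq:06d}.sqlite3"
    tmp.rename(final)
    for old in sorted(dest_dir.glob("db-*.sqlite3"))[:-keep]:
        old.unlink()
    return final


if __name__ == "__main__":
    # Constructed stand-in for a data folder; not a real vault.
    with tempfile.TemporaryDirectory() as d:
        db = Path(d) / "db.sqlite3"
        con = sqlite3.connect(db)
        con.execute("CREATE TABLE ciphers (uuid TEXT PRIMARY KEY, data TEXT)")
        con.execute("INSERT INTO ciphers VALUES ('constructed-1', 'x')")
        con.commit()
        con.close()
        print(backup_vault_db(db, Path(d) / "backups"))
```

Files stored outside the database, such as attachments, need a separate copy.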