Vaultwarden: Unofficial Bitwarden compatible server written in Rust

Self‑hosting Vaultwarden: Experiences

  • Many report running Vaultwarden for years “flawlessly,” often via Docker on home servers or cheap cloud VMs.
  • Setup is considered easy for those already running reverse proxies (e.g., Caddy) and other self‑hosted services.
  • For some, Vaultwarden is invaluable for personal/family use, while they still use Bitwarden’s cloud offering at work for reliability.

Cloud vs Self‑hosted: Cost, Effort, and When It’s Worth It

  • Several concluded that for small businesses, the labor cost (setup, monitoring, patching) exceeds Bitwarden’s low per‑user cloud fees.
  • Others argue self‑hosting scales well once you’ve built up infrastructure and skills; incremental cost of another service is low.
  • Some people maintain a paid Bitwarden account anyway (to support the project, for emergency access for family, or as a fallback).

Security, Threat Models, and Updates

  • Strong warnings about relying on automatic Docker updaters like Watchtower; renames or image changes can silently stall updates or break environments.
  • Suggested alternatives: manual monitoring, Ansible, GitOps workflows, or running Watchtower manually.
  • Debate over whether “enterprise‑grade” hardening is necessary versus pragmatic home setups; many accept being safe from “random internet scans” but not state‑level actors.
  • Opinion split: some think self‑hosting a password manager is overkill and an added risk; others see central SaaS vaults as more attractive targets.

Offline Access and Client Behavior

  • Mixed reports about offline access: some can unlock mobile apps without connectivity; others say browser extensions (especially Firefox) sometimes log out and require server contact.
  • A cited Bitwarden policy: offline sessions expire after 30 days, which pushed some to KeePass‑style solutions.

Alternatives and Comparisons

  • Alternatives discussed: KeePass/Strongbox, pass + git/syncthing, Proton Pass, 1Password, LastPass (historical).
  • KeePass/Strongbox praised for their simple file‑based offline model, but they can be clumsy for sync/sharing.
  • Pass + git is favored by CLI‑oriented users; YubiKey integration highlighted.
  • 1Password seen by some as significantly more polished, faster, and better for non‑technical family sharing than Bitwarden/Vaultwarden.
  • Proton Pass praised for easier family sharing and email alias integration.

Migration, Backup, and Features

  • Migrating from the official Bitwarden server to Vaultwarden is non‑trivial due to attachment handling; exports don’t include attachments.
  • Emphasis on robust backups (volume snapshots, offsite copies); losing a vault can be catastrophic.
  • OIDC/SSO support is under active development but currently limited to authorization, not full vault unlock.

Language Choice (Rust)

  • Discussion on using Rust vs Go: Rust favored by some for its type system, safety, and personal preference, even if performance isn’t critical.