If you are looking for a highly secure, lightweight, and completely free alternative to Bitwarden’s premium tier, you’ve likely come across Vaultwarden. Originally known as Bitwarden_RS, Vaultwarden is an unofficial Bitwarden-compatible server written in Rust. It packs all the premium features of Bitwarden (like TOTP authenticators, file attachments, and vault health reports) into a footprint so small it can run on a Raspberry Pi.
But the catch with self-hosting any password manager is that uptime and security are entirely your responsibility. If your server goes down, you are locked out of your digital life. If it gets breached, your entire vault is compromised. In this deep dive, we’ll explore the cheapest and most reliable ways to self-host Vaultwarden in 2026, comparing VPS deployments, Docker configurations, and fully managed cloud solutions.
Why Self-Host Vaultwarden Instead of Bitwarden Cloud?
Bitwarden’s official cloud is already fantastic. For a single user, the free tier offers unlimited passwords and cross-device sync. Premium is just $10 a year. So why go through the hassle of self-hosting Vaultwarden?
- Cost Savings for Teams/Families: Bitwarden charges $40/year for families and $4/user/month for teams. Vaultwarden gives you unlimited users and all premium features for free.
- Absolute Data Sovereignty: Your vault never touches a third-party server. For the privacy-conscious, keeping encrypted vaults out of centralized honeypots is a major win.
- Resource Efficiency: The official Bitwarden self-hosted server relies on a heavy stack requiring 4GB+ of RAM and Microsoft SQL Server. Vaultwarden uses a lightweight SQLite database and consumes a mere ~50MB of RAM.
Top Hosting Architectures Compared
There are multiple ways to skin this cat depending on your comfort level with Linux administration and Docker. Let’s break down the most popular hosting models from cheapest to most automated.
1. The Pure DIY Route: Hetzner VPS + Docker (~$4-5/mo)
This is the gold standard for experienced sysadmins. By renting a cheap VPS from a provider like Hetzner (e.g., the CX22 instance with 2 vCPUs and 4GB RAM) or DigitalOcean, you retain complete control over the OS, the firewall, and the reverse proxy.
Here is the exact Docker Compose configuration to get Vaultwarden running securely behind a reverse proxy:
version: '3'
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
restart: always
environment:
- WEBSOCKET_ENABLED=true
- SIGNUPS_ALLOWED=false
- DOMAIN=https://vault.yourdomain.com
- ADMIN_TOKEN=your_secure_admin_token_here
volumes:
- vw-data:/data
ports:
- "8080:80"
volumes:
vw-data:docker run -d --name vaultwarden \
-v /vw-data/:/data/ \
-p 8080:80 \
-e SIGNUPS_ALLOWED=false \
-e DOMAIN=https://vault.yourdomain.com \
vaultwarden/server:latestPros: Maximum control, cheapest paid tier, and you can host 20 other lightweight apps on the same VPS.
Cons: You are the sysadmin. If you misconfigure UFW (Uncomplicated Firewall) or forget to renew your Let’s Encrypt SSL certificate, your vault is exposed or broken.
2. The “Free but Risky” Route: Oracle Cloud Free Tier ($0/mo)
Oracle offers an incredibly generous “Always Free” ARM instance boasting 4 OCPUs and 24GB of RAM. It is massively overpowered for Vaultwarden, which only needs 50MB of RAM.
However, the catch is significant. Oracle is notorious for reclaiming “idle” free-tier instances without warning. If Oracle nukes your VM and you haven’t set up automated offsite backups for your SQLite database, you will permanently lose your password vault. It’s a great sandbox, but a risky production environment.
3. The Managed PaaS Route: InstaPods & PikaPods ($2.50 – $3/mo)
If you want the privacy of self-hosting but refuse to touch a Linux terminal, Platform-as-a-Service (PaaS) providers are your best bet. Platforms like PikaPods and InstaPods offer one-click deployments of Vaultwarden.
For roughly $3 a month, these services provision the container, map the storage, attach a custom domain, provision the SSL certificate, and run automated nightly backups. You get all the premium features of Bitwarden without playing sysadmin.
4. The Self-Hosted PaaS Route: Coolify on a VPS (~$5-8/mo)
If you like the idea of owning your server but hate dealing with raw Docker commands, Coolify is a phenomenal middle ground. It acts as an open-source, self-hosted Vercel/Heroku alternative. You rent a slightly beefier VPS (Coolify itself requires about 2GB of RAM, so a $5-$8/mo Hetzner or DigitalOcean droplet is ideal) and install Coolify.
From there, you can deploy Vaultwarden directly from Coolify’s web dashboard using a one-click Docker Compose template. You get automated SSL provisioning and a beautiful UI to manage your environment, though you are still ultimately responsible for underlying OS updates.
5. The Premium Managed Route: Elestio (~$17/mo)
For small businesses or enterprise teams who want dedicated infrastructure without the sysadmin headache, Elestio offers a premium managed service. They deploy Vaultwarden on a dedicated Virtual Machine of your choice (Hetzner, AWS, GCP, or Azure).
While $17/mo is steep for a single user, it provides true zero-maintenance for a dedicated instance. Elestio handles the OS-level security patches, automated Vaultwarden updates, and daily verified backups. For a team of 10 people (who would otherwise pay $480/yr for Bitwarden Teams), $204/yr for a fully managed, isolated Vaultwarden server is a massive bargain.
6. The “Piggyback” Route: Existing Home Lab ($0 extra)
Already running a home lab with a Raspberry Pi, Synology NAS, or an Unraid server? Adding Vaultwarden costs absolutely nothing. Because Vaultwarden is incredibly lightweight (requiring a mere 50MB of RAM), it can comfortably run alongside Pi-hole, Plex, or Nextcloud without stressing your hardware.
Just add the Vaultwarden service to your existing Docker Compose stack, route it securely through your existing Cloudflare Tunnel or Nginx Proxy Manager setup, and you have a free, enterprise-grade password manager running in your closet.
Mandatory Security Checklist for Vaultwarden
If you decide to take the Hetzner/Docker route, you must treat your server like a digital fortress. Before you ever expose your Vaultwarden URL to the internet, ensure you have completed this checklist:
- Disable Signups: Once your personal or family accounts are created, immediately set
SIGNUPS_ALLOWED=falsein your environment variables. This prevents random bots from registering on your instance. - Secure the Admin Panel: Use a long, cryptographically secure
ADMIN_TOKEN. Alternatively, disable the admin panel entirely by leaving the token blank. - Enforce HTTPS: Vaultwarden strictly requires HTTPS to function (the Web Crypto API mandates it). Use a reverse proxy like Caddy or Nginx Proxy Manager to handle SSL termination.
- Fail2Ban: Vaultwarden logs failed login attempts. Pipe these logs into Fail2Ban to automatically block IP addresses attempting brute-force attacks.
- Automated Offsite Backups: Use a cron job to backup your
/datavolume (specifically thedb.sqlite3file and yourattachmentsfolder) to AWS S3, Backblaze B2, or a local NAS every single night.
Summary: The Vaultwarden Hosting Comparison Table
| Hosting Method | Estimated Monthly Cost | Setup Time | Maintenance Level | Best For… |
|---|---|---|---|---|
| Oracle Cloud Free Tier | $0/mo | ~1 hr | High | Testing / Non-critical labs |
| Existing Home Lab / VPS | $0 extra | ~10 min | Low | Users already self-hosting apps |
| PikaPods | ~$2.50/mo | ~1 min | Zero | Non-technical users |
| InstaPods | $3.00/mo | ~30 sec | Zero | Managed setups on a budget |
| Hetzner VPS + Docker | ~$4-5/mo | ~45 min | High | Experienced Sysadmins |
| Coolify on VPS | ~$5-8/mo | ~15 min | Medium | Users wanting a web dashboard |
| Elestio | ~$17/mo | ~3 min | Zero | Teams and small businesses |
Final Verdict: Should You Self-Host?
If you are a solo user who just wants things to work seamlessly, stick to the Bitwarden Cloud Free or Premium tier ($10/year). Their infrastructure is audited by third-party security firms, and they have a dedicated security team monitoring threats 24/7.
However, if you have a team, a family, or simply love taking ownership of your self-hosted infrastructure, Vaultwarden on a cheap $4 Hetzner VPS (or a $3 PikaPods instance) is an unbeatable setup. It delivers enterprise-grade password management for pennies, as long as you take your backups seriously.