The topic I’ve been running Vaultwarden on my Proxmox home server for two years, and I… is currently the subject of lively discussion — readers and analysts are keeping a close eye on developments.
This is taking place in a dynamic environment: companies’ decisions and competitors’ reactions can quickly change the picture.
As much as I adore self-hosted services, I still have to use cloud platforms for mission-critical services. for example, I don’t plan to run Email servers locally anytime soon, as their overly complicated setup process and constant maintenance issues make them worse than cloud-based email providers.
Likewise, I used to avoid self-hosted password managers when I first jumped into the FOSS ecosystem, partly because they seemed too complex to deploy, and also because I was worried I’d get marooned without my credentials if things went wrong with my server. But unlike self-hosted email servers, I realized my Vaultwarden fears were unfounded after I finally began using it. In fact, it has been two years since I migrated to Vaultwarden from LastPass, and this tool has never let me down.
Unlike LastPass, which runs on cloud servers, Vaultwarden is a local-only password manager, meaning you’ll have to arrange the hardware (or VPS, if that’s what you’re into). But if you’re a home labber like me, this drawback becomes trivial. If anything, I don’t have to worry about paying monthly subscriptions to access my Vaultwarden server from multiple clients. Plus, Vaultwarden doesn’t have any restrictions on the number of accounts I can add to my database, so I can share my password manager with my family without worrying about max user caps. Since everything runs locally, I don’t have to worry about getting my passwords exposed in large-scale database breaches on cloud platforms. I’m not trying to imply that my LAN’s security is superior to a cloud’s; it’s just that the possibility of hackers targeting my home network specifically (which is already locked behind CGNAT, robust firewall rules, and overly-complex Tailscale ACLs) is a lot slimmer than a cloud server that’s accessible to the public. But I digress.
On the features front, Vaultwarden has everything I could want from a reliable password manager. Besides storing conventional account credentials, Vaultwarden also houses my TOTP codes, API tokens, SSH keys, and digital copies of private documents. I often use its random password generator when creating security keys for containers, before saving them to its vault. Since it’s a lot lighter than Bitwarden, I can run it alongside other mission-critical home lab services on my cheap Proxmox node, with the PVE-Helper Scripts repo offering a one-line installation script that spins up Vaultwarden in less time than it takes to finish reading this section.
While we’re on the subject of Bitwarden, Vaultwarden doesn’t technically have client applications of its own. But since it’s compatible with Bitwarden’s API, it works with its rival’s client tools, including its browser extensions and desktop and mobile apps. The best part? It doesn’t require any wacky workarounds to accomplish this, either. All you have to do is type Vaultwarden’s URL and enter the user credentials on the clients to pair them with the central password server. Couple Vaultwarden’s lack of a max user cap with its simple UI and rock-solid support for Bitwarden client services, and you can see how I managed to convince my family to migrate to it from flimsy browser extensions and paid cloud platforms.
When it comes to self-hosted services, arranging the hardware isn’t that big of a deal. The real problem is ensuring the app remains operational at all times. For something as crucial as a password manager, things can get dire when it goes offline. Or, at least, that’s what I thought before I migrated to Vaultwarden.
If you’ve got client devices hooked up to your Vaultwarden instance like I have, losing access to the central server doesn’t mean you’ll be stranded without passwords. That’s because these clients keep a copy of the Vaultwarden database locally. Sure, it might not be possible to sync new passwords you might add to the client with other devices without a central server. But being able to access the cached credentials is a godsend if a botched server experiment takes out the Vaultwarden container. Better yet, you can even use the cached database from the clients to recreate the password collection inside a fresh Vaultwarden instance.
As a hardcore data-hoarder, I tend to keep redundant (and encrypted) snapshots of my Vaultwarden instance just to be safe. But after moving the LXC to a secondary Proxmox node designed specifically for essential services, I haven’t had any uptime issues with this powerful password manager. Plus, the firewall rules in my OPNsense router are enough to deter external threats from laying their grubby hands on my password manager, while Tailscale handles my remote access needs, so I can access Vaultwarden even while I’m away from my goblin cave.