Introduction
Vaultwarden is an unofficial Bitwarden-compatible server written in Rust. It accepts connections from the standard Bitwarden clients and is far less resource-hungry than the official Bitwarden server. This tutorial explains how to install Vaultwarden on Ubuntu 20.04 with Docker and docker-compose, and uses Caddy as a TLS-terminating reverse proxy in front of it.
Prerequisites
Before you begin these steps, you should:
- Deploy an Ubuntu 20.04 server.
- Update the server.
- Create a non-root user with sudo privileges.
- Log in to your server as a non-root user.
- Open ports 80 and 443 on your RCS firewall or with ufw. Caddy serves HTTPS on 443 and needs 80 for the ACME HTTP-01 certificate challenge used below.
You should also create a DNS "A" record that points a hostname to the IP address of your server. Caddy requires a DNS name to install a TLS/SSL certificate.
Installation
Remove any older versions of Docker and the Docker engine.
$ sudo apt remove docker docker.io containerd runc
Ensure that your version of snapd is up to date.
$ sudo snap install core; sudo snap refresh core
Install Docker using snap.
$ sudo snap install docker
Configuration
Docker Container
Create a directory called vaultwarden in your home directory and enter it.
$ mkdir ~/vaultwarden
$ cd ~/vaultwarden
Create and open a new docker-compose.yml file.
$ nano docker-compose.yml
Add the following lines to the file.
version: '3'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      - WEBSOCKET_ENABLED=true
    volumes:
      - ./vw-data:/data
  caddy:
    image: caddy:2
    container_name: caddy
    restart: always
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - ./caddy-config:/config
      - ./caddy-data:/data
    environment:
      - DOMAIN=
      - EMAIL=
      - LOG_FILE=/data/access.log
Add the domain name or subdomain to the DOMAIN value under Caddy's environment variables.
environment:
  - DOMAIN=https://example.com
Add an email address for TLS/SSL certificate registration to the EMAIL value under Caddy's environment variables.
environment:
  - DOMAIN=https://example.com
  - EMAIL=user@example.com
Save and exit the text editor by using CTRL + X, then Y, followed by ENTER.
Caddy Configuration File
Create and open a new Caddyfile.
$ nano Caddyfile
Add the following lines to the file.
{$DOMAIN}:443 {
    log {
        level INFO
        output file {$LOG_FILE} {
            roll_size 10MB
            roll_keep 10
        }
    }

    # Get a cert by using the ACME HTTP-01 challenge.
    tls {$EMAIL}

    encode gzip

    # Headers to improve security.
    header {
        # Enable HSTS
        Strict-Transport-Security "max-age=31536000;"
        # Enable cross-site filter (XSS)
        X-XSS-Protection "1; mode=block"
        # Disallow the site to be rendered within a frame (clickjacking protection)
        X-Frame-Options "DENY"
        # Prevent search engines from indexing
        X-Robots-Tag "none"
        # Remove Caddy branding
        -Server
    }

    # Redirect notifications to the WebSocket.
    reverse_proxy /notifications/hub vaultwarden:3012

    reverse_proxy vaultwarden:80 {
        header_up X-Real-IP {remote_host}
    }
}
Save and exit the text editor by using CTRL + X, then Y, followed by ENTER.
The Caddyfile configures Caddy to terminate HTTPS on port 443 and forward requests to Vaultwarden (WebSocket notifications to port 3012, everything else to port 80). It also adds response headers that improve security, such as HTTP Strict Transport Security (HSTS), clickjacking protection via X-Frame-Options, and the X-XSS-Protection filter, and strips the Server header that would otherwise reveal Caddy.
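To confirm that the headers above are actually being served after deployment, here is an added shell check that is not part of the original tutorial. The function name check_headers and the two sample responses are constructed for this example; in real use you pass it the output of curl -sI https://example.com.

```shell
#!/bin/sh
# Added example, not from the tutorial: audit an HTTPS response for the
# hardening the Caddyfile applies. Real use:
#   check_headers "$(curl -sI https://example.com)"

# Return 0 when every expected header is present and the Server header is
# gone; print each failed check and return 1 otherwise.
check_headers() {   # $1 = raw response headers
    # Header names are case-insensitive, so normalise before matching.
    hdrs=$(printf '%s\n' "$1" | tr -d '\r' | tr '[:upper:]' '[:lower:]')
    rc=0
    echo "$hdrs" | grep -q '^strict-transport-security: *max-age=' \
        || { echo "FAIL: HSTS header missing"; rc=1; }
    echo "$hdrs" | grep -q '^x-frame-options: *deny' \
        || { echo "FAIL: X-Frame-Options DENY missing"; rc=1; }
    echo "$hdrs" | grep -q '^x-robots-tag: *none' \
        || { echo "FAIL: X-Robots-Tag none missing"; rc=1; }
    if echo "$hdrs" | grep -q '^server:'; then
        echo "FAIL: Server header still present (-Server not applied)"
        rc=1
    fi
    return $rc
}

# Constructed sample: what a correctly configured instance returns.
GOOD_RESPONSE='HTTP/2 200
strict-transport-security: max-age=31536000;
x-frame-options: DENY
x-robots-tag: none
x-xss-protection: 1; mode=block
content-type: text/html'

# Constructed sample: a proxy that never applied the header block.
BAD_RESPONSE='HTTP/1.1 200 OK
Server: Caddy
Content-Type: text/html'
```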
Running Vaultwarden
Run Vaultwarden by using docker-compose in detached mode. This may take a few seconds.
$ sudo docker-compose up -d
Check that Vaultwarden is running by using docker. The status should be Up.
$ sudo docker ps
STATUS
Up x seconds/minutes
Additional Security Configuration
To further improve security, additional configuration is available.
Disabling Registration
By default, anyone who accesses your Vaultwarden instance can create an account. This is useful when first creating your instance but may pose a security risk later.
After creating your account, you can disable registration by setting the SIGNUPS_ALLOWED environment variable to false in docker-compose.yml.
services:
  vaultwarden:
    ... other configuration ...
    environment:
      - SIGNUPS_ALLOWED=false
    ... other configuration ...
Disabling Invitations
Vaultwarden also allows registered users to invite other new users to create accounts on the server. This feature is not a security risk as long as you trust your users. However, if you are the only user, you may want to disable this.
You can disable invitations by setting the INVITATIONS_ALLOWED environment variable to false in docker-compose.yml.
services:
  vaultwarden:
    ... other configuration ...
    environment:
      - INVITATIONS_ALLOWED=false
    ... other configuration ...
Disabling Password Hints
Bitwarden's password hints are normally sent by email. Vaultwarden, however, is built for personal deployments, so it displays the hint directly on the password hint page instead. This feature exists so that you do not have to configure an email service.
If you want to disable password hints, set the SHOW_PASSWORD_HINT variable to false in docker-compose.yml.
services:
  vaultwarden:
    ... other configuration ...
    environment:
      - SHOW_PASSWORD_HINT=false
    ... other configuration ...
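The three hardening settings above are easy to forget when a compose file is edited later, so here is an added shell audit (not part of the original tutorial) that checks docker-compose.yml for them. The function names compose_env_value and audit_compose and the two sample compose files are constructed for this example; the parser is line-based and assumes the "- KEY=value" list form used in this tutorial.

```shell
#!/bin/sh
# Added example, not from the tutorial: audit docker-compose.yml for the
# SIGNUPS_ALLOWED / INVITATIONS_ALLOWED / SHOW_PASSWORD_HINT hardening.
# Real use: audit_compose "$(cat ~/vaultwarden/docker-compose.yml)"

# Print the value of a "- KEY=value" environment entry, or "unset" if absent.
# An absent entry is reported as not hardened: only an explicit false passes.
compose_env_value() {   # $1 = compose file text, $2 = variable name
    val=$(printf '%s\n' "$1" \
        | grep -E "^[[:space:]]*-[[:space:]]*$2=" | tail -n 1 \
        | sed 's/^[^=]*=//' | tr -d "[:space:]\"'")
    [ -n "$val" ] && printf '%s\n' "$val" || echo unset
}

# Return 0 only when all three variables are explicitly false; report each.
audit_compose() {       # $1 = compose file text
    rc=0
    for var in SIGNUPS_ALLOWED INVITATIONS_ALLOWED SHOW_PASSWORD_HINT; do
        v=$(compose_env_value "$1" "$var")
        if [ "$v" = false ]; then
            echo "OK   $var=false"
        else
            echo "FAIL $var is $v (expected false)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the tutorial's compose file after all three steps.
HARDENED='services:
  vaultwarden:
    image: vaultwarden/server:latest
    environment:
      - WEBSOCKET_ENABLED=true
      - SIGNUPS_ALLOWED=false
      - INVITATIONS_ALLOWED=false
      - SHOW_PASSWORD_HINT=false
  caddy:
    image: caddy:2
    environment:
      - DOMAIN=https://example.com'

# Constructed sample: registration disabled, invitations and hints untouched.
PARTIAL='services:
  vaultwarden:
    environment:
      - WEBSOCKET_ENABLED=true
      - SIGNUPS_ALLOWED=false'
```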
Finishing Steps
Saving Your New Configuration
If you changed any of the environment variables from the steps above, you must restart Vaultwarden. To do this, follow these steps:
Stop Vaultwarden by using docker-compose.
$ sudo docker-compose down
Rerun Vaultwarden by using docker-compose in detached mode.
$ sudo docker-compose up -d
Your new configuration should now be in effect.
Use Bitwarden to Access Your Vaultwarden Instance
You can use the upstream Bitwarden clients by changing the server URL in the client settings to the address of your Vaultwarden instance.
Using Vaultwarden
You should now navigate to your Vaultwarden installation and create an account (if you haven't already).
https://example.com
After logging in, you can start adding your logins and passwords to your vault.
This completes the steps to install Vaultwarden and secure it using Caddy.