Install Vaultwarden with Docker and Harden Its Security
Install Vaultwarden easily with Docker and learn basic steps to keep it secure. Create and manage unique passwords for all your online accounts safely.
WARNING: You should never store Bitcoin wallet passphrases in Vaultwarden or any digital format.
Docker
Enable running Docker without sudo. Replace “username” with your own:
sudo usermod -aG docker username
Create a folder named vaultwarden and change into it (the compose file and its data volume live there):
mkdir ~/docker
cd ~/docker
mkdir vaultwarden
cd vaultwarden
Create docker-compose.yml:
nano docker-compose.yml
Edit docker-compose.yml:
version: '3.8'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    # quoted so no YAML 1.1 parser reads 1000:1000 as a base-60 number
    user: "1000:1000"
    ports:
      - "7789:80"
    volumes:
      - ./volumes/vw-data/:/data/
    restart: unless-stopped
    environment:
      - ADMIN_TOKEN=insecure
Start Docker:
docker compose up -d
Reverse Proxy
Install Caddy:
sudo apt install caddy
Open Caddyfile:
sudo nano /etc/caddy/Caddyfile
Update Caddyfile:
example.com {
    route /pass* {
        uri strip_prefix /pass
        redir https://pass.{host}{uri}
    }
}

pass.example.com {
    reverse_proxy localhost:7789
}
Restart Caddy:
sudo systemctl restart caddy
Go to Vaultwarden at https://pass.example.com or at https://example.com/pass if you prefer using a subpath.
Security
1. Disable Registration
Before proceeding, create new accounts for yourself and your family.
Go to the admin panel at https://pass.example.com/admin. Enter “insecure” as the admin token.
Go to General Settings and uncheck Allow new signups.
2. Strong Admin Token
On your local machine, run the following commands. Replace “Insecure Password” with your new admin password, such as a 12-word passphrase or a password of 50+ characters.
sudo apt install argon2
echo -n "Insecure Password" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4
(Retrieved from Vaultwarden wiki on October 5, 2024)
The output is a single string starting with $argon2id$v=19$m=65540,t=3,p=4$ followed by the salt and the hash as the last two $-separated fields. Copy the whole string (the Argon2 PHC hash), go to General Settings and paste it into the Admin token/Argon2 PHC field.
Save your changes and log out. When you log back in, use your admin password.
Comment out the environment section in docker-compose.yml:
    # environment:
    #   - ADMIN_TOKEN=insecure
Restart Docker:
docker compose down; docker compose up -d
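As an added example, not part of the original guide or of Vaultwarden itself, the Python script below audits an ADMIN_TOKEN the way the steps above expect it to end up: it parses the Argon2 PHC string format the argon2 command prints, flags a clear-text token, checks the cost parameters against the values used in this guide (m=65540, t=3, p=4), and scans a docker-compose.yml for ADMIN_TOKEN lines that are still active. The sample compose text and the hash inside it are constructed for the demonstration, not real values.

```python
import re

# Shape of an Argon2 PHC string as printed by `argon2 ... -e -id`:
#   $argon2id$v=19$m=65540,t=3,p=4$<base64 salt>$<base64 hash>
PHC_RE = re.compile(
    r"^\$(?P<variant>argon2(?:id|i|d))\$v=(?P<v>\d+)"
    r"\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)\$(?P<hash>[A-Za-z0-9+/]+)$"
)
# Floor taken from the parameters used in this guide (-k 65540 -t 3 -p 4).
MIN_M, MIN_T, MIN_P = 65540, 3, 4

def audit_admin_token(token: str) -> dict:
    """Classify one ADMIN_TOKEN value: clear text, or an Argon2 PHC hash with its parameters."""
    m = PHC_RE.match(token)
    if not m:
        return {"kind": "plaintext", "ok": False,
                "problems": ["token stored in clear text; replace it with an Argon2 PHC hash"]}
    mem, t, p = int(m["m"]), int(m["t"]), int(m["p"])
    problems = []
    if m["variant"] != "argon2id":
        problems.append(f"variant {m['variant']}; argon2id is the recommended variant")
    for name, val, floor in (("m", mem, MIN_M), ("t", t, MIN_T), ("p", p, MIN_P)):
        if val < floor:
            problems.append(f"{name}={val} is below the guide's value {floor}")
    return {"kind": "argon2", "variant": m["variant"], "m": mem, "t": t, "p": p,
            "ok": not problems, "problems": problems}

def audit_compose(compose_text: str) -> list:
    """Audit every list-style `- ADMIN_TOKEN=...` entry in a docker-compose.yml,
    recording whether the line is still active or has been commented out."""
    findings = []
    for lineno, raw in enumerate(compose_text.splitlines(), 1):
        line = raw.strip()
        hit = re.match(r"-\s*ADMIN_TOKEN=(.*)$", line.lstrip("# ").strip())
        if not hit:
            continue
        # Compose writes a literal `$` as `$$`; undo that before parsing the PHC string.
        value = hit.group(1).strip().strip("'\"").replace("$$", "$")
        finding = audit_admin_token(value)
        finding.update(line=lineno, active=not line.startswith("#"))
        findings.append(finding)
    return findings

# Constructed sample (the hash is fake): the guide's initial clear-text token plus a
# commented-out hashed one, so both outcomes show up.
SAMPLE_COMPOSE = """\
services:
  vaultwarden:
    image: vaultwarden/server:latest
    environment:
      - ADMIN_TOKEN=insecure
      # - ADMIN_TOKEN=$$argon2id$$v=19$$m=65540,t=3,p=4$$c2FsdHNhbHRzYWx0c2FsdA$$aGFzaGhhc2hoYXNoaGFzaGhhc2hoYXNo
"""

if __name__ == "__main__":
    for f in audit_compose(SAMPLE_COMPOSE):
        print(f)
```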
3. Restrict Admin Panel
Rewrite any request for the admin panel to the homepage, so the panel is unreachable through the proxy.
Update Caddyfile:
pass.example.com {
    reverse_proxy localhost:7789
    rewrite /admin* /
}
Restart Caddy:
sudo systemctl restart caddy
4. Disallow Search Engine Indexing
Prevent your Vaultwarden site from being indexed by Google. A search for “Vaultwarden Web” turns up other people’s Vaultwarden sites and their admin panels. Because crawlers read robots.txt per host, this file only covers the /pass path on example.com; pass.example.com needs its own robots.txt.
Open robots.txt:
sudo nano /var/www/html/robots.txt
Update robots.txt:
User-agent: *
Disallow: /pass
Allow: /$