Self-Host Your Password Manager

All passwords in one place, synced across all devices, protected by end-to-end encryption. A self-hosted password manager stores your encrypted vault on your own server. The master password never leaves your device. You decide where your data lives, who has access and which software runs on the server.

100% Made in Germany · GDPR compliant · Hourly billing · No minimum term
01

What will you use it for?

Manage family passwords in one place

Your whole family uses streaming services, the vacation home WiFi and dozens of other accounts. A shared vault gives everyone access to current credentials on their devices. Adult children get emergency access to their parents' accounts in case something happens.

New team members productive from day one

A new colleague starts. Instead of sending passwords via Slack or email, they are assigned to a group and instantly have access to staging servers, cloud consoles and API keys. No plaintext password is ever sent. On offboarding, access is revoked with one click.

Share client access with an expiration date

An agency needs temporary access to a client's CMS. The Send feature creates an encrypted link with an expiration date and optional password. After the project ends, access expires automatically without manual cleanup.

Manage secrets in your CI/CD pipeline

Database credentials, API tokens and signing keys live in the vault and are pulled into your CI/CD pipeline via the Bitwarden CLI. No .env files in repositories, no hardcoded secrets in Dockerfiles. Access rights are configurable per project and environment.

Meet compliance requirements without enterprise costs

A small law firm or medical practice needs to prove that credentials for client and patient systems are protected. Vaultwarden on your own infrastructure provides audit logs, two-factor authentication and full data sovereignty in Germany, without five-figure annual licenses.

02

Why a self-hosted password manager

Zero-knowledge encryption

All passwords are encrypted on your device before reaching the server. The server only stores ciphertext. Even with access to the server, the data is unreadable without your master password. This principle applies regardless of whether the server runs at a cloud provider or on your own infrastructure.

Clients for all platforms

Browser extensions for Chrome, Firefox, Safari and Edge. Desktop apps for Windows, macOS and Linux. Mobile apps for iOS and Android with autofill support. Command-line tool (CLI) for automation. Clients sync encrypted through your server.

Two-factor authentication

Secure your vault with an additional layer: authenticator apps (TOTP), FIDO2 WebAuthn (e.g. YubiKey), email codes or Duo Security. Multiple methods can be enabled simultaneously.

Data stays in Germany

Your server is located in Germany, in certified data centers. German data protection law and GDPR apply. No US CLOUD Act, no data transfer to third countries.

All premium features included

Time-based one-time passwords (TOTP), file attachments, encrypted Send, emergency access and shared vaults. Features that cloud services reserve for paid tiers are available without restriction in open-source solutions.

Open source and auditable

The server source code is fully viewable. You can review, modify or have the software audited by third parties. No black box, no proprietary encryption methods.

03

Which software runs on the server?

There are several open-source projects for self-hosted password management: Bitwarden, Passbolt, Psono or file-based solutions like KeePass. By far the largest ecosystem belongs to Bitwarden. Bitwarden offers clients for every platform (browser, desktop, smartphone, CLI) that encrypt locally and sync the vault through a server. However, the official Bitwarden server requires up to 11 Docker containers, a Microsoft SQL Server database and at least 2 GB of RAM. For individuals and small teams, that is often more than needed. That is why the community built Vaultwarden: a lightweight reimplementation of the Bitwarden server API in Rust that runs in a single container with 30 to 50 MB of RAM. Both servers serve the same API. The Bitwarden clients work identically with either one.

Vaultwarden

60,800+ GitHub stars, AGPL-3.0 license, active development (v1.36.0, May 2026)

Community project that reimplemented the Bitwarden server API in Rust. Not a fork but independent code. A single Docker container, SQLite as the database (a single file, no separate container). All premium features (TOTP, Send, emergency access, organizations) are unlocked. Fully open source under the AGPL-3.0 license. Installation via Coolify or Docker Compose.

Suited for: Individuals, families, small teams, SMBs, privacy-conscious organizations.

Bitwarden (official server)

18,600+ GitHub stars (server), regular security audits (SOC 2, Cure53)

The official server by Bitwarden Inc., written in C#/.NET. Standard installation with up to 11 Docker containers and Microsoft SQL Server (a lite variant with a single container is available). Enterprise features like SCIM provisioning, directory sync and policy management require a commercial license. The core server is licensed under AGPL-3.0, enterprise modules under a proprietary source-available license (Bitwarden License).

Suited for: Enterprise environments, compliance-regulated organizations (SOC 2, HIPAA), teams requiring professional support.

04

Which password manager server?

Vaultwarden

Best choice for individuals, families and small teams.

  • One Docker container, 30 to 50 MB RAM
  • SQLite as database (single file, no separate container)
  • All premium features unlocked at no cost
  • Fully open source (AGPL-3.0)
  • SSO via OpenID Connect (since v1.35)
  • 60,800+ GitHub stars, active community
  • No official security audits (community project)
  • No enterprise support
  • No SCIM provisioning or directory sync

Bitwarden (official server)

Best choice for enterprise and compliance-regulated environments.

  • Professional security audits (SOC 2, Cure53, HackerOne)
  • Enterprise support and SLAs available
  • SCIM provisioning and directory sync
  • Compliance certifications (SOC 2, HIPAA)
  • Standard installation: up to 11 containers, 2 GB+ RAM
  • Premium features require a paid license
  • Enterprise modules proprietary (source-available, not AGPL-3.0)
  • Lite variant available (1 container) but less tested

Both servers implement the same Bitwarden API. The clients are identical: you install the official Bitwarden app and enter your server URL. The difference lies in resource requirements, licensing and target audience. Vaultwarden is suited for individuals and small teams wanting a lightweight server with all features. The official Bitwarden server is the choice for organizations needing enterprise features and professional security audits.

05

Your own password manager in a few steps

Step 01

Create a seed

Choose a model with at least 1 CPU and 2 GB RAM. Vaultwarden is extremely lightweight and runs smoothly on the smallest model. For teams with more than 20 users, a model with 2 CPU and 4 GB RAM is recommended.

Step 02

Install password manager

Vaultwarden can be set up via Coolify with one click or via Docker Compose in a few minutes. Domain and SSL certificate are configured automatically. Find a detailed guide in our tutorial.

Step 03

Connect clients

Install the Bitwarden app on your devices (browser extension, mobile, desktop). In the settings, enter your own server URL. All passwords are synced encrypted through your server.

07

Configure a seed

Billed hourly, no minimum term, no setup fee. One server for your password manager, your backups and all related services.

Entry

Beginner


CPU allocation based on availability
At least Intel Xeon Gold
NVMe SSD storage
3-way replication via Ceph
DDR4
Balanced disk performance

3,65 € / Month
from 0,005848 € / Hour

Standard

All-rounder


AMD EPYC Turin
At least 2.6 GHz
Up to 4.5 GHz
NVMe SSD storage
3-way replication via Ceph
DDR5
Increased disk performance

9,01 € / Month
from 0,014439 € / Hour

Performance

CPU-optimized


AMD EPYC Turin (High Frequency)
At least 3.3 GHz
Up to 5 GHz
NVMe SSD storage
3-way replication via Ceph
DDR5
Maximum disk performance, IOPS-optimized

12,26 € / Month
from 0,019639 € / Hour

All prices incl. 19% VAT

08

Why dataforest cloud?

Data sovereignty

Your data stays in Germany. All seeds run in certified data centers in Frankfurt. No data transfers to third countries, full GDPR compliance.

Deployed in seconds

Seeds are provisioned automatically. From configuration to a running server takes only seconds. No waiting, no tickets.

Hourly billing

You only pay for what you use. No minimum terms, no setup fees. Seeds can be created and deleted at any time.

Full control

Root access, public API and full transparency. You decide what runs on your seed. No vendor lock-in, no hidden restrictions.

09

Before you get started.

What is Vaultwarden?
Vaultwarden is an alternative server implementation of the Bitwarden API, written in Rust. It is not a fork but an independent reimplementation serving the same interface. All official Bitwarden clients (browser extension, mobile app, desktop app, CLI) work unchanged with Vaultwarden. The source code is fully open under the AGPL-3.0 license.
What is the difference between Vaultwarden and Bitwarden?
Bitwarden is both a company and a product. The official Bitwarden server is written in C#/.NET and requires up to 11 Docker containers and over 2 GB of RAM. Vaultwarden implements the same API in Rust, runs in a single container with 30 to 50 MB of RAM and unlocks all premium features. The clients are identical: you install the official Bitwarden app and enter your own server URL. The official server offers professional security audits and enterprise support; Vaultwarden excels with minimal resource requirements and a fully open license.
Are my passwords safe if the server is compromised?
As long as your master password is strong, yes. All passwords are encrypted on your device before reaching the server (zero-knowledge architecture). The server only stores encrypted data. Without the master password, attackers cannot decrypt the data. This applies to both server implementations and also to cloud password managers. Use a long, unique master password and enable two-factor authentication.
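
The following sketch is an added example, not code from this page or from the Bitwarden or Vaultwarden projects. It illustrates the client-side derivation behind the "Zero-knowledge encryption" section and the answer above: the encryption and MAC keys stay on the device, and the server only receives a separate authentication hash. PBKDF2-SHA256, the iteration count, the HKDF labels and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac

KDF_ITERATIONS = 600_000  # assumed work factor for this sketch


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_client_keys(email: str, master_password: str,
                       iterations: int = KDF_ITERATIONS) -> dict:
    """Runs on the device only. Of the returned values, only auth_hash is sent."""
    password = master_password.encode()
    salt = email.strip().lower().encode()
    master_key = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, 32)
    return {
        "enc_key": hkdf_expand(master_key, b"enc"),  # encrypts vault entries
        "mac_key": hkdf_expand(master_key, b"mac"),  # authenticates ciphertext
        # One further PBKDF2 round, salted with the password, so the server can
        # check a login without ever holding master_key.
        "auth_hash": hashlib.pbkdf2_hmac("sha256", master_key, password, 1, 32),
    }


def login_request(email: str, keys: dict) -> dict:
    """The only password-derived value that leaves the device."""
    return {"email": email, "auth_hash": keys["auth_hash"].hex()}


def tag_ciphertext(keys: dict, ciphertext: bytes) -> bytes:
    """MAC computed client-side and stored next to each encrypted entry."""
    return hmac.new(keys["mac_key"], ciphertext, hashlib.sha256).digest()


def ciphertext_is_authentic(keys: dict, ciphertext: bytes, tag: bytes) -> bool:
    """Reject entries altered on the server or opened with the wrong password."""
    return hmac.compare_digest(tag_ciphertext(keys, ciphertext), tag)
```

Because every guess at the master password costs the full key derivation, the work factor and the length of the master password together set the cost of an offline guessing attempt against server-side data.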
Can I migrate from an existing password manager?
Yes. Most password managers offer an export function (JSON or CSV). In Vaultwarden, you import the export via the web interface under Tools > Import Data. Numerous formats are supported, including exports from all major password managers and browsers.
What license does Vaultwarden use?
Vaultwarden is licensed under the AGPL-3.0 (GNU Affero General Public License). This is a copyleft license: the source code is freely viewable, usable and modifiable. Anyone running a modified version as a network service must publish the changed source code. For end users deploying Vaultwarden unchanged, the license has no practical restrictions. The official Bitwarden server uses AGPL-3.0 for the core and a proprietary source-available license for enterprise modules.
What responsibility do I take on with self-hosting?
Running your own password manager means taking responsibility for its security. That includes: keeping the operating system and Docker images up to date, applying security updates promptly, setting up regular backups and securing access to the server. With a password manager this is particularly important, as all your credentials reside on that server. Our step-by-step guide covers setup and hardening. If you prefer not to invest that effort, a cloud password manager that handles maintenance, updates and security audits is the better choice.
Do I need technical knowledge?
Basic Linux skills are required: connecting to a server via SSH and running commands in the terminal. Docker experience is helpful but not mandatory. Via a deployment platform, Vaultwarden can be installed without manual Docker configuration. Our step-by-step guide explains every command.
How many users can Vaultwarden handle?
That depends on server resources. A seed with 1 CPU and 2 GB RAM works for up to 50 users. Vaultwarden has no artificial user limit. Since clients cache passwords locally, server load remains low even with many users.
Do the official Bitwarden apps work?
Yes. Both Vaultwarden and the official Bitwarden server implement the same API. All official clients work unchanged with either server: browser extensions (Chrome, Firefox, Safari, Edge), desktop apps (Windows, macOS, Linux), mobile apps (iOS, Android) and the CLI tool. In the app, enter your own server URL under settings.
How do I back up my data?
Vaultwarden stores all data in a SQLite database and a data directory. A daily backup of both components is recommended. The dataforest Cloud offers automatic daily offsite backups as an add-on option. We also recommend independently backing up the database to an external system.
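
One way to take the backup described above while the server keeps running, as an added example (not dataforest or Vaultwarden tooling). It snapshots the database through SQLite's online backup API, checks the snapshot, and archives it together with the rest of the data directory. The database file name `db.sqlite3`, the archive naming and both function names are assumptions.

```python
import sqlite3
import tarfile
from pathlib import Path


def backup_vault(data_dir: Path, dest_dir: Path, stamp: str,
                 db_name: str = "db.sqlite3") -> Path:  # db_name is an assumed default
    """Write dest_dir/vault-<stamp>.tar.gz: a consistent DB snapshot plus all other files."""
    data_dir, dest_dir = data_dir.resolve(), dest_dir.resolve()
    if data_dir in (dest_dir, *dest_dir.parents):
        raise ValueError("backup destination must be outside the data directory")
    db_path = data_dir / db_name
    if not db_path.is_file():
        raise FileNotFoundError(db_path)
    dest_dir.mkdir(parents=True, exist_ok=True)
    snapshot = dest_dir / f"{db_name}.{stamp}.tmp"

    # Use SQLite's online backup API: it copies a consistent view even while
    # the server is writing, which a plain file copy does not guarantee.
    src, dst = sqlite3.connect(db_path), sqlite3.connect(snapshot)
    try:
        src.backup(dst)
        verdict = dst.execute("PRAGMA integrity_check").fetchone()[0]
    finally:
        src.close()
        dst.close()
    if verdict != "ok":
        snapshot.unlink()
        raise RuntimeError(f"snapshot failed integrity check: {verdict}")

    archive = dest_dir / f"vault-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(snapshot, arcname=db_name)
        for path in sorted(data_dir.rglob("*")):
            # The live database and its -wal/-shm/-journal side files are
            # replaced by the snapshot above, so leave them out.
            if path.is_file() and not path.name.startswith(db_name):
                tar.add(path, arcname=str(path.relative_to(data_dir)))
    snapshot.unlink()
    archive.chmod(0o600)  # readable by the backup user only
    return archive


def archive_members(archive: Path) -> list:
    """Names stored in a backup archive, for a quick restore check."""
    with tarfile.open(archive, "r:gz") as tar:
        return sorted(tar.getnames())
```

Copy the resulting archive to a system other than the server itself, and restore it to a scratch directory from time to time to confirm the backup is usable.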
What happens if my server goes down?
Bitwarden clients store all passwords in an encrypted local cache. You have offline access to your passwords. Once the server is reachable again, clients sync automatically. Docker restarts Vaultwarden automatically on server reboot.
Does Vaultwarden support two-factor authentication?
Yes. Supported methods include authenticator apps (TOTP), FIDO2 WebAuthn (e.g. YubiKey), email codes and Duo Security. Multiple methods can be enabled simultaneously. For maximum security, a hardware key (FIDO2) combined with an authenticator app as backup is recommended.

Any questions?

Then our experts are happy to help. You'll be surprised how fast we are.
