Vaultwarden is an open-source, self-hosted Bitwarden server. It runs on your NAS, is compatible with all official Bitwarden client apps, and stores your passwords on hardware you control with no subscription required. Bitwarden's official cloud service costs $10 USD/year for premium features; Vaultwarden gives you all of those features for free on your own hardware. The container is extremely lightweight (uses under 100MB RAM), runs on any NAS with Docker support, and is one of the most reliable self-hosted apps in the homelab ecosystem. This guide covers the complete setup from Docker deployment to HTTPS configuration to client registration.
In short: Deploy Vaultwarden via Docker, configure HTTPS via NGINX Proxy Manager (required, because Bitwarden clients refuse to connect over plain HTTP), register an account on your server, and install the Bitwarden browser extension or mobile app pointing to your self-hosted URL. Setup takes 20-30 minutes.
Why Self-Host a Password Manager?
Bitwarden's cloud service is excellent and audited. Self-hosting Vaultwarden is not about doubting Bitwarden's security. It is about:
- Cost: Bitwarden Premium is $10/year; Bitwarden Families is $40/year. Vaultwarden is free, including the premium features (TOTP, file attachments, emergency access)
- Data sovereignty: Your passwords never leave your network (except for encrypted sync to client devices)
- No dependency on third-party availability: Your vault works even if Bitwarden's servers are down
The trade-off: you are responsible for keeping your Vaultwarden instance updated, backed up, and accessible. If your NAS is offline when you need a password remotely, you need local client caches. Bitwarden clients cache the vault locally, so offline access works for existing passwords. New entries require connectivity.
Step 1: Deploy Vaultwarden via Docker
Create a Docker Compose file at /volume1/docker/vaultwarden/docker-compose.yml (Synology) or /share/docker/vaultwarden/docker-compose.yml (QNAP):
version: '3.8'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    ports:
      - 8180:80
    environment:
      - WEBSOCKET_ENABLED=true
      - SIGNUPS_ALLOWED=true # set to false after creating your accounts
      - DOMAIN=https://vault.yourdomain.com
      - ADMIN_TOKEN=your_secure_admin_token_here
    volumes:
      - ./data:/data

Deploy with docker compose up -d or via Portainer Stacks. Vaultwarden starts in seconds. It is one of the fastest containers to initialise.
Generate a secure ADMIN_TOKEN for the admin panel with: openssl rand -base64 48. Store this securely. It gives full admin access to your Vaultwarden instance.
Step 2: Configure HTTPS (Required)
All Bitwarden clients require HTTPS. Plain HTTP connections are rejected. You must configure HTTPS before clients will connect.
Using NGINX Proxy Manager (recommended if already running for other containers):
- Add a new Proxy Host in NPM
- Domain: vault.yourdomain.com
- Forward to: NAS IP, port 8180
- Enable Websockets Support
- SSL: Request Let's Encrypt certificate
After saving, Vaultwarden should be accessible at https://vault.yourdomain.com. The DOMAIN environment variable in the Compose file must match this URL exactly. This is required for WebSocket sync and push notifications to work.
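Update the Compose file DOMAIN variable with your actual HTTPS URL, then recreate the container so the new value is applied: docker compose up -d. A plain docker compose restart does not re-read changes made to the Compose file.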
Step 3: Create Accounts and Disable Open Registration
With SIGNUPS_ALLOWED=true, anyone who knows your Vaultwarden URL can create an account. Create all the accounts you need (yourself, family members), then disable open registration:
- Navigate to https://vault.yourdomain.com and click Create Account
- Register with your email and a strong master password
- Repeat for any family members who will use this server
- Once all accounts are created, edit the Compose file: change SIGNUPS_ALLOWED=true to SIGNUPS_ALLOWED=false
- Recreate the container so the new setting is applied (a plain restart does not re-read the Compose file)
New account creation is now blocked. Existing accounts continue to function normally. The admin panel (https://vault.yourdomain.com/admin) using your ADMIN_TOKEN allows you to invite specific users by email even with signups disabled.
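A static check for the three settings this guide depends on, written as an added example (not part of the original guide or the Vaultwarden project). The sample Compose text is constructed, with DOMAIN deliberately set to http:// to trigger that finding, and the 32-character minimum token length is an assumed threshold.

```python
"""Audit a Vaultwarden docker-compose.yml for the settings this guide warns about."""
import re

# Constructed sample: the guide's Compose file right after Step 1, with DOMAIN
# changed to http:// so that every check below has something to flag.
SAMPLE_COMPOSE = """\
services:
  vaultwarden:
    image: vaultwarden/server:latest
    ports:
      - 8180:80
    environment:
      - WEBSOCKET_ENABLED=true
      - SIGNUPS_ALLOWED=true # set to false after creating your accounts
      - DOMAIN=http://vault.yourdomain.com
      - ADMIN_TOKEN=your_secure_admin_token_here
"""

# Matches list-style entries such as "- KEY=value"; port and volume lines do not match.
ENV_LINE = re.compile(r"^\s*-\s*([A-Z_]+)=(.*)$")


def parse_env(compose_text):
    """Return {KEY: value} for every `- KEY=value` environment entry."""
    env = {}
    for line in compose_text.splitlines():
        m = ENV_LINE.match(line)
        if m:
            # Drop a trailing " # comment" and any surrounding quotes.
            value = re.split(r"\s+#", m.group(2), maxsplit=1)[0]
            env[m.group(1)] = value.strip().strip("'\"")
    return env


def audit(compose_text, min_token_len=32):  # min_token_len: assumed threshold
    """Return a sorted list of finding codes; an empty list means nothing flagged."""
    env = parse_env(compose_text)
    findings = []
    # Vaultwarden allows signups unless told otherwise, so a missing key counts as open.
    if env.get("SIGNUPS_ALLOWED", "true").lower() != "false":
        findings.append("signups-open")
    if not env.get("DOMAIN", "").startswith("https://"):
        findings.append("domain-not-https")
    token = env.get("ADMIN_TOKEN", "")
    if token and (token == "your_secure_admin_token_here" or len(token) < min_token_len):
        findings.append("weak-admin-token")
    return sorted(findings)
```

To check a real deployment, pass the contents of /volume1/docker/vaultwarden/docker-compose.yml to audit() after completing Step 3.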
Step 4: Connect Bitwarden Clients
Vaultwarden is compatible with all official Bitwarden client apps. No third-party clients required. In any Bitwarden client, change the server URL before logging in:
Browser extension (Chrome, Firefox, Edge, Safari):
- Install the official Bitwarden extension from your browser's extension store
- Click the extension icon, click the gear/settings icon at the top left
- Under Self-Hosted Environment, enter your Vaultwarden URL: https://vault.yourdomain.com
- Save and log in with your Vaultwarden account credentials
Mobile app (iOS and Android):
- Install the official Bitwarden app
- On the login screen, tap the gear icon
- Enter your server URL and save
- Log in with your credentials
The Bitwarden desktop app follows the same pattern. All clients sync to your Vaultwarden instance once the server URL is set correctly.
Backups: Critical for a Password Manager
Your password database is in the ./data folder defined in the Compose volume mount. Back this up regularly. Losing your Vaultwarden data means losing access to all stored passwords.
Backup strategy:
- Include the /volume1/docker/vaultwarden/data/ folder in your NAS backup job (Hyper Backup, Hybrid Backup Sync, rsync)
- The critical file is db.sqlite3. This is the password database
- Test restoration by restoring the backup to a test instance before relying on it
- Additionally, use Bitwarden's built-in export (Settings → Export Vault) to keep an encrypted local copy periodically
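A way to take and test a backup of db.sqlite3 while the container is running, as an added example (not from the original guide or the Vaultwarden project). It uses SQLite's online backup API because a database in WAL mode keeps recent writes in a separate -wal file that a plain copy of db.sqlite3 would miss; the demo database and its table are constructed stand-ins, not Vaultwarden's schema.

```python
"""Snapshot a live SQLite database consistently, then run a restore test on the copy."""
import os
import sqlite3
import tempfile


def snapshot(src_path, dest_path):
    """Copy src to dest with SQLite's online backup API (safe while the DB is in use)."""
    # mode=ro: the backup job never writes to the live database file.
    src = sqlite3.connect(f"file:{src_path}?mode=ro", uri=True)
    dest = sqlite3.connect(dest_path)
    try:
        src.backup(dest)
    finally:
        dest.close()
        src.close()


def verify(path):
    """Restore test: return (integrity_ok, {table: row_count}) for a snapshot."""
    con = sqlite3.connect(path)
    try:
        ok = con.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        counts = {n: con.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0]
                  for n in names}
    finally:
        con.close()
    return ok, counts


def demo():
    """Build a constructed stand-in database, snapshot it mid-use, verify the copy."""
    tmp = tempfile.mkdtemp()
    live = os.path.join(tmp, "db.sqlite3")
    con = sqlite3.connect(live)
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("CREATE TABLE demo_items (id INTEGER PRIMARY KEY, data TEXT)")
    con.execute("INSERT INTO demo_items (data) VALUES ('constructed ciphertext')")
    con.commit()  # writer stays open, so this row may exist only in db.sqlite3-wal
    copy = os.path.join(tmp, "db-backup.sqlite3")
    snapshot(live, copy)
    con.close()
    return verify(copy)
```

On the NAS, call snapshot() on /volume1/docker/vaultwarden/data/db.sqlite3 before the backup job runs, and run verify() on the restored file as the restoration test.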
🇦🇺 Australian Users: Remote Access Notes
Vaultwarden works fine for local-only use, but most users want password sync when away from home. Options:
- Cloudflare Tunnel (free): Expose Vaultwarden via Cloudflare without opening ports or needing a static IP. Supports CGNAT. The Cloudflare Tunnel daemon runs as a Docker container alongside Vaultwarden. This is the simplest option for most Australian residential connections
- Port forward + DuckDNS: If you have a dynamic IP (most NBN connections), DuckDNS (free dynamic DNS) plus port forwarding provides direct remote access without relay overhead
- VPN: Route all remote access through a WireGuard VPN. This means Vaultwarden does not need to be internet-exposed at all. More complex, but the highest security for a password manager
Given that Vaultwarden holds your passwords, restricting remote access to a VPN is the most security-conscious option. Cloudflare Tunnel is the pragmatic middle ground: encrypted transit, no open ports, no static IP needed.
Is Vaultwarden secure?
Vaultwarden is well-audited community software used by hundreds of thousands of self-hosters. The core vault encryption is identical to Bitwarden's: AES-256 CBC with a key derived from your master password via PBKDF2. Your passwords are encrypted client-side before leaving your device; the server stores only ciphertext. Vaultwarden itself never sees your master password. The main security responsibility you take on is keeping the Vaultwarden container updated and securing the HTTPS endpoint. If your NAS is compromised at the OS level, all bets are off. Use a strong master password and keep NAS admin access locked down.
Can I migrate from Bitwarden cloud to Vaultwarden?
Yes. Export your vault from Bitwarden cloud (Bitwarden Web → Settings → Export Vault → Encrypted JSON). Set up Vaultwarden and create your account. Import the exported file in the Bitwarden client connected to your Vaultwarden server (Settings → Import Data). All passwords, notes, and card entries transfer. Verify the import before deactivating your Bitwarden account. TOTP seeds in Bitwarden Premium export correctly; attachments require manual re-upload.
How much storage does Vaultwarden use?
Minimal. The Vaultwarden container image is approximately 100MB. The data directory with a vault of 500 passwords and minimal file attachments is under 10MB. Vaultwarden is one of the smallest self-hosted applications by storage footprint. File attachments (if enabled) add to storage proportionally.
Does Vaultwarden support TOTP (two-factor authentication codes)?
Yes. Vaultwarden supports storing and generating TOTP codes (the six-digit codes used by authenticator apps). This is a Bitwarden Premium feature that Vaultwarden provides for free. Store your TOTP secrets in Vaultwarden entries, and the Bitwarden client apps will display the current TOTP code alongside the password. This consolidates password and TOTP management in one place, though for critical accounts, keeping TOTP separate from your password manager is a valid security approach.
Can my family use the same Vaultwarden instance?
Yes. Create individual accounts for each family member. Each person gets their own vault. Shared credentials can be organised using Vaultwarden's Organisation feature: create an Organisation, invite family members, and share specific vault collections with them. This is equivalent to Bitwarden Families, which costs $40/year in the cloud. On Vaultwarden it is free.