
Self-Host Vaultwarden (Bitwarden) with Greffon

Your passwords are the highest-trust thing you run. That is exactly why the box they live on should be one you own. Here is the honest setup for Vaultwarden on a greffer.

Greffon Labs, 6 min read

A password manager is the one app where you hand over everything at once. If you are going to trust software with every login you have, it is worth asking where that data actually sits. Self-hosting answers that question plainly: on a machine you own, not an account you rent. Vaultwarden makes that practical, and Greffon takes the fiddly parts off your plate.

Why own the vault

Vaultwarden is a lightweight server that speaks the Bitwarden API, so the official Bitwarden apps and browser extensions work against it unchanged. It is a community reimplementation, not the official Bitwarden server, which is the point: it is small enough to run comfortably on a modest greffer while staying compatible with the clients you already use.

The security model does not change because you host it yourself. Your vault is encrypted on your device with your master password, and the server only ever stores ciphertext. Self-hosting moves where that ciphertext lives. It does not ask you to trust the server with your secrets in the clear.

Graft it from the catalog

On a greffer, you do not hand-write a compose file or wire a reverse proxy. Pick Vaultwarden from the catalog and graft it onto your greffer. Greffon issues the certificate and routes the app, so it comes up reachable over HTTPS without you assembling that plumbing by hand.

HTTPS is not optional for a vault
The Bitwarden clients refuse to talk to a vault over plain HTTP, and they are right to. This is the part Greffon earns its keep on: the certificate and routing are handled the same correct way on every greffer, so your vault is reachable over TLS from the first start.

Reach it from your phone

A vault is only useful if your phone and browser can reach it. On the same network as your greffer, that works the moment it starts. To reach it from anywhere else, you have two honest options.

The simplest is tunnel mode: a greffer connects outbound to the manager's tunnel and serves its apps without opening a single inbound port, which is the answer for a box behind NAT or CGNAT with no public IP. If you would rather expose the greffer directly, port forwarding plus dynamic DNS still works. Either way your vault stays reachable over HTTPS.

Back it up first

This is the section most walkthroughs bury, and for a password vault it is the one that matters most. The vault is the single thing you cannot afford to lose: lose it and you lose every credential at once. Greffon handles TLS and routing today, and native one-click backups are coming in M2. Until then, bring your own backup tool (restic or borgbackup are the usual choices), back up the Vaultwarden data on a schedule, and store a copy off the greffer.

A backup you have not restored is not a backup
Before you move your real passwords in, test a restore once. A self-hosted vault you have never restored is a single point of failure for every account you own. Five minutes now is cheaper than the alternative.
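One way to script the backup and the restore test described in this section, as an added example that is not Greffon's or Vaultwarden's own code. It takes a consistent snapshot of the live SQLite database instead of copying the file while the server may be writing, archives it with the rest of the data directory, then restores into a scratch directory and checks that the copy opens. Assumptions: Vaultwarden's default SQLite backend with its default file name `db.sqlite3`; the data directory path on your greffer, the function names and the sample vault are constructed for illustration, and getting the archive off the greffer is left to restic or borgbackup.

```python
import sqlite3
import tarfile
import tempfile
from contextlib import closing
from pathlib import Path

DB_NAME = "db.sqlite3"  # Vaultwarden's default SQLite file name

def backup_vault(data_dir: Path, archive: Path) -> Path:
    """Snapshot the live database, then archive it with the other data files."""
    live = data_dir / DB_NAME
    if not live.is_file():
        raise FileNotFoundError(live)  # connect() would silently create an empty DB
    with tempfile.TemporaryDirectory() as tmp:
        snap = Path(tmp) / DB_NAME
        with closing(sqlite3.connect(live)) as src, closing(sqlite3.connect(snap)) as dst:
            src.backup(dst)  # SQLite online backup: consistent even mid-write
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(snap, arcname=DB_NAME)
            for p in sorted(data_dir.iterdir()):
                if not p.name.startswith(DB_NAME):  # skip live DB and its -wal/-shm
                    tar.add(p, arcname=p.name)
    return archive

def verify_restore(archive: Path) -> dict:
    """Restore the database into a scratch directory and check that it opens."""
    with tempfile.TemporaryDirectory() as tmp, tarfile.open(archive) as tar:
        names = sorted(tar.getnames())
        restored = Path(tmp) / DB_NAME
        restored.write_bytes(tar.extractfile(DB_NAME).read())
        with closing(sqlite3.connect(restored)) as db:
            integrity = db.execute("PRAGMA integrity_check").fetchone()[0]
            tables = [r[0] for r in db.execute(
                "SELECT name FROM sqlite_master WHERE type='table'")]
            rows = {t: db.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
                    for t in tables}
    return {"integrity": integrity, "rows": rows, "files": names}

def make_sample_vault(data_dir: Path) -> sqlite3.Connection:
    """Constructed stand-in for a running vault: WAL mode, connection left open."""
    (data_dir / "attachments").mkdir(parents=True)
    (data_dir / "attachments" / "blob").write_bytes(b"constructed ciphertext")
    con = sqlite3.connect(data_dir / DB_NAME)
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("CREATE TABLE ciphers (uuid TEXT PRIMARY KEY, data TEXT)")
    con.executemany("INSERT INTO ciphers VALUES (?, ?)",
                    [(f"id-{i}", "constructed") for i in range(3)])
    con.commit()
    return con  # committed rows may still sit in db.sqlite3-wal
```

Compare the row counts from `verify_restore` against the live vault before trusting the archive, and run the same check on a copy pulled back from your off-greffer storage.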

Keep it always-on

You will reach for your vault at odd hours from every device, so it needs to be up when you are. Run it on an always-on greffer, a small VPS, a mini-PC, or a free Oracle Cloud box, rather than a laptop that sleeps at night. The Oracle walkthrough is a good place to get a greffer running before you graft the vault onto it.

FAQ

Is Vaultwarden the same as Bitwarden?
Not exactly. Vaultwarden is a separate, lighter server that implements the Bitwarden API. The official Bitwarden mobile, desktop, and browser clients work against it, so day to day it feels the same while using far fewer resources on your greffer.

Is it safe to self-host my passwords?
It can be, and the math is the same as hosted Bitwarden: the vault is encrypted on your device with your master password, so the server only holds ciphertext. The parts you own are HTTPS (Greffon handles this), a strong master password, two-factor auth, and tested backups. Get those right and self-hosting does not lower your security.

Can I use the official Bitwarden apps?
Yes. Point the app or extension at your own server URL during login and it uses your greffer instead of Bitwarden's servers.

What happens if my greffer goes down?
The clients cache your vault, so you usually keep read access for a while, but you cannot sync changes until the greffer is back. That is the case for keeping it on an always-on machine with backups you have tested.