Self-Host Vaultwarden (Bitwarden) with Greffon
Your passwords are the highest-trust thing you run. That is exactly why the box they live on should be one you own. Here is the honest setup for Vaultwarden on a greffer.
A password manager is the one app where you hand over everything at once. If you are going to trust software with every login you have, it is worth asking where that data actually sits. Self-hosting answers that question plainly: on a machine you own, not an account you rent. Vaultwarden makes that practical, and Greffon takes the fiddly parts off your plate.
Why own the vault
Vaultwarden is a lightweight server that speaks the Bitwarden API, so the official Bitwarden apps and browser extensions work against it unchanged. It is a community reimplementation, not the official Bitwarden server, which is the point: it is small enough to run comfortably on a modest greffer while staying compatible with the clients you already use.
The security model does not change because you host it yourself. Your vault is encrypted on your device with your master password, and the server only ever stores ciphertext. Self-hosting moves where that ciphertext lives. It does not ask you to trust the server with your secrets in the clear.
Graft it from the catalog
On a greffer, you do not hand-write a compose file or wire a reverse proxy. Pick Vaultwarden from the catalog and graft it onto your greffer. Greffon issues the certificate and routes the app, so it comes up reachable over HTTPS without you assembling that plumbing by hand.
Reach it from your phone
A vault is only useful if your phone and browser can reach it. On the same network as your greffer, that works the moment it starts. To reach it from anywhere else, you have two honest options.
The simplest is tunnel mode: a greffer connects outbound to the manager's tunnel and serves its apps without opening a single inbound port, which is the answer for a box behind NAT or CGNAT with no public IP. If you would rather expose the greffer directly, port forwarding plus dynamic DNS still works. Either way your vault stays reachable over HTTPS.
Back it up first
This is the section most walkthroughs bury, and for a password vault it is the one that matters most. The vault is the single thing you cannot afford to lose: lose it and you lose every credential at once. Greffon handles TLS and routing today, and native one-click backups are coming in M2. Until then, bring your own backup tool (restic or borgbackup are the usual choices), back up the Vaultwarden data on a schedule, and store a copy off the greffer.
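As an added example (not Greffon's or Vaultwarden's own tooling), here is one way to script that scheduled, off-greffer backup with restic. It assumes Vaultwarden is on its default SQLite backend with `db.sqlite3` in the data directory; `VW_DATA`, `STAGE` and the `RUN_BACKUP` switch are hypothetical names, and the data path is a placeholder you must set for your greffer.

```shell
#!/bin/sh
# Added example: scheduled Vaultwarden backup with restic (not project code).
# Assumptions: default SQLite backend (db.sqlite3 in the data directory);
# RESTIC_REPOSITORY and RESTIC_PASSWORD_FILE are exported and point OFF the greffer.
set -eu

: "${VW_DATA:=/path/to/vaultwarden/data}"   # placeholder: your app's data directory
: "${STAGE:=/var/tmp/vaultwarden-stage}"    # scratch directory for a consistent copy

# Build a consistent copy in $STAGE. The live database is taken with SQLite's
# online backup, so a write in progress cannot leave a torn file the way a
# plain cp of db.sqlite3 can.
stage_vault() {
    rm -rf "$STAGE"
    mkdir -p -m 700 "$STAGE"    # config.json and rsa_key* are sensitive
    sqlite3 "$VW_DATA/db.sqlite3" ".backup '$STAGE/db.sqlite3'"
    for item in "$VW_DATA"/attachments "$VW_DATA"/sends \
                "$VW_DATA"/config.json "$VW_DATA"/rsa_key*; do
        if [ -e "$item" ]; then cp -Rp "$item" "$STAGE/"; fi
    done
}

# Push the staged copy to the restic repository, apply retention, then verify
# the repository so a broken backup is noticed before it is needed.
push_offsite() {
    restic backup --tag vaultwarden "$STAGE"
    restic forget --tag vaultwarden --keep-daily 7 --keep-weekly 4 --prune
    restic check
}

run_backup() {
    [ -f "$VW_DATA/db.sqlite3" ] || { echo "no db.sqlite3 in $VW_DATA" >&2; return 1; }
    : "${RESTIC_REPOSITORY:?set this to a repository that is not on the greffer}"
    stage_vault
    push_offsite
    rm -rf "$STAGE"
}

# From cron or a systemd timer: RUN_BACKUP=1 /path/to/this-script
if [ "${RUN_BACKUP:-0}" = 1 ]; then run_backup; fi
```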
Keep it always-on
You will reach for your vault at odd hours from every device, so it needs to be up when you are. Run it on an always-on greffer (a small VPS, a mini-PC, or a free Oracle Cloud box) rather than a laptop that sleeps at night. The Oracle walkthrough is a good place to get a greffer running before you graft the vault onto it.