Official Bitwarden Self-Hosted on Anubiz Iceland

Section 73 of the constitution prohibits prior restraint. IMMI case law protects sources. Outside Fourteen Eyes. No key escrow. The country is the closest practical match to the idealised privacy jurisdiction for an enterprise vault that holds high value credentials.

The Anubiz Iceland VPS line caps below the official Bitwarden 6 GB floor. Move to an Anubiz Iceland Dedicated tier for the install. NVMe SSD, 32 GB RAM minimum, redundant power. MS SQL transaction log IOPS is what bottlenecks small Bitwarden installs first.

curl -s -o bitwarden.sh https://func.bitwarden.com/api/dl/?app=self-host&platform=linux, then ./bitwarden.sh install. Provide install id and key from bitwarden.com/host. Set the hostname to your public domain (Let's Encrypt issuance happens during install if you accept). Set SMTP for invitations and 2FA email codes. Verify all containers come up: docker ps should show 9.

Replace the installer-issued cert with a Caddy reverse proxy if you want HTTP/3 and tighter cipher suite control. Bind MS SQL to localhost only. Use the Admin Portal to disable signups, force 2FA, set master password policies. Enable Argon2id KDF org wide via Bitwarden Enterprise policy (requires licence).

Vault items are end to end encrypted. MS SQL stores ciphered blobs. Server admins cannot decrypt. Metadata (emails, org names, collection names, item counts, attachment sizes) is visible to anyone with database access. Bitwarden Enterprise policies are stored in MS SQL and can be inspected by an attacker with disk access but cannot weaken existing ciphers.

./bitwarden.sh backup writes a tar including MS SQL dump and attachments. Encrypt with age or gpg using a key not stored in the vault. Restic encrypted archive to Anubiz Host Romania nightly. Retention: 14 daily, 8 weekly, 12 monthly. Restore drill monthly on a throwaway VPS.